From: Joshua Brindle <jbrindle@tresys.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Luke Kenneth Casson Leighton <lkcl@lkcl.net>,
SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: banning copying of binaries (e.g. mozilla etc).
Date: Tue, 31 Aug 2004 13:00:18 -0400 [thread overview]
Message-ID: <4134AEA2.5090300@tresys.com> (raw)
In-Reply-To: <1093970980.8517.169.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Tue, 2004-08-31 at 12:25, Joshua Brindle wrote:
>
>>It's worth noting that this will not stop execution of said binaries
>>entirely. One only needs to know enough to use /lib/ld.so to run any
>>dynamically linked binary which he doesn't have execute access on.
>>Unfortunatly disabling user domains access to ld.so would make him
>>unable to run any dynamically linked apps whatsoever, sounds like we
>>need a userland enforcer in glibc ;)
>
>
> Running it via ld.so should still trigger SELinux permission checks for
> read and execute (upon the mmap) and possibly other checks induced by
> earlier operations by ld.so (e.g. stat'ing the file will require
> getattr), so this only has an affect on the execute_no_trans check.
>
> With regard to the latter point, the kernel doesn't check
> execute_no_trans to the interpreter when handling an execve itself, so
> you can remove execute_no_trans permission to ld.so from a domain to
> prevent direct execution while still allowing the kernel to invoke it on
> behalf of the process upon an execve.
>
Ah, my mistake. Out of curiousity why does the ld_so_t have execute
permission in the uses_shlib macro if the kernel is executing it? Does
the kernel still check for execute permission for the current domain
before it executes ld.so?
Joshua Brindle
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2004-08-31 17:00 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-30 22:23 banning copying of binaries (e.g. mozilla etc) Luke Kenneth Casson Leighton
2004-08-30 23:33 ` Joshua Brindle
2004-08-31 9:24 ` Luke Kenneth Casson Leighton
2004-08-31 11:29 ` Stephen Smalley
2004-08-31 12:25 ` Luke Kenneth Casson Leighton
2004-08-31 12:34 ` Stephen Smalley
2004-08-31 13:27 ` Luke Kenneth Casson Leighton
2004-08-31 13:29 ` Stephen Smalley
2004-08-31 16:25 ` Joshua Brindle
2004-08-31 16:49 ` Stephen Smalley
2004-08-31 17:00 ` Joshua Brindle [this message]
2004-08-31 17:21 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4134AEA2.5090300@tresys.com \
--to=jbrindle@tresys.com \
--cc=lkcl@lkcl.net \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.