mmap_file_perms needs ioctl also

mmap_file_perms needs ioctl also

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: nsaserefpolicy_policy_support_obj_perm_sets.spt --]
[-- Type: text/plain, Size: 656 bytes --]

--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.8/policy/support/obj_perm_sets.spt	2007-03-08 08:42:37.000000000 -0500
@@ -215,7 +215,7 @@
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
 define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')

Re: mmap_file_perms needs ioctl also

[Russell Coker]

Why?

Many programs that mmap files will also make ioctl() calls on them.  But AFAIK 
there is nothing forcing the application programmer to do so.  Expanding the 
permissions in this regard seems unnecessary.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: mmap_file_perms needs ioctl also

[Stephen Smalley]

On Fri, 2007-03-09 at 18:38 +1100, Russell Coker wrote:
> Why?
> 
> Many programs that mmap files will also make ioctl() calls on them.  But AFAIK 
> there is nothing forcing the application programmer to do so.  Expanding the 
> permissions in this regard seems unnecessary.

ioctl permission is effectively useless as it doesn't distinguish
read-flow vs. write-flow vs. control-op, so it ends up being allowed
pervasively whenever you allow read or write.  We really need to just
replace it (ala the attempts by Lorenzo in the past), but doing so
compatibly won't be easy.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: mmap_file_perms needs ioctl also

[Daniel J Walsh]

Stephen Smalley wrote:
> On Fri, 2007-03-09 at 18:38 +1100, Russell Coker wrote:
>   
>> Why?
>>
>> Many programs that mmap files will also make ioctl() calls on them.  But AFAIK 
>> there is nothing forcing the application programmer to do so.  Expanding the 
>> permissions in this regard seems unnecessary.
>>     
>
> ioctl permission is effectively useless as it doesn't distinguish
> read-flow vs. write-flow vs. control-op, so it ends up being allowed
> pervasively whenever you allow read or write.  We really need to just
> replace it (ala the attempts by Lorenzo in the past), but doing so
> compatibly won't be easy.
>
>   
I just want the AVC go away...

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: mmap_file_perms needs ioctl also

[Casey Schaufler]

--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

 
> ioctl permission is effectively useless as it
> doesn't distinguish
> read-flow vs. write-flow vs. control-op, so it ends
> up being allowed
> pervasively whenever you allow read or write.  We
> really need to just
> replace it (ala the attempts by Lorenzo in the
> past), but doing so
> compatibly won't be easy.

That is a significant understatement. Ioctl is
used, misused, and abused so many different ways
in so many places that doing a granular enforcement
may be beyond the current state of the art and is
certainly a maintenance burden that exceeds the
scope of the existing SELinux implementation.
An investigation into the networking drivers alone
ought to send the rational programmer running in
blind terror. Then there are the graphics
implementations.

I suggest that an approach that would add more
value to the kernel overall and make someone a
minor kernel diety would be to replace the ioctl
mechanism completely. I also think that it would
be less work than trying to do a proper job of
granualizing the existing smoldering pile of
technology.

We did look into the granular ioctl security
policy issue in Unix in the 20th centuty. If
you restrict your system to a very limited set
of devices it still stretches an evaluation
budget beyond the breaking point. It's very
hard to justify the value of the granularity
in terms of the cost.



Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: mmap_file_perms needs ioctl also

[Stephen Smalley]

On Fri, 2007-03-09 at 09:06 -0800, Casey Schaufler wrote:
> --- Stephen Smalley <sds@tycho.nsa.gov> wrote:
> 
>  
> > ioctl permission is effectively useless as it
> > doesn't distinguish
> > read-flow vs. write-flow vs. control-op, so it ends
> > up being allowed
> > pervasively whenever you allow read or write.  We
> > really need to just
> > replace it (ala the attempts by Lorenzo in the
> > past), but doing so
> > compatibly won't be easy.
> 
> That is a significant understatement. Ioctl is
> used, misused, and abused so many different ways
> in so many places that doing a granular enforcement
> may be beyond the current state of the art and is
> certainly a maintenance burden that exceeds the
> scope of the existing SELinux implementation.
> An investigation into the networking drivers alone
> ought to send the rational programmer running in
> blind terror. Then there are the graphics
> implementations.
> 
> I suggest that an approach that would add more
> value to the kernel overall and make someone a
> minor kernel diety would be to replace the ioctl
> mechanism completely. I also think that it would
> be less work than trying to do a proper job of
> granualizing the existing smoldering pile of
> technology.

The trend seems to be to replace such things with pseudo filesystem
interfaces, but in doing so, they usually aren't thinking through the
security aspects (e.g. see the CKRM discussion and my comments on the
kernel cpuset filesystem), so the file-level controls are often
inadequate and we are back to adding hooks into the underlying
implementation...

> We did look into the granular ioctl security
> policy issue in Unix in the 20th centuty. If
> you restrict your system to a very limited set
> of devices it still stretches an evaluation
> budget beyond the breaking point. It's very
> hard to justify the value of the granularity
> in terms of the cost.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.