From: Joshua Brindle <jbrindle@tresys.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>,
"Serge E. Hallyn" <serue@us.ibm.com>,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
Chad Sellers <csellers@tresys.com>,
Karl MacMillan <kmacmillan@mentalrootkit.com>,
Darrel Goeddel <dgoeddel@TrustedCS.com>,
Chad Hanson <chanson@TrustedCS.com>
Subject: Re: [RFC v2][PATCH] selinux: enable authoritative granting of capabilities
Date: Wed, 20 Jun 2007 18:33:34 -0400 [thread overview]
Message-ID: <4679AB3E.3090302@tresys.com> (raw)
In-Reply-To: <1182365766.15064.199.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> An alternative approach to implementing this support for authoritative
> granting of capabilities by SELinux would be to compute the full
> cap_override access vector upon exec and cap_combine it with the base
> capability sets, such that the task's capability bitmasks would reflect
> the combined capabilities authorized by the base logic and by SELinux
> policy. Then the capable() hook itself would remain unchanged from the
> current (unpatched) code, just checking the task's capability bitmask
> and then checking the SELinux capability access vector as a further
> restriction on use.
>
> There are two places where that computation and combination could be
> done: before the usual capability evolution logic is applied (by
> cap_bprm_apply_creds) or after it. If before, we'd be manipulating the
> bprm capability bitmasks (similar to file capabilities) and then letting
> the usual capability evolution occur; if after, we'd be manipulating the
> task capability bitmasks after they have been updated by the capability
> module.
>
> Observations:
> - This approach would make the granting of such capabilities visible in
> the task's capability bitmasks as returned by capget
> or /proc/self/status. Those bitmasks would however still not reflect
> the further restrictions imposed by the SELinux capability access vector
> check.
> - This approach would enable the existing capability-based tests to
> provide some protection of the privileged process even apart from the
> SELinux checks, although such protection will still be incomplete
> without the SELinux checks (e.g. we'd gain separate ptrace checking
> based on capabilities, but still depend on selinux control over
> creating/relabeling-to the entrypoint type for the domain). The extent
> of additional checking depends on whether we do the manipulation before
> or after the usual evolution logic as well; if before, we pick up the
> usual checking on exec; if after, we don't.
> - Doing the computation and combination first and then applying the
> usual evolution logic has a cost in flexibility as it won't support
> orthogonal changes in capabilities.
>
> Thoughts?
>
So this lets SELinux granted capabilities to migrate across execve(),
granted the Selinux policy still has to be consulted to grant
capabilities before use but this could result in incorrect policy being
enforced, right? Particularly across policy reloads or boolean changes;
this just doesn't seem as robust as the old method of deciding at time
of use rather than time of process creation.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2007-06-20 22:33 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-15 14:28 [RFC v2][PATCH] selinux: enable authoritative granting of capabilities Stephen Smalley
2007-06-15 14:42 ` [RFC v2][PATCH] refpolicy: add memprotect and cap_override definitions and interfaces Stephen Smalley
2007-06-19 12:56 ` Christopher J. PeBenito
2007-06-15 15:14 ` [RFC v2][PATCH] selinux: enable authoritative granting of capabilities Casey Schaufler
2007-06-15 15:27 ` Stephen Smalley
2007-06-15 16:05 ` Casey Schaufler
2007-06-15 16:24 ` Karl MacMillan
2007-06-15 19:36 ` Stephen Smalley
2007-06-15 20:50 ` Casey Schaufler
2007-06-18 13:03 ` Stephen Smalley
2007-06-18 15:32 ` Casey Schaufler
2007-06-18 17:03 ` Stephen Smalley
2007-06-21 20:41 ` Casey Schaufler
2007-06-20 18:56 ` Stephen Smalley
2007-06-20 20:13 ` Serge E. Hallyn
2007-06-20 20:52 ` Stephen Smalley
2007-06-20 21:08 ` Serge E. Hallyn
2007-06-21 12:24 ` Stephen Smalley
2007-06-22 1:29 ` Linux user / SELinux user changes Hasan Rezaul-CHR010
2007-06-22 2:55 ` Ken YANG
2007-06-22 11:36 ` Stephen Smalley
2007-06-20 22:33 ` Joshua Brindle [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4679AB3E.3090302@tresys.com \
--to=jbrindle@tresys.com \
--cc=chanson@TrustedCS.com \
--cc=cpebenito@tresys.com \
--cc=csellers@tresys.com \
--cc=dgoeddel@TrustedCS.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=kmacmillan@mentalrootkit.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.