From: Shawn Wells <swells@redhat.com>
To: selinux <selinux@tycho.nsa.gov>
Cc: gov-eng@redhat.com, Matthew Jamison <jamisonm@redhat.com>
Subject: Multithreaded applications, SELinux, and RAM Protection
Date: Wed, 06 Feb 2008 23:52:22 -0500 [thread overview]
Message-ID: <47AA8E86.8010501@redhat.com> (raw)
Hi All,
I have a customer who is encountering the following issue, and I've
been unable to solve it myself.
The scenario:
WebUserX (with TS//SCI//Alpha) sends a query to MACHINE1 which then
parses the query and executes it on a database.
For example:
|-- WebUserX Sends Query to Query Engine
|--------> Query Engine creates new thread, parses, sends to database
|--------|--------> Database executes & returns data
|--------|--------|--------> Data is stored in RAM, say the first 512MB
of allocatable space
|--------|--------|--------|--------> Data passed back to WebUserX
|--------|--------|--------|--------|--------> Query Engine thread dies,
marks first 512MB of RAM available. Doesn't delete the data in RAM, but
it is now tagged as available.
WebUserY (with TS//SCI//Bravo) sends a different query to MACHINE1 which
then parses the query and executes it on a database. Same process is
followed, however the query engine thread becomes highjacked (bad SQL,
bad coding, whatever).
The customer is considering writing a hook to zero-out the RAM after the
thread dies, but this will be a lengthy process.
With all that said, my question is: how can we make sure that the
thread handling WebUserYs' connection (which is running as
TS//SCI//Bravo) can not see the data in the first 512MB of RAM (which
contains TS//SCI//Alpha)?
Possible ideas, that I just don't know enough about yet:
1) Program maps anonymous memory with mmap with PROT_EXEC. Note that
because anonymous memory is zero'd out by the system it makes not much
sense to not have it writable as well. (stolen from
http://people.redhat.com/~drepper/selinux-mem.html)
I googled "selinux, multithreaded applications," but didn't find to
much. Thanks for any help!
--
Shawn D. Wells
Solutions Architect, Federal Team
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2008-02-07 4:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-07 4:52 Shawn Wells [this message]
[not found] ` <47AA91D7.1010504@redhat.com>
2008-02-07 5:38 ` [gov-eng] Multithreaded applications, SELinux, and RAM Protection Shawn Wells
2008-02-07 14:28 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47AA8E86.8010501@redhat.com \
--to=swells@redhat.com \
--cc=gov-eng@redhat.com \
--cc=jamisonm@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.