* Disabling SELinux by kernel vulnerability @ 2008-02-12 14:43 Yuichi Nakamura 2008-02-12 14:59 ` Daniel J Walsh 2008-02-12 18:45 ` Stephen Smalley 0 siblings, 2 replies; 9+ messages in thread From: Yuichi Nakamura @ 2008-02-12 14:43 UTC (permalink / raw) To: selinux; +Cc: himainu-ynakam Hi. I saw an article on slashdot. http://it.slashdot.org/article.pl?sid=08/02/10/2011257 Local exploit code for Linux kernel exists, exploit code is also disclosed in http://www.milw0rm.com/exploits/5092. In the exploit code, only uid is changed to 0. So, SELinux is not affected. However, SELinux can be disabled by overwriting selinux_enforcing to 0. The address of selinux_enforcing can be seen in /proc/kallsyms, and I've set the value on the address to 0. I tried that on Fedora 8, and I could disable SELinux(set selinux as permissive) from xguest_t domain. I want to make it more difficult for attackers to disable SELinux by kernel exploit. I think not exporting selinux_enforcing(and selinux_disable) to /proc/kallsyms is useful. And /proc/kallsyms is visible from many processes because it is proc_t, assigning /proc/kallsyms label such as proc_ksym_t may be also useful. Are they really useful? Or any idea?? -- Yuichi Nakamura -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Disabling SELinux by kernel vulnerability 2008-02-12 14:43 Disabling SELinux by kernel vulnerability Yuichi Nakamura @ 2008-02-12 14:59 ` Daniel J Walsh 2008-02-12 15:45 ` Todd Miller 2008-02-12 18:45 ` Stephen Smalley 1 sibling, 1 reply; 9+ messages in thread From: Daniel J Walsh @ 2008-02-12 14:59 UTC (permalink / raw) To: Yuichi Nakamura; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yuichi Nakamura wrote: > Hi. > > I saw an article on slashdot. > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 > > Local exploit code for Linux kernel exists, > exploit code is also disclosed in http://www.milw0rm.com/exploits/5092. > > In the exploit code, only uid is changed to 0. > So, SELinux is not affected. > > However, SELinux can be disabled by overwriting selinux_enforcing to 0. > The address of selinux_enforcing can be seen in /proc/kallsyms, > and I've set the value on the address to 0. > > I tried that on Fedora 8, > and I could disable SELinux(set selinux as permissive) from xguest_t > domain. > > I want to make it more difficult > for attackers to disable SELinux by kernel exploit. > > I think not exporting selinux_enforcing(and selinux_disable) to > /proc/kallsyms is useful. > And /proc/kallsyms is visible from many processes because it is proc_t, > assigning /proc/kallsyms label such as proc_ksym_t may be also useful. > Are they really useful? > Or any idea?? > > -- > Yuichi Nakamura > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. So this exploit, don't you neet to write to /proc? xguest_t should not be allowed to do this? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkextEAACgkQrlYvE4MpobNWWgCg6acsickGQTXcl0xj3YyBYoRn NGUAnR45m3M0yM15igKtZzh6ORQ9CYTQ =64qb -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: Disabling SELinux by kernel vulnerability 2008-02-12 14:59 ` Daniel J Walsh @ 2008-02-12 15:45 ` Todd Miller 2008-02-13 13:19 ` Yuichi Nakamura 0 siblings, 1 reply; 9+ messages in thread From: Todd Miller @ 2008-02-12 15:45 UTC (permalink / raw) To: Daniel J Walsh, Yuichi Nakamura; +Cc: selinux Daniel J Walsh wrote: > So this exploit, don't you neet to write to /proc? xguest_t should > not be allowed to do this? No, you don't need to be able to write to /proc to exploit the bug. Having read access /proc/kallsyms just makes things a little easier for the attacker. Removing the address of selinux_enforcing from kallsyms doesn't stop the attack, it just makes the attacker work a little harder. Note that the modified exploit that uses kallsyms to find the address of vmsplice and then opens /dev/kmem read/write to do its work would be stopped by SELinux. - todd -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Disabling SELinux by kernel vulnerability 2008-02-12 15:45 ` Todd Miller @ 2008-02-13 13:19 ` Yuichi Nakamura 0 siblings, 0 replies; 9+ messages in thread From: Yuichi Nakamura @ 2008-02-13 13:19 UTC (permalink / raw) To: Todd Miller; +Cc: himainu-ynakam, Daniel J Walsh, selinux On Tue, 12 Feb 2008 10:45:41 -0500 "Todd Miller" wrote: > Daniel J Walsh wrote: > > So this exploit, don't you neet to write to /proc? xguest_t should > > not be allowed to do this? > > No, you don't need to be able to write to /proc to exploit the bug. > Having read access /proc/kallsyms just makes things a little easier > for the attacker. Removing the address of selinux_enforcing from > kallsyms doesn't stop the attack, it just makes the attacker work > a little harder. Yes, we do not need write access to /proc/kallsyms. > Note that the modified exploit that uses kallsyms to find the address > of vmsplice and then opens /dev/kmem read/write to do its work would > be stopped by SELinux. Default xguest_t does not allow execution of program on /home so, exploit program can not be executed. I tried exploit with boolean allow_xguest_exec_content on. However, in this case, it is easy to guess address of selinux_enforcing, because the address of selinux_enforcing is the same in another machine, as long as the same kernel binary is used. > > - todd Regards, Yuichi Nakamura -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Disabling SELinux by kernel vulnerability 2008-02-12 14:43 Disabling SELinux by kernel vulnerability Yuichi Nakamura 2008-02-12 14:59 ` Daniel J Walsh @ 2008-02-12 18:45 ` Stephen Smalley 2008-02-13 12:06 ` Waide, Ronan 2008-02-13 13:47 ` Yuichi Nakamura 1 sibling, 2 replies; 9+ messages in thread From: Stephen Smalley @ 2008-02-12 18:45 UTC (permalink / raw) To: Yuichi Nakamura; +Cc: selinux, James Morris, Eric Paris, Daniel J Walsh On Tue, 2008-02-12 at 23:43 +0900, Yuichi Nakamura wrote: > Hi. > > I saw an article on slashdot. > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 > > Local exploit code for Linux kernel exists, > exploit code is also disclosed in http://www.milw0rm.com/exploits/5092. > > In the exploit code, only uid is changed to 0. > So, SELinux is not affected. > > However, SELinux can be disabled by overwriting selinux_enforcing to 0. > The address of selinux_enforcing can be seen in /proc/kallsyms, > and I've set the value on the address to 0. > > I tried that on Fedora 8, > and I could disable SELinux(set selinux as permissive) from xguest_t > domain. > > I want to make it more difficult > for attackers to disable SELinux by kernel exploit. > > I think not exporting selinux_enforcing(and selinux_disable) to > /proc/kallsyms is useful. > And /proc/kallsyms is visible from many processes because it is proc_t, > assigning /proc/kallsyms label such as proc_ksym_t may be also useful. > Are they really useful? > Or any idea?? It would be more useful to just build a kernel with a config that disabled the support for permissive mode and runtime disable altogether; such config options already exist. And you can also omit /proc/kallsyms altogether via kernel config. Labeling /proc/kallsyms with a distinct type is likely feasible, so that could be changed in policy. There is a patch floating around to turn the LSM hook calls into direct SELinux calls so that there is no more security_ops pointer that can be overwritten. But there will still be other critical variables, and SELinux can't protect against kernel vulnerabilities in general. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: Disabling SELinux by kernel vulnerability 2008-02-12 18:45 ` Stephen Smalley @ 2008-02-13 12:06 ` Waide, Ronan 2008-02-13 14:22 ` Stephen Smalley 2008-02-13 13:47 ` Yuichi Nakamura 1 sibling, 1 reply; 9+ messages in thread From: Waide, Ronan @ 2008-02-13 12:06 UTC (permalink / raw) To: Stephen Smalley, Yuichi Nakamura Cc: selinux@tycho.nsa.gov, James Morris, Eric Paris, Daniel J Walsh -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] > On Behalf Of Stephen Smalley > It would be more useful to just build a kernel with a config that > disabled the support for permissive mode and runtime disable > altogether; Is this the current recommended way of preventing SELinux from being switched off? There's a FAQ somewhere that used suggest disabling a particular macro in the policy build (which I can't recall off the top of my head) but by the time I got around to trying it out it on a test system the technique no longer worked. Cheers, Waider. - -- Ronan Waide / waider@amazon.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFHst0lBK4+zUKLsUkRAh5iAJ0YsGzYawUdra5uqxPQD5nJTzQU+wCfWU5D dRfh+aboTpBtCW4q8+6TlT0= =hU46 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: Disabling SELinux by kernel vulnerability 2008-02-13 12:06 ` Waide, Ronan @ 2008-02-13 14:22 ` Stephen Smalley 0 siblings, 0 replies; 9+ messages in thread From: Stephen Smalley @ 2008-02-13 14:22 UTC (permalink / raw) To: Waide, Ronan Cc: Yuichi Nakamura, selinux@tycho.nsa.gov, James Morris, Eric Paris, Daniel J Walsh On Wed, 2008-02-13 at 12:06 +0000, Waide, Ronan wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] > > On Behalf Of Stephen Smalley > > It would be more useful to just build a kernel with a config that > > disabled the support for permissive mode and runtime disable > > altogether; > > Is this the current recommended way of preventing SELinux from being > switched off? There's a FAQ somewhere that used suggest disabling a > particular macro in the policy build (which I can't recall off the top > of my head) but by the time I got around to trying it out it on a test > system the technique no longer worked. The policy-based approach only controls the ability to change enforcing mode or reload policy via the corresponding kernel interfaces. I think the secure_mode_policyload boolean exists in current policy to let you disable the ability to change enforcing mode or reload policy. But that doesn't help with exploitation of a kernel flaw that permits writing to kernel memory, which is what we are talking about here. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Disabling SELinux by kernel vulnerability 2008-02-12 18:45 ` Stephen Smalley 2008-02-13 12:06 ` Waide, Ronan @ 2008-02-13 13:47 ` Yuichi Nakamura 2008-02-13 14:47 ` Stephen Smalley 1 sibling, 1 reply; 9+ messages in thread From: Yuichi Nakamura @ 2008-02-13 13:47 UTC (permalink / raw) To: Stephen Smalley Cc: himainu-ynakam, selinux, James Morris, Eric Paris, Daniel J Walsh On Tue, 12 Feb 2008 13:45:12 -0500 Stephen Smalley wrote: > > On Tue, 2008-02-12 at 23:43 +0900, Yuichi Nakamura wrote: > > Hi. > > > > I saw an article on slashdot. > > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 > > > > Local exploit code for Linux kernel exists, > > exploit code is also disclosed in http://www.milw0rm.com/exploits/5092. > > > > In the exploit code, only uid is changed to 0. > > So, SELinux is not affected. > > > > However, SELinux can be disabled by overwriting selinux_enforcing to 0. > > The address of selinux_enforcing can be seen in /proc/kallsyms, > > and I've set the value on the address to 0. > > > > I tried that on Fedora 8, > > and I could disable SELinux(set selinux as permissive) from xguest_t > > domain. > > > > I want to make it more difficult > > for attackers to disable SELinux by kernel exploit. > > > > I think not exporting selinux_enforcing(and selinux_disable) to > > /proc/kallsyms is useful. > > And /proc/kallsyms is visible from many processes because it is proc_t, > > assigning /proc/kallsyms label such as proc_ksym_t may be also useful. > > Are they really useful? > > Or any idea?? > > It would be more useful to just build a kernel with a config that > disabled the support for permissive mode and runtime disable altogether; > such config options already exist. And you can also omit /proc/kallsyms > altogether via kernel config. > > Labeling /proc/kallsyms with a distinct type is likely feasible, so that > could be changed in policy. Many people do not want to recompile kernel, so this looks more useful. But I am not sure whether this is really useful or not. In my environment(Fedora 8), the address of selinux_enforcing is the same in every boot. So I guess the address of selinux_enforcing is the same in the same kernel binary. The same kernel binary is used in Fedora, so attacker see the address of selinux_enforcing in his own Fedora, and he can use the address in other Fedora machines. If this is correct, it makes no sense to give different label for /proc/kallsyms. > There is a patch floating around to turn the LSM hook calls into direct > SELinux calls so that there is no more security_ops pointer that can be > overwritten. But there will still be other critical variables, and > SELinux can't protect against kernel vulnerabilities in general. Yes, basically it is correct. But making attack harder is good thing. > > -- > Stephen Smalley > National Security Agency > > Regards, Yuichi Nakamura -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Disabling SELinux by kernel vulnerability 2008-02-13 13:47 ` Yuichi Nakamura @ 2008-02-13 14:47 ` Stephen Smalley 0 siblings, 0 replies; 9+ messages in thread From: Stephen Smalley @ 2008-02-13 14:47 UTC (permalink / raw) To: Yuichi Nakamura; +Cc: selinux, James Morris, Eric Paris, Daniel J Walsh On Wed, 2008-02-13 at 22:47 +0900, Yuichi Nakamura wrote: > > On Tue, 12 Feb 2008 13:45:12 -0500 > Stephen Smalley wrote: > > > > On Tue, 2008-02-12 at 23:43 +0900, Yuichi Nakamura wrote: > > > Hi. > > > > > > I saw an article on slashdot. > > > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 > > > > > > Local exploit code for Linux kernel exists, > > > exploit code is also disclosed in http://www.milw0rm.com/exploits/5092. > > > > > > In the exploit code, only uid is changed to 0. > > > So, SELinux is not affected. > > > > > > However, SELinux can be disabled by overwriting selinux_enforcing to 0. > > > The address of selinux_enforcing can be seen in /proc/kallsyms, > > > and I've set the value on the address to 0. > > > > > > I tried that on Fedora 8, > > > and I could disable SELinux(set selinux as permissive) from xguest_t > > > domain. > > > > > > I want to make it more difficult > > > for attackers to disable SELinux by kernel exploit. > > > > > > I think not exporting selinux_enforcing(and selinux_disable) to > > > /proc/kallsyms is useful. > > > And /proc/kallsyms is visible from many processes because it is proc_t, > > > assigning /proc/kallsyms label such as proc_ksym_t may be also useful. > > > Are they really useful? > > > Or any idea?? > > > > It would be more useful to just build a kernel with a config that > > disabled the support for permissive mode and runtime disable altogether; > > such config options already exist. And you can also omit /proc/kallsyms > > altogether via kernel config. > > > > Labeling /proc/kallsyms with a distinct type is likely feasible, so that > > could be changed in policy. > Many people do not want to recompile kernel, > so this looks more useful. > > But I am not sure whether this is really useful or not. > In my environment(Fedora 8), > the address of selinux_enforcing is the same in every boot. > So I guess the address of selinux_enforcing is the same in the same kernel binary. > The same kernel binary is used in Fedora, > so attacker see the address of selinux_enforcing in his own Fedora, > and he can use the address in other Fedora machines. > If this is correct, it makes no sense to give different label for /proc/kallsyms. Correct - you'd need to either eliminate selinux_enforcing (and certain other variables) altogether, or you'd need to somehow make them read-only after initial setting. If going the separate label route, rather than introducing a separate type for /proc/kallsyms, you could possibly just re-use the type of /boot/System.map*. > > There is a patch floating around to turn the LSM hook calls into direct > > SELinux calls so that there is no more security_ops pointer that can be > > overwritten. But there will still be other critical variables, and > > SELinux can't protect against kernel vulnerabilities in general. > Yes, basically it is correct. > But making attack harder is good thing. > > > > > -- > > Stephen Smalley > > National Security Agency > > > > > > Regards, > Yuichi Nakamura > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2008-02-13 14:47 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-02-12 14:43 Disabling SELinux by kernel vulnerability Yuichi Nakamura 2008-02-12 14:59 ` Daniel J Walsh 2008-02-12 15:45 ` Todd Miller 2008-02-13 13:19 ` Yuichi Nakamura 2008-02-12 18:45 ` Stephen Smalley 2008-02-13 12:06 ` Waide, Ronan 2008-02-13 14:22 ` Stephen Smalley 2008-02-13 13:47 ` Yuichi Nakamura 2008-02-13 14:47 ` Stephen Smalley
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.