From: Casey Schaufler <casey@schaufler-ca.com>
To: russell@coker.com.au
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Oren Laadan <orenl@cs.columbia.edu>,
Linux Containers <containers@lists.osdl.org>,
linux-security-module@vger.kernel.org,
SELinux <selinux@tycho.nsa.gov>,
"Eric W. Biederman" <ebiederm@xmission.com>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag
Date: Wed, 02 Sep 2009 09:36:36 -0700 [thread overview]
Message-ID: <4A9E9F14.2010103@schaufler-ca.com> (raw)
In-Reply-To: <200909012229.48973.russell@coker.com.au>
Russell Coker wrote:
> On Mon, 31 Aug 2009, Casey Schaufler <casey@schaufler-ca.com> wrote:
>
>> I seem to be having some trouble presenting my point. It's not about
>> the passwords. It's not about the firewall configuration. It's not
>> even really about the SELinux policy. It's about the total security
>> configuration of the system. This is a problem with checkpoint/restart
>> in general and there isn't much we can do about reassigning user id
>> and other bad things that can happen.
>>
>> If the admin decides that an action is acceptable because the SELinux
>> policy prevents some other action it had better be the case that a
>> process was never allowed to perform that "other action". If you allow
>> restart across policy changes you can't be sure that the process has
>> not performed such an "other action". Processes are not stateless.
>>
>
> Of course we potentially have the same issue when changing a boolean, and when
> loading a new policy on a running system. In a realistic scenario, if you
> make a change that allows a process context to write to a public data store
> while at the same time denying read access to secret data then you also need
> to purge the contents of any files that the process may open for read/write.
>
> Similar problems can also occur using Unix permissions and certain
> combinations of chmod with setuid/setgid bits. Of course most potential
> cases of triggering this issue with Unix permissions are extremely contrived
> and wouldn't be a likely attack scenario. The best example I can think of
> with Unix permissions is access to sound devices. If a system is configured
> to add the "audio" supplementary group to a user's session when they login at
> the console then they can keep a detached process running to maintain access
> to the audio devices (and anything else permitted to that group).
>
Checkpoint/restart has traditionally been interesting in the
mainframe and supercomputer space. These environments have very
different security profiles from a user desktop. No one at the
[.......] National Supercomputer Centre cares if you can save
your rogue game as soon as you pick up the Amulet of Yendor and
restart it if you get killed on the way up. These environments
are concerned with leaking data between the groups that have
funded the facility, which is why they are very often customers
of advanced access control technologies. I don't know that I see
a really good security story for C/R in the desktop space, and
as Russell points out, there are plenty of opportunities to
exploit the feature. This is of course well outside the scope of
what goes on within an LSM, where the specific issues are more
or less contained.
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: russell@coker.com.au
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Oren Laadan <orenl@cs.columbia.edu>,
Linux Containers <containers@lists.osdl.org>,
linux-security-module@vger.kernel.org,
SELinux <selinux@tycho.nsa.gov>,
"Eric W. Biederman" <ebiederm@xmission.com>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag
Date: Wed, 02 Sep 2009 09:36:36 -0700 [thread overview]
Message-ID: <4A9E9F14.2010103@schaufler-ca.com> (raw)
In-Reply-To: <200909012229.48973.russell@coker.com.au>
Russell Coker wrote:
> On Mon, 31 Aug 2009, Casey Schaufler <casey@schaufler-ca.com> wrote:
>
>> I seem to be having some trouble presenting my point. It's not about
>> the passwords. It's not about the firewall configuration. It's not
>> even really about the SELinux policy. It's about the total security
>> configuration of the system. This is a problem with checkpoint/restart
>> in general and there isn't much we can do about reassigning user id
>> and other bad things that can happen.
>>
>> If the admin decides that an action is acceptable because the SELinux
>> policy prevents some other action it had better be the case that a
>> process was never allowed to perform that "other action". If you allow
>> restart across policy changes you can't be sure that the process has
>> not performed such an "other action". Processes are not stateless.
>>
>
> Of course we potentially have the same issue when changing a boolean, and when
> loading a new policy on a running system. In a realistic scenario, if you
> make a change that allows a process context to write to a public data store
> while at the same time denying read access to secret data then you also need
> to purge the contents of any files that the process may open for read/write.
>
> Similar problems can also occur using Unix permissions and certain
> combinations of chmod with setuid/setgid bits. Of course most potential
> cases of triggering this issue with Unix permissions are extremely contrived
> and wouldn't be a likely attack scenario. The best example I can think of
> with Unix permissions is access to sound devices. If a system is configured
> to add the "audio" supplementary group to a user's session when they login at
> the console then they can keep a detached process running to maintain access
> to the audio devices (and anything else permitted to that group).
>
Checkpoint/restart has traditionally been interesting in the
mainframe and supercomputer space. These environments have very
different security profiles from a user desktop. No one at the
[.......] National Supercomputer Centre cares if you can save
your rogue game as soon as you pick up the Amulet of Yendor and
restart it if you get killed on the way up. These environments
are concerned with leaking data between the groups that have
funded the facility, which is why they are very often customers
of advanced access control technologies. I don't know that I see
a really good security story for C/R in the desktop space, and
as Russell points out, there are plenty of opportunities to
exploit the feature. This is of course well outside the scope of
what goes on within an LSM, where the specific issues are more
or less contained.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-09-02 16:36 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-28 21:00 [PATCH 1/5] cr: define ckpt_debug if CONFIG_CHECKPOINT=n Serge E. Hallyn
2009-08-28 21:02 ` [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag Serge E. Hallyn
2009-08-28 21:02 ` Serge E. Hallyn
2009-08-28 21:03 ` [PATCH 1/1] mktree: accept the lsm_name field in header and add -k flag Serge E. Hallyn
2009-08-28 21:03 ` Serge E. Hallyn
2009-08-29 4:43 ` [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag Casey Schaufler
2009-08-29 4:43 ` Casey Schaufler
2009-08-29 22:59 ` Serge E. Hallyn
2009-08-29 22:59 ` Serge E. Hallyn
2009-08-30 0:03 ` Casey Schaufler
2009-08-30 0:03 ` Casey Schaufler
2009-08-30 13:48 ` Serge E. Hallyn
2009-08-30 13:48 ` Serge E. Hallyn
2009-08-30 18:58 ` Casey Schaufler
2009-08-30 18:58 ` Casey Schaufler
2009-08-30 20:24 ` Serge E. Hallyn
2009-08-30 20:24 ` Serge E. Hallyn
2009-08-30 21:43 ` Casey Schaufler
2009-08-30 21:43 ` Casey Schaufler
2009-08-31 13:22 ` Serge E. Hallyn
2009-08-31 13:22 ` Serge E. Hallyn
2009-08-31 13:36 ` Serge E. Hallyn
2009-08-31 13:36 ` Serge E. Hallyn
2009-09-01 5:51 ` Casey Schaufler
2009-09-01 5:51 ` Casey Schaufler
[not found] ` <4A9ACBD4.4020804-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-09-01 12:29 ` Russell Coker
2009-09-01 12:29 ` Russell Coker
2009-09-02 16:36 ` Casey Schaufler [this message]
2009-09-02 16:36 ` Casey Schaufler
2009-09-02 18:55 ` Shaya Potter
2009-09-02 22:27 ` Casey Schaufler
2009-09-02 22:27 ` Casey Schaufler
2009-08-28 21:04 ` [PATCH 3/5] cr: add generic LSM c/r support Serge E. Hallyn
2009-08-28 21:04 ` Serge E. Hallyn
2009-08-29 4:30 ` Casey Schaufler
2009-08-29 4:30 ` Casey Schaufler
2009-08-29 22:41 ` Serge E. Hallyn
2009-08-29 22:41 ` Serge E. Hallyn
2009-08-29 23:40 ` Casey Schaufler
2009-08-29 23:40 ` Casey Schaufler
2009-08-30 13:58 ` Serge E. Hallyn
2009-08-30 13:58 ` Serge E. Hallyn
2009-08-30 19:03 ` Casey Schaufler
2009-08-30 19:03 ` Casey Schaufler
2009-08-30 20:26 ` Serge E. Hallyn
2009-08-30 20:26 ` Serge E. Hallyn
[not found] ` <4A9ACD0A.9050004-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-08-31 12:45 ` Stephen Smalley
2009-08-31 12:45 ` Stephen Smalley
2009-09-01 5:49 ` Casey Schaufler
2009-09-01 5:49 ` Casey Schaufler
2009-09-04 13:38 ` Serge E. Hallyn
2009-09-04 13:38 ` Serge E. Hallyn
2009-08-28 21:04 ` [PATCH 4/5] cr: add smack support to lsm c/r Serge E. Hallyn
2009-08-28 21:04 ` Serge E. Hallyn
2009-08-28 21:05 ` [PATCH 5/5] cr: add selinux support Serge E. Hallyn
2009-08-28 21:05 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A9E9F14.2010103@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.osdl.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=linux-security-module@vger.kernel.org \
--cc=orenl@cs.columbia.edu \
--cc=russell@coker.com.au \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.