From mboxrd@z Thu Jan 1 00:00:00 1970 From: Pavel Machek Subject: Re: [AppArmor 39/41] AppArmor: Profile loading and manipulation, pathname matching Date: Mon, 16 Apr 2007 09:39:40 +0200 Message-ID: <20070416073940.GA2146@elf.ucw.cz> References: <20070412090809.917795000@suse.de> <20070412090849.465428000@suse.de> <200704151621.52906.agruen@suse.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Andi Kleen , jjohansen@suse.de, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, chrisw@sous-sol.org To: Andreas Gruenbacher Return-path: Content-Disposition: inline In-Reply-To: <200704151621.52906.agruen@suse.de> Sender: linux-security-module-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Hi! > > > + > > > + /* get optional subprofiles */ > > > + if (aa_is_nameX(e, AA_LIST, "hats")) { > > > + while (!aa_is_nameX(e, AA_LISTEND, NULL)) { > > > + struct aa_profile *subprofile; > > > + subprofile = aa_unpack_profile(e); > > > > Is there any check that would guard the recursion from stack > > overflow on malicious input? > > It's nice to check for consistency though, so we're adding that. Profile > loading is a trusted operation, at least so far, and so security wise we > don't actually have to care --- if loading an invalid profile can bring down > the system, then that's no worse than an arbitrary module that crashes the > machine. Not sure if there will ever be user loadable profiles; at least at > that point we had to care. It is not a _security_ problem, but face it, mount("/very weird filename") is not expected to crash the kernel, either. It is quality-of-impelmentation problem. -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html