From: William Lee Irwin III <wli@holomorphy.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Marc-Christian Petersen <m.c.p@wolk-project.de>,
lkml <linux-kernel@vger.kernel.org>,
Andrea Arcangeli <andrea@suse.de>, Andrew Morton <akpm@osdl.org>,
kenneth.w.chen@intel.com, Chris Wright <chrisw@osdl.org>
Subject: Re: disable-cap-mlock
Date: Thu, 1 Apr 2004 11:26:12 -0800
Message-ID: <20040401192612.GL791@holomorphy.com>
In-Reply-To: <1080845238.25431.196.camel@moss-spartans.epoch.ncsc.mil>
On Thu, Apr 01, 2004 at 01:47:18PM -0500, Stephen Smalley wrote:
> Some form of control over changing the sysctl settings (beyond just the
> mode) should be provided; otherwise, the module is too unsafe by itself
> for real use, and you can't assume that people will only use it stacked
> with SELinux (which could control such changes). Allowing the settings
> to be locked as mcp suggested sounds simple and sufficient for the
> proposed use; they can disable their desired capability and then lock in
> /sbin/init. For greater generality, I'd suggest adding a new capability
> to control the ability to set the capability sysctls, but then we are in
> a vicious cycle...
Okay, done.
Misc fix thrown in: the policies beyond enabled/disabled were wrongly
set up in minmax' args, so this throws the real max in the table.
-- wli
Index: mm4-2.6.5-rc3/security/sysctl_capable.c
===================================================================
--- mm4-2.6.5-rc3.orig/security/sysctl_capable.c 2004-04-01 10:11:53.000000000 -0800
+++ mm4-2.6.5-rc3/security/sysctl_capable.c 2004-04-01 11:24:44.000000000 -0800
@@ -43,6 +43,7 @@
#define CAP_SYSCTL_MKNOD (1 + CAP_MKNOD)
#define CAP_SYSCTL_LEASE (1 + CAP_LEASE)
#define MAX_CAPABILITY CAP_SYSCTL_LEASE
+#define CAP_SYSCTL_LOCKDOWN (1 + MAX_CAPABILITY)
#define CAPABILITY_SYSCTL_ENABLED 0
#define CAPABILITY_SYSCTL_DISABLED 1
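Review bot: CAP_SYSCTL_LOCKDOWN is defined as `(1 + MAX_CAPABILITY)`, and MAX_CAPABILITY is CAP_SYSCTL_LEASE, which is itself `(1 + CAP_LEASE)`, so the lockdown entry's ctl_name moves whenever a capability is appended to the kernel's CAP_* list, exactly as every other CAP_SYSCTL_* number in this table does. ctl_name values are the binary sysctl(2) ABI, so either give the lockdown entry a fixed number or add a comment next to these defines stating that the numbering is not stable across kernel versions. A one-line comment that the `1 +` offset exists because `.ctl_name = 0` terminates the table would also help the next reader.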
@@ -56,19 +57,22 @@
.ctl_name = CAP_SYSCTL_##x, \
.procname = #y , \
.extra1 = (void *)&capability_sysctl_zero, \
- .extra2 = (void *)&capability_sysctl_one, \
+ .extra2 = (void *)&capability_sysctl_three, \
.data = &capability_sysctl_state[CAP_##x], \
.mode = 0644, \
.strategy = sysctl_intvec, \
- .proc_handler = proc_dointvec_minmax, \
+ .proc_handler = capability_sysctl_handler, \
.maxlen = sizeof(int), \
},
static int capability_sysctl_state[MAX_CAPABILITY];
static const int capability_sysctl_zero = 0;
static const int capability_sysctl_one = 1;
-static int secondary;
+static const int capability_sysctl_three = 3;
+static int secondary, lockdown;
static struct ctl_table_header *capability_sysctl_table_header;
+static int capability_sysctl_handler(struct ctl_table *, int,
+ struct file *, void __user *, size_t *);
static struct ctl_table capability_sysctl_table[] = {
MKCTL(CHOWN, chown)
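Review bot: `capability_sysctl_three` used as `.extra2` in MKCTL is a magic upper bound that duplicates knowledge of how many policy values exist; the hunk defines CAPABILITY_SYSCTL_ENABLED 0 and CAPABILITY_SYSCTL_DISABLED 1 just above but nothing names the last valid policy. Define a CAPABILITY_SYSCTL_MAX alongside those and initialise the bound from it (`static const int capability_sysctl_max = CAPABILITY_SYSCTL_MAX;`) so the range check cannot drift from the policy list again, which is the very bug the cover note says this change repairs. Also worth noting in a comment that the forward declaration of `capability_sysctl_handler` is needed only because MKCTL references it before the table, so a later move of the handler above the table can drop it.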
@@ -101,6 +105,17 @@
MKCTL(MKNOD, mknod)
MKCTL(LEASE, lease)
{
+ .ctl_name = CAP_SYSCTL_LOCKDOWN,
+ .procname = "lockdown",
+ .extra1 = (void *)&capability_sysctl_zero,
+ .extra2 = (void *)&capability_sysctl_one,
+ .data = &lockdown,
+ .mode = 0644,
+ .strategy = sysctl_intvec,
+ .proc_handler = capability_sysctl_handler,
+ .maxlen = sizeof(int),
+ },
+ {
.ctl_name = 0,
},
};
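Review bot: because the lockdown entry uses `capability_sysctl_handler` as its own `.proc_handler`, once `lockdown` is set to 1 a write to lockdown itself is refused too, so the flag is a one-way latch until the module is unloaded. That is the behaviour Stephen asked for (disable, then lock in /sbin/init), but it is not obvious from the table and deserves a comment at the entry, and the module's documentation should say that the only way back is a reboot or module unload. With `.extra1`/`.extra2` bounding the value to 0 or 1 the `.mode = 0644` is fine; consider `0600` if there is no reason for unprivileged users to read the policy state.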
@@ -138,6 +153,14 @@
.vm_enough_memory = cap_vm_enough_memory,
};
+static int capability_sysctl_handler(struct ctl_table *table,
+ int write, struct file *file, void __user *buf, size_t *length)
+{
+ if (lockdown && write)
+ return -EINVAL;
+ else
+ return proc_dointvec_minmax(table, write, file, buf, length);
+}
static int capability_sysctl_capable(task_t *task, int cap)
{
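Review bot: the lockdown check lives only in `.proc_handler`, which is the /proc/sys write path; every entry in the table above keeps `.strategy = sysctl_intvec`, which is what the binary sysctl(2) path calls before the kernel copies the new value into `.data` on its own, and nothing in that path consults `lockdown` as this hunk stands. So a capability policy, and the lockdown flag itself, can still be changed through sysctl(2) after locking. Suggest adding a `capability_sysctl_strategy` that returns an error when `lockdown` is set and a new value is supplied (non-NULL `newval` / non-zero `newlen`), falls through to `sysctl_intvec` otherwise, and is installed as `.strategy` for every entry including lockdown. Separately, `-EINVAL` is the wrong return for a policy refusal, since the value is valid and it is the write that is locked out; `-EPERM` is the conventional choice. The `else` after `return -EINVAL;` is redundant and can go.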