Re: [PATCH] BSD Secure Levels: claim block dev in file struct rather than inode struct, 2.6.11-rc2-mm1 (3/8)

[Michael Halcrow <mhalcrow@us.ibm.com>]

[-- Attachment #1: Type: text/plain, Size: 1770 bytes --]

On Mon, Feb 07, 2005 at 02:26:03PM -0800, Chris Wright wrote:
> * Michael Halcrow (mhalcrow@us.ibm.com) wrote:
> > This is the third in a series of eight patches to the BSD Secure
> > Levels LSM.  It moves the claim on the block device from the inode
> > struct to the file struct in order to address a potential
> > circumvention of the control via hard links to block devices.  Thanks
> > to Serge Hallyn for pointing this out.
> 
> Hard links still point to same inode, what's the issue that this
> addresses?

Actually, it turns out that hard links have nothing to do with the
vulnerability that this patch addresses:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>

int main()
{
        int fd1, fd2;
        int rc;
        fd1 = open( "/dev/device", O_RDONLY );
        fd2 = open( "/dev/device", O_RDWR );
        close(fd1);
        getchar();
        rc = write( fd2, "0", 1 );
        printf( "write result: [%d]\n", rc );
        close( fd2 );
        return 0;
}

While the program is waiting for a keystroke, mount the block device.
Enter a keystroke.  The result without the patch is 1, which is a
security violation.  This occurs because the bd_release function will
bd_release(bdev) and set inode->i_security to NULL on the close(fd1).
Hence, we want to place the control at the level of the file struct,
not the inode.

Mike
.___________________________________________________________________.
                         Michael A. Halcrow                          
       Security Software Engineer, IBM Linux Technology Center       
GnuPG Fingerprint: 05B5 08A8 713A 64C1 D35D  2371 2D3C FDDA 3EB6 601D

The hokey pokey... What if that's really what it's all about? 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]