public inbox for linux-kernel@vger.kernel.org
* LSM root_plug module questions
@ 2005-08-30 21:31 David Härdeman
  2005-08-30 21:55 ` Chris Wright
  0 siblings, 1 reply; 4+ messages in thread
From: David Härdeman @ 2005-08-30 21:31 UTC
  To: linux-kernel

Hi,

I'm currently playing around with the security/root_plug.c LSM module 
and I have two questions:

1) What's the recommended way of telling that someone is logging in to 
the computer (via ssh, virtual console, serial console, X, whatever) 
with LSM? Look for open() on /dev/pts?

2) root_plug currently scans the usb device tree looking for the 
appropriate device each time it's needed. In the interest of making the 
result of the lookup cached, is it possible for a module to register so 
that it is notified when a usb device is added/removed?

Regards,
David



* Re: LSM root_plug module questions
  2005-08-30 21:31 LSM root_plug module questions David Härdeman
@ 2005-08-30 21:55 ` Chris Wright
  2005-08-30 22:38   ` Crispin Cowan
  2005-08-31  8:04   ` David Härdeman
  0 siblings, 2 replies; 4+ messages in thread
From: Chris Wright @ 2005-08-30 21:55 UTC
  To: David Härdeman; +Cc: linux-kernel, linux-security-module

* David Härdeman (david@2gen.com) wrote:
> I'm currently playing around with the security/root_plug.c LSM module 
> and I have two questions:

you'll have better luck on the lsm list 

> 1) What's the recommended way of telling that someone is logging in to 
> the computer (via ssh, virtual console, serial console, X, whatever) 
> with LSM? Look for open() on /dev/pts?

logging in...this is really a userspace notion, so via PAM.  creating a
new process or changing credentials of a new process are the types of
things that lsm watches (and of course, opening of files).

> 2) root_plug currently scans the usb device tree looking for the 
> appropriate device each time it's needed. In the interest of making the 
> result of the lookup cached, is it possible for a module to register so 
> that it is notified when a usb device is added/removed?

I don't think that can be done in a race free manner.  Perhaps get the
device and check its state, but you'd have to ask usb folks.  ATM, it's
only checked during exec of root process.


* Re: LSM root_plug module questions
  2005-08-30 21:55 ` Chris Wright
@ 2005-08-30 22:38   ` Crispin Cowan
  2005-08-31  8:04   ` David Härdeman
  1 sibling, 0 replies; 4+ messages in thread
From: Crispin Cowan @ 2005-08-30 22:38 UTC
  To: Chris Wright; +Cc: David Härdeman, linux-kernel, linux-security-module

Chris Wright wrote:
> * David Härdeman (david@2gen.com) wrote:
>   
>> 2) root_plug currently scans the usb device tree looking for the 
>> appropriate device each time it's needed. In the interest of making the 
>> result of the lookup cached, is it possible for a module to register so 
>> that it is notified when a usb device is added/removed?
>>     
> I don't think that can be done in a race free manner.  Perhaps get the
> device and check its state, but you'd have to ask usb folks.  ATM, it's
> only checked during exec of root process.
>   
Why do you want to optimize root_plug's scan for the device? Are you
planning on logging in thousands of times per second? If it was a big
RADIUS or SSO server, that would make sense, but this is the "are you
physically present at the console?" login security, so I submit that it
happens at most a couple of times per minute, and from there it does not
matter if it takes a second or two to scan the USB devices.

OTOH, it looks from the above comments that the root_plug may be checked
on *all* exec's of root processes. If that is the case, then you do have
more of an optimization issue. However, I then submit that the correct
optimization is to choke down the check so that it is only performed on
root exec's that represent logins rather than all execs, instead of
trying to make the check go faster.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com



* Re: LSM root_plug module questions
  2005-08-30 21:55 ` Chris Wright
  2005-08-30 22:38   ` Crispin Cowan
@ 2005-08-31  8:04   ` David Härdeman
  1 sibling, 0 replies; 4+ messages in thread
From: David Härdeman @ 2005-08-31  8:04 UTC
  To: chrisw; +Cc: linux-kernel, linux-security-module

Chris Wright (chrisw@osdl.org) wrote:
> * David Härdeman (david@2gen.com) wrote:
> > I'm currently playing around with the security/root_plug.c LSM module
> you'll have better luck on the lsm list

Thanks for the pointer

> > 1) What's the recommended way of telling that someone is logging in to
> > the computer (via ssh, virtual console, serial console, X, whatever)
> > with LSM? Look for open() on /dev/pts?
>
> logging in...this is really a userspace notion, so via PAM.  creating a
> new process or changing credentials of a new process are the types of
> things that lsm watches (and of course, opening of files).

Yes, I realized that by reading the include/linux/security.h comments
describing the security hooks. The question is rather if there is something
which all the different methods of logging in have in common that can be
caught with a LSM hook?

> > 2) root_plug currently scans the usb device tree looking for the
> > appropriate device each time it's needed. In the interest of making the
> > result of the lookup cached, is it possible for a module to register so
> > that it is notified when a usb device is added/removed?
>
> I don't think that can be done in a race free manner.  Perhaps get the
> device and check its state, but you'd have to ask usb folks.  ATM, it's
> only checked during exec of root process.

The reason that I wanted to do caching is that I want to add more checks
to the root_plug module. For instance, to deny all socket accept() and
connect() calls when the USB module is missing (to not break already
established connections but not allow any new ones, e.g. to lock out any
new SSH sessions).

I'm assuming that this could introduce the need for some kind of caching
of the results of the USB-device-present check as the number of checks
increases.

Regards,
David
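
Added example, not part of the thread and not code from root_plug.c: a userspace C model of the cached design discussed above, where a device add/remove callback maintains a presence flag and the exec, connect() and accept() hooks read it instead of rescanning the USB tree. The vendor/product IDs, event codes and all function names are hypothetical, and the callback is assumed to be invoked serially.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder IDs for the token device (not from the thread). */
#define TOKEN_VENDOR  0x1234
#define TOKEN_PRODUCT 0x5678

enum usb_event { USB_EV_ADD, USB_EV_REMOVE };   /* hypothetical event codes */

/* Cached result: number of matching tokens attached. Starts at 0, so the
 * policy fails closed until an add event has been seen. */
static atomic_int tokens_present;

/* Hypothetical notifier callback; the only writer of the cache. */
void token_usb_event(enum usb_event ev, uint16_t vendor, uint16_t product)
{
    if (vendor != TOKEN_VENDOR || product != TOKEN_PRODUCT)
        return;                                  /* unrelated device */
    if (ev == USB_EV_ADD)
        atomic_fetch_add(&tokens_present, 1);
    else if (atomic_load(&tokens_present) > 0)   /* ignore spurious removes */
        atomic_fetch_sub(&tokens_present, 1);
}

/* O(1) check shared by every hook, replacing the device-tree scan. */
static int token_check(void)
{
    return atomic_load(&tokens_present) > 0 ? 0 : -EPERM;
}

/* Hook models: consulted only when a NEW connection or a root exec is
 * attempted, so sockets that are already established are never revisited. */
int hook_socket_connect(void) { return token_check(); }
int hook_socket_accept(void)  { return token_check(); }
int hook_root_exec(unsigned int uid) { return uid == 0 ? token_check() : 0; }

int main(void)
{
    token_usb_event(USB_EV_ADD, TOKEN_VENDOR, TOKEN_PRODUCT);
    int with_token = hook_socket_connect();
    token_usb_event(USB_EV_REMOVE, TOKEN_VENDOR, TOKEN_PRODUCT);
    int without_token = hook_socket_connect();
    printf("token present: %d, token removed: %d\n", with_token, without_token);
    return (with_token == 0 && without_token == -EPERM) ? 0 : 1;
}
```

The cached flag can be stale in the window between the device being unplugged and the remove event being delivered, so a hook that runs in that window still sees the token as present.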

