linux-kernel.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Greg KH <gregkh@linuxfoundation.org>,
	Daniel Mack <daniel@zonque.org>,
	Djalal Harouni <tixxdz@opendz.org>,
	lkml <linux-kernel@vger.kernel.org>,
	LSM <linux-security-module@vger.kernel.org>,
	Paul Osmialowski <p.osmialowsk@samsung.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Paul Moore <paul@paul-moore.com>
Subject: kdbus:  credential faking
Date: Thu, 09 Jul 2015 14:26:08 -0400
Message-ID: <559EBCC0.7040604@tycho.nsa.gov>

Hi,

I have a concern with the support for faked credentials in kdbus, but
don't know enough about the original motivation or intended use case to
evaluate it concretely.  I raised this issue during the "kdbus for
4.1-rc1" thread a while back but none of the kdbus maintainers
responded, and the one D-BUS maintainer who did respond said that there
is no API in dbus-daemon for faking client credentials, so this is not
something inherited from dbus-daemon or required for compatibility with it.

First, I have doubts as to whether there should be any way to fake the
seclabel, no matter how "privileged" the caller.  Unless there is a
clear use case for that functionality, I would prefer to see it dropped
altogether.

Second, IIUC, the ability to fake any portion of the credentials or pids
is granted if the caller either has CAP_IPC_OWNER or owns the bus (uid
match).  Clearly that isn't sufficient basis for seclabel faking, and it
seems questionable as to whether it should be sufficient for faking any
of the other credentials or pids.  Compare with e.g.
net/core/scm.c:scm_check_creds() logic for faking credentials on a Unix
domain socket, which requires CAP_SYS_ADMIN for faking pid, CAP_SETUID
for faking any of the uid fields, and CAP_SETGID for faking any of the
gid fields.

Thanks for any light you can shed on the matter.
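
Added example, not part of the original message and not kernel code: a userspace C model of the two authorization rules the message compares, per-field capability gating as described for scm_check_creds() versus the single gate the message attributes to kdbus. The struct layouts, the M_* capability bits, the function names, the choice of euid for the bus-owner match, and the sample values are assumptions made for illustration; seclabel is left out of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Capability bits for this model only (not the kernel's CAP_* numbering). */
enum { M_SYS_ADMIN = 1, M_SETUID = 2, M_SETGID = 4, M_IPC_OWNER = 8 };

struct caller {                 /* the sending task (hypothetical layout) */
    pid_t pid;
    uid_t uid, euid, suid;
    gid_t gid, egid, sgid;
    unsigned caps;
};
struct claim { pid_t pid; uid_t uid; gid_t gid; };  /* credentials to attach */

/* Per-field gating, as the message describes for Unix domain sockets: each
 * claimed field must be the caller's own or be covered by its own capability. */
int model_scm_check(const struct caller *c, const struct claim *w)
{
    bool pid_ok = w->pid == c->pid || (c->caps & M_SYS_ADMIN);
    bool uid_ok = w->uid == c->uid || w->uid == c->euid || w->uid == c->suid ||
                  (c->caps & M_SETUID);
    bool gid_ok = w->gid == c->gid || w->gid == c->egid || w->gid == c->sgid ||
                  (c->caps & M_SETGID);
    return (pid_ok && uid_ok && gid_ok) ? 0 : -EPERM;
}

/* Single coarse gate, as the message understands kdbus ("IIUC"): CAP_IPC_OWNER
 * or a uid match with the bus owner permits faking any field. Comparing euid
 * is an assumption of this model. */
int model_kdbus_check(const struct caller *c, uid_t bus_owner,
                      const struct claim *w)
{
    (void)w;                    /* the claimed values are never examined */
    return ((c->caps & M_IPC_OWNER) || c->euid == bus_owner) ? 0 : -EPERM;
}

/* Constructed samples: an unprivileged uid 1000 task that owns its own bus. */
static const struct caller sample_owner = {4242, 1000, 1000, 1000, 1000, 1000, 1000, 0};
static const struct claim sample_fake = {1, 0, 0};        /* pid 1, uid/gid 0 */
static const struct claim sample_self = {4242, 1000, 1000};

int main(void)
{
    printf("scm-style, fake claim:   %d\n", model_scm_check(&sample_owner, &sample_fake));
    printf("kdbus-style, fake claim: %d\n", model_kdbus_check(&sample_owner, 1000, &sample_fake));
    printf("scm-style, own creds:    %d\n", model_scm_check(&sample_owner, &sample_self));
    return 0;
}
```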
