public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
* PATCH: "Kernel Insider" (security optimization)
@ 2001-05-25  3:14 bruj0
  2001-05-25  4:59 ` David Wagner
  0 siblings, 1 reply; 2+ messages in thread
From: bruj0 @ 2001-05-25  3:14 UTC (permalink / raw)
  To: linux-kernel

Hello, i wrote a modification for kernels 2.4.x, actually it can be
lodaded as a module and its not intrusive. I would love to get you opinions,
critics, flames about it. Plase CC: me becouse im not in the list. thanx
The whole package with a intructions is at
http://securityportal.com.ar/files/insider-1.6.tar.gz

This is the description:
INSIDER
-------
Its a linux kernel modification, that allows to decide wich uid, pid or
file can open a tcp socket in listening state.
The changes to the kernel are really insignificant, only to export 2
variables.
When  a program tries to open a port it first makes a md5 checksum
of the file and compares it with the config list then it compares the user
id and finally the pid.
The policy is to "DENY" everything that is not in the allowed list.

Bruj0


^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: PATCH: "Kernel Insider" (security optimization)
  2001-05-25  3:14 PATCH: "Kernel Insider" (security optimization) bruj0
@ 2001-05-25  4:59 ` David Wagner
  0 siblings, 0 replies; 2+ messages in thread
From: David Wagner @ 2001-05-25  4:59 UTC (permalink / raw)
  To: linux-kernel

>Its a linux kernel modification, that allows to decide wich uid, pid or
>file can open a tcp socket in listening state.

- Putting access control on listen() [rather than socket()/bind()]
  seems like a really bad idea.  In particular, in some cases one can
  bind to a port and receive messages on it without ever calling listen(),
  if I am not mistaken.

- The use of sock_i_uid(sock) seems poorly chosen; if sock->socket==NULL,
  then your module will mistakenly think that the action was requested by
  uid 0.  In general, the return value from sock_i_uid() cannot be trusted
  for permission checks for several reasons.  Why don't you simply use
  current->euid for your permission checks?

- Checking pid's doesn't seem like a good idea.  If a process listed in
  allowed_pids dies, then some other malicious process can wrap the pid
  space and take over that trusted pid, thereby subverting your access
  control policy.

- Are you aware of previous work on this subject?  In particular, you
  might enjoy checking out the Janus project, which is a much more general
  implementation of this idea: http://www.cs.berkeley.edu/~daw/janus/

- You should really join the mailing list hosted by Crispin Cowan working
  to develop kernel hooks for this sort of kernel security modification.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2001-05-25  5:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2001-05-25  3:14 PATCH: "Kernel Insider" (security optimization) bruj0
2001-05-25  4:59 ` David Wagner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox