netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: Paul Moore <paul.moore-VXdhtT5mjnY@public.gmane.org>,
	sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org,
	jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org,
	rjw-KKrjLPT3xs0@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	kernel-testers-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [Bug #11500] /proc/net bug related to selinux
Date: Wed, 17 Sep 2008 15:32:49 -0700	[thread overview]
Message-ID: <m17i9axv1q.fsf@frodo.ebiederm.org> (raw)
In-Reply-To: <20080917144842.7df59f9e.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> (Andrew Morton's message of "Wed, 17 Sep 2008 14:48:42 -0700")

Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> writes:

> We don't even know the extent of the damage yet.  Which distros were
> affected? With which versions of which userspace packages?

This seems to me to be an extremely fragile selinux user space policy.
In their code that derives security labels from path names.
Why don't we have AppArmor in the kernel again?

Further I don't see how we could have possibly have supported that user space
policy.  How can we apply a user space defined label required by the selinux
policy to a symlink that did not exist?

I expect cd /proc/self/net would work.  In your situation and you can
see /proc/self/net/dev.

Everything here sounds to me like that selinux policy is impossibly brittle.
And anything that is that brittle I have no intention in claiming is a bug
in proc.

Eric

  parent reply	other threads:[~2008-09-17 22:32 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <j3zWxt-CgYL.A.WTF.bbsyIB@albercik>
     [not found] ` <SpS7rta8n4.A.DCB.IfsyIB@albercik>
2008-09-13  8:47   ` [Bug #11271] BUG: fealnx in 2.6.27-rc1 Jaswinder Singh
     [not found] ` <SpS7rta8n4.A.i9G.ZcsyIB@albercik>
     [not found]   ` <alpine.LRH.1.10.0809130812460.12313@tundra.namei.org>
     [not found]     ` <20080912152443.c4e59f42.akpm@linux-foundation.org>
     [not found]       ` <alpine.LRH.1.10.0809131012310.13073@tundra.namei.org>
     [not found]         ` <20080913123722.e238ae2a.akpm@linux-foundation.org>
     [not found]           ` <1221483926.30816.18.camel@moss-spartans.epoch.ncsc.mil>
     [not found]             ` <1221483926.30816.18.camel-/ugcdrsPCSfIm9DtXLC9OUVfdvkotuLY+aIohriVLy8@public.gmane.org>
2008-09-17 19:50               ` [Bug #11500] /proc/net bug related to selinux Andrew Morton
2008-09-17 21:24                 ` Paul Moore
2008-09-17 21:39                   ` Eric W. Biederman
     [not found]                     ` <m1vdwu4fku.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-09-17 22:11                       ` Andrew Morton
2008-09-17 21:48                   ` Andrew Morton
2008-09-17 22:12                     ` Paul Moore
2008-09-17 22:24                       ` Andrew Morton
     [not found]                         ` <20080917152407.76230f0c.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2008-09-17 22:53                           ` Eric W. Biederman
     [not found]                     ` <20080917144842.7df59f9e.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2008-09-17 22:32                       ` Eric W. Biederman [this message]
2008-09-18 12:38                         ` Stephen Smalley
2008-09-18 13:03                           ` Stephen Smalley
2008-09-18 18:09                             ` Eric W. Biederman
2008-09-18 18:34                               ` Stephen Smalley
     [not found]                                 ` <1221762850.24048.107.camel-/ugcdrsPCSfIm9DtXLC9OUVfdvkotuLY+aIohriVLy8@public.gmane.org>
2008-09-19 16:58                                   ` david-gFPdbfVZQbY
2008-09-19 17:07                                     ` Stephen Smalley
2008-09-29 16:49                                   ` Stephen Smalley
     [not found]                   ` <200809171724.36269.paul.moore-VXdhtT5mjnY@public.gmane.org>
2008-09-17 22:23                     ` David Miller
     [not found]                 ` <20080917125053.1f9ecf37.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2008-09-17 21:56                   ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m17i9axv1q.fsf@frodo.ebiederm.org \
    --to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
    --cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
    --cc=jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org \
    --cc=kernel-testers-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=paul.moore-VXdhtT5mjnY@public.gmane.org \
    --cc=rjw-KKrjLPT3xs0@public.gmane.org \
    --cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).