LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Announcements
->One big page
This page
Previous weekFollowing week
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SecurityPathname-based hooks for SELinux?A patch that would add the last path component as a parameter to the Linux security module (LSM) hooks for inode creation raised a few eyebrows. It looked to be an attempt to add pathname-based hooks for SELinux—after many SELinux developers took strong stands against those kinds of hooks when they were proposed for AppArmor and, later, TOMOYO. But, this change would not add pathname-based access controls to SELinux, and would, instead, allow it to make decisions about the label it applies to a new inode based on the filename being created. Still, there are questions about whether this is just an ad hoc change to the LSM API for SELinux, and whether there are other hooks that might benefit from similar treatment. The patches, which were proposed by Eric Paris on the linux-security-module mailing list, are fairly straightforward. The first simply adds a struct qstr pointer to the inode_init_security() hook and changes all the calls to it that are made, mostly in various filesystems. A qstr is a "quick string" object from the directory entry cache, which contains the filename and some additional information (length and hash). The other patch in the set changes SELinux so that it can use that information in its policies:
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. But the inclusion of path information was enough to get a rise out of Casey Schaufler: "I see. Pathname based controls. In SELinux.". He went on to note that AppArmor and TOMOYO had made similar arguments to Paris's and that there are already pathname-based hooks that were added to support those two solutions. But Paris is quick to point out that he is not implementing pathname-based access controls (which is what AppArmor and TOMOYO implement), but is only adding additional information for decisions about labeling new filesystem objects:
The intention is to remove some particularly gross userspace hacks
related to new object labeling (read udev/restorecond/anything to do
with /var/run, etc). It simplifies userspace, removes numerous races,
and does so with no reduction in security (and theoretically the
possibility of a more secure system)
Schaufler does not completely buy that argument because of the way labels are typically maintained in an SELinux system, i.e. using user-space utilities like restorecond that are pathname-based: "Yes, the kernel component of SELinux relies strictly on the labels, but the reality is that SELinux is heavily dependent on the user space component to maintain the proper labels on files so that the specified policy is rational." Stephen Smalley agreed with that to some extent, but tries to clarify the role of pathnames in SELinux:
That fact that we are already
using the parent directory context as an input in computing the
security context of a new files means that our file labeling logic is
already "path-based" in a certain sense. It isn't solely path-based
(either before or after this change), but it is already taking into
account the placement of the file when it is created. This just
refines the granularity at which we can make such decisions.
Smalley also explains more about the kinds of race conditions that the patch is trying to avoid:
restorecond and udev relabeling of
kernel-created dev nodes are inherently racy - the file is not created
in the desired security context initially, and must be relabeled by
some userspace component that notices that the file has been created.
Kernel support for incorporating the last component name as an
additional input enables us to label certain files correctly upon
creation and thus avoids that problem entirely.
Furthermore, Smalley said, the pathname-based hooks that are currently available in the LSM API are not usable to solve this problem because they don't address the issue of assigning labels to new inodes. The existing hooks are "about enforcing access control upon file accesses based on the pathname used to reach the file". The SELinux community has reached a consensus that the proposed change is needed, Smalley said, and the only real question in his mind was whether the changes were acceptable to the Linux virtual filesystem (VFS) and various filesystem developers. While Schaufler recognizes that the SELinux community is fully behind the change, he wonders if there are other hooks that could also benefit from the filename information:
One of the concerns that has traditionally been raised when new
LSM hooks or changes to existing hooks are proposed is that of
generality. I can think of a number of ways in which the final
component of a pathname could be used to make access control
decisions, but I would not expect to be using them myself. Who
else might you expect to make use of this LSM "enhancement", or
is this something that only SELinux is ever going to want? Is
the component something the LSM should be providing in general,
or is this the only case in which it makes sense?
He goes on to point out that the LSM API is inconsistent and arbitrary, so it would make sense to look at the "bigger picture" before hacking in a change specifically for SELinux. As an example, he posits a possible access control mechanism that uses file extensions to make decisions ("only files suffixed with '.exe' can be executed and only files suffixed with '.so' can be mmapped"). Smalley believes that kind of access control could be done with the existing pathname-based hooks, but Kyle Moffett came up with another place where the filename information might be useful, even for SELinux:
While
you of course cannot (and should not) *change* the label of a file in
a link() or rename() operation, it would potentially be useful to deny
an operation based on the old label and the new name that is being
passed in.
The example Moffett gives would deny a compromised web application the ability to rename or link to the .htaccess file in its directories. So far, none of the VFS or filesystem hackers have spoken up one way or another, so it is unclear whether this change will be acceptable to them. The LSM API is something of a kernel outcast—or so it appears at times—as no one is particularly satisfied with it, yet it is an integral part of the kernel security landscape. Sometimes that means that various "hacks" get added for specific security solutions, without looking at the overall picture, which is rather unfortunate. It may well be that this change is adopted, as is, without considering other potential users or consistency in the API.
Brief items Security quotes of the week
Within a couple days' time, the WikiLeaks web content has been spread
across enough independent parts of the Internet's DNS and routing space
that they are, for all intents and purposes, now immune to takedown by any
single legal authority. If pressure were applied, one imagines that the
geographic diversity would simply double, and double again.
-- James
Cowie
Unfortunately, my government does not agree with my definition of
winning. They think that living in fear and trying desperately to keep us
all 100% safe while flying is the most effective way to fight terrorism. It
reminds me of a boss that told me he liked it when people lived in fear of
being fired, they worked harder. I told him being fired held no fear for
me. When you live in fear, you do irrational things - like sending millions
of people's shoes through an xray scanner every day.
-- Stormy Peters
Some of them call terrorism an "existential threat" against our
nation. It's not. Even the events of 9/11, as horrific as they were, didn't
make an existential dent in our nation. Automobile-related fatalities -- at
42,000 per year, more deaths each month, on average, than 9/11 -- aren't,
either. It's our reaction to terrorism that threatens our nation, not
terrorism itself. The empty monument would symbolize the empty rhetoric of
those leaders who preach fear and then use that fear for their own
political ends.
-- Bruce Schneier on closing the Washington Monument (worth
reading in its entirety)
Because if a group of well-planned and well-funded terrorist plotters makes
it to the airport, the chance is pretty low that those blue-shirted
crotch-groping water-bottle-confiscating TSA agents are going to catch
them. The agents are trying to do a good job, but the deck is so stacked
against them that their job is impossible. Airport security is the last
line of defense, and it's not a very good one.
-- Bruce
Schneier (yet again)
Back door in ProFTPD FTP server (The H)The H has an article about a back door that was recently put into the ProFTPD server code. "The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back door by contacting an IP address in the Saudi Arabia area. Entering the command 'HELP ACIDBITCHEZ' results in the modified server displaying a root shell. [...] Ironically, to place their back door, the attackers used a zero day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users." (Thanks to Jan-Frode Myklebust who gave us a heads-up about this issue).
Interesting kernel exploit postedDan Rosenberg has posted a new local kernel compromise program to the full-disclosure list. It is interesting in that it requires the simultaneous exploitation of three different vulnerabilities to work. This particular program is not useful for anybody wanting to take over a system, but: "However, the important issue, CVE-2010-4258, affects everyone, and it would be trivial to find an unpatched DoS under KERNEL_DS and write a slightly more sophisticated version of this that doesn't have the roadblocks I put in to prevent abuse by script kiddies."
New vulnerabilities acroread: code execution
bareftp: privilege escalation
bind: multiple vulnerabilities
clamav: multiple vulnerabilities
epiphany: arbitrary https web site spoofing
gnupg: code execution
imagemagick: privilege escalation
kernel: multiple vulnerabilities
mercurial: man-in-the-middle attack
openssl: unintended cipher use
openssl: unintended cipher use
openssl: authentication bypass
python-paste: cross-site scripting
tomboy: code execution
Page editor: Jake Edge |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||