From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: linux-security-module@vger.kernel.org
Subject: [PATCH 0/5 (resend)] TOMOYO 2.4: Conditional ACL support
Date: Fri, 08 Jul 2011 13:20:38 +0900
Message-ID: <201107080420.p684Kci0076192@www262.sakura.ne.jp>
This patchset adds support for conditional ACLs. Four examples are shown.
(1) file read /tmp/\* task.uid=path1.uid
(2) file execute /bin/sh exec.realpath="/bin/bash"
(3) file symlink /var/www/html/index.html symlink.target="\*.html"
(4) file execute /bin/sh exec.argc=3 exec.argv[1]="-c" exec.envp["PATH"]="/bin:/usr/bin"
Example (1) allows opening arbitrary files in the /tmp/ directory for reading only
if the current thread's UID matches the target file's owner ID. This is for
performing more fine-grained permission checks.
Example (2) allows execve("/bin/sh") if /bin/sh is a symlink to /bin/bash.
Currently, execute permission is checked using the symlink's pathname if the
pathname passed to execve() is a symlink. This is not safe if users can execute
symlinks whose targets they can choose. For example, if
file execute /tmp/app
file unlink /tmp/app
file symlink /tmp/app
are granted, users can execute arbitrary programs by changing where the symlink
/tmp/app points to.
Example (3) allows symlink("/var/www/html/index.html") if the symlink's content
matches the \*.html pattern. Currently, the "file symlink" keyword allows creation of a
symlink but does not check the symlink's target. Usually this is no problem,
because permission checks (except "file execute") are done using the dereferenced
pathname. But in some cases we should restrict the symlink's target. For
example, "ln -s .htpasswd /var/www/html/readme.html" by a CGI program should be
blocked, because otherwise we would be allowing Apache to read both /var/www/html/readme.html and
/var/www/html/.htpasswd.
Example (4) allows 'sh -c "something"' if the environment variable PATH is
"/bin:/usr/bin". This is intended to prevent shellcode from executing
/bin/sh when the policy has to grant execution of /bin/sh, since shellcode tends
to execute /bin/sh without passing sane argv[]/envp[] arguments.
In order to perform more complicated inspection, TOMOYO 1.8 has a feature called
"execute handler". The "execute handler" acts like

#! /bin/sh
# check and sanitize argv[]/envp[] passed to /path/to/originally/requested/program here.
exec /path/to/originally/requested/program "$@"

However, TOMOYO 2.4 is not ready for merging "execute handler" (because,
in order to avoid an infinite "execute handler" loop, I need to remember in
per-task_struct variables whether the current thread is already running as an
"execute handler" or not. Also, I need security_bprm_free() for kfree()ing the
memory holding the pathname of the "execute handler"). Until "execute handler"
becomes ready to merge, (4) is the only way to check argv[]/envp[] passed to
execve() requests.
For more information, please see http://tomoyo.sourceforge.jp/2.4/chapter-10.html.
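To make the matching behind the four examples concrete, here is an added Python model (not TOMOYO's code, and not part of this mail) that parses those four ACL lines and evaluates them against constructed requests. It assumes only TOMOYO's `\*` wildcard (any run of characters other than '/'), compares everything else literally, and treats a condition whose attribute is missing from the request as false.

```python
import re

# Constructed, simplified model of conditional ACL matching: an ACL line
# permits a request when its operation and path pattern match and every
# "lhs=rhs" condition holds.  Not TOMOYO's own matcher.

def pattern_to_regex(pattern):
    # TOMOYO-style "\*": zero or more characters other than '/'
    parts = pattern.split(r"\*")
    return re.compile("^" + "[^/]*".join(map(re.escape, parts)) + "$")

def parse_acl(line):
    """Split 'file <op> <path> [lhs=rhs ...]' into (op, path, conditions)."""
    tokens = line.split()
    op, path, conds = tokens[1], tokens[2], []
    for tok in tokens[3:]:
        lhs, rhs = tok.split("=", 1)
        quoted = rhs.startswith('"') and rhs.endswith('"')
        conds.append((lhs, rhs.strip('"') if quoted else rhs, quoted))
    return op, path, conds

def condition_holds(request, lhs, rhs, quoted):
    if lhs not in request:          # attribute not available for this request
        return False
    left = request[lhs]
    if quoted:                      # string pattern, e.g. exec.realpath="/bin/bash"
        return pattern_to_regex(rhs).match(str(left)) is not None
    if rhs in request:              # attribute vs attribute, e.g. task.uid=path1.uid
        return left == request[rhs]
    return left == int(rhs)         # numeric literal, e.g. exec.argc=3

def acl_permits(acl, request):
    op, path, conds = acl
    if op != request["op"] or not pattern_to_regex(path).match(request["path"]):
        return False
    return all(condition_holds(request, *cond) for cond in conds)

def policy_permits(policy, request):
    # permitted if any ACL line matches with all of its conditions true
    return any(acl_permits(parse_acl(line), request) for line in policy)

# The four example lines from the cover letter, verbatim.
POLICY = [
    r"file read /tmp/\* task.uid=path1.uid",
    'file execute /bin/sh exec.realpath="/bin/bash"',
    r'file symlink /var/www/html/index.html symlink.target="\*.html"',
    'file execute /bin/sh exec.argc=3 exec.argv[1]="-c" exec.envp["PATH"]="/bin:/usr/bin"',
]

if __name__ == "__main__":  # constructed request: a thread reading a file it owns
    print(policy_permits(POLICY, {"op": "read", "path": "/tmp/notes", "task.uid": 1000, "path1.uid": 1000}))
```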
[PATCH 1/5] TOMOYO: Allow using UID/GID etc. of current thread as conditions.
[PATCH 2/5] TOMOYO: Allow using owner/group etc. of file objects as conditions.
[PATCH 3/5] TOMOYO: Allow using executable's realpath and symlink's target as conditions.
[PATCH 4/5] TOMOYO: Allow using argv[]/envp[] of execve() as conditions.
[PATCH 5/5] TOMOYO: Enable conditional ACL.
security-testing-2.6/security/tomoyo/condition.c | 349 +++++++++++
security/tomoyo/Makefile | 2
security/tomoyo/audit.c | 236 +++++++
security/tomoyo/common.c | 305 +++++++++
security/tomoyo/common.h | 260 ++++++++
security/tomoyo/condition.c | 702 ++++++++++++++++++++++-
security/tomoyo/domain.c | 120 ++-
security/tomoyo/file.c | 35 +
security/tomoyo/gc.c | 56 +
security/tomoyo/mount.c | 8
security/tomoyo/tomoyo.c | 14
security/tomoyo/util.c | 2
12 files changed, 2005 insertions(+), 84 deletions(-)
Regards.