User: Password:
Subscribe / Log in / New account


Pathname-based hooks for SELinux?

By Jake Edge
December 8, 2010

A patch that would add the last path component as a parameter to the Linux security module (LSM) hooks for inode creation raised a few eyebrows. It looked to be an attempt to add pathname-based hooks for SELinux—after many SELinux developers took strong stands against those kinds of hooks when they were proposed for AppArmor and, later, TOMOYO. But, this change would not add pathname-based access controls to SELinux, and would, instead, allow it to make decisions about the label it applies to a new inode based on the filename being created. Still, there are questions about whether this is just an ad hoc change to the LSM API for SELinux, and whether there are other hooks that might benefit from similar treatment.

The patches, which were proposed by Eric Paris on the linux-security-module mailing list, are fairly straightforward. The first simply adds a struct qstr pointer to the inode_init_security() hook and changes all the calls to it that are made, mostly in various filesystems. A qstr is a "quick string" object from the directory entry cache, which contains the filename and some additional information (length and hash). The other patch in the set changes SELinux so that it can use that information in its policies:

Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd.

There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules.

But the inclusion of path information was enough to get a rise out of Casey Schaufler: "I see. Pathname based controls. In SELinux.". He went on to note that AppArmor and TOMOYO had made similar arguments to Paris's and that there are already pathname-based hooks that were added to support those two solutions. But Paris is quick to point out that he is not implementing pathname-based access controls (which is what AppArmor and TOMOYO implement), but is only adding additional information for decisions about labeling new filesystem objects:

The intention is to remove some particularly gross userspace hacks related to new object labeling (read udev/restorecond/anything to do with /var/run, etc). It simplifies userspace, removes numerous races, and does so with no reduction in security (and theoretically the possibility of a more secure system)

Schaufler does not completely buy that argument because of the way labels are typically maintained in an SELinux system, i.e. using user-space utilities like restorecond that are pathname-based: "Yes, the kernel component of SELinux relies strictly on the labels, but the reality is that SELinux is heavily dependent on the user space component to maintain the proper labels on files so that the specified policy is rational." Stephen Smalley agreed with that to some extent, but tries to clarify the role of pathnames in SELinux:

That fact that we are already using the parent directory context as an input in computing the security context of a new files means that our file labeling logic is already "path-based" in a certain sense. It isn't solely path-based (either before or after this change), but it is already taking into account the placement of the file when it is created. This just refines the granularity at which we can make such decisions.

Smalley also explains more about the kinds of race conditions that the patch is trying to avoid:

restorecond and udev relabeling of kernel-created dev nodes are inherently racy - the file is not created in the desired security context initially, and must be relabeled by some userspace component that notices that the file has been created. Kernel support for incorporating the last component name as an additional input enables us to label certain files correctly upon creation and thus avoids that problem entirely.

Furthermore, Smalley said, the pathname-based hooks that are currently available in the LSM API are not usable to solve this problem because they don't address the issue of assigning labels to new inodes. The existing hooks are "about enforcing access control upon file accesses based on the pathname used to reach the file". The SELinux community has reached a consensus that the proposed change is needed, Smalley said, and the only real question in his mind was whether the changes were acceptable to the Linux virtual filesystem (VFS) and various filesystem developers.

While Schaufler recognizes that the SELinux community is fully behind the change, he wonders if there are other hooks that could also benefit from the filename information:

One of the concerns that has traditionally been raised when new LSM hooks or changes to existing hooks are proposed is that of generality. I can think of a number of ways in which the final component of a pathname could be used to make access control decisions, but I would not expect to be using them myself. Who else might you expect to make use of this LSM "enhancement", or is this something that only SELinux is ever going to want? Is the component something the LSM should be providing in general, or is this the only case in which it makes sense?

He goes on to point out that the LSM API is inconsistent and arbitrary, so it would make sense to look at the "bigger picture" before hacking in a change specifically for SELinux. As an example, he posits a possible access control mechanism that uses file extensions to make decisions ("only files suffixed with '.exe' can be executed and only files suffixed with '.so' can be mmapped"). Smalley believes that kind of access control could be done with the existing pathname-based hooks, but Kyle Moffett came up with another place where the filename information might be useful, even for SELinux:

While you of course cannot (and should not) *change* the label of a file in a link() or rename() operation, it would potentially be useful to deny an operation based on the old label and the new name that is being passed in.

The example Moffett gives would deny a compromised web application the ability to rename or link to the .htaccess file in its directories.

So far, none of the VFS or filesystem hackers have spoken up one way or another, so it is unclear whether this change will be acceptable to them. The LSM API is something of a kernel outcast—or so it appears at times—as no one is particularly satisfied with it, yet it is an integral part of the kernel security landscape. Sometimes that means that various "hacks" get added for specific security solutions, without looking at the overall picture, which is rather unfortunate. It may well be that this change is adopted, as is, without considering other potential users or consistency in the API.

Comments (4 posted)

Brief items

Security quotes of the week

Within a couple days' time, the WikiLeaks web content has been spread across enough independent parts of the Internet's DNS and routing space that they are, for all intents and purposes, now immune to takedown by any single legal authority. If pressure were applied, one imagines that the geographic diversity would simply double, and double again.
-- James Cowie

Unfortunately, my government does not agree with my definition of winning. They think that living in fear and trying desperately to keep us all 100% safe while flying is the most effective way to fight terrorism. It reminds me of a boss that told me he liked it when people lived in fear of being fired, they worked harder. I told him being fired held no fear for me. When you live in fear, you do irrational things - like sending millions of people's shoes through an xray scanner every day.
-- Stormy Peters

Some of them call terrorism an "existential threat" against our nation. It's not. Even the events of 9/11, as horrific as they were, didn't make an existential dent in our nation. Automobile-related fatalities -- at 42,000 per year, more deaths each month, on average, than 9/11 -- aren't, either. It's our reaction to terrorism that threatens our nation, not terrorism itself. The empty monument would symbolize the empty rhetoric of those leaders who preach fear and then use that fear for their own political ends.
-- Bruce Schneier on closing the Washington Monument (worth reading in its entirety)

Because if a group of well-planned and well-funded terrorist plotters makes it to the airport, the chance is pretty low that those blue-shirted crotch-groping water-bottle-confiscating TSA agents are going to catch them. The agents are trying to do a good job, but the deck is so stacked against them that their job is impossible. Airport security is the last line of defense, and it's not a very good one.
-- Bruce Schneier (yet again)

Comments (none posted)

Back door in ProFTPD FTP server (The H)

The H has an article about a back door that was recently put into the ProFTPD server code. "The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back door by contacting an IP address in the Saudi Arabia area. Entering the command 'HELP ACIDBITCHEZ' results in the modified server displaying a root shell. [...] Ironically, to place their back door, the attackers used a zero day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users." (Thanks to Jan-Frode Myklebust who gave us a heads-up about this issue).

Comments (39 posted)

Interesting kernel exploit posted

Dan Rosenberg has posted a new local kernel compromise program to the full-disclosure list. It is interesting in that it requires the simultaneous exploitation of three different vulnerabilities to work. This particular program is not useful for anybody wanting to take over a system, but: "However, the important issue, CVE-2010-4258, affects everyone, and it would be trivial to find an unpatched DoS under KERNEL_DS and write a slightly more sophisticated version of this that doesn't have the roadblocks I put in to prevent abuse by script kiddies."

Full Story (comments: 15)

New vulnerabilities

acroread: code execution

Package(s):acroread CVE #(s):CVE-2010-4091
Created:December 2, 2010 Updated:March 7, 2011

From the Red Hat advisory:

A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-3654, CVE-2010-4091)

Gentoo 201201-19 acroread 2012-01-30
SUSE SUSE-SA:2011:011 acroread 2011-03-07
openSUSE openSUSE-SU-2011:0156-1 acroread 2011-03-07
Gentoo 201101-08 acroread 2011-01-21
SUSE SUSE-SA:2010:058 acroread 2010-12-08
openSUSE openSUSE-SU-2010:1030-1 acroread 2010-12-07
Red Hat RHSA-2010:0934-01 acroread 2010-12-01

Comments (none posted)

bareftp: privilege escalation

Package(s):bareftp CVE #(s):CVE-2010-3350
Created:December 8, 2010 Updated:December 8, 2010
Description: From the CVE entry:

bareFTP 0.3.4 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

Fedora FEDORA-2010-18323 bareftp 2010-11-29
Fedora FEDORA-2010-18310 bareftp 2010-11-29

Comments (none posted)

bind: multiple vulnerabilities

Package(s):bind9 CVE #(s):CVE-2010-3613 CVE-2010-3614
Created:December 2, 2010 Updated:January 27, 2011

From the Ubuntu advisory:

It was discovered that Bind would incorrectly allow a ncache entry and a rrsig for the same type. A remote attacker could exploit this to cause Bind to crash, resulting in a denial of service. (CVE-2010-3613)

It was discovered that Bind would incorrectly mark zone data as insecure when the zone is undergoing a key algorithm rollover. (CVE-2010-3614)

Gentoo 201206-01 bind 2012-06-02
CentOS CESA-2010:1000 bind 2011-01-27
Red Hat RHSA-2010:1000-01 bind 2010-12-20
Slackware SSA:2010-350-01 bind 2010-12-17
Mandriva MDVSA-2010:253 bind 2010-12-14
CentOS CESA-2010:0976 bind 2010-12-14
Red Hat RHSA-2010:0976-01 bind 2010-12-13
Red Hat RHSA-2010:0975-01 bind 2010-12-13
Debian DSA-2130-1 bind9 2010-12-10
Fedora FEDORA-2010-18469 bind 2010-12-02
openSUSE openSUSE-SU-2010:1031-1 bind 2010-12-08
Fedora FEDORA-2010-18521 dnsperf 2010-12-03
Fedora FEDORA-2010-18521 bind-dyndb-ldap 2010-12-03
Fedora FEDORA-2010-18521 bind 2010-12-03
Ubuntu USN-1025-1 bind9 2010-12-01

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2010-4260 CVE-2010-4479 CVE-2010-4261
Created:December 7, 2010 Updated:December 24, 2010
Description: From the Mandriva advisory:

Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV before 0.96.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document (CVE-2010-4260, (CVE-2010-4479).

Off-by-one error in the icon_cb function in pe_icons.c in libclamav in ClamAV before 0.96.5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. NOTE: some of these details are obtained from third party information (CVE-2010-4261).

Gentoo 201110-20 clamav 2011-10-23
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
Fedora FEDORA-2010-18564 clamav 2010-12-05
Ubuntu USN-1031-1 clamav 2010-12-10
openSUSE openSUSE-SU-2010:1041-1 clamav 2010-12-10
Fedora FEDORA-2010-18568 clamav 2010-12-05
Mandriva MDVSA-2010:249 clamav 2010-12-07

Comments (none posted)

epiphany: arbitrary https web site spoofing

Package(s):epiphany CVE #(s):CVE-2010-3312
Created:December 7, 2010 Updated:January 25, 2011
Description: From the CVE entry:

Epiphany 2.28 and 2.29, when WebKit and LibSoup are used, unconditionally displays a closed-lock icon for any URL beginning with the https: substring, without any warning to the user, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted X.509 server certificate.

SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
SUSE SUSE-SR:2010:023 libxml2, tomboy, krb5, php5, cups, java-1_6_0-openjdk, epiphany, encfs 2010-12-08
openSUSE openSUSE-SU-2010:1027-1 epiphany 2010-12-07

Comments (none posted)

gnupg: code execution

Package(s):gnupg CVE #(s):
Created:December 6, 2010 Updated:December 10, 2010
Description: From the rPath advisory:

A use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG could allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by tricking a user into importing a certificate with a large number of Subject Alternate Names.

rPath rPSA-2010-0076-1 gnupg 2010-12-06

Comments (1 posted)

imagemagick: privilege escalation

Package(s):imagemagick CVE #(s):CVE-2010-4167
Created:December 8, 2010 Updated:March 22, 2012
Description: From the CVE entry:

Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory.

Oracle ELSA-2012-0544 ImageMagick 2012-05-08
Scientific Linux SL-Imag-20120508 ImageMagick 2012-05-08
CentOS CESA-2012:0544 ImageMagick 2012-05-07
Red Hat RHSA-2012:0544-01 ImageMagick 2012-05-07
Scientific Linux SL-Imag-20120321 ImageMagick 2012-03-21
Oracle ELSA-2012-0301 imagemagick 2012-03-07
Red Hat RHSA-2012:0301-03 ImageMagick 2012-02-21
Mandriva MDVSA-2012:077 imagemagick 2012-05-17
Fedora FEDORA-2010-19056 ImageMagick 2010-12-18
Fedora FEDORA-2010-19025 ImageMagick 2010-12-17
Ubuntu USN-1028-1 imagemagick 2010-12-07

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2010-4075 CVE-2010-4077 CVE-2010-4248
Created:December 6, 2010 Updated:August 9, 2011
Description: From the CVE entries:

The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4075)

The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4077)

Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c. (CVE-2010-4248)

Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1218-1 linux 2011-09-29
Ubuntu USN-1216-1 linux-ec2 2011-09-26
Ubuntu USN-1208-1 linux-mvl-dove 2011-09-14
Ubuntu USN-1204-1 linux-fsl-imx51 2011-09-13
Ubuntu USN-1203-1 linux-mvl-dove 2011-09-13
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1183-1 kernel 2011-08-03
Ubuntu USN-1170-1 linux 2011-07-15
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Debian DSA-2264-1 linux-2.6 2011-06-18
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
Ubuntu USN-1105-1 linux 2011-04-05
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1092-1 linux-source-2.6.15 2011-03-25
SUSE SUSE-SA:2011:015 kernel 2011-03-24
Ubuntu USN-1090-1 linux 2011-03-18
Ubuntu USN-1089-1 linux, linux-ec2 2011-03-18
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
Ubuntu USN-1086-1 linux-ec2 2011-03-08
SUSE SUSE-SA:2011:012 kernel 2011-03-08
Ubuntu USN-1080-2 linux-ec2 2011-03-02
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1080-1 linux 2011-03-01
Ubuntu USN-1073-1 linux, linux-ec2 2011-02-25
Ubuntu USN-1072-1 linux 2011-02-25
Mandriva MDVSA-2011:029 kernel 2011-02-17
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30
CentOS CESA-2011:0162 kernel 2011-01-27
Red Hat RHSA-2011:0162-01 kernel 2011-01-18
Red Hat RHSA-2011:0007-01 kernel 2011-01-11
CentOS CESA-2011:0004 kernel 2011-01-06
Red Hat RHSA-2011:0004-01 kernel 2011-01-04
Red Hat RHSA-2010:0958-01 kernel-rt 2010-12-08
Fedora FEDORA-2010-18506 kernel 2010-12-03
Fedora FEDORA-2010-18493 kernel 2010-12-03
Red Hat RHSA-2011:0017-01 kernel 2011-01-13

Comments (none posted)

mercurial: man-in-the-middle attack

Package(s):mercurial CVE #(s):CVE-2010-4237
Created:December 7, 2010 Updated:December 8, 2010
Description: From the Novell bugzilla:

a security flaw was found in the way Mercurial handled subject Common Name field of the provided certificate (the check if the commonName in the received certificate matches the requested hostname was not performed). An attacker, able to get a carefully-crafted certificate signed by a Certificate Authority could use the certificate during a man-in-the-middle attack and potentially confuse Mercurial into accepting it by mistake.

openSUSE openSUSE-SU-2010:1029-1 mercurial 2010-12-07

Comments (none posted)

openssl: unintended cipher use

Package(s):openssl CVE #(s):CVE-2010-4180
Created:December 7, 2010 Updated:July 27, 2011
Description: From the Mandriva advisory:

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Gentoo 201110-01 openssl 2011-10-09
SUSE SUSE-SU-2011:0847-1 compat-openssl097g 2011-07-27
openSUSE openSUSE-SU-2011:0845-1 compat-openssl097g 2011-07-27
rPath rPSA-2011-0013-1 openssl 2011-04-11
SUSE SUSE-SR:2011:009 mailman, openssl, tgt, rsync, vsftpd, libzip1/libzip-devel, otrs, libtiff, kdelibs4, libwebkit, libpython2_6-1_0, perl, pure-ftpd, collectd, vino, aaa_base, exim 2011-05-17
CentOS CESA-2010:0977 openssl 2011-01-27
SUSE SUSE-SR:2011:001 finch/pidgin, libmoon-devel/moonlight-plugin, libsmi, openssl, perl-CGI-Simple, supportutils, wireshark 2011-01-11
Debian DSA-2141-1 openssl 2011-01-06
openSUSE openSUSE-SU-2011:0014-1 openssl 2011-01-05
Fedora FEDORA-2010-18736 openssl 2010-12-09
CentOS CESA-2010:0978 openssl 2010-12-14
Red Hat RHSA-2010:0979-01 openssl 2010-12-13
Red Hat RHSA-2010:0978-01 openssl 2010-12-13
Red Hat RHSA-2010:0977-01 openssl 2010-12-13
Fedora FEDORA-2010-18765 openssl 2010-12-09
Ubuntu USN-1029-1 openssl 2010-12-08
Slackware SSA:2010-340-01 openssl 2010-12-07
Mandriva MDVSA-2010:248 openssl 2010-12-07

Comments (none posted)

openssl: unintended cipher use

Package(s):openssl CVE #(s):CVE-2008-7270
Created:December 8, 2010 Updated:January 27, 2011
Description: From the CVE entry:

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

CentOS CESA-2010:0977 openssl 2011-01-27
CentOS CESA-2010:0978 openssl 2010-12-14
Red Hat RHSA-2010:0978-01 openssl 2010-12-13
Red Hat RHSA-2010:0977-01 openssl 2010-12-13
Ubuntu USN-1029-1 openssl 2010-12-08

Comments (none posted)

openssl: authentication bypass

Package(s):openssl CVE #(s):CVE-2010-4252
Created:December 7, 2010 Updated:December 8, 2010
Description: From the CVE entry:

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Gentoo 201110-01 openssl 2011-10-09
Slackware SSA:2010-340-01 openssl 2010-12-07

Comments (none posted)

python-paste: cross-site scripting

Package(s):paste CVE #(s):CVE-2010-2477
Created:December 8, 2010 Updated:December 8, 2010
Description: From the CVE entry:

Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.

Ubuntu USN-1026-1 paste 2010-12-07

Comments (none posted)

tomboy: code execution

Package(s):tomboy CVE #(s):CVE-2010-4005
Created:December 2, 2010 Updated:June 16, 2011

From the Novell bugzilla entry:

The following files set LD_LIBRARY_PATH in a way that allows empty elements which means the current directory is included:

/usr/bin/tomboy (+: instead of :+:)
/usr/bin/tomboy-panel (+: instead of :+:)

Gentoo 201401-28 tomboy 2014-01-25
Fedora FEDORA-2011-7997 tomboy 2011-06-07
Fedora FEDORA-2011-7994 tomboy 2011-06-07
Mandriva MDVSA-2011:035 tomboy 2011-02-22
SUSE SUSE-SR:2010:023 libxml2, tomboy, krb5, php5, cups, java-1_6_0-openjdk, epiphany, encfs 2010-12-08
openSUSE openSUSE-SU-2010:1001-1 tomboy 2010-12-02

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds