LWN: Comments on "The return of authoritative hooks" https://lwn.net/Articles/273822/
This is a special feed containing comments posted to the individual LWN article titled "The return of authoritative hooks".
Sat, 27 Sep 2025 04:48:09 +0000

The return of authoritative hooks https://lwn.net/Articles/275563/ FnH
<div class="FormattedComment"><pre>
Could someone explain to me why granting someone something you don't have by default (authoritative) is different from not granting something you have by default to everyone else (restrictive)?
</pre></div>
Fri, 28 Mar 2008 20:39:17 +0000

Could allow inclusion of systrace? https://lwn.net/Articles/275085/ oak
<div class="FormattedComment"><pre>
<font class="QuotedText">&gt; You mean Roland McGrath's utrace?</font>
Sorry, yes. I noticed that first/early patch(es) of it have gone to 2.6.25.
<font class="QuotedText">&gt; (however, things like UML are in effect using it as such in any case, so </font>
security-hole-inducing bugs in ptrace() *are* likely to get fixed.)
Sounds promising. :-)
</pre></div>
Wed, 26 Mar 2008 18:52:54 +0000

Could allow inclusion of systrace? https://lwn.net/Articles/275028/ nix
<div class="FormattedComment"><pre>
You mean Roland McGrath's utrace? While incredibly nifty and a long-overdue revamp of the awful ptrace() interface, utrace hasn't been designed as a security enforcement mechanism either :)
(however, things like UML are in effect using it as such in any case, so security-hole-inducing bugs in ptrace() *are* likely to get fixed.)
</pre></div>
Wed, 26 Mar 2008 15:38:11 +0000

Could allow inclusion of systrace? https://lwn.net/Articles/275014/ oak
<div class="FormattedComment"><pre>
Hm.
Systrace site says this on security: "Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it."
Maybe ltrace (new kernel implementation for ptrace that is supposed to solve many of its problems) could help also on this?
</pre></div>
Wed, 26 Mar 2008 14:53:19 +0000

Could allow inclusion of systrace? https://lwn.net/Articles/274818/ Klavs
<div class="FormattedComment"><pre>
I would hope so too. I've always liked the concept of systrace - and its simplicity is IMHO good for security.
</pre></div>
Tue, 25 Mar 2008 10:56:03 +0000

Could allow inclusion of systrace? https://lwn.net/Articles/274473/ AnswerGuy
<p> Perhaps this consolidation will also pave the way for the inclusion of Niels Provos' <a href="http://www.systrace.org/">systrace</a> patches. </p>
<p> Systrace implements a brilliant, elegant approach to security, by allowing any user to interpose a set of "firewall" rules between the code that they run and the kernel (via the system call APIs). </p>
<p> This approach is vastly simpler than SELinux, which loads up the system with a large number of additional labels (domains, types, roles), and which adds additional options to many commands (the -Z flags to <i>ls, ps</i>, etc.) and is generally impossible for mere mortals to comprehend. </p>
<p> Systrace allows a normal user to create a policy and limit the access by programs, without giving the user any additional systems level permissions beyond what he or she already had. (It essentially uses the <i>ptrace</i> mechanism). So a user can, for example, run Mozilla while restricting its read/write <i>open()</i> calls to just the ~/.mozilla and ~/Downloads directories. In that example a compromised Mozilla can only write to those two directories and can't plant a trojan in your ~/bin directory, for example.
</p>
<p> Another advantage of systrace is that it's already included in NetBSD and OpenBSD, and available for OpenSolaris and FreeBSD. That makes it the only viable security enhancement to UNIX-like systems which is cross-platform. </p>
Sat, 22 Mar 2008 04:28:40 +0000

The return of authoritative hooks https://lwn.net/Articles/274431/ rvfh
<div class="FormattedComment"><pre>
From the article, it seems LSM is seen as a way to restrict a user's rights from an original set, where I think it should be a way to say who can do what. Each user could then have a tick-box kind of configuration, which is in fact similar to making a user part of a group to give them access to a category of devices.
But I suppose the whole idea now would be to say like: user A cannot access /dev/sda* (the hard disk), but can access /dev/sdb* (a USB key that is known to belong to them). Correct?
</pre></div>
Fri, 21 Mar 2008 09:53:36 +0000

The return of authoritative hooks https://lwn.net/Articles/274296/ jengelh
<div class="FormattedComment"><pre>
<font class="QuotedText">&gt;An LSM hook can deny an action, but it can never empower a process to do something it would not have been allowed to do in the absence of the security module.</font>
The MultiAdm LSM [ <a href="http://lwn.net/Articles/255650/">http://lwn.net/Articles/255650/</a> ] can give regular users extra capabilities, empowering them to do something they would not have been allowed otherwise.
</pre></div>
Thu, 20 Mar 2008 14:00:21 +0000