From: Andy Lutomirski <luto@amacapital.net>
To: James Morris <jmorris@namei.org>
Cc: Andrew Lutomirski <luto@mit.edu>, Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, linux-man@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
x86@kernel.org, arnd@arndb.de,
"David S. Miller" <davem@davemloft.net>,
hpa@zytor.com, mingo@redhat.com, Oleg Nesterov <oleg@redhat.com>,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de,
Eric Paris <eparis@redhat.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
djm@mindrot.org, scarybeasts@gmail.com, indan@nul.nu,
pmoore@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com, Kees Cook <keescook@chromium.org>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
Date: Thu, 12 Apr 2012 21:40:13 -0700 [thread overview]
Message-ID: <CALCETrUciLZfC4W6CwSzrvCRUxGtamx6gMbrA18R0ZoUUyJZfg@mail.gmail.com> (raw)
In-Reply-To: <alpine.LRH.2.02.1204131432430.22093@tundra.namei.org>
On Thu, Apr 12, 2012 at 9:34 PM, James Morris <jmorris@namei.org> wrote:
> On Thu, 12 Apr 2012, Andrew Lutomirski wrote:
>
>> > What about dynamic transitions in SELinux ?
>> >
>>
>> What's a dynamic transition?
>
> The security label can be changed without an exec:
>
> See selinux_setprocattr(), for "current".
Ah.
I see nothing wrong with that, for the same reason I see nothing wrong
with setuid (the system call) after PR_SET_NO_NEW_PRIVS. The
privileges granted by writing to /proc/self/attr/current were already
available in the sense that you could have written to current whenever
you wanted to.
(FWIW, I think that selinux should have made that the only way to
change contexts, full stop. And I think that the setuid and setgid
bits were mistakes. Water under the bridge...)
--Andy
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@amacapital.net>
To: James Morris <jmorris@namei.org>
Cc: Andrew Lutomirski <luto@mit.edu>, Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, linux-man@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
x86@kernel.org, arnd@arndb.de,
"David S. Miller" <davem@davemloft.net>,
hpa@zytor.com, mingo@redhat.com, Oleg Nesterov <oleg@redhat.com>,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de,
Eric Paris <eparis@redhat.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
djm@mindrot.org, scarybeasts@gmail.com, indan@nul.nu,
pmoore@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com, Kees Cook <keescook@chromium.org>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: [kernel-hardening] Re: [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
Date: Thu, 12 Apr 2012 21:40:13 -0700 [thread overview]
Message-ID: <CALCETrUciLZfC4W6CwSzrvCRUxGtamx6gMbrA18R0ZoUUyJZfg@mail.gmail.com> (raw)
In-Reply-To: <alpine.LRH.2.02.1204131432430.22093@tundra.namei.org>
On Thu, Apr 12, 2012 at 9:34 PM, James Morris <jmorris@namei.org> wrote:
> On Thu, 12 Apr 2012, Andrew Lutomirski wrote:
>
>> > What about dynamic transitions in SELinux ?
>> >
>>
>> What's a dynamic transition?
>
> The security label can be changed without an exec:
>
> See selinux_setprocattr(), for "current".
Ah.
I see nothing wrong with that, for the same reason I see nothing wrong
with setuid (the system call) after PR_SET_NO_NEW_PRIVS. The
privileges granted by writing to /proc/self/attr/current were already
available in the sense that you could have written to current whenever
you wanted to.
(FWIW, I think that selinux should have made that the only way to
change contexts, full stop. And I think that the setuid and setgid
bits were mistakes. Water under the bridge...)
--Andy
next prev parent reply other threads:[~2012-04-13 4:40 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-12 21:47 [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 02/15] Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` Will Drewry
2012-04-12 21:47 ` [PATCH v18 05/15] seccomp: kill the seccomp_t typedef Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 06/15] asm/syscall.h: add syscall_get_arch Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 07/15] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 22:18 ` Kees Cook
2012-04-12 22:18 ` [kernel-hardening] " Kees Cook
2012-04-12 21:47 ` [PATCH v18 08/15] seccomp: add system call filtering using BPF Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 22:19 ` Kees Cook
2012-04-12 22:19 ` [kernel-hardening] " Kees Cook
2012-04-12 22:19 ` Kees Cook
2012-04-12 21:47 ` [PATCH v18 09/15] seccomp: remove duplicated failure logging Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 10/15] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 11/15] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 12/15] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 22:16 ` Kees Cook
2012-04-12 22:16 ` [kernel-hardening] " Kees Cook
2012-04-12 21:48 ` [PATCH v18 15/15] Documentation: prctl/seccomp_filter Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 22:11 ` Kees Cook
2012-04-12 22:11 ` [kernel-hardening] " Kees Cook
2012-04-18 2:28 ` Paul Gortmaker
2012-04-18 2:28 ` [kernel-hardening] " Paul Gortmaker
2012-04-18 2:53 ` Will Drewry
2012-04-18 2:53 ` [kernel-hardening] " Will Drewry
2012-04-18 2:53 ` Will Drewry
2012-04-12 22:17 ` [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Kees Cook
2012-04-12 22:17 ` [kernel-hardening] " Kees Cook
2012-04-13 4:16 ` James Morris
2012-04-13 4:16 ` [kernel-hardening] " James Morris
2012-04-13 4:16 ` James Morris
2012-04-13 4:16 ` James Morris
2012-04-13 4:25 ` Andrew Lutomirski
2012-04-13 4:25 ` [kernel-hardening] " Andrew Lutomirski
2012-04-13 4:25 ` Andrew Lutomirski
2012-04-13 4:34 ` James Morris
2012-04-13 4:34 ` [kernel-hardening] " James Morris
2012-04-13 4:34 ` James Morris
2012-04-13 4:34 ` James Morris
2012-04-13 4:40 ` Andy Lutomirski [this message]
2012-04-13 4:40 ` [kernel-hardening] " Andy Lutomirski
2012-04-14 1:45 ` James Morris
2012-04-14 1:45 ` [kernel-hardening] " James Morris
2012-04-14 3:06 ` Will Drewry
2012-04-14 3:06 ` [kernel-hardening] " Will Drewry
2012-04-14 3:06 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrUciLZfC4W6CwSzrvCRUxGtamx6gMbrA18R0ZoUUyJZfg@mail.gmail.com \
--to=luto@amacapital.net \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=djm@mindrot.org \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=hpa@zytor.com \
--cc=indan@nul.nu \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=markus@chromium.org \
--cc=mcgrathr@chromium.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=scarybeasts@gmail.com \
--cc=sds@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.