From: Stephen Smalley <sds@tycho.nsa.gov>
To: "José Bollo" <jobol@nonadev.net>, selinux@tycho.nsa.gov
Cc: paul@paul-moore.com, james.l.morris@oracle.com,
linux-security-module@vger.kernel.org, casey@schaufler-ca.com,
john.johansen@canonical.com
Subject: Re: [PATCH 2/2] proc,security: move restriction on writing /proc/pid/attr nodes to proc
Date: Tue, 20 Dec 2016 11:50:36 -0500 [thread overview]
Message-ID: <1482252636.28169.34.camel@tycho.nsa.gov> (raw)
In-Reply-To: <1482251949.25787.1.camel@nonadev.net>
On Tue, 2016-12-20 at 17:39 +0100, José Bollo wrote:
> Le mardi 20 décembre 2016 à 11:14 -0500, Stephen Smalley a écrit :
> >
> >
> > Looking at your PTAGS implementation, I feel it is only fair to
> > warn
> > you that your usage of /proc/pid/attr is insecure, regardless of
> > whether you use task security blobs or cred security blobs.
>
> Fair?!
>
> >
> > Getting the attributes of another process via /proc/pid files is
> > inherently racy, as the process may exit and another process with
> > different attributes may be created with the same pid (and no, this
> > is not theoretical; it has been demonstrated).
>
> I know. And I'm surprized that you dont do anything to change that.
There is a reason why SO_PEERSEC and SCM_SECURITY exist. Again, learn
from the upstream security modules rather than re-inventing them,
badly.
>
> >
> > Similarly, setting the
> > attributes of another process via /proc/pid files is likewise
> > inherently racy; you may end up setting the attributes on the wrong
> > process entirely.
>
> I also know that.
>
> >
> > Setting another process' attributes in this manner
> > is also prone to other kinds of races, since there is no
> > coordination
> > between the process execution state and when the new tag is
> > applied.
>
> Yes it is expected.
>
> >
> > Again, I encourage you to reconsider your approach if you want to
> > have a secure solution.
>
> Well I know that managing processes is not secure because there is no
> kind of unique id. But please instead of thinking that it is to
> risky,
> please hear that some risks are manageable or acceptable.
Even when there are known, better ways of doing things?
next prev parent reply other threads:[~2016-12-20 16:50 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-16 17:41 [PATCH 1/2] selinux: clean up cred usage and simplify Stephen Smalley
2016-12-16 17:41 ` [PATCH 2/2] proc, security: move restriction on writing /proc/pid/attr nodes to proc Stephen Smalley
2016-12-16 18:38 ` [PATCH 2/2] proc,security: " Casey Schaufler
2016-12-16 19:06 ` John Johansen
2016-12-16 22:06 ` Paul Moore
2016-12-16 22:13 ` Casey Schaufler
2016-12-20 1:30 ` Paul Moore
2016-12-20 1:51 ` Casey Schaufler
2016-12-20 10:36 ` José Bollo
2016-12-20 11:13 ` [PATCH 2/2] proc, security: " Tetsuo Handa
2016-12-20 12:14 ` [PATCH 2/2] proc,security: " José Bollo
2016-12-19 9:44 ` José Bollo
2016-12-19 14:33 ` Stephen Smalley
2016-12-19 15:00 ` José Bollo
2016-12-19 15:41 ` José Bollo
2016-12-19 15:52 ` Stephen Smalley
2016-12-19 16:32 ` Casey Schaufler
2016-12-19 17:09 ` Stephen Smalley
2016-12-19 18:00 ` Casey Schaufler
2016-12-19 18:18 ` José Bollo
2016-12-19 18:12 ` José Bollo
2016-12-19 20:36 ` John Johansen
2016-12-19 21:25 ` Casey Schaufler
2016-12-19 21:46 ` [PATCH 2/2] proc, security: move restriction on writing/proc/pid/attr " Tetsuo Handa
2016-12-19 21:50 ` [PATCH 2/2] proc,security: move restriction on writing /proc/pid/attr " Stephen Smalley
2016-12-19 22:31 ` Casey Schaufler
2016-12-19 22:45 ` John Johansen
2016-12-19 22:49 ` Casey Schaufler
2016-12-20 1:27 ` Paul Moore
2016-12-20 1:23 ` Paul Moore
2016-12-20 1:59 ` Casey Schaufler
2016-12-20 14:40 ` José Bollo
2016-12-20 16:21 ` Casey Schaufler
2016-12-20 16:14 ` Stephen Smalley
2016-12-20 16:39 ` José Bollo
2016-12-20 16:50 ` Stephen Smalley [this message]
2016-12-20 18:17 ` Casey Schaufler
2016-12-20 18:28 ` Stephen Smalley
2016-12-20 19:07 ` Casey Schaufler
2016-12-20 19:35 ` Stephen Smalley
2016-12-20 20:03 ` Casey Schaufler
2016-12-20 21:22 ` José Bollo
2016-12-20 21:35 ` Stephen Smalley
2016-12-20 21:38 ` John Johansen
2016-12-21 2:37 ` Paul Moore
2016-12-21 7:04 ` José Bollo
2016-12-21 15:15 ` Paul Moore
2016-12-16 22:02 ` [PATCH 1/2] selinux: clean up cred usage and simplify Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1482252636.28169.34.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=casey@schaufler-ca.com \
--cc=james.l.morris@oracle.com \
--cc=jobol@nonadev.net \
--cc=john.johansen@canonical.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.