All of lore.kernel.org
 help / color / mirror / Atom feed
From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [RFC] Privilege dropping security module
Date: Fri, 25 Sep 2009 20:48:27 +0000 (UTC)	[thread overview]
Message-ID: <h9jaar$url$1@taverner.cs.berkeley.edu> (raw)
In-Reply-To: 20090925072248.GB9821@c.hsd1.tn.comcast.net

Andy Spencer  wrote:
>> If I understand correctly, this isn't sufficient to run untrusted code,
>> because it only restricts access to the filesystem.  You gotta restrict
>> access to the network, interaction with other processes, and so on.
>> (For instance, does dpriv let the untrusted process take over another of
>> your processes using ptrace?)
>
>Yes, currently dpriv allows a process to take over another process using
>ptrace. However, I plan on supporting limits on ptrace (and other
>things) in the future.

Ptrace is just one example: there is a non-trivial list of non-filesystem
resources that must be controlled, to run untrusted code safely.

>> I suspect making all permissions recursive is going to lead to overly
>> permissive policies.  Suppose I want to allow read access to everything
>> under /lib and /usr/lib, read-execute access to everything under /bin
>> and /usr/bin, and read-write access to everything under /tmp.  (But I
>> do not want to allow any access to any other directories.)  How do I
>> do it?
>
>The important thing is that limits can be overridden while they are
>still in the stage. This allows you to deny access to a directory, but
>still allow access to specific subdirectories.
>
>  $ echo -----X /        > /sys/kernel/security/dpriv/stage
>  $ echo r--R-X /lib     > /sys/kernel/security/dpriv/stage
>  $ echo r--R-X /usr/lib > /sys/kernel/security/dpriv/stage
>  $ echo r-xR-X /bin     > /sys/kernel/security/dpriv/stage
>  $ echo r-xR-X /usr/bin > /sys/kernel/security/dpriv/stage
>  $ echo rw-RWX /tmp     > /sys/kernel/security/dpriv/stage
>  $ echo commit          > /sys/kernel/security/dpriv/control
>
>Does this answer your question?

Unfortunately it does not, because as you note:

>It should be noted that you can still
>walk to any directory because X is allowed on /.

Which contradicts the goal of not allowing access to any other
directories.  In other words, the implementation above of my desired
policy is overly permissive.  This illustrates my more general point:
the dpriv policy specification language seems likely to lead to overly
permissive policies -- policies that are more permissive than what was
really desired.

>To prevent this you
>would have to allow X on / and then specifically deny X on /*/, but
>expanding * is something that I would rather have done in userspace.

In principle a user of dpriv could do that, to be sure, but in practice
this becomes unwieldy, so I suspect few will.  As a result, in practice
this interface to dpriv probably means that most implemented policies
will be more permissive than intended/desired.  I consider that a defect
in the design of the specification language.  It seems like it would
be preferable to have a specification language that better facilitates
secure use of dpriv.

  reply	other threads:[~2009-09-25 20:48 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-23  0:56 [RFC] Privilege dropping security module Andy Spencer
2009-09-23 20:46 ` Casey Schaufler
2009-09-23 22:31   ` Andy Spencer
2009-09-23 23:03     ` Tetsuo Handa
2009-09-24 16:37     ` David Wagner
2009-09-25  7:22       ` Andy Spencer
2009-09-25 20:48         ` David Wagner [this message]
2009-09-26 21:09           ` Andy Spencer
2009-09-27  0:28             ` David Wagner
2009-10-01  7:38     ` Pavel Machek
2009-10-01  9:15       ` Andy Spencer
2009-10-01 10:42         ` Pavel Machek
2009-09-23 21:31 ` [RFC][PATCH] " Andy Spencer
2009-09-24 16:25   ` Casey Schaufler
2009-09-25 10:06     ` Andy Spencer
2009-09-25 16:23       ` Casey Schaufler
2009-09-26 21:35         ` Andy Spencer
2009-09-28  5:38           ` Rob Meijer
2009-09-25 21:00       ` David Wagner
2009-09-29  7:36         ` Andy Spencer
2009-09-29  7:10 ` [RFC][PATCH] Permission masking security module (was dpriv) Andy Spencer
2009-09-29 17:44   ` Greg KH
2009-09-30  0:18     ` Andy Spencer
2009-10-01  2:33   ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='h9jaar$url$1@taverner.cs.berkeley.edu' \
    --to=daw@cs.berkeley.edu \
    --cc=daw-news@cs.berkeley.edu \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.