In-Reply-To: <200705262344.HGG92040.QtGFWFTOJMHOEFV@I-love.SAKURA.ne.jp>
References: <309300.41401.qm@web36615.mail.mud.yahoo.com> <200705261346.20712.agruen@suse.de> <200705262109.JJB99189.TFHFGQEOtVOMWJF@I-love.SAKURA.ne.jp> <200705261541.09891.agruen@suse.de> <200705262344.HGG92040.QtGFWFTOJMHOEFV@I-love.SAKURA.ne.jp>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <5630E353-1556-4A0F-8618-D885B5BC1842@mac.com>
Cc: agruen@suse.de, casey@schaufler-ca.com, jmorris@namei.org,
       linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org,
       linux-fsdevel@vger.kernel.org
Content-Transfer-Encoding: 7bit
From: Kyle Moffett <mrmacman_g4@mac.com>
Subject: Re: Pass struct vfsmount to the inode_create LSM hook
Date: Sat, 26 May 2007 14:16:26 -0400
To: Tetsuo Handa <penguin-fsdevel@I-love.SAKURA.ne.jp>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2415
Lines: 49

On May 26, 2007, at 10:44:46, Tetsuo Handa wrote:
> Andreas Gruenbacher wrote:
>> Tetsuo Handa wrote:
>>> Therefore, TOMOYO Linux checks the combination of filename and  
>>> argv[0] passed to execve().
>>
>> So you are indeed trying to control the value of argv[0]? Well,  
>> good luck with that, but it's totally insane. You are guaranteed  
>> to break some applications.
>
> TOMOYO Linux ristricts argv[0] using allow_argv0 syntax.   
> "allow_argv0 /bin/bash -bash" to allow passing "/bin/bash" to  
> filename and "-bash" to argv[0].  "allow_argv0 /bin/gzip gunzip" to  
> allow passing "/bin/gzip" to filename and "gunzip" to argv[0].   
> "allow_argv0 /sbin/busybox cat" to allow passing "/sbin/busybox" to  
> filename and "cat" to argv[0].  No need to use allow_argv0 syntax  
> if the basename of filename and basename of argv[0] are the same  
> (i.e. "allow_argv0 /bin/bash bash" is not required).  TOMOYO Linux  
> doesn't unconditionally forbid passing different values for  
> filename and argv[0].  TOMOYO Linux allows passing different values  
> for filename and argv[0] only if it is allowed by allow_argv0 syntax.
>
> Could you please explain me why this approach breaks applications?

One of my servers runs 3 different instances of the "kadmind"  
Kerberos daemon, one for each realm which I need to be able to modify/ 
change-passwords/etc.  In order to differentiate and stop/restart the  
appropriate daemon, I have a simple starter script which runs each  
kadmind process with a unique name derived from the realm (EG:  
"kadmind(EXAMPLE.COM)", "kadmind(OTHER.EXAMPLE.COM)").  Since this is  
a Kerberos server I use a very strict SELinux-based policy, yet my  
management tools need to be able to easily add and remove realms in a  
secure fashion.  It sounds like TOMOYO Linux would not be able to  
handle this situation at all;  I would either have to completely turn  
off that security "feature" and lose most of the functionality of  
TOMOYO Linux, or hard-code the list of realms into the policy file  
and have to completely reload policy every time I need to add/remove  
realms (big gaping security hole).

Cheers,
Kyle Moffett


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/