Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1764776AbXE2L1Z (ORCPT ); Tue, 29 May 2007 07:27:25 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756172AbXE2L1S (ORCPT ); Tue, 29 May 2007 07:27:18 -0400 Received: from wine.ocn.ne.jp ([220.111.47.146]:57121 "EHLO smtp.wine.ocn.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752119AbXE2L1S (ORCPT ); Tue, 29 May 2007 07:27:18 -0400 X-Greylist: delayed 2473 seconds by postgrey-1.27 at vger.kernel.org; Tue, 29 May 2007 07:27:17 EDT To: crispin@novell.com, cliffe@iinet.net.au Cc: casey@schaufler-ca.com, mrmacman_g4@mac.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook From: Tetsuo Handa References: <653438.15244.qm@web36612.mail.mud.yahoo.com> <465AE46B.4090109@iinet.net.au> <465B57D7.2040101@novell.com> In-Reply-To: <465B57D7.2040101@novell.com> Message-Id: <200705291946.FDB72328.NtTGSNMP@I-love.SAKURA.ne.jp> X-Mailer: Winbiff [Version 2.50] X-Accept-Language: ja,en Date: Tue, 29 May 2007 19:46:04 +0900 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4102 Lines: 79 Hello. Crispin Cowan wrote: > AppArmor actually does something similar to this, by mediating all of > the ways that you can make an alias to a file. These are: > > * Symbolic links: these actually don't work for making aliases with > respect to LSM-based security systems such as AppArmor, SELinux, > and TOMOYO Linux, because the symbolic link is resolved before the > access request is presented to the LSM hooks. So if you create the > symbolic link /tmp/harmless -> /etc/shadow and then the confined > victim tries to access /tmp/harmless, what the LSM sees is an > attempt to access /etc/shadow. Yes, TOMOYO does so too. Although TOMOYO is not using LSM, TOMOYO checks it by manually inserted hooks that are called after resolving the symbolic links. > * Hard links: AppArmor explicitly mediates permission to make a hard > link to a file. To be able to make a hard link /tmp/harmless -> > /etc/shadow you have to have explicit permission to do so, or the > attempt to make the link is blocked. This mediation is kept > relatively simple by the fact that you can only hard link to > files, and not to directories. Yes, TOMOYO does so too. Conventional UNIX's access control can't restrict which path_to_file can link with which another_path_to_file because UNIX's access control is a label-based access control. Therefore "ln /etc/shadow /tmp/harmless" becomes a problem when introducing pathname-based access control. TOMOYO checks the combination of both link source and destination, using "allow_link path_to_link_source path_to_link_destination" syntax. Therefore "ln /etc/shadow /tmp/harmless" is impossible as long as "allow_link /etc/shadow /tmp/harmless" (or something like "allow_link /etc/\* /tmp/\*") is not given. TOMOYO checks rename operation as well using "allow_rename path_to_oldname path_to_newname" syntax. > * Multiple mounts: Linux lets you mount the same file system > multiple times at multiple mount points, so the same file could > appear at two different places. AppArmor has very coarse mediation > here, and simply prohibits all calls to mount() without special > permission. So only highly privileged processes can create such an > alias. Yes, TOMOYO does so too. But TOMOYO checks not only the capability to call mount() system call but also the combination of "path_to_device" "path_to_mountpoint" and "filesystem_type" using "allow_mount path_to_device path_to_mountpoint filesystem_type" ("allow_mount --bind path_to_bind_source path_to_bind_destionation" for bind mounts) syntax. And, this is why this very long long thread began. One of the reasons that TOMOYO doesn't use LSM is that it is impossible to obtain "struct vfsmount" parameter inside some of LSM hook functions. From the label-based access control's point of view, bind mount interferes nothing with label based access control and passing "struct vfsmount" parameter looks redundant. But, from the pathname-based access control's point of view, bind mount interferes severely with pathname-based access control because it is impossible to determine which pathname was requested. Although both pathnames point to the same object, TOMOYO focuses on the PROCEDURE FOR REACHING AN OBJECT and being able to know the procedure is very important. (In contrast, SELinux focuses on the ATTRIBUTE OF THE REQUESTED OBJECT, doesn't it?) > So it could be done, but AFAICT, with small benefit and large cost. More > security may be more secure, but it isn't necessarily better. I don't think so. I think the pathname-based access control and the label-based access control are complementarity relation. TOMOYO can coexist with SELinux and AppArmor. What is sad, it becomes impossible to coexist with SELinux and AppArmor if TOMOYO uses LSM. Thanks. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/