Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks

From: Kristian Sørensen
Date: Fri Sep 03 2004 - 15:03:47 EST

Next message: Matthew Wilcox: "[PATCH] pci_bus_address [1/5]"
Previous message: Russell King: "Re: [PATCH 2.6.8.1 0/2] leds: new class for led devices"
In reply to: Christoph Hellwig: "Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks"
Next in thread: Christoph Hellwig: "Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Christoph Hellwig wrote:

On Fri, Sep 03, 2004 at 03:20:55PM +0200, Kristian Sørensen wrote:

But we do not have a struct file - just an inode or a dentry :((

Then you can't generate a full path.

We are working on a project called Umbrella, (umbrella.sf.net) which implements processbased mandatory accesscontrol in the Linux kernel. This access control is controlled by "restriction", e.g. by restricting some process from accessing any given file or directory.

E.g. if a root owned process is restricted from accessing /var/www, and the process is compromised by an attacker, no mater what he does, he would not be able to access this directory.

mount --bind /var/www /home/joe/p0rn/, and then?

Actually this "attack" is avoided, because restrictions are enherited, from parent proces to its children.

Okay, this is how it works in basic:

------------------
ks@qbox:~/umbrella-devel/userspace
$ touch /tmp/a

ks@qbox:~/umbrella-devel/userspace
$ ./umbrella_restricted_sh

sh-2.05b$ touch /tmp/a
touch: setting times of `/tmp/a': Operation not permitted

sh-2.05b$ exit
Restricted child died
Thank you for testing!
Concider joining the development at http://umbrella.sourceforge.net
------------------

- the "umbrella_restricted_sh" just forks a new shell, which is restricted from /tmp

Now let's try your suggestion:

------------------------
root@qbox:~/umbrella-devel/userspace
$ id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

root@qbox:~/umbrella-devel/userspace
$ mkdir new-tmp

root@qbox:~/umbrella-devel/userspace
$ mount --bind /tmp new-tmp

root@qbox:~/umbrella-devel/userspace
$ mount
/dev/discs/disc1/part2 on / type ext3 (rw)
none on /dev type devfs (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw)
/dev/discs/disc0/part1 on /home type ext3 (rw)
/dev/discs/disc0/part2 on /media type ext3 (rw)
none on /dev/shm type tmpfs (rw)
none on /proc/bus/usb type usbfs (rw)
/tmp on /home/ks/umbrella-devel/userspace/new-tmp type none (rw,bind)

root@qbox:~/umbrella-devel/userspace
$ ./umbrella_restricted_sh

sh-2.05b# touch /tmp/a
touch: setting times of `/tmp/a': Operation not permitted

sh-2.05b# touch new-tmp/a
touch: setting times of `new-tmp/a': Operation not permitted

sh-2.05b# ls new-tmp/
ls: new-tmp/: Operation not permitted

sh-2.05b# exit
Restricted child died
Thank you for testing!
Concider joining the development at http://umbrella.sourceforge.net
------------------------

As you can see, the bind-mount fails to succeed in accessing the files in /tmp.

Best regards, Kristian.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matthew Wilcox: "[PATCH] pci_bus_address [1/5]"
Previous message: Russell King: "Re: [PATCH 2.6.8.1 0/2] leds: new class for led devices"
In reply to: Christoph Hellwig: "Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks"
Next in thread: Christoph Hellwig: "Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]