Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks

[Kristian Sørensen]

Horst von Brand wrote:
> > Also simple bufferoverflows in suid-root programs may be avoided.
>
>
> How?
You can (naturally) not avoid the attack and thereby the process from 
crashing - but you can avoid the effects of it. E.g. if you restrict the 
suid-root process form spawning new processes, it would not be able to 
spawn a root shell, programs liks passwd and cdrecord would be good 
candidates to this restriction.


> >                                                                  The 
> > simple way would to set the restriction "no fork", and thus if an 
> > attacker tries to fork a (root) shell, this would be denied.
>
>
> A simple exec(2) will do. Or overwriting a file. Or... If you restrict all
> potentially dangerous operations, you have nothing useful left.
>
>
> >                                                             Another way 
> > could be to heavily restrict access to the filesystem. If the program is 
> > restricted from /var, the root shell spawned by the attack would not 
> > have access either. (restrictions are enherited from parent to children).
>
>
> Just delete /var. Oops, it is there for a purpose...
Sure... but not all programs really need access to this. My calendar on 
my PDA for one do not. It (restricting /var) was, as I hope you 
guessed?, an example!


A cool thing is also, that if you restrict the init process from 
accessing a secific directory, then all processes in the system will be 
restricted from this. This will be utilized by Umbrella, to introduce 
signed files (public key cryptography). The area of the public keys will 
be protected by the kernel - simply by restricting Init from this location.


KS.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/