Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

[Pavel Machek]

Hi!

On Tue 18-04-06 13:13:03, Crispin Cowan wrote:
> Valdis.Kletnieks@xxxxxx wrote:
> > If we heave the LSM stuff overboard, there's one thing that *will* need
> > addressing - what to do with kernel support of Posix-y capabilities.  Currently
> > some of the heavy lifting is done by security/commoncap.c.
> >
> > Frankly, that's *another* thing that we need to either *fix* so it works right,
> > or rip out of the kernel entirely.  As far as I know, there's no in-tree way
> > to make /usr/bin/ping be set-CAP_NET_RAW and have it DTRT.
> >   
> This has actually been one of the interesting developments in AppArmor.
> I also had no use for POSIX.1e capabilities; I thought they were so
> awkward as to be useless. That is, until we integrated capabilities into
> AppArmor profiles.
> 
> Consider this profile for /bin/stty
> /bin/stty {
>   #include <abstractions/base>
> 
>   capability sys_tty_config,
> 
>   /bin/stty r,
> }
> 
> This policy basically allows stty to run, read its own text file, and
> use the capability sys_tty_config. Even though it may run as root, this
> profile confines it to *only* have sys_tty_config.


What happens if I ln /bin/stty /tmp/evilstty, then exploit
vulnerability in stty? 
							Pavel
-- 
Thanks, Sharp!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/