Re: [RFC] Privilege dropping security module
From: Andy Spencer
Date: Fri Sep 25 2009 - 03:30:03 EST
> If I understand correctly, this isn't sufficient to run untrusted code,
> because it only restricts access to the filesystem. You gotta restrict
> access to the network, interaction with other processes, and so on.
> (For instance, does dpriv let the untrusted process take over another of
> your processes using ptrace?)
Yes, currently dpriv allows a process to take over another process using
ptrace. However, I plan on supporting limits on ptrace (and other
things) in the future.
> I suspect making all permissions recursive is going to lead to overly
> permissive policies. Suppose I want to allow read access to everything
> under /lib and /usr/lib, read-execute access to everything under /bin
> and /usr/bin, and read-write access to everything under /tmp. (But I
> do not want to allow any access to any other directories.) How do I
> do it?
The important thing is that limits can be overridden while they are
still in the stage. This allows you to deny access to a directory, but
still allow access to specific subdirectories.
$ echo -----X / > /sys/kernel/security/dpriv/stage
$ echo r--R-X /lib > /sys/kernel/security/dpriv/stage
$ echo r--R-X /usr/lib > /sys/kernel/security/dpriv/stage
$ echo r-xR-X /bin > /sys/kernel/security/dpriv/stage
$ echo r-xR-X /usr/bin > /sys/kernel/security/dpriv/stage
$ echo rw-RWX /tmp > /sys/kernel/security/dpriv/stage
$ echo commit > /sys/kernel/security/dpriv/control
Does this answer your question? It should be noted that you can still
walk to any directory because X is allowed on /. To prevent this you
would have to allow X on / and then specifically deny X on /*/, but
expanding * is something that I would rather have done in userspace.
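To make the staging semantics above concrete, here is a small Python model of the rules in this message (an added illustration, not code from dpriv or from this thread). It assumes two things that are my reading of the example rather than documented dpriv behaviour: the lowercase `rwx` triple governs files and the uppercase `RWX` triple governs directories, both applying recursively below the named path, and a rule on a deeper path overrides one inherited from an ancestor, with a later rule for the same path replacing an earlier one. The top-level directory listing used for the userspace expansion of "deny X on /*/" is constructed inline, where a real tool would read it from the filesystem.

```python
import posixpath

# Constructed example policy: the same rules staged in the message above.
STAGED_RULES = [
    ("-----X", "/"),
    ("r--R-X", "/lib"),
    ("r--R-X", "/usr/lib"),
    ("r-xR-X", "/bin"),
    ("r-xR-X", "/usr/bin"),
    ("rw-RWX", "/tmp"),
]

STAGE = "/sys/kernel/security/dpriv/stage"
CONTROL = "/sys/kernel/security/dpriv/control"


def parse_rule(perm, path):
    """Split 'rwxRWX' into (path, file perms, directory perms).

    Assumption (my reading of the example): lowercase = files,
    uppercase = directories, '-' = denied, both recursive below path.
    """
    if len(perm) != 6:
        raise ValueError("permission string must be 6 characters: %r" % perm)
    for ch, want in zip(perm, "rwxRWX"):
        if ch not in ("-", want):
            raise ValueError("unexpected character %r in %r" % (ch, perm))
    file_perms = {c for c in perm[:3] if c != "-"}
    dir_perms = {c.lower() for c in perm[3:] if c != "-"}
    return posixpath.normpath(path), file_perms, dir_perms


def compile_policy(rules):
    return [parse_rule(perm, path) for perm, path in rules]


def _covers(rule_path, target):
    """True if target is rule_path itself or lies somewhere beneath it."""
    if target == rule_path or rule_path == "/":
        return True
    return target.startswith(rule_path + "/")


def effective_perms(policy, target, is_dir):
    """Most specific rule wins; a later rule on the same path overrides an
    earlier one, mirroring 'limits can be overridden while still staged'."""
    target = posixpath.normpath(target)
    best = None
    for rule_path, file_perms, dir_perms in policy:
        if _covers(rule_path, target) and (best is None or len(rule_path) >= len(best[0])):
            best = (rule_path, file_perms, dir_perms)
    if best is None:
        return set()
    return set(best[2] if is_dir else best[1])


def can_walk(policy, target):
    """Reaching target needs X on every directory from / down to its parent."""
    d = posixpath.dirname(posixpath.normpath(target))
    while True:
        if "x" not in effective_perms(policy, d, is_dir=True):
            return False
        if d == "/":
            return True
        d = posixpath.dirname(d)


def deny_unlisted_toplevel(rules, toplevel_dirs):
    """Userspace expansion of 'deny X on /*/': deny every top-level directory
    that no staged rule needs. toplevel_dirs stands in for os.listdir('/')."""
    needed = set()
    for _, path in rules:
        head = posixpath.normpath(path).strip("/").split("/")[0]
        if head:
            needed.add(head)
    extra = [("------", "/" + d) for d in sorted(toplevel_dirs) if d not in needed]
    return list(rules) + extra


def stage_commands(rules):
    """Render a rule list as the shell lines that would be typed into securityfs."""
    lines = ["echo %s %s > %s" % (perm, path, STAGE) for perm, path in rules]
    lines.append("echo commit > %s" % CONTROL)
    return lines


if __name__ == "__main__":
    base = compile_policy(STAGED_RULES)
    print("/etc/passwd readable:", "r" in effective_perms(base, "/etc/passwd", False))
    print("/etc/passwd reachable:", can_walk(base, "/etc/passwd"))
    hardened = compile_policy(deny_unlisted_toplevel(
        STAGED_RULES, ["bin", "etc", "home", "lib", "tmp", "usr", "var"]))
    print("/etc/passwd reachable after deny:", can_walk(hardened, "/etc/passwd"))
    print("\n".join(stage_commands(STAGED_RULES)))
```

Running it shows the caveat from the message: with the six rules as staged, `/etc/passwd` cannot be read but its directory can still be walked to, because X on `/` is recursive; after the userspace expansion adds `------ /etc`, `------ /home` and `------ /var`, the walk is refused while `/usr/lib` and `/bin` remain reachable and readable as before.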