Re: Leaking Path in XFS's ioctl interface(missing LSM check)
From: Tetsuo Handa
Date: Thu Sep 27 2018 - 19:13:13 EST
On 2018/09/28 7:19, Dave Chinner wrote:> IOWs, the security_file_ioctl() hook is almost completely useless in
> cases like this - you can't isolate the ioctl based on the file
> argument, because it can point to any file or directory in the
> filesystem. And without actually parsing, decoding and instantiating
> the the ioctl arguments, you can't tell the ioctl it can't act on
> specific targets. And because filehandle to dentry resolution
> results in disconnected dentries, the paths are not complete and
> hence path based security checks (e.g. tomoyo) are likely to be
> broken and unfixable...
Though TOMOYO uses pathname as a mandatory parameter, CaitSith
(currently waiting for review) does not.
CaitSith can filter filesystem specific ioctl() using fsmagic
and cmd parameter like:
10 acl ioctl path.fsmagic=0x9FA0
audit 0
10 deny cmd=@FORBIDDEN_IOCTLS_ON_PROCFS
20 allow
CaitSith does ioctl() checks. Missing LSM check is a bug.