[redhat-lspp] Re: inotify_rm_watch behavior
Darrel Goeddel
dgoeddel at trustedcs.com
Tue Sep 12 14:09:31 UTC 2006
Stephen Smalley wrote:
> On Mon, 2006-09-11 at 15:34 -0400, Amy Griffis wrote:
>
>>Stephen Smalley wrote: [Mon Sep 11 2006, 03:15:59PM EDT]
>>
>>>On Mon, 2006-09-11 at 14:49 -0400, Amy Griffis wrote:
>>>
>>>>Eduardo Madeira Fleury wrote: [Mon Sep 11 2006, 02:05:24PM EDT]
>>>>
>>>>>I'm doing some tests and currently inotify_rm_watch is not performing any
>>>>>permission checks, i.e., an ordinary user can remove a watch set by root on a
>>>>>file with root:root 400 permission.
>>>>>
>>>>>Is this the expected behavior? Seems like neither MAC nor MLS checks are being
>>>>>done.
>>>>
>>>>Yes. As I understand it, an inotify watch is not a data object, and
>>>>so does not require DAC or MAC checks.
>>>
>>>Not sure I follow the rationale for MAC. Process in security context C1
>>>creates an inotify instance, adds some watches to files/directories it
>>>can read (read permission checked between C1 and file context upon
>>>inotify_add_watch), provides the instance descriptor to a process in
>>>security context C2 via execve inheritance or local IPC. Process in
>>>security context C2 can now read events on those watched
>>>files/directories even if it lacks direct read permission to them and
>>>can add and remove watches on the inotify instance, indirectly signaling
>>>the C1 process via the shared inotify instance.
>>>
>>>All of which would be avoided if the MLS policy included a constraint on
>>>fd use permission, thereby preventing such sharing of inotify instances
>>>among processes in different levels except for trusted subjects or
>>>objects identified by a type attribute.
>>
>>Agreed. I was trying to say that there shouldn't be a constraint on
>>the inotify watch itself. Until I saw your mail, I wasn't aware that
>>there aren't currently any constraints on sharing inotify instances.
>
>
> Yes, I pointed this out during the "Syscalls questions" discussion back
> in June. Not sure why no one bothered adding such a constraint to MLS
> policy at the time. It would be something like:
> policy/mls:
> # No sharing of open file descriptions between levels unless
> # the process type is authorized to use fds created by
> # other levels (mlsfduse) or the fd type is authorized to
> # shared among levels (mlsfdshare).
> mlsconstrain fd use ( l1 eq l2 or t1 == mlsfduse or t2 == mlsfdshare);
>
> policy/modules/kernel/mls.te:
> attribute mlsfduse;
> attribute mlsfdshare;
>
> policy/modules/kernel/mls.if:
> interface(`mls_fd_use',`
> gen_require(`
> attribute mlsfduse;
> ')
>
> typeattribute $1 mlsfduse;
> ')
>
> interface(`mls_fd_share',`
> gen_require(`
> attribute mlsfdshare;
> ')
>
> typeattribute $1 mlsfdshare;
> ')
>
>
> And then one would add mls_fd_use() and mls_fd_share() as appropriate to
> types in the policy, e.g.
> policy/modules/system/selinuxtil.te:
> mls_fd_share(newrole_t)
>
> and likewise for login and friends.
>
> Naturally, one would need to exercise the system quite a bit to work out
> exactly what domains require such use/sharing.
The approach outlined above looks good.
--
Darrel
More information about the Linux-audit
mailing list