Date: Fri, 29 Jul 2016 20:12:13 +0200
From: Jann Horn <jann@...jh.net>
To: kernel-hardening@...ts.openwall.com
Cc: linux-security-module@...r.kernel.org, keescook@...omium.org,
	spender@...ecurity.net, jmorris@...ei.org,
	casey.schaufler@...el.com, michael.leibowitz@...el.com,
	william.c.roberts@...el.com,
	Elena Reshetova <elena.reshetova@...el.com>
Subject: Re: [RFC] [PATCH 1/5] path_fchdir and path_fhandle LSM hooks

On Fri, Jul 29, 2016 at 10:34:36AM +0300, Elena Reshetova wrote:
> This introduces two new LSM hooks operating on paths.
> 
>   - security_path_fchdir() checks for permission on
>     changing working directory. It can be used by
>     LSMs concerned on fchdir system call

I don't think security_path_fchdir() is a good abstraction
level. It neither covers the whole case of "cwd is changed" nor does
it cover the whole case of "someone uses a file descriptor to a
directory to look up stuff outside that directory".

For example, security_path_fchdir() seems to be intended to prevent
the use of a leaked file descriptor to the outside world for accessing
other files in the outside world. But this is trivially bypassed by
first using openat() directly instead of fchdir()+open() (something
that used to work against grsecurity, but was fixed quite a while
ago).
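
[Added example, not part of the original message or of the patch set under review.] The C program below shows why a check on fchdir() alone does not mediate directory-fd lookups: fchdir()+open() and openat() on the same descriptor reach the same inode, and only the first calls fchdir(). The scratch directory, the file name "note" and the function name are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo: returns 1 if fchdir()+open() and openat() on the same
 * directory fd reach the same inode, 0 if not, -1 on setup error. */
int dirfd_paths_equivalent(void) {
    char tmpl[] = "/tmp/dirfd-demo-XXXXXX";   /* constructed scratch dir */
    struct stat s1, s2;
    int dfd = -1, f1 = -1, f2 = -1, w = -1, result = -1;
    int oldcwd = open(".", O_RDONLY | O_DIRECTORY);

    if (oldcwd < 0) return -1;
    if (!mkdtemp(tmpl)) { close(oldcwd); return -1; }
    dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) goto out;
    w = openat(dfd, "note", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (w < 0) goto out;

    /* Path 1: the sequence an fchdir-only hook would see. */
    if (fchdir(dfd) != 0) goto out;
    f1 = open("note", O_RDONLY);
    if (fchdir(oldcwd) != 0) goto out;      /* restore the original cwd */

    /* Path 2: lookup relative to the fd; the cwd is never changed. */
    f2 = openat(dfd, "note", O_RDONLY);

    if (f1 < 0 || f2 < 0 || fstat(f1, &s1) || fstat(f2, &s2)) goto out;
    result = (s1.st_dev == s2.st_dev && s1.st_ino == s2.st_ino);
out:
    if (w >= 0) close(w);
    if (f1 >= 0) close(f1);
    if (f2 >= 0) close(f2);
    if (dfd >= 0) { unlinkat(dfd, "note", 0); close(dfd); }
    rmdir(tmpl);
    close(oldcwd);
    return result;
}

int main(void) {
    printf("same inode via both paths: %d\n", dirfd_paths_equivalent());
    return 0;
}
```

A policy that is meant to confine what a directory descriptor can reach therefore has to be enforced where the lookup happens, since the second path never passes through fchdir().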
