Date: Fri, 29 Jul 2016 20:12:13 +0200 From: Jann Horn <jann@...jh.net> To: kernel-hardening@...ts.openwall.com Cc: linux-security-module@...r.kernel.org, keescook@...omium.org, spender@...ecurity.net, jmorris@...ei.org, casey.schaufler@...el.com, michael.leibowitz@...el.com, william.c.roberts@...el.com, Elena Reshetova <elena.reshetova@...el.com> Subject: Re: [RFC] [PATCH 1/5] path_fchdir and path_fhandle LSM hooks On Fri, Jul 29, 2016 at 10:34:36AM +0300, Elena Reshetova wrote: > This introduces two new LSM hooks operating on paths. > > - security_path_fchdir() checks for permission on > changing working directory. It can be used by > LSMs concerned on fchdir system call I don't think security_path_fchdir() is a good abstraction level. It neither covers the whole case of "cwd is changed" nor does it cover the whole case of "someone uses a file descriptor to a directory to look up stuff outside that directory". For example, security_path_fchdir() seems to be intended to prevent the use of a leaked file descriptor to the outside world for accessing other files in the outside world. But this is trivially bypassed by first using openat() directly instead of fchdir()+open() (something that used to work against grsecurity, but was fixed quite a while ago). Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.