On Thu, 2004-10-14 at 13:56, Steve Coleman wrote:
> So just to clarify, what's the difference between a user running a script
> file that does exec "java ./MyClass.class" and a stack overrun causing a
> browser with a smashed stack to save a MyBackdoor.class to the local
> file system and execing "java ./MyBackdoor.class -irc
> blackhathosting.org" ?

Calling context. User is initially in a given domain (e.g. user_t), runs
script file that may or may not transition depending on policy. Browser
runs in a different domain (e.g. user_mozilla_t) that has a subset of
user_t's permissions. Further, files writable by browser domain are not
executable by user directly without explicit relabel by user. (Note: I
don't know if that is still true in the present Fedora policy, but
certainly possible to configure it that way).

> In both cases it's the same user, and in both cases it's the same java VM
> binary.

SELinux can capture the entire call chain (via execve, not function calls
here) if desired, e.g. distinguishing here on the browser, although you
typically only encode new domains where you cross a trust boundary.

> The java binary is likely the only process that knows enough to
> enforce anything here based on when, what, and where things are run by
> the user.

SELinux can enforce a coarse-grained policy over the maximum access
granted to the process. But I agree that the VMM ultimately needs some
awareness of security to refine that policy to deal with the
finer-grained internal abstractions it manages. Nonetheless, you don't
want to rely entirely on the VMM's enforcement, as it may be subverted
itself.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
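As an added illustration of the calling-context separation described in the reply above (example policy written for this page, not code from the thread or from any Fedora policy), a hypothetical type-enforcement module in reference-policy macro style: the types user_t and user_mozilla_t come from the mail, while mozilla_exec_t, mozilla_home_t and user_home_t are assumed names, and the policy_module/domain_auto_trans macros assume a modular refpolicy build rather than the 2004 Fedora policy.

```selinux
# Hypothetical module: browser runs in user_mozilla_t, a domain with a subset
# of user_t's permissions; files it writes get a type user_t cannot execute
# until the user explicitly relabels them.
policy_module(mozilla_ctx, 1.0)

require {
    type user_t;          # the user's login domain (from the mail)
    type user_home_t;     # assumed: ordinary files in the user's home dir
}

type user_mozilla_t;      # browser domain (from the mail)
type mozilla_exec_t;      # assumed: label on the browser binary
type mozilla_home_t;      # assumed: label for files the browser creates

domain_type(user_mozilla_t)
domain_entry_file(user_mozilla_t, mozilla_exec_t)

# Calling context: execve() of the browser binary from user_t lands the new
# process in user_mozilla_t. A script run directly by the user stays in
# user_t (no rule here), so the same "java" binary is judged by the domain
# that launched it, not by the Unix uid.
domain_auto_trans(user_t, mozilla_exec_t, user_mozilla_t)

# Files the browser saves into the home directory are created as
# mozilla_home_t rather than user_home_t.
type_transition user_mozilla_t user_home_t:file mozilla_home_t;
allow user_mozilla_t user_home_t:dir { search add_name write };
allow user_mozilla_t mozilla_home_t:file { create read write getattr };

# The browser domain itself may only read and write what it saved; it gets
# no execute permission, so a file dropped by a subverted browser cannot
# be run as a program from user_mozilla_t.

# user_t may read what the browser saved, but not execute it ...
allow user_t mozilla_home_t:file { read getattr };
# ... unless the user explicitly relabels it (e.g. chcon) back to a type
# the base policy lets user_t execute.
allow user_t mozilla_home_t:file relabelfrom;
allow user_t user_home_t:file relabelto;
```

Auditing the deny for execute on mozilla_home_t (an AVC message naming scontext=user_mozilla_t or user_t and tcontext=mozilla_home_t) is the detection signal for a browser-written file being launched without the explicit relabel step.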