Re: Using dyntransition to reduce privileges for Web application

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford <sgifford@xxxxxxxxxxxxxxxx> wrote:
On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
[ ... ] 
> Third, since my main goal here is to prevent processes from interacting with
> each other inappropriately, I would like to prevent each HTTP worker from
> reading any information from "/proc" for other HTTP workers.  Currently they
> are allowed to do this, because they all run in the same domain.  Is there
> any way to prevent this?
>

libvirt and sandbox use MCS separation for this.  Basically they grab
random MCS labels to separate the processes.  I would suggest using two
Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.

s0:c1,c43
s0:c2,c43

Is fine.

s0:c1,c1 is not

Then just set that context and you should get separation. if you need
the processes to handle data it might get a little more complicated.

Thanks!  I think I will need to learn a little more about this feature before I can use it.  I will need a way to generate a unique category number (maybe from the PID?), and the processes will need to handle some shared data and code, so I will need to figure that out as well.

OK, so I have started experimenting with this, but /proc is not behaving how I expect so far.

So I open up two shells.  In the first I run:

runcon -l s0-s0:c0,c1 bash

and in the second:

runcon -l s0-s0:c0,c2 bash

So both should have access to c1, but only the first will have access to c1 and only the second will have access to c2.

When I try this on files, it works:

shell1$ id -Z
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ ls -lZ test.c1 test.c2
-rw-rw-r--  sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
-rw-rw-r--  sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
shell1$ head -1 test.c1 test.c2
==> test.c1 <==
Category 1
head: cannot open `test.c2' for reading: Permission denied

But on /proc files it does not:

shell1$ id -Z
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ ls -lZ /proc/10961/maps
-r--r--r--  sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
shell1$ head -1 /proc/10961/maps
002ac000-002ad000 r-xp 002ac000 00:00 0          [vdso]

That is, even though "ls -lZ" indicates that the maps file for PID 10961 requires c2 and my shell does not have c2, still I am allowed to read this file.

I must be misunderstanding something here.  Any thoughts or hints?

Thanks!

-----Scott.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux