On May 26, 2007, at 10:44:46, Tetsuo Handa wrote:
Andreas Gruenbacher wrote:
Tetsuo Handa wrote:
Therefore, TOMOYO Linux checks the combination of filename and
argv[0] passed to execve().
So you are indeed trying to control the value of argv[0]? Well,
good luck with that, but it's totally insane. You are guaranteed
to break some applications.
TOMOYO Linux ristricts argv[0] using allow_argv0 syntax.
"allow_argv0 /bin/bash -bash" to allow passing "/bin/bash" to
filename and "-bash" to argv[0]. "allow_argv0 /bin/gzip gunzip" to
allow passing "/bin/gzip" to filename and "gunzip" to argv[0].
"allow_argv0 /sbin/busybox cat" to allow passing "/sbin/busybox" to
filename and "cat" to argv[0]. No need to use allow_argv0 syntax
if the basename of filename and basename of argv[0] are the same
(i.e. "allow_argv0 /bin/bash bash" is not required). TOMOYO Linux
doesn't unconditionally forbid passing different values for
filename and argv[0]. TOMOYO Linux allows passing different values
for filename and argv[0] only if it is allowed by allow_argv0 syntax.
Could you please explain me why this approach breaks applications?
One of my servers runs 3 different instances of the "kadmind"
Kerberos daemon, one for each realm which I need to be able to modify/
change-passwords/etc. In order to differentiate and stop/restart the
appropriate daemon, I have a simple starter script which runs each
kadmind process with a unique name derived from the realm (EG:
"kadmind(EXAMPLE.COM)", "kadmind(OTHER.EXAMPLE.COM)"). Since this is
a Kerberos server I use a very strict SELinux-based policy, yet my
management tools need to be able to easily add and remove realms in a
secure fashion. It sounds like TOMOYO Linux would not be able to
handle this situation at all; I would either have to completely turn
off that security "feature" and lose most of the functionality of
TOMOYO Linux, or hard-code the list of realms into the policy file
and have to completely reload policy every time I need to add/remove
realms (big gaping security hole).
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html