Re: [PATCH v2] security: Yama LSM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Kees Cook <kees.cook@xxxxxxxxxxxxx> writes:
> +
> +config SECURITY_YAMA_SYMLINKS
> +	bool "Yama: protect symlink following in sticky world-writable
> dirs"

IMHO it's bad style to have CONFIGs that just set defaults,
if that can be done at runtime too. Especially as in your case if it's 
a lot of settings. Is it that bad to have a init script and drop these 
CONFIGs? 

However the help texts are useful,  these should be in the sysctl
documentatin in Documentation instead.

> +	if (rc) {
> +		printk_ratelimited(KERN_INFO "ptrace of non-child"
> +			" pid %d was attempted by: %s (pid %d)\n",
> +			child->pid, get_task_comm(name, current),
> +			current->pid);

It's probably obscure and other kernel code has this too, but at some point
there were attacks to use terminal ESC sequences to attack root's
terminal when they dmesg. Couldn't that be done through "comm" here?

At least the other code who has this problem doesn't claim to enhance
security :)

-Andi


-- 
ak@xxxxxxxxxxxxxxx -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux