On Tue, 12 Feb 2008 10:45:41 -0500 "Todd Miller" wrote: > Daniel J Walsh wrote: > > So this exploit, don't you neet to write to /proc? xguest_t should > > not be allowed to do this? > > No, you don't need to be able to write to /proc to exploit the bug. > Having read access /proc/kallsyms just makes things a little easier > for the attacker. Removing the address of selinux_enforcing from > kallsyms doesn't stop the attack, it just makes the attacker work > a little harder. Yes, we do not need write access to /proc/kallsyms. > Note that the modified exploit that uses kallsyms to find the address > of vmsplice and then opens /dev/kmem read/write to do its work would > be stopped by SELinux. Default xguest_t does not allow execution of program on /home so, exploit program can not be executed. I tried exploit with boolean allow_xguest_exec_content on. However, in this case, it is easy to guess address of selinux_enforcing, because the address of selinux_enforcing is the same in another machine, as long as the same kernel binary is used. > > - todd Regards, Yuichi Nakamura -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
