On Wed, 29 Jun 2011, Sam Gandhi <samgandhi9@xxxxxxxxx> wrote: > In my situation I am using busybox that is compiled with option > CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS=y. > hence /bin/sh is not a link, but really a script that contains following > line > > #!/bin/busybox That is a rather convoluted way of launching all the shell scripts that have #!/bin/sh at the start, but it probably doesn't make a noticable impact on performance with modern hardware. > We decided to use option of CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS as > it will allow us to label busybox executables and may not require > approach you have suggested in your paper The advantage of using a small C program as the wrapper or of having multiple busybox applications for different sets of utilities is to provide a reliable atomic domain transition. If one of those shell scripts causes a transition into a more privileged domain (as could be the case for ping or traceroute if you use them) then a hostile party could create a symlink to the shell script in question and try a race condition of replacing the link while in the process of executing it. If they time it right then the old version of the symlink (pointing to a system script) would be used for the domain transition and the new version would be executed. Of course if you define the threat model for your embedded/mobile device to not include having user_t take over ping_t via a race condition then it could be OK. It would be quite valid in some situations to define SE Linux as only protecting local resources and not have it restrict network access. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
