Re: policy for PowerDNS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/03/2013 08:47 AM, Sander Hoentjen wrote:
> On 12/27/2012 06:21 PM, Daniel J Walsh wrote:
>> On 12/27/2012 10:23 AM, Sander Hoentjen wrote:
>>> On 12/27/2012 04:17 PM, Daniel J Walsh wrote:
>>>> On 12/24/2012 07:48 AM, Sander Hoentjen wrote:
>>>>> On 12/05/2012 08:24 PM, Sven Vermeulen wrote:
>>>>>> On Wed, Dec 05, 2012 at 06:51:54AM -0500, Daniel J Walsh wrote:
>>>>>>>> If named by default doesn't require this access, doesn't it
>>>>>>>> make sense to keep it restricted? Remote code execution 
>>>>>>>> vulnerabilities might be mitigated if the policy prohibits 
>>>>>>>> execution of common binaries
>>>>>>>> 
>>>>>>>> Reading /usr however seems less problematic (I'm even
>>>>>>>> surprised it doesn't require this already).
>>>>>>> 
>>>>>>> Perhaps but if you have enough control over a process to
>>>>>>> execute random binaries, one would guess you have enough
>>>>>>> control to call other syscalls implemented in those binaries.
>>>>>> 
>>>>>> I can follow your reasoning, but I disagree.
>>>>>> 
>>>>>> Remote command execution can be done either in a very simple way
>>>>>> (for instance, user input that is not correctly sanitized and
>>>>>> that is directly used for spawning specific commands) or through
>>>>>> memory manipulation.
>>>>>> 
>>>>>> Let's say it is memory manipulation, then there are imho two
>>>>>> ways this can lead to a remote command execution: data memory or
>>>>>> execution memory.
>>>>>> 
>>>>>> Either the memory is data (non-executable) and is used by the 
>>>>>> application for its flows, logic and what else. In this case,
>>>>>> you won't have the ability to invoke syscalls yourself (through
>>>>>> the exploit) but you can manipulate the application, which
>>>>>> underlyingly might use the data to spawn commands.
>>>>>> 
>>>>>> Or the memory is code (executable). In this case, if you can 
>>>>>> manipulate this, then you indeed have control over the
>>>>>> application completely and can invoke system calls yourself.
>>>>>> 
>>>>>> The majority of Remote Code Execution vulnerabilities, imho,
>>>>>> plays in the data memory, not in the executable memory. For one,
>>>>>> because executable memory shouldn't be writeable in the first
>>>>>> place (you can use PaX or other constraints for that). It is also
>>>>>> harder to manipulate this code to the extend that you can do
>>>>>> useful things with it.
>>>>>> 
>>>>>> But if we're talking about data memory manipulation/corruption,
>>>>>> then the syscalls don't play a role, and SELinux can reduce the
>>>>>> impact of such vulnerabilities if you can downplay what the
>>>>>> domain is allowed to do. Such as executing generic binaries.
>>>>>> 
>>>>>> Of course, an even better way to handle this is to chroot the
>>>>>> named daemon itself so that there are no binaries to execute
>>>>>> beyond those that are already needed. I do believe that chrooting
>>>>>> named is still a very useful approach even if you use SELinux
>>>>>> [1], but there are people that think differently.
>>>>>> 
>>>>> Trying to move the policy for pdns forward, do I understand
>>>>> correctly that the following additions to the policy would be ok: 
>>>>> ======pdns.fc====== /usr/sbin/pdns_server           -- 
>>>>> gen_context(system_u:object_r:named_exec_t,s0) /etc/pdns/pdns\.conf
>>>>> -- gen_context(system_u:object_r:named_conf_t,s0) 
>>>>> /var/run/pdns\.controlsocket    -s 
>>>>> gen_context(system_u:object_r:named_var_run_t,s0)
>>>>> /var/run/pdns\.pid -- 
>>>>> gen_context(system_u:object_r:named_var_run_t,s0)
>>>>> =================== ======pdns.te====== policy_module(pdns,0.0.1)
>>>> 
>>>>> require{ type named_t; }
>>>> 
>>>>> #only needed if using the guardian allow named_t self:capability {
>>>>> kill };
>>>> 
>>>>> #gmysql backend: mysql_read_config(named_t) 
>>>>> files_read_usr_files(named_t) mysql_stream_connect(named_t)
>>>> 
>>>>> #postgres backend: postgresql_stream_connect(named_t) 
>>>>> ===================
>>>> 
>>>>> But the following addition to the .te is under discussion: #pipe 
>>>>> backend: corecmd_exec_bin(named_t)
>>>> 
>>>>> If i am correct up till this point, I would be okay with either
>>>>> having corecmd_exec_bin in a boolean, or use a new type for this
>>>>> and add documentation to pdns showing what type you need to make
>>>>> your pipe backend.
>>>> 
>>>>> What do you guys think?
>>>> 
>>>>> -- This message was distributed to subscribers of the selinux
>>>>> mailing list. If you no longer wish to subscribe, send mail to 
>>>>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
>>>>> without quotes as the message.
>>>> 
>>>> 
>>>> 
>>>> What is the path to the bin_t?  I am not opposed to allow it to
>>>> execute random bin_t, but if this is a constant path, then labeling
>>>> it would be more secure. named_helper_exec_t or something.
>>>> 
>>> Well, there is not a fixed path at this moment. The point of the 
>>> pipe-backend is that you can easily write your own script/binary. Then
>>> in the config you tell pdns where it is located. So then in the
>>> documentation for the pipe-backend we could write that in the case of
>>> selinux you either need top put it in the right path, or apply the
>>> correct label yourself.
>> 
>> Well it is not quite that easy, since the back end would be running as a 
>> random label, we would have to write policy about more then just
>> executing the script but also all of the access required for the dns
>> server to talk to this back end.  Stuff like connecting to a labeled unix
>> fifo file or sock file, connecting to a processes running what ever label
>> the process is running with.
>> 
> Well, in the simple case this is not needed, the example script[1] is just
> a simple perl script, that needs no extra access. But I guess you mean that
> if this script does things not allowed for named_t then it will fail. I
> guess you are right, but I do not know what would be a good way to fix
> this. It doesn't matter in this case if it is bin_t or some other type,
> right?
> 
> 
> [1] 
> http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend.pl
>
>  -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes
> as the message.
> 

Yes the question is do you expect admin to modify this script to do nutty
things or do you envision this script to only be used as is.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDltI8ACgkQrlYvE4MpobPKrwCcCZX3H1XHf4DmR2z+7LRlquGn
MZEAn1QAoGnQ6Bn1bT73wkOYObs8x0+e
=FOeI
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.


[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux