Isolation LSM: Difference between revisions

From OLPC
Jump to navigation Jump to search
m (New page: [http://cr.yp.to/djb.html Daniel Bernstein] has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create,...)
 
mNo edit summary
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://cr.yp.to/djb.html Daniel Bernstein] has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.
[http://cr.yp.to/djb.html Daniel Bernstein] has [http://cr.yp.to/unix/disablenetwork.html observed] that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.


[http://dev.laptop.org/git?p=users/mstone/olpc-2.6;a=commit;h=c05cc7eadcee3d9450c1eb6a41ef9c932f9aad53 This patch] defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.
[http://dev.laptop.org/git?p=users/mstone/olpc-2.6;a=commit;h=c05cc7eadcee3d9450c1eb6a41ef9c932f9aad53 This patch] defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.

Some [http://lists.laptop.org/pipermail/security/2008-April/000390.html review] of this LSM took place and several improvements were suggested:

* consider whether to enable localhost-IP connections for improved compatibility with portable software
* consider whether to disable the abstract namespace of Unix sockets (or to enter a fresh namespace) since Unix DAC is not available to control access to such sockets
* rewrite for recent kernels (which removed the modularity of the LSM framework)
* consider non-syscall APIs.

[[Category:Security]]

Latest revision as of 16:05, 21 August 2008

Daniel Bernstein has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.

This patch defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.

Some review of this LSM took place and several improvements were suggested:

  • consider whether to enable localhost-IP connections for improved compatibility with portable software
  • consider whether to disable the abstract namespace of Unix sockets (or to enter a fresh namespace) since Unix DAC is not available to control access to such sockets
  • rewrite for recent kernels (which removed the modularity of the LSM framework)
  • consider non-syscall APIs.