diff options
| author | Jann Horn | 2019-04-11 22:12:43 +0200 |
|---|---|---|
| committer | Micah Morton | 2019-07-15 17:07:51 +0200 |
| commit | 4f72123da579655855301b591535a1415224f123 (patch) | |
| tree | 6b9ca3a8a23eb20b41591819ee7fef3b04f207b4 /samples | |
| parent | LSM: SafeSetID: add read handler (diff) | |
| download | kernel-qcow2-linux-4f72123da579655855301b591535a1415224f123.tar.gz kernel-qcow2-linux-4f72123da579655855301b591535a1415224f123.tar.xz kernel-qcow2-linux-4f72123da579655855301b591535a1415224f123.zip | |
LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it
securely constrains UID 1 to UIDs 1, 2 and 3:
1:2
1:3
However, because no constraints are applied to UIDs 2 and 3, an attacker
with UID 1 can simply first switch to UID 2, then switch to any UID from
there. The secure way to write this ruleset would be:
1:2
1:3
2:2
3:3
, which uses "transition to self" as a way to inhibit the default-allow
policy without allowing anything specific.
This is somewhat unintuitive. To make sure that policy authors don't
accidentally write insecure policies because of this, let the kernel verify
that a new ruleset does not contain any entries that are constrained, but
transitively unconstrained.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
Diffstat (limited to 'samples')
0 files changed, 0 insertions, 0 deletions