[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



On Wed, 2009-07-29 at 09:10 -0400, Stephen Smalley wrote:
> On Wed, 2009-07-29 at 23:01 +1000, James Morris wrote:
> > On Wed, 29 Jul 2009, Stephen Smalley wrote:
> > 
> > > So I think the only piece of the proposal that is orthogonal to SELinux
> > > is privilege bracketing within the program (dropping caps after use).  
> > > But the changes to the file and directory permissions seem more
> > > questionable.
> > 
> > Once we have access control on policy itself, we may be able to provide an 
> > API where an application can toggle a boolean on itself, e.g. to perform 
> > one action with broader permissions, then switch to a tighter set of 
> > permissions.  This might be implementable in a way which also prevents 
> > applications from ever gaining more permissions (via typebounds).
> 
> We can actually already apply fine-grained access control on temporary
> changes to booleans - just specify a distinct label for the boolean in
> policy (via genfscon selinuxfs entries) and then control who can write
> to that file type.
> 
> However, note that such changes affect all processes running in a given
> domain, so it isn't precisely the same thing as process privilege
> bracketing.

If you want something more akin to privilege bracketing within a
program, then a closer analog in SELinux would be setcon(3) to switch to
a more restricted domain.  But in general our goal is to enforce
security goals at the system level and not depend on the correctness of
the application to shed privilege.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]