On Wed, Aug 30, 2006 at 08:33:20PM -0500, Klaus Weidner wrote:
> I was a bit surprised that a "s2-s2" process can connect successfully to
> a "s3-s3" process, send it data, and select/poll(2) waiting for data.
> Select will tell it when the s3 process sent data, and when it tries to
> read that data read(2) will return 0 which the program interprets as EOF.
> I was expecting the connect to fail. This way it permits "write up"
> operations (which are compatible with LSPP but frowned upon), and it
> looks like a covert channel.
[...]
> poll([{fd=3, events=POLLIN, revents=POLLIN}, {fd=0, events=POLLIN}], 2, -1) = 1
> read(3, "", 1024) = 0
>
> type=AVC msg=audit(1156984506.126:359): avc: denied { write } for pid=2366
> comm="nc" name="[11390]" dev=sockfs ino=11390
> scontext=staff_u:staff_r:staff_t:s3 tcontext=staff_u:staff_r:staff_t:s2
> tclass=tcp_socket
> type=SYSCALL msg=audit(1156984506.126:359): arch=40000003 syscall=4
> success=no exit=-13 a0=4 a1=bfc70538 a2=2 a3=2 items=0 ppid=2301 pid=2366
> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
> fsgid=500 tty=pts2 comm="nc" exe="/usr/bin/nc"
> subj=staff_u:staff_r:staff_t:s3 key=(null)
> type=AVC_PATH msg=audit(1156984506.126:359): path="socket:[11390]"
Oops, I meant to include the strace output from the s3 process also:
[{fd=4, events=POLLIN}, {fd=0, events=POLLIN, revents=POLLIN}], 2, -1) = 1
read(0, "x\n", 1024) = 2
write(4, "x\n", 2) = -1 EACCES (Permission denied)
FYI, if this is the way it's supposed to work, the write(2) man page should
be updated; it currently doesn't document ever getting EACCES errors.
(Speaking of covert channels, binding a port owned by a process at a
different level produces EADDRINUSE errors, but that's not easily fixable
without polyinstantiated ports. It's possible to have covert channels and
still be LSPP compliant, though; they are out of scope for that PP.)
-Klaus
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
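As an added example (not code from Klaus's mail or from the LSPP project), here is a small Python scanner for audit records in the format quoted above: it joins the AVC, SYSCALL and AVC_PATH records of one event by audit serial, compares the MLS sensitivity of scontext and tcontext, and flags a denied write from a higher to a lower level on a socket class, i.e. the attempted s3 to s2 write(4, ...) that came back as EACCES. The sample input is the three records from the mail re-joined onto single lines; the socket permission names checked and the one-AVC-per-event assumption are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the mail, re-joined into single lines
# (the mail wrapped them) so they parse like raw /var/log/audit/audit.log lines.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1156984506.126:359): avc: denied { write } for pid=2366 comm="nc" name="[11390]" dev=sockfs ino=11390 scontext=staff_u:staff_r:staff_t:s3 tcontext=staff_u:staff_r:staff_t:s2 tclass=tcp_socket
type=SYSCALL msg=audit(1156984506.126:359): arch=40000003 syscall=4 success=no exit=-13 a0=4 a1=bfc70538 a2=2 a3=2 items=0 ppid=2301 pid=2366 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 comm="nc" exe="/usr/bin/nc" subj=staff_u:staff_r:staff_t:s3 key=(null)
type=AVC_PATH msg=audit(1156984506.126:359): path="socket:[11390]"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value or key="value"
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{ ([^}]+) \}')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')       # event serial after the timestamp

def parse_record(line):
    """One audit line -> dict of its fields, plus serial and (for AVC lines) result/perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if m := SERIAL_RE.search(line):
        rec["serial"] = m.group(1)
    if m := AVC_RE.search(line):
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def sensitivity(context):
    """Low sensitivity number of a context's MLS level: s3 -> 3, s2-s3:c0.c5 -> 2."""
    level = context.split(":", 3)[3]                          # user:role:type:level
    return int(level.split("-")[0].split(":")[0].lstrip("s"))

def classify_mls_denial(avc):
    """'write-down' or 'read-up' for a denied cross-level socket AVC, else None."""
    if avc.get("result") != "denied" or not avc.get("tclass", "").endswith("_socket"):
        return None
    src, dst, perms = sensitivity(avc["scontext"]), sensitivity(avc["tcontext"]), set(avc["perms"])
    if src > dst and perms & {"write", "send_msg", "sendto"}:   # assumed socket write perms
        return "write-down"
    if src < dst and perms & {"read", "recv_msg", "recvfrom"}:  # assumed socket read perms
        return "read-up"
    return None

def scan(text):
    """Group records by serial; report cross-level socket denials with exe, exit code and path."""
    events = defaultdict(dict)                                # serial -> {record type: record}
    for line in text.splitlines():
        rec = parse_record(line)
        if "serial" in rec:
            events[rec["serial"]][rec["type"]] = rec         # assumes one AVC record per event
    findings = []
    for serial, recs in events.items():
        kind = classify_mls_denial(recs.get("AVC", {}))
        if kind:
            sc = recs.get("SYSCALL", {})
            findings.append({"serial": serial, "kind": kind, "exe": sc.get("exe"),
                             "exit": int(sc.get("exit", 0)), "path": recs.get("AVC_PATH", {}).get("path")})
    return findings
```

Run `scan(open("/var/log/audit/audit.log").read())` on a real log to list every write-down or read-up socket denial; on the sample it reports the single s3 to s2 write denied with exit -13 (EACCES) on socket:[11390].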