Since Dan Walsh wrote "What does SELinux do to contain the bash exploit?" ( http://danwalsh.livejournal.com/71122.html ), I'd like to write about the TOMOYO/AKARI/CaitSith cases.
TOMOYO/AKARI/CaitSith are pathname-based access controls with the ability to check command line arguments and the names and values of environment variables. Thus, they are good at protecting against "arbitrary OS command injection" vulnerabilities.

For example, if you have allowed only /bin/mail to be executed from /bin/bash and you are using enforcing mode, only /bin/mail can be executed from /bin/bash. In other words, the crafted environment variable can execute /bin/mail, but not /bin/cat, /bin/mv, /bin/rm, etc.

Likewise, if you have allowed only /bin/mail to be executed, with explicit command line arguments (e.g. /bin/sh -c "mail root"), and you are using enforcing mode, only /bin/mail with the specified command line arguments can be executed. In other words, the crafted environment variable can execute only /bin/mail with those command line arguments. Even if you did not restrict the command line arguments for /bin/mail, /bin/mail can access only the resources that /bin/mail is allowed to access.

By the way, if you are not using TOMOYO/AKARI but want to identify where bash is executed from in order to assess the possibility of damage caused by CVE-2014-6271, the TaskTracker loadable kernel module available at http://sourceforge.jp/projects/akari/scm/svn/tree/head/branches/tasktracker/ may help.

I had a presentation titled "How to obtain information for troubleshooting enterprise servers" at LinuxCon Japan 2014. The presentation slides, available at http://I-love.SAKURA.ne.jp/tomoyo/LCJ2014-en.pdf , introduce various ideas for understanding your Linux systems. Questions and feedback are welcome.

tomoyo-users-en mailing list: http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
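The restriction described above, written out as a TOMOYO 2.x domain policy fragment. This is an added example, not policy from the post or from the TOMOYO project; the CGI path /usr/lib/cgi-bin/report.cgi, the web server /usr/sbin/httpd, and the use of profile 3 as the enforcing profile are assumptions (profile numbers are defined in your profile.conf), and TOMOYO 1.8/AKARI express the same rules with the older `allow_execute`/`allow_read` keywords.

```text
<kernel> /usr/sbin/httpd /usr/lib/cgi-bin/report.cgi /bin/bash
use_profile 3
file execute /bin/mail exec.argc=2 exec.argv[1]="root" exec.envp["PATH"]="/usr/bin:/bin"

<kernel> /usr/sbin/httpd /usr/lib/cgi-bin/report.cgi /bin/bash /bin/mail
use_profile 3
file read /etc/mail.rc
```

The first domain is the bash process spawned by the CGI script; its only execute permission is /bin/mail, and that permission is conditional on the argument count being exactly two, argv[1] being "root", and the PATH environment variable carrying the expected value. A bash process in this domain that tries to execute /bin/cat, /bin/rm or anything else is denied in enforcing mode, whatever command line a crafted environment variable managed to inject, and the denial is recorded in the TOMOYO audit log. The second domain is the one /bin/mail transitions into after the execute succeeds; its permissions (here only reading /etc/mail.rc, as a placeholder for whatever the real mail binary needs) are what bound the damage even when the argument conditions are omitted from the first domain. The practical way to build the second domain's rule set is to run the server in learning mode first, then review the recorded accesses before switching the profile to enforcing.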
