[Gllug] Restricting Process Visibility

Stuart Sears stuart at sjsears.com
Wed May 17 17:12:00 UTC 2006



Tethys wrote:
> On 5/17/06, Steve Nelson <sanelson at gmail.com> wrote:
> 
>> > ps. On a more constructive note, SELinux sprung to mind.
>> > But I guess that only grants you or denys you the right to look
>> > at things in /proc
>>
>> Which would be a big step forward... but rhel 3 / 2.4 kernel doesn't
>> have selinux :(
> 
> Yeah, I thought about SELinux initially, and also systrace, which is
> probably a better option. But I don't think either of them allow
> conditional policy decisions in that way, which is what would be
> needed here. What you want is the ability to say:

Well, the newer forms of SELinux policy should be able to allow this
sort of thing (yes, I know that this isn't going to help the OP, but
since it was brought up...).
The MCS (multi-category) and MLS (multi-level) policies are designed
with exactly this kind of restriction in mind.
If you assign each process a category (or a list of categories), you can
control which processes and files are 'visible' to it.
The intended restriction here is that a process is allowed to see (and
possibly do other things to, according to policy restrictions) a file if
the process's category set is a superset of that of the target file.
The same principle could be used to control results from some syscalls,
I would imagine (after all a syscall has to be made by a process of some
sort, neh?)

Bear in mind that this is undergoing a lot of development work at the
moment and is inherently complicated to manage.

So the MCS/MLS version of the example below would be something like this:

> - a request has been made to open() a file in /proc [1]
...by a process running with a specific context, and a list of
categories (e.g. web, devel, custard)
> - permit the syscall to continue if:
>  - the file is owned by the current user
the list of categories on the file is a selection from (web, devel,
custard) and doesn't contain any categories not in that list.

At least this is how I understand the new policies to work (or be
intended to work, eventually). MLS is a horribly complicated kettle of
worms (then you get categories *and* 'secrecy' levels).
IIRC the limits are something like 256 categories and 16 security
levels... but could be higher than this.

James Morris has written a number of blog entries about these policies:
http://james-morris.livejournal.com/5020.html

regards

Stuart
--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
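The "superset of categories" rule Stuart describes, as an added example that is not part of the post or of the SELinux project: a small Python model of the MCS/MLS dominance check. It assumes SELinux's level syntax (`s<N>` sensitivity, then categories such as `c0.c3,c7`, where `c0.c3` is a range) and that named categories like `web`, `devel`, `custard` have been mapped to numbered ones; it also applies the MLS sensitivity comparison the post alludes to.

```python
"""Toy model of MCS/MLS 'dominance': a process may see a file when its
sensitivity is >= the file's and its category set is a superset of the
file's.  Hypothetical example code; not from the GLLUG post or SELinux."""
import re

# One category item: 'c7' or a range 'c0.c3' (assumed SELinux syntax).
_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(level: str):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7});  's1' -> (1, set())."""
    sens_part, _, cat_part = level.partition(":")
    if not re.fullmatch(r"s\d+", sens_part):
        raise ValueError(f"bad sensitivity: {sens_part!r}")
    sensitivity = int(sens_part[1:])
    categories = set()
    if cat_part:
        for item in cat_part.split(","):
            m = _CAT.match(item)
            if not m:
                raise ValueError(f"bad category: {item!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if hi < lo:
                raise ValueError(f"inverted range: {item!r}")
            categories.update(range(lo, hi + 1))
    return sensitivity, categories


def dominates(subject_level: str, object_level: str) -> bool:
    """True when the subject's level dominates the object's level."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and s_cats >= o_cats


def can_read(process_ctx: str, file_ctx: str) -> bool:
    """Full contexts 'user:role:type:level'; only the level field is
    modelled here (type enforcement would be checked separately)."""
    return dominates(process_ctx.split(":", 3)[3], file_ctx.split(":", 3)[3])


if __name__ == "__main__":
    # Constructed sample: web=c0, devel=c1, custard=c2; finance=c5.
    proc = "user_u:user_r:user_t:s0:c0.c2"
    print(can_read(proc, "user_u:object_r:user_home_t:s0:c0,c2"))  # True
    print(can_read(proc, "user_u:object_r:user_home_t:s0:c0,c5"))  # False
```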


-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug