SELinux Mailing List
subject: Re: writing zero bytes in bash
Date: Tue, 01 Mar 2005 09:20:14 -0500

You can already test them via runcon, mkdir -Z, etc.

--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: writing zero bytes in bash
Date: Tue, 01 Mar 2005 09:38:05 -0500
BTW, we _could_ modify the kernel code to also accept a string containing only a newline as a variant way of expressing "clear attribute" for writes to /proc/pid/attr. But such a change will obviously take time to get into an upstream kernel, and I don't even want to think about changing libselinux to start doing that (with the attendant dependency on the new kernel).

--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: writing zero bytes in bash
Date: Tue, 01 Mar 2005 12:04:34 -0500
Sample patch below for the kernel, allows you to do:
echo system_u:object_r:etc_t > /proc/self/attr/fscreate;
echo hello > tmpfile;
ls -Z tmpfile tmpfile2
-rw-r--r-- root root system_u:object_r:etc_t tmpfile
-rw-r--r-- root root root:object_r:user_home_t tmpfile2

Index: linux-2.6/security/selinux/hooks.c RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v retrieving revision 1.152 diff -u -p -r1.152 hooks.c --- linux-2.6/security/selinux/hooks.c 23 Feb 2005 20:26:50 -0000 1.152 +++ linux-2.6/security/selinux/hooks.c 1 Mar 2005 16:11:29 -0000 @@ -4094,6 +4094,7 @@ static int selinux_setprocattr(struct ta struct task_security_struct *tsec; u32 sid = 0; int error; + char *str = value; if (current != p) { /* SELinux only allows a process to change its own @@ -4118,8 +4119,11 @@ static int selinux_setprocattr(struct ta return error; /* Obtain a SID for the context, if one was specified. */ - if (size) { - int error; + if (size && str[1] && str[1] != '\n') { + if (str[size-1] == '\n') { + str[size-1] = 0; + size--; + } error = security_context_to_sid(value, size, &sid); if (error) return error;

--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
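
Review bot: The new condition in the second hunk tests str[1], but whether a write is empty or contains only a newline is decided by its first byte, str[0]. As written, a one-byte write of "\n" has size == 1, so str[1] lies outside the size bytes that were supplied and the outcome depends on whatever follows the data in the buffer; conversely, any longer value whose second byte happens to be NUL or a newline skips security_context_to_sid() and leaves sid at 0. Suggest `if (size && str[0] && str[0] != '\n') {`. The comment above the check still reads "if one was specified"; it should also say that a trailing newline is stripped in place and that an empty or newline-only value is treated as a request to clear the attribute.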
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |