Security Enhanced Linux
SELinux Mailing List

Bug in selinux_task_reparent_to_init (?)
From: ml-selinux_at_unpatched.net
Date: Tue, 1 Oct 2002 20:20:28 +0200 (IST)

During a brief code review of selinux-lsm I noticed that in the function hooks.c:selinux_task_reparent_to_init() there is:

    tsec = current->security;

I assume this code was copied from selinux_task_kmod_set_label(), but shouldn't it be 'tsec = p->security;' and act on p instead of current in this case?

I didn't verify exploitability yet, but it may be possible to gain SECINITSID_INIT as a normal process this way, using a syscall that creates a kernel thread. (opening a loop blockdev comes to mind but I didn't verify it).

btw, can anyone explain how this dereferencing of current never caused a problem when selinux_task_reparent_to_init is called from somewhere taskless like usb hotplug?

Yoav Weiss

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 1 Oct 2002 - 13:22:03 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009