SELinux Mailing List

Re: dynamic context transitions

From: Valdis.Kletnieks_at_vt.edu
Date: Tue, 02 Nov 2004 14:30:26 -0500


On Mon, 01 Nov 2004 22:58:20 GMT, Luke Kenneth Casson Leighton said:

> any process which uses either mls_upgrade or mls_downgrade must contain
> within it [usually by accident] resources that are being passed over to
> the other context after the mls change.

Right so far - if it isn't dragging a resource along, there's no point to doing the up/downgrade call.

> by exec()'ing a process, that just simply cannot occur: the
> most you pass over is the command-line arguments, environment
> variables and um... according to man exec that's it. [oh, and
> man execve says it respects setuid and setgid bits on an executable.]

Not true at all - just because the only things passed to the execve() syscall are the argv[] and envp[] arrays doesn't mean that they're the only resources passed to the post-exec code:

  1. Open file descriptors, unless flagged as close-on-exec
  2. ulimit/umask settings
  3. POSIX.1e attributes (modulo the active/permitted/inherited changes)
  4. The current working directory
  5. Any namespaces created by mount --bind, clone(CLONE_FS), and friends.

And probably a bunch of other stuff I'm forgetting. There's PLENTY of places to accidentally leak stuff up/down across an exec() call....

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Tue 2 Nov 2004 - 14:30:50 EST
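
The inheritance described in the message above, as an added example that is not part of the original post: a Python sketch in which the post-exec program is handed only two descriptor numbers in argv, yet can read a file through an inherited descriptor and sees the pre-exec umask, RLIMIT_NOFILE and working directory. The function names, the temporary file, its contents and the values 0o027 and 256 are constructed for illustration; POSIX.1e attributes and namespaces are not covered.

```python
import json, os, resource, subprocess, sys, tempfile

# Post-exec program: it is handed only argv, yet reports inherited state.
CHILD = r"""
import json, os, resource, sys
def peek(fd):
    try:
        return os.pread(fd, 64, 0).decode()
    except OSError:          # EBADF: descriptor was closed at exec
        return None
mask = os.umask(0)
print(json.dumps({
    "leaky_fd": peek(int(sys.argv[1])),
    "cloexec_fd": peek(int(sys.argv[2])),
    "cwd": os.getcwd(),
    "umask": mask,
    "nofile_soft": resource.getrlimit(resource.RLIMIT_NOFILE)[0],
}))
"""

def _before_exec(workdir):
    # Runs in the forked child just before exec, so the parent is untouched.
    os.chdir(workdir)
    os.umask(0o027)
    _, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    resource.setrlimit(resource.RLIMIT_NOFILE, (256, hard))

def exec_inheritance_report():
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "secret.txt")
        with open(path, "w") as f:
            f.write("constructed-secret")        # constructed sample data
        leaky = os.open(path, os.O_RDONLY)
        os.set_inheritable(leaky, True)          # clear FD_CLOEXEC
        safe = os.open(path, os.O_RDONLY)        # Python default: FD_CLOEXEC set
        try:
            out = subprocess.run(
                [sys.executable, "-c", CHILD, str(leaky), str(safe)],
                close_fds=False, preexec_fn=lambda: _before_exec(workdir),
                stdout=subprocess.PIPE, text=True, check=True).stdout
        finally:
            os.close(leaky)
            os.close(safe)
        report = json.loads(out)
        report["cwd_inherited"] = (
            os.path.realpath(report["cwd"]) == os.path.realpath(workdir))
        return report

if __name__ == "__main__":
    print(json.dumps(exec_inheritance_report(), indent=2))
```

Only the descriptor left without close-on-exec is readable after the exec; the one that keeps FD_CLOEXEC is gone, which is the mitigation for item 1 in the list.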
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service