SELinux Mailing List
subject: Bug in selinux_task_reparent_to_init (?) Date: Tue, 1 Oct 2002 20:20:28 +0200 (IST)
During a brief code review of selinux-lsm I noticed that in the function hooks.c:selinux_task_reparent_to_init() there is:

tsec = current->security;

I assume this code was copied from selinux_task_kmod_set_label(), but shouldn't it be 'tsec = p->security;' and act on p instead of current in this case? I didn't verify exploitability yet, but it may be possible to gain SECINITSID_INIT as a normal process this way, using a syscall that creates a kernel thread (opening a loop blockdev comes to mind, but I didn't verify it).

Btw, can anyone explain how this dereferencing of current never caused a problem when selinux_task_reparent_to_init is called from somewhere taskless like usb hotplug?

Yoav Weiss

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Bug in selinux_task_reparent_to_init (?)
Date: Tue, 1 Oct 2002 13:35:02 -0400 (EDT)
On Tue, 1 Oct 2002 ml-selinux@unpatched.net wrote:
> During a brief code review of selinux-lsm I noticed that in the function

Strictly speaking, yes. But it doesn't matter, because the kernel reparent_to_init() function [in kernel/sched.c in 2.4, or kernel/exit.c in 2.5] always operates on the current task (this_task = current in 2.4, and direct use of current in 2.5). We pass the task to the hook for generality in case the kernel code changes in the future to use a different task, so the hook should use 'p' instead of 'current', but it doesn't make any difference at present. A kernel thread gets its own task structure.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
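A userspace model of the two hook variants discussed in this thread, added here as an illustration and not code from the SELinux tree (the struct layouts, the SID values and the `sid_after` harness are assumptions). It shows that `current->security` and `p->security` give the same result when the hook runs on current, as the 2.4/2.5 callers do, and only diverge when the hook is invoked on a different task, which is why the reported bug is latent rather than live.

```c
#include <stdio.h>

/* Simplified userspace model; struct shapes are assumed, not kernel code. */
typedef unsigned int secid_t;
#define SECINITSID_INIT 1u   /* placeholder value for init's initial SID */
#define SID_USER        42u  /* constructed SID for an unprivileged task  */

struct task_security_struct { secid_t sid; secid_t osid; };
struct task_struct { struct task_security_struct *security; };

static struct task_struct *current;   /* stand-in for the kernel's current */

/* Hook as reported on the list: relabels whoever is current, ignoring p. */
static void reparent_to_init_buggy(struct task_struct *p)
{
    struct task_security_struct *tsec = current->security;
    (void)p;                           /* the task argument is never used */
    tsec->osid = tsec->sid;
    tsec->sid = SECINITSID_INIT;
}

/* Hook as the interface intends: relabels the task it was handed. */
static void reparent_to_init_fixed(struct task_struct *p)
{
    struct task_security_struct *tsec = p->security;
    tsec->osid = tsec->sid;
    tsec->sid = SECINITSID_INIT;
}

/* Invokes one variant on task kt. If same_task, kt is also current (what the
 * 2.4/2.5 callers actually do); otherwise current is an unrelated task.
 * Both tasks start labelled SID_USER. Returns the resulting SID of kt
 * (which == 0) or of whichever task was current during the call (which == 1). */
static secid_t sid_after(void (*hook)(struct task_struct *), int same_task, int which)
{
    struct task_security_struct ks = { SID_USER, SID_USER };
    struct task_security_struct os = { SID_USER, SID_USER };
    struct task_struct kt = { &ks }, other = { &os };
    current = same_task ? &kt : &other;
    hook(&kt);
    return which ? current->security->sid : kt.security->sid;
}

int main(void)
{
    printf("hook on current:    buggy=%u fixed=%u\n",
           sid_after(reparent_to_init_buggy, 1, 0),
           sid_after(reparent_to_init_fixed, 1, 0));
    printf("hook on other task: buggy target=%u current=%u; fixed target=%u current=%u\n",
           sid_after(reparent_to_init_buggy, 0, 0), sid_after(reparent_to_init_buggy, 0, 1),
           sid_after(reparent_to_init_fixed, 0, 0), sid_after(reparent_to_init_fixed, 0, 1));
    return 0;
}
```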
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |