Lower Process Capabilities
Stephen Smalley
sds at tycho.nsa.gov
Wed Jul 29 13:32:21 UTC 2009
On Wed, 2009-07-29 at 09:10 -0400, Stephen Smalley wrote:
> On Wed, 2009-07-29 at 23:01 +1000, James Morris wrote:
> > On Wed, 29 Jul 2009, Stephen Smalley wrote:
> >
> > > So I think the only piece of the proposal that is orthogonal to SELinux
> > > is privilege bracketing within the program (dropping caps after use).
> > > But the changes to the file and directory permissions seem more
> > > questionable.
> >
> > Once we have access control on policy itself, we may be able to provide an
> > API where an application can toggle a boolean on itself, e.g. to perform
> > one action with broader permissions, then switch to a tighter set of
> > permissions. This might be implementable in a way which also prevents
> > applications from ever gaining more permissions (via typebounds).
>
> We can actually already apply fine-grained access control on temporary
> changes to booleans - just specify a distinct label for the boolean in
> policy (via genfscon selinuxfs entries) and then control who can write
> to that file type.
>
> However, note that such changes affect all processes running in a given
> domain, so it isn't precisely the same thing as process privilege
> bracketing.
If you want something more akin to privilege bracketing within a
program, then a closer analog in SELinux would be setcon(3) to switch to
a more restricted domain. But in general our goal is to enforce
security goals at the system level and not depend on the correctness of
the application to shed privilege.
--
Stephen Smalley
National Security Agency
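The setcon(3) analog Stephen describes above, worked through as an added example; this is not code from the thread, from SELinux or from libselinux. It performs the same operation libselinux's setcon(3) does (a write of the new context to the caller's /proc/self/attr/current), so it builds without libselinux, and it brackets the privileged part of the program by doing the restricted work in a forked child that transitions one way into the tighter domain while the parent keeps its own. The target type myapp_restricted_t, the exit-code convention 111 and the restricted_work payload are assumptions made for the example; the policy rules named in the comments are the real permissions the kernel checks.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status the bracketed child uses when it cannot enter the
 * restricted domain. Convention chosen for this example only. */
#define BRACKET_ENOCONTEXT 111

/* Copy the type field (third colon-separated component) of an SELinux
 * context such as "system_u:system_r:httpd_t:s0" into out.
 * Returns 0 on success, -1 if the context is malformed or out is too small. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Same operation libselinux's setcon(3) performs: write the new context to
 * the calling task's /proc/self/attr/current. The kernel then requires
 *   allow old_t self:process setcurrent;
 *   allow old_t new_t:process dyntransition;
 * and, in a multithreaded process, additionally that new_t is bounded by
 * old_t (typebounds). Returns 0 on success, -1 with errno set. On a host
 * without SELinux the write is rejected (typically EINVAL). */
int set_current_context(const char *ctx)
{
    int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t len = strlen(ctx);
    ssize_t n = write(fd, ctx, len);
    int saved = errno;
    close(fd);
    if (n < 0 || (size_t)n != len) { errno = saved; return -1; }
    return 0;
}

/* Run fn(arg) in a forked child that first drops into restricted_ctx.
 * dyntransition is one-way in practice (policy does not normally let the
 * restricted domain back into the original), so the bracket is the child's
 * lifetime; the parent's domain is never changed.
 * Returns the child's exit status (fn's return value, or BRACKET_ENOCONTEXT
 * if the transition was refused), or -1 on fork/wait failure. */
int run_bracketed(const char *restricted_ctx, int (*fn)(void *), void *arg)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (set_current_context(restricted_ctx) != 0)
            _exit(BRACKET_ENOCONTEXT);
        _exit(fn(arg) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical work that should only ever run in the restricted domain. */
static int restricted_work(void *arg)
{
    const char *what = arg;
    printf("restricted work: %s\n", what);
    fflush(stdout);   /* child exits via _exit(), so flush explicitly */
    return 0;
}

int main(void)
{
    /* Hypothetical target domain; real policy would define it, ideally
     * with typebounds under the caller's domain. */
    const char *target = "system_u:system_r:myapp_restricted_t:s0";
    char type[64];
    if (context_type(target, type, sizeof type) == 0)
        printf("will bracket into type %s\n", type);

    int rc = run_bracketed(target, restricted_work, "parse untrusted input");
    if (rc == BRACKET_ENOCONTEXT)
        fprintf(stderr, "transition to %s refused (no SELinux, or policy denies dyntransition)\n", target);
    else
        printf("bracketed work exited with %d\n", rc);
    return 0;
}
```

The fork is what makes this a bracket rather than a permanent drop: the parent never leaves its domain, and the child cannot come back, which is exactly the property the thread wants policy, not the application, to guarantee. Note the thread caveat in the comment: a multithreaded caller can only transition to a type that typebounds places under its current one, which is the same mechanism James Morris mentions for preventing an application from ever gaining permissions.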