Using dyntransition to reduce privileges for Web application
Scott Gifford
sgifford at suspectclass.com
Sun Feb 20 05:31:47 UTC 2011
On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford
<sgifford at suspectclass.com>wrote:
> On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> [ ... ]
>
>> > Third, since my main goal here is to prevent processes from interacting
>> with
>> > each other inappropriately, I would like to prevent each HTTP worker
>> from
>> > reading any information from "/proc" for other HTTP workers. Currently
>> they
>> > are allowed to do this, because they all run in the same domain. Is
>> there
>> > any way to prevent this?
>> >
>>
>> libvirt and sandbox use MCS separation for this. Basically they grab
>> random MCS labels to separate the processes. I would suggest using two
>> Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
>>
>> s0:c1,c43
>> s0:c2,c43
>>
>> Is fine.
>>
>> s0:c1,c1 is not
>>
>> Then just set that context and you should get separation. if you need
>> the processes to handle data it might get a little more complicated.
>>
>
> Thanks! I think I will need to learn a little more about this feature
> before I can use it. I will need a way to generate a unique category number
> (maybe from the PID?), and the processes will need to handle some shared
> data and code, so I will need to figure that out as well.
>
OK, so I have started experimenting with this, but /proc is not behaving how
I expect so far.
So I open up two shells. In the first I run:
runcon -l s0-s0:c0,c1 bash
and in the second:
runcon -l s0-s0:c0,c2 bash
So both should have access to c1, but only the first will have access to c1
and only the second will have access to c2.
When I try this on files, it works:
shell1$ *id -Z*
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ *ls -lZ test.c1 test.c2*
-rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
-rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
shell1$ *head -1 test.c1 test.c2*
==> test.c1 <==
Category 1
head: cannot open `test.c2' for reading: Permission denied
But on /proc files it does not:
shell1$ *id -Z*
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ *ls -lZ /proc/10961/maps*
-r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
/proc/10961/maps
shell1$ *head -1 /proc/10961/maps*
002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
That is, even though "ls -lZ" indicates that the maps file for PID 10961
requires c2 and my shell does not have c2, still I am allowed to read this
file.
I must be misunderstanding something here. Any thoughts or hints?
Thanks!
-----Scott.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110220/77ba15ee/attachment.html
More information about the selinux
mailing list