On Fri, 19 Dec 2003 08:02, martin f krafft <[EMAIL PROTECTED]> wrote:
> I would be very interested, Russell, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent that.
Henrique sums it up pretty well. There are kernel module root kits out there being used right now. Some are buggy and allow experienced administrators to find them, some probably aren't!

LSM gives access at the parts of the code needed to perform access control. For example, there are cases where you can make a system call that takes pointers and then change the data that is pointed to between the start of the system call and when it actually does things. This is why auditing and access control systems that just take over entries in the system call table are not good enough.

However, if all you want to do is hide a process from appearing in /proc, hide a file in a directory, etc., then all you have to do is take over the system call table entries for the relevant calls. A minor race condition that could allow someone to see your hidden process on an SMP machine when you have shared memory used for parameters isn't the big risk for an attacker in terms of discovery! If the administrator thinks that an attacker has loaded a kernel module then they can boot from a CD and run tripwire.

In summary, LSM provides features that are useful for the rightful administrator to protect against hostile users. But those features aren't as necessary for an attacker to protect against the administrator. If someone can load their own code into your kernel then you've lost the game already.

In terms of LSM protection against this, if you use SE Linux then all aspects of file access and module loading are controlled by the policy. I am going to write a policy that implements something similar to BSD secure levels so that you can put a server into a mode where all kmem and module load access is disabled. That should be all you need.
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
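The race Russell describes, the reason syscall-table takeover is not good enough for access control, can be reproduced in user space. The following is an added example, not code from the mail above or from the LSM or SE Linux projects: a wrapper in the style of a syscall-table hook inspects the caller's pointer argument and then lets the "real" call re-read that same memory, while a second thread changes it in between; an LSM-style hook checks the kernel's own copy of the argument and acts on that same copy, so there is no window. The names `hooked_open`, `lsm_open` and `race_hits`, the two path strings, and the use of `sched_yield()` as a stand-in for the work a real syscall does between entry and use are all assumptions made for the demonstration.

```c
/* Added example: user-space simulation of the check-then-use race between a
 * syscall-table hook and the syscall it wraps. Not part of the original mail. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ALLOWED   "/tmp/harmless"   /* constructed sample paths */
#define FORBIDDEN "/etc/shadow"

/* Plays the role of the pathname pointer the caller hands to the kernel.
 * The racer thread flips it between the two strings; atomics keep the demo
 * free of undefined behaviour. */
static _Atomic(const char *) user_arg;
static atomic_bool racer_running;

/* Stand-in for the real syscall body: it reads the argument at the moment it
 * actually does the work and reports whether the forbidden file was reached. */
static bool real_open_reached_forbidden(const char *path)
{
    return strcmp(path, FORBIDDEN) == 0;
}

/* Syscall-table takeover style: check user memory, then call the original,
 * which reads user memory a second time. sched_yield() stands in for the work
 * a real syscall does between entry and use, widening the window so the race
 * shows up in a short run. Returns true if the forbidden path slipped through. */
bool hooked_open(void)
{
    const char *seen = atomic_load(&user_arg);
    if (strcmp(seen, FORBIDDEN) == 0)
        return false;                        /* denied at the hook */
    sched_yield();                           /* the window */
    const char *used = atomic_load(&user_arg);
    return real_open_reached_forbidden(used);
}

/* LSM style: the hook runs on the copy the kernel already took from user
 * space, and the syscall acts on that same copy. Nothing for a racer to change. */
bool lsm_open(void)
{
    const char *kernel_copy = atomic_load(&user_arg);   /* the one copy */
    if (strcmp(kernel_copy, FORBIDDEN) == 0)
        return false;                        /* denied by the hook */
    sched_yield();                           /* same delay, no effect */
    return real_open_reached_forbidden(kernel_copy);
}

/* The attacker's second thread: keeps rewriting the argument. */
static void *racer(void *unused)
{
    (void)unused;
    while (atomic_load(&racer_running)) {
        atomic_store(&user_arg, FORBIDDEN);
        atomic_store(&user_arg, ALLOWED);
    }
    return NULL;
}

/* Runs `iterations` calls through `hook` while the racer flips the argument.
 * Returns how many calls reached the forbidden file despite the check. */
unsigned long race_hits(bool (*hook)(void), unsigned long iterations)
{
    pthread_t t;
    unsigned long hits = 0;

    atomic_store(&user_arg, ALLOWED);
    atomic_store(&racer_running, true);
    if (pthread_create(&t, NULL, racer, NULL) != 0)
        return 0;
    for (unsigned long i = 0; i < iterations; i++)
        if (hook())
            hits++;
    atomic_store(&racer_running, false);
    pthread_join(t, NULL);
    return hits;
}

int main(void)
{
    printf("syscall-table hook: %lu of 2000 calls reached %s\n",
           race_hits(hooked_open, 2000), FORBIDDEN);
    printf("LSM-style hook:     %lu of 2000 calls reached %s\n",
           race_hits(lsm_open, 2000), FORBIDDEN);
    return 0;
}
```

The syscall-table hook typically lets the forbidden path through on a large fraction of calls, while the LSM-style hook never does, which is the point of placing hooks inside the kernel at the spot where the decision is made on data the kernel already holds. As the mail notes, a rootkit that only wants to hide a process or file does not care about this window, because it is the administrator rather than the attacker who would need the check to be airtight.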