Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-12 Vasily Kulikov
On Sat, Aug 11, 2012 at 23:34 -0700, Kees Cook wrote: > On Wed, Aug 8, 2012 at 5:19 AM, Vasily Kulikov wrote: > > Hi Kees, > > > > On Wed, Jul 25, 2012 at 17:29 -0700, Kees Cook wrote: > >> +/** > >> + * safe_hardlink_source - Check for safe hardlink conditions > >> + * @inode: the source inode to

Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-11 Kees Cook
On Wed, Aug 8, 2012 at 5:19 AM, Vasily Kulikov wrote: > Hi Kees, > > On Wed, Jul 25, 2012 at 17:29 -0700, Kees Cook wrote: >> +/** >> + * safe_hardlink_source - Check for safe hardlink conditions >> + * @inode: the source inode to hardlink from >> + * >> + * Return false if at least one of the fol

Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-08 Vasily Kulikov
Hi Kees, On Wed, Jul 25, 2012 at 17:29 -0700, Kees Cook wrote: > +/** > + * safe_hardlink_source - Check for safe hardlink conditions > + * @inode: the source inode to hardlink from > + * > + * Return false if at least one of the following conditions: > + *- inode is not a regular file > + *

Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-06 Kees Cook
[resend: MUA tricked me into sending HTML email...]

On Mon, Aug 6, 2012 at 4:55 PM, Eric W. Biederman wrote:
>
> Kees Cook writes:
>
> > On Thu, Aug 2, 2012 at 9:26 PM, James Morris wrote:
> >> On Wed, 25 Jul 2012, Kees Cook wrote:
> >>
> >>> This adds symlink and hardlink restrictions to the L

Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-06 Eric W. Biederman
Kees Cook writes:

> On Thu, Aug 2, 2012 at 9:26 PM, James Morris wrote:
>> On Wed, 25 Jul 2012, Kees Cook wrote:
>>
>>> This adds symlink and hardlink restrictions to the Linux VFS.
>>
>> Is Al happy with this now?
>
> Looks like it; thanks for checking. It's in mainline now:
> http://git.kernel

Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-03 Kees Cook
On Thu, Aug 2, 2012 at 9:26 PM, James Morris wrote:
> On Wed, 25 Jul 2012, Kees Cook wrote:
>
>> This adds symlink and hardlink restrictions to the Linux VFS.
>
> Is Al happy with this now?

Looks like it; thanks for checking. It's in mainline now:
http://git.kernel.org/?p=linux/kernel/git/torvald

Re: [kernel-hardening] [PATCH 1/2] fs: add link restrictions

2012-08-02 James Morris
On Wed, 25 Jul 2012, Kees Cook wrote:

> This adds symlink and hardlink restrictions to the Linux VFS.

Is Al happy with this now?

>
> Symlinks:
>
> A long-standing class of security issues is the symlink-based
> time-of-check-time-of-use race, most commonly seen in world-writable
> directories

[PATCH 1/2] fs: add link restrictions

2012-07-25 Kees Cook
This adds symlink and hardlink restrictions to the Linux VFS.

Symlinks:

A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege bo