[Toybox] Adding LSM support to mkdir.
Rob Landley
rob at landley.net
Tue May 19 21:31:50 PDT 2015
Looking at the smack-10 tree ala:
commit cbc95a1a00ae0a1a806e7cc241cdf7b821ee4951
Author: José Bollo <jose.bollo at open.eurogiciel.org>
Date: Mon May 11 18:53:12 2015 +0200
mkdir: Add -Z option
Specifically this bit:
- for (s=toys.optargs; *s; s++)
+ for (s=toys.optargs; *s; s++) {
if (mkpathat(AT_FDCWD, *s, mode, toys.optflags|1))
perror_msg("'%s'", *s);
+ else if (CFG_MKDIR_SECURITY && (toys.optflags & FLAG_Z)) {
+ if (security_set_context(*s, TT.arg_context) < 0) {
+ rmdir(*s);
+ error_exit("Unable to create directory '%s' with '%s' as
context.", *s,
+ }
+ }
+ }
Isn't this racy? You create the directory without a label, then come along
at some arbitrary point later and add one? Shouldn't we at least mkpathat()
with mode 000, add the label, and then chmod()?
Or does it not work that way with this stuff? (I dunno if we can add a label
to a directory we can't write to. I dunno we can chmod it after we've stuck
a label on it. Maybe the race condition is inherent in the design because
Stewart's bosses were more interested in gaining perpetual access to
everybody's infrastructure than actually securing it?)
Also, I take it setcontext still isn't setting errno to anything useful?
Sigh. These are very rough-edged APIs. Nobody's ever gone through to clean
them up on the kernel side. (I dunno if this is the same "How dare newbies
like you look through openssl to find heartbleed? Keep your ignorant paws
off our magic code mortals are not meant to understand" thing as the crypto
world, or if it's just nobody who isn't being paid to work on this cares
about this bureaucratic infrastructure for filling out forms in triplicate.
Possibly a combination of the two.)
Oh, don't error_exit() in the middle of looping on optargs, just error_msg()
and that'll set toys.exitval to 1 if it's not already set to a nonzero value
so when we _do_ exit it returns an error value. Otherwise you don't process
the full list, and you're supposed to.
Rob
P.S. I suspect I have slightly more sympathy for smack than for other Linux
Sado-Masochism plugins because at least they're not using "security"
infrastructure developed by the NSA _after_ the Snowden revelations*. Then
again rolling your own security seems like rolling your own crypto, so...
Either way I still consider this stuff mostly for show, as in the "S" in
the middle of TSA, NSA, and LSM all have the exact same meaning as far as
I'm concerned, and are of about as much real-world use.
But I'm trying very hard not to let this influence my technical judgement.
"I am not the target audience for this infrastructure, and the people who
need it care deeply about it." (Whether what they need it for is to
placate middle management or justify budgetary expenditures or show nominal
compliance with a bureaucratic standard is none of my business: they
can't deploy the software without it. "Something must be done, this is
something, therefore we must do it.")
On the one hand, it doesn't seem to be important to its target audience
whether it actually _works_ (as long as it _seems_ to work). On the other
hand, if toybox is going to have infrastructure I want it to be the best
version of that infrastructure it can be. If we're gonna do it, we do it
right.
Alas, all my instincts say that doing it right in this case involves not
going there in the first place, and we've already burned that bridge, so
there's a certain amount of "flying blind on a rocketcycle"** going on here.
I do not know how to fix this, on at least two levels.
* I can't remember if those were in Leviticus or Deuteronomy. Something
about nine-bladed flaming swords with root access.
** It's a BRIAN BLESSED reference. It was the 80's. Queen was involved.
More information about the Toybox
mailing list