[Toybox] Adding LSM support to mkdir.

José Bollo jobol at nonadev.net
Wed May 20 06:46:40 PDT 2015


Le mardi 19 mai 2015 à 23:31 -0500, Rob Landley a écrit :
> Looking at the smack-10 tree ala:
> 
>   commit cbc95a1a00ae0a1a806e7cc241cdf7b821ee4951
>   Author: José Bollo <jose.bollo at open.eurogiciel.org>
>   Date:   Mon May 11 18:53:12 2015 +0200
> 
>       mkdir: Add -Z option
> 
> Specifically this bit:
> 
>   -  for (s=toys.optargs; *s; s++)
>   +  for (s=toys.optargs; *s; s++) {
>        if (mkpathat(AT_FDCWD, *s, mode, toys.optflags|1))
>          perror_msg("'%s'", *s);
>   +    else if (CFG_MKDIR_SECURITY && (toys.optflags & FLAG_Z)) {
>   +      if (security_set_context(*s, TT.arg_context) < 0) {
>   +        rmdir(*s);
>   +        error_exit("Unable to create directory '%s' with '%s' as
> context.", *s,
>   +      }
>   +    }
>   +  }
> 
> Isn't this racy? You create the directory without a label, then come along
> at some arbitrary point later and add one? Shouldn't we at least mkpathat()
> with mode 000, add the label, and then chmod()?

Hello,

You are right. See
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363855%
28v=vs.85%29.aspx too get an other point de vue.

> Or does it not work that way with this stuff? (I dunno if we can add a label
> to a directory we can't write to. I dunno we can chmod it after we've stuck
> a label on it. Maybe the race condition is inherent in the design because
> Stewart's bosses were more interested in gaining perpetual access to
> everybody's infrastructure than actually securing it?)

yes

> Also, I take it setcontext still isn't setting errno to anything useful?

alas

> Sigh. These are very rough-edged APIs. Nobody's ever gone through to clean
> them up on the kernel side. (I dunno if this is the same "How dare newbies
> like you look through openssl to find heartbleed? Keep your ignorant paws
> off our magic code mortals are not meant to understand" thing as the crypto
> world, or if it's just nobody who isn't being paid to work on this cares
> about this bureaucratic infrastructure for filling out forms in triplicate.
> Possibly a combination of the two.)
> 
> Oh, don't error_exit() in the middle of looping on optargs, just error_msg()
> and that'll set toys.exitval to 1 if it's not already set to a nonzero value
> so when we _do_ exit it returns an error value. Otherwise you don't process
> the full list, and you're supposed to.

you are right. thank you for the tip.

> 
> Rob
> 
> P.S. I suspect I have slightly more sympathy for smack than for other Linux
> Sado-Masochism plugins because at least they're not using "security"
> infrastructure developed by the NSA _after_ the Snowden revelations*. Then
> again rolling your own security seems like rolling your own crypto, so...
> Either way I still consider this stuff mostly for show, as in the "S" in
> the middle of TSA, NSA, and LSM all have the exact same meaning as far as
> I'm concerned, and are of about as much real-world use.

Who are nasty people and how they sadly influence our everyday life?

> But I'm trying very hard not to let this influence my technical judgement.
> "I am not the target audience for this infrastructure, and the people who
> need it care deeply about it." (Whether what they need it for is to
> placate middle management or justify budgetary expenditures or show nominal
> compliance with a bureaucratic standard is none of my business: they
> can't deploy the software without it. "Something must be done, this is
> something, therefore we must do it.")
> 
> On the one hand, it doesn't seem to be important to its target audience
> whether it actually _works_ (as long as it _seems_ to work). On the other
> hand, if toybox is going to have infrastructure I want it to be the best
> version of that infrastructure it can be. If we're gonna do it, we do it
> right.
> 
> Alas, all my instincts say that doing it right in this case involves not
> going there in the first place, and we've already burned that bridge, so
> there's a certain amount of "flying blind on a rocketcycle"** going on here.
> I do not know how to fix this, on at least two levels.

If you were radical you had turned off C programming language and POSIX.
That is the way I'm doing toys.
https://fosdem.org/2015/schedule/event/flk/



> * I can't remember if those were in Leviticus or Deuteronomy. Something
> about nine-bladed flaming swords with root access.
> 
> ** It's a BRIAN BLESSED reference. It was the 80's. Queen was involved.
> _______________________________________________
> Toybox mailing list
> Toybox at lists.landley.net
> http://lists.landley.net/listinfo.cgi/toybox-landley.net



 1432129600.0


More information about the Toybox mailing list