[Toybox] Adding LSM support to mkdir.

enh enh at google.com
Wed May 27 19:55:50 PDT 2015 

On Tue, May 19, 2015 at 9:31 PM, Rob Landley <rob at landley.net> wrote:

> Looking at the smack-10 tree ala:
>
>   commit cbc95a1a00ae0a1a806e7cc241cdf7b821ee4951
>   Author: José Bollo <jose.bollo at open.eurogiciel.org>
>   Date:   Mon May 11 18:53:12 2015 +0200
>
>       mkdir: Add -Z option
>
> Specifically this bit:
>
>   -  for (s=toys.optargs; *s; s++)
>   +  for (s=toys.optargs; *s; s++) {
>        if (mkpathat(AT_FDCWD, *s, mode, toys.optflags|1))
>          perror_msg("'%s'", *s);
>   +    else if (CFG_MKDIR_SECURITY && (toys.optflags & FLAG_Z)) {
>   +      if (security_set_context(*s, TT.arg_context) < 0) {
>   +        rmdir(*s);
>   +        error_exit("Unable to create directory '%s' with '%s' as
> context.", *s,
>   +      }
>   +    }
>   +  }
>
> Isn't this racy? You create the directory without a label, then come along
> at some arbitrary point later and add one? Shouldn't we at least mkpathat()
> with mode 000, add the label, and then chmod()?
>

i don't know if this is the least worst job you can do with SMACK, but this
isn't how you'd do it with SELinux. you'd call setfscreatecon before the
mkdir, so there would be no race. call it again with NULL afterwards to go
back to the default.

(note that i'm not actually an SELinux expert. i just play one on this
mailing list. but i've seen this done in other code by people who do know
what they're doing.)


> Or does it not work that way with this stuff? (I dunno if we can add a
> label
> to a directory we can't write to. I dunno we can chmod it after we've stuck
> a label on it. Maybe the race condition is inherent in the design because
> Stewart's bosses were more interested in gaining perpetual access to
> everybody's infrastructure than actually securing it?)
>
> Also, I take it setcontext still isn't setting errno to anything useful?
> Sigh. These are very rough-edged APIs. Nobody's ever gone through to clean
> them up on the kernel side. (I dunno if this is the same "How dare newbies
> like you look through openssl to find heartbleed? Keep your ignorant paws
> off our magic code mortals are not meant to understand" thing as the crypto
> world, or if it's just nobody who isn't being paid to work on this cares
> about this bureaucratic infrastructure for filling out forms in triplicate.
> Possibly a combination of the two.)
>
> Oh, don't error_exit() in the middle of looping on optargs, just
> error_msg()
> and that'll set toys.exitval to 1 if it's not already set to a nonzero
> value
> so when we _do_ exit it returns an error value. Otherwise you don't process
> the full list, and you're supposed to.
>
> Rob
>
> P.S. I suspect I have slightly more sympathy for smack than for other Linux
>

<aside>
you know, if you spent as much time actually digging into this stuff as you
did ranting about it, you'd find that it's _very_ effective in practice :-)

SELinux demonstrably mitigates most of the classes of old Android exploits.
that is, even if you reintroduce the bugs that were in old versions of
Android, SELinux makes them non-expolitable.

it may not be pretty, but in the real world, mitigation is the best
defense. and, yes, you can screw up your use of the primitives [like with
this attempt at mkdir -Z] or you can screw up your security policies [that
is, allow things that shouldn't be allowed], but there's no question that
centralized policies are significantly more auditable than "all the code
that makes up the platform, plus every piece of OEM code, plus every piece
of third-party code you can install or sideload".

is it perfect? of course not.

are users significantly better off because of it? yes, no question about it.

and you don't have to trust the NSA --- you can show us where the backdoors
are. all this code is open source. none of this relies on any kind of
secret TPM stuff you're not allowed to look at.

i initially had the same knee-jerk "why do we need all this new-fangled
crap? i never needed it in the 1990s" reaction, and i still don't need it
on my development desktop, but in the hostile world of random
unsophisticated users downloading and executing arbitrary code it's
absolutely necessary.

...

at the risk of encouraging you, what you *should* be worried about is the
inherent tension with all this security stuff of the difference between
"good for users" and "good for developers" :-)
</aside>


> Sado-Masochism plugins because at least they're not using "security"
> infrastructure developed by the NSA _after_ the Snowden revelations*. Then
> again rolling your own security seems like rolling your own crypto, so...
> Either way I still consider this stuff mostly for show, as in the "S" in
> the middle of TSA, NSA, and LSM all have the exact same meaning as far as
> I'm concerned, and are of about as much real-world use.
>
> But I'm trying very hard not to let this influence my technical judgement.
> "I am not the target audience for this infrastructure, and the people who
> need it care deeply about it." (Whether what they need it for is to
> placate middle management or justify budgetary expenditures or show nominal
> compliance with a bureaucratic standard is none of my business: they
> can't deploy the software without it. "Something must be done, this is
> something, therefore we must do it.")
>
> On the one hand, it doesn't seem to be important to its target audience
> whether it actually _works_ (as long as it _seems_ to work). On the other
> hand, if toybox is going to have infrastructure I want it to be the best
> version of that infrastructure it can be. If we're gonna do it, we do it
> right.
>
> Alas, all my instincts say that doing it right in this case involves not
> going there in the first place, and we've already burned that bridge, so
> there's a certain amount of "flying blind on a rocketcycle"** going on
> here.
> I do not know how to fix this, on at least two levels.
>
> * I can't remember if those were in Leviticus or Deuteronomy. Something
> about nine-bladed flaming swords with root access.
>
> ** It's a BRIAN BLESSED reference. It was the 80's. Queen was involved.
> _______________________________________________
> Toybox mailing list
> Toybox at lists.landley.net
> http://lists.landley.net/listinfo.cgi/toybox-landley.net
>



-- 
Elliott Hughes - http://who/enh - http://jessies.org/~enh/
Android native code/tools questions? Mail me/drop by/add me as a reviewer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20150527/4b2fea96/attachment-0004.htm>

More information about the Toybox mailing list