rtld issue, MAC subsystem suggestion

Borja Marcos borjam at sarenet.es
Thu Dec 3 16:49:26 UTC 2009


On Dec 3, 2009, at 1:45 PM, Borja Marcos wrote:

> There's a wrong assumption I made: the MAC subsystem should make a root exploit hard to achieve, and the latest security issue shows that indeed that's not necessarily the case. I chose not to chroot the running CGI's so that they saw a complete operating system, avoiding the costs of lots of phone calls to support because their script got a text file and ran awk on it, etc, etc, you know. Keeping lots of copies of the OS is quite ineffective. And restricting access to mostly harmless programs such as ping can be a problem as well. One of my compromises (wrong, maybe) was to offer the closest thing to a complete system as possible.

Which brings an idea... I understand it might sound a bit ad-hoc after this problem, but how about extending the usage of the MAC subsystem so that MAC policies are enforced for such things as the dynamic linker? It would certainly put a stop to a whole class of attacks.

If a program with a given integrity label tried to link with a lower integrity shared library maybe the operation should fail. Same should apply to mac/mls. 

I see no reason to allow that behavior to succeed, and plenty of reasons for the MAC policies to be applied.

Borja.
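The rule proposed above (a subject at a given integrity level must not load a lower-integrity shared object, and the MLS equivalent) is the standard lattice dominance check. The following is an added illustration, not code from the poster or from FreeBSD's mac_biba/mac_mls modules: it models a label as a grade plus a compartment set, applies the Biba "no read down" rule and the MLS "no read up" rule to a hypothetical dynamic-linker load request, and reports which policy would reject it. The label values and library paths are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Label:
    """A lattice label: numeric grade plus a set of compartments.
    Assumption: this mirrors the shape of Biba/MLS labels only loosely."""
    grade: int
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A dominates B when its grade is at least B's and it holds every
        # compartment that B holds.
        return (self.grade >= other.grade
                and other.compartments <= self.compartments)

def biba_may_load(subject: Label, library: Label) -> bool:
    """Biba integrity, 'no read down': mapping a shared object into a
    process is a read of that object, so the object's integrity must
    dominate the subject's. A high-integrity daemon must not pull in a
    library that a low-integrity user could have written."""
    return library.dominates(subject)

def mls_may_load(subject: Label, library: Label) -> bool:
    """MLS confidentiality, 'no read up': the subject's clearance must
    dominate the object's classification."""
    return subject.dominates(library)

def check_load(subject_biba: Label, lib_biba: Label,
               subject_mls: Label, lib_mls: Label):
    """Evaluate a hypothetical rtld load request against both policies.
    Returns (allowed, list_of_denial_reasons)."""
    reasons = []
    if not biba_may_load(subject_biba, lib_biba):
        reasons.append("biba: library integrity below subject integrity")
    if not mls_may_load(subject_mls, lib_mls):
        reasons.append("mls: library classification above subject clearance")
    return (not reasons, reasons)

# Constructed sample labels (not real system values).
BIBA_HIGH = Label(10)            # trusted system daemon
BIBA_LOW = Label(1)              # untrusted CGI user's home directory
MLS_LOW = Label(0)               # public
MLS_SECRET_A = Label(2, frozenset({"A"}))
MLS_SECRET_AB = Label(2, frozenset({"A", "B"}))

def demo():
    # 1. High-integrity process asked to load a low-integrity object:
    #    Biba denies it. MLS is unconcerned (both labels public).
    r1 = check_load(BIBA_HIGH, BIBA_LOW, MLS_LOW, MLS_LOW)
    # 2. Low-integrity CGI loading the system's own high-integrity libc:
    #    allowed by both policies.
    r2 = check_load(BIBA_LOW, BIBA_HIGH, MLS_LOW, MLS_LOW)
    # 3. Subject cleared for compartment A only, library carries A and B:
    #    MLS denies it even though the grades are equal.
    r3 = check_load(BIBA_HIGH, BIBA_HIGH, MLS_SECRET_A, MLS_SECRET_AB)
    return r1, r2, r3

if __name__ == "__main__":
    for i, (ok, why) in enumerate(demo(), 1):
        print(f"case {i}: {'allow' if ok else 'deny'} {why}")
```

Case 1 is the situation the poster describes: the process label is fine, but the object it is about to map is not, and only the linker (or the kernel on behalf of mmap) is in a position to make that comparison at load time.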