symlink hardening should lock itself down
Issue description: once we've finished initializing symlink exceptions, we should signal the LSM that it should disallow any more exceptions. this way people can't update the LSM to whitelist everything.
May 3 2017
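A user-space model of the "lock down after init" behaviour the description asks for, added here as an example; it is not the Chromium OS LSM's code, and the exception table, the lock flag, the function names and the sample directories are all constructed for illustration.

```c
/* Model of a symlink-traversal exception list that can be sealed once
 * boot-time initialization is done. Constructed example, not the real
 * LSM: in the kernel the exceptions would arrive through securityfs
 * writes and the check would sit in an inode_follow_link hook. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_EXCEPTIONS 8

/* Directory prefixes under which following symlinks stays allowed. */
static const char *exceptions[MAX_EXCEPTIONS];
static int n_exceptions;
static bool locked;

/* Boot-time configuration: accepted only until lock_exceptions() runs.
 * Returns 0 on success, -EPERM once locked, -ENOSPC when the table is full. */
int add_exception(const char *dir)
{
    if (locked)
        return -EPERM;      /* the hardening proposed in the issue */
    if (n_exceptions >= MAX_EXCEPTIONS)
        return -ENOSPC;
    exceptions[n_exceptions++] = dir;
    return 0;
}

/* Called once init has finished adding exceptions; there is deliberately
 * no way to unlock, so a later stray write cannot widen the policy. */
void lock_exceptions(void)
{
    locked = true;
}

/* Policy check: may a symlink at this path be followed? Matches whole
 * path components only, so "/var/lib/x" does not cover "/var/lib/xy". */
bool may_follow_link(const char *path)
{
    for (int i = 0; i < n_exceptions; i++) {
        size_t len = strlen(exceptions[i]);
        if (strncmp(path, exceptions[i], len) == 0 &&
            (path[len] == '/' || path[len] == '\0'))
            return true;
    }
    return false;
}
```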
It's certainly possible to do this and the idea has crossed my mind before. I'm doubtful on whether this buys us anything though: In order to lift the symlink traversal exceptions, an attacker will already need to have arbitrary file write permissions to access the /sys/kernel/security. Assuming they have that, why would they bother about symlink traversal? Do you have a specific attack scenario in mind?
May 3 2017
I agree on the limitedness of it, and I don't have an attack scenario in mind. It just came up as a cheap change. wrt writing arbitrary files, we've seen clever attacks that rely on tricking programs to write their output elsewhere, and abusing their limited output (like the modprobe stuff). In this case, we just need like an errant /.
May 24 2017
What is the next step here? Should this work be done, or is it not worthwhile?
Aug 2
Comment 1 by vapier@chromium.org, May 3 2017