Tetsuo Handa
2014-09-27 12:26:39 UTC
Since Dan Walsh wrote "What does SELinux do to contain the the bash exploit?"
( http://danwalsh.livejournal.com/71122.html ), I'd like to write about
TOMOYO/AKARI/CaitSith cases.
TOMOYO/AKARI/CaitSith are pathname based access control with ability to check
command line arguments and environment variables' names and values. Thus, they
are good at protecting from "arbitrary OS command injection vulnerability".
For example, if you allowed executing only /bin/mail from /bin/bash and you are
using enforcing mode, only /bin/mail can be executed from /bin/bash . In other
words, the crafted environment variable can execute not /bin/cat , /bin/mv ,
/bin/rm etc. but /bin/mail .
For example, if you allowed to execute only /bin/mail with explicit command
line arguments (e.g. /bin/sh -c "mail root") and you are using enforcing mode,
only /bin/mail with the specified command line arguments can be executed. In
other words, the crafted environment variable can execute only /bin/mail with
these command line arguments. Even if you didn't restrict command line
arguments for /bin/mail , only resources allowed to be accessed by /bin/mail
can be accessed by /bin/mail .
By the way, if you are not using TOMOYO/AKARI but want to identify where
bash is executed from in order to assess possibility of damage caused by
CVE-2014-6271, the TaskTracker loadable kernel module available at
http://sourceforge.jp/projects/akari/scm/svn/tree/head/branches/tasktracker/
may help.
I had a presentation titled "How to obtain information for troubleshooting
enterprise servers" at LinuxCon Japan 2014. The presentation slide available at
http://I-love.SAKURA.ne.jp/tomoyo/LCJ2014-en.pdf introduces various ideas for
understanding your Linux systems. Questions/feedbacks are welcome.
( http://danwalsh.livejournal.com/71122.html ), I'd like to write about
TOMOYO/AKARI/CaitSith cases.
TOMOYO/AKARI/CaitSith are pathname based access control with ability to check
command line arguments and environment variables' names and values. Thus, they
are good at protecting from "arbitrary OS command injection vulnerability".
For example, if you allowed executing only /bin/mail from /bin/bash and you are
using enforcing mode, only /bin/mail can be executed from /bin/bash . In other
words, the crafted environment variable can execute not /bin/cat , /bin/mv ,
/bin/rm etc. but /bin/mail .
For example, if you allowed to execute only /bin/mail with explicit command
line arguments (e.g. /bin/sh -c "mail root") and you are using enforcing mode,
only /bin/mail with the specified command line arguments can be executed. In
other words, the crafted environment variable can execute only /bin/mail with
these command line arguments. Even if you didn't restrict command line
arguments for /bin/mail , only resources allowed to be accessed by /bin/mail
can be accessed by /bin/mail .
By the way, if you are not using TOMOYO/AKARI but want to identify where
bash is executed from in order to assess possibility of damage caused by
CVE-2014-6271, the TaskTracker loadable kernel module available at
http://sourceforge.jp/projects/akari/scm/svn/tree/head/branches/tasktracker/
may help.
I had a presentation titled "How to obtain information for troubleshooting
enterprise servers" at LinuxCon Japan 2014. The presentation slide available at
http://I-love.SAKURA.ne.jp/tomoyo/LCJ2014-en.pdf introduces various ideas for
understanding your Linux systems. Questions/feedbacks are welcome.