Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Brett Lymn <blymn@baesystems.com.au>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/26/2005 13:05:13
On Thu, May 26, 2005 at 11:31:39PM +0930, Brett Lymn wrote:
> On Thu, May 26, 2005 at 09:08:50AM -0400, Thor Lancelot Simon wrote:
> > 
> > I can think of an _elegant_ way to solve this, involving combining
> > veriexec and systrace, with some minor tweak to allow setuid operation
> > (perhaps, since root would have to load the fingerprints of all the
> > systrace policies into the kernel, in this case systrace should _always_
> > behave as if invoked by root with -c uid of the actual invoking
> > user).
> 
> Hmmm do you mean use veriexec to ensure the policy files are not
> modified and only load files that have veriexec fingerprints loaded?
> If you do then Elad may have already done what you need - part of what
> he has done recently was add some sysctl knobs that give finer grain
> control over veriexec - one of those knobs (the "strict" knob) can be
> set such that files without fingerprints cannot be read.

That is not what I mean.

What I intend would be to extend veriexec so that a given executable
can have both its own fingerprint _and the fingerprint and pathname
of an associated systrace policy_ added.  When the executable were
invoked, the kernel would invoke it under the control of
/bin/systrace -c <invoking uid> but run /bin/systrace itself as root;
if the policy were not present in the filesystem or its fingerprint
did not match, the executable would not run at all.

It would in fact be nice to decouple this so that a systrace policy
path and fingerprint could be loaded without loading a fingerprint
for the executable -- that would have the result "whatever executable's
at that path, so long as you run it under this systrace policy".  And
it safely lets normal users invoke random executables without explicitly
calling systrace, while systrace (invoked by the kernel as root) can
enforce a privilege-elevating policy that lets those executables do
things like bind specific ports as root.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
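A model of the exec-time check Thor describes above, written as an added example that is not part of this thread and not NetBSD's veriexec or systrace code. It assumes an in-memory stand-in for the filesystem, a constructed fingerprint table, and sha256 as the fingerprint; the `Entry`, `decide_exec` and `try_exec` names are hypothetical. The `-f` policy-file and `-c` uid arguments follow systrace(1). Both variants from the message are covered: an entry that pins the binary and its policy, and the decoupled entry ("whatever executable's at that path, so long as it runs under this policy").

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTRACE = "/bin/systrace"


def fingerprint(data: bytes) -> str:
    """Fingerprint of file contents. sha256 is this example's choice."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    """One veriexec table entry, extended as the message proposes."""
    exec_fp: Optional[str] = None      # binary fingerprint; None = any binary at that path
    policy_path: Optional[str] = None  # associated systrace policy; None = no policy
    policy_fp: Optional[str] = None    # fingerprint that policy must have


class ExecRefused(Exception):
    """Raised where the kernel would refuse the exec outright."""


def decide_exec(path: str, uid: int, table: Dict[str, Entry],
                fs: Dict[str, bytes]) -> List[str]:
    """Return the argv the kernel would actually run for an exec of `path`
    by `uid`, or raise ExecRefused. `fs` stands in for the filesystem."""
    data = fs.get(path)
    if data is None:
        raise ExecRefused(f"{path}: no such file")
    entry = table.get(path)
    if entry is None:
        return [path]                      # not registered: plain exec
    if entry.exec_fp is not None and fingerprint(data) != entry.exec_fp:
        raise ExecRefused(f"{path}: executable fingerprint mismatch")
    if entry.policy_path is None:
        return [path]                      # fingerprint-only entry, as today
    policy = fs.get(entry.policy_path)
    if policy is None:
        raise ExecRefused(f"{path}: policy {entry.policy_path} not present")
    if fingerprint(policy) != entry.policy_fp:
        raise ExecRefused(f"{path}: policy {entry.policy_path} fingerprint mismatch")
    # systrace itself runs as root; -c carries the real invoking uid so the
    # policy can selectively elevate (e.g. bind one port) for that user.
    return [SYSTRACE, "-c", str(uid), "-f", entry.policy_path, path]


# Constructed sample "filesystem" (placeholder bytes, not real binaries or
# real systrace policies) and the matching table.
FS: Dict[str, bytes] = {
    "/usr/local/bin/ntpclient": b"ELF...constructed ntp client...",
    "/etc/systrace/ntpclient": b"# constructed policy: allow bind to port 123\n",
    "/home/alice/bin/tool": b"#!/bin/sh\necho hello\n",
    "/etc/systrace/usertool": b"# constructed policy for user tools\n",
}

TABLE: Dict[str, Entry] = {
    # Coupled: binary and policy both pinned.
    "/usr/local/bin/ntpclient": Entry(
        exec_fp=fingerprint(FS["/usr/local/bin/ntpclient"]),
        policy_path="/etc/systrace/ntpclient",
        policy_fp=fingerprint(FS["/etc/systrace/ntpclient"]),
    ),
    # Decoupled: any binary at this path, as long as it runs under this policy.
    "/home/alice/bin/tool": Entry(
        policy_path="/etc/systrace/usertool",
        policy_fp=fingerprint(FS["/etc/systrace/usertool"]),
    ),
}


def try_exec(path: str, uid: int, fs: Dict[str, bytes]):
    """Return the argv to run, or the refusal reason as a string."""
    try:
        return decide_exec(path, uid, TABLE, fs)
    except ExecRefused as e:
        return str(e)


if __name__ == "__main__":
    print(try_exec("/usr/local/bin/ntpclient", 1000, dict(FS)))
    tampered = dict(FS)
    tampered["/etc/systrace/ntpclient"] = b"# edited policy\n"
    print(try_exec("/usr/local/bin/ntpclient", 1000, tampered))
```

The decoupled entry is the interesting one: replacing the binary under `/home/alice/bin/tool` still yields an exec, but only wrapped in the pinned policy, while editing or removing either policy file refuses the exec entirely rather than falling back to an unconfined run.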