我们在
《Linux内核NULL指针引发的BUG(三)--源码》(以下简称文三)中提到该漏洞和SElinux有一些关系,是在开启SElinux的系统上进行利用的。但是,是不是就可以因此说SElinux的弱化了Linux的安全呢。下面转载一篇SElinux Team开发人员对SElinux的分析。原文链接:。
本文欢迎自由转载,但请标明出处,并保证本文的完整性。
作者:GodbachBlog:
http://Godbach.cublog.cn
日期:2010/01/13【原文】Thoughts on Linux
- mmap_min_addr on SELinux and non-SELinux system
- July 21st, 2009
There has been a lot of conversation about the difference in how the
mmap_min_addr proteciton is applied on SELinux vs. non-SELinux systems
and how these differences made it easier to exploit a recent kernel BUG
on SELinux systems. A number of people have claimed the SELinux made
the system weaker. It did, but in other ways it was still stronger.
I'm working to get the best of both worlds, but it isn't fair to claim
a universal across the board weakening.
We, the SELinux team,
made a decision to not require CAP_SYS_RAWIO (non techies can think of
this as root, or uid=0) for mapping the 0 page. Instead we have an
SELinux policy specific permission for this operation, mmap_zero. We
made the choice to not require one to be root because WINE needs to do
this operation and (sadly) there are a number of users out there who
run windows applications inside WINE.
Recently a kernel exploit
was posted which works by mapping the 0 page, putting crafty info on
that page, tickling a bug in the kernel, and winning (It is brilliant,
as usual from Brad.) To get that 0 page mapped on a non-SELinux
system he had to find a busted suid application (he found pulseaudio)
and get that to map the page for him. Since SELinux systems don't
require root, he didn't need to find a busted suid application, he just
had to map the 0 page and tickle the kernel bug.
Now the claim
comes out that SELinux systems are less secure than non-SELinux
systems. It's true, SELinux systems are weaker against authenticated
logged in local users in this case. But it's stronger against remote
attacks. What? Yes, I agree completely that I need to strengthen the
system against attacks from a malicious local user, but we do a much
better job in this case if an attacker was trying to attack remotely.
【Godbach注:】这里作者认为SElinux更注重于远程的攻击,而对于本地恶意用户发起攻击的防御则相对弱一些。SElinux是需要加强对本地恶意用户的防御。言下之意,并不能因为SElinux对本地用户的防御不很完善,就说SElinux弱化了系统的安全。下面两段内容就是作者对SElinux对于防御远程攻击进行的分析,并和non-SElinux进行对比,进一步验证作者提出的观点。On
a non-SELinux system if the attacker was able to subvert any network
facing daemon they won. They just tickled do the same thing. Take
over daemon remotely, use pulseaudio to map the page, tickle the kernel
bug, win. But what happens on an SELinux system? It doesn't work!
Take over the network facing daemon, try the pulseaudio trick, crap,
didn't get the page. Try to map the zero page directly. Crap it
didn't work. Now what? You win, they lose. SELinux is stronger than
non-SELinux.
This is because SELinux confines network facing
daemons and doesn't give them permissions to map the 0 page. It's not
about root or non-root. It's not about suid or non-suid. It's about
the SELinux domain not allowing the daemon to map the 0 page. Yes, as
an unconfined user you can map the page (and I'm looking at ways to fix
that) but if your system is subverted remotely, you are likely much
better protected with SELinux than without.
阅读(2773) | 评论(0) | 转发(3) |