On Thu, 2007-11-08 at 23:20 -0600, Lin Tan wrote:
> Seems that an unauthorized user can send files through sockets due to
> the following missing check errors.
>
> There is no security_file_permission() check from sys_splice(),
> which can invoke sock_sendpage(). The call chain is as follows.
> sys_splice -> do_splice -> do_splice_from -> generic_splice_sendpage
> (via function pointer out->f_op->splice_write, which is set up in
> net/socket.c) -> pipe_to_sendpage -> sock_sendpage (via
> file->f_op->sendpage, in net/socket.c)
>
> I believe sock_sendpage() needs to be protected by
> security_file_permission() for two reasons. First, in the following
> path it is protected.
>
> sys_sendfile -> do_sendfile -> file_send_actor -> sock_sendpage
>
> Second, if it is not protected, then an unauthorized user can send files
> through sockets. Adding the check in do_splice_from() should solve
> the problem.
>
> Similar problems exist in do_splice_to() and probably in sys_vmsplice()
> too.
What kernel version are you looking at? Current kernel has security_file_permission() calls in do_splice_from() and do_splice_to().

BTW, one might argue that for the socket case, these should be mediated by the socket hooks, which does happen if the sendpage operation falls back to sock_no_sendpage() -> kernel_sendmsg() -> sock_sendmsg(). But that doesn't happen when the protocol implementation implements its own sendpage operation, of course. So possibly there should be a socket security hook call in sock_sendpage().

-- 
Stephen Smalley
National Security Agency
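The audit Lin Tan did by hand, walking each call chain into sock_sendpage() and asking whether a security_file_permission() site lies on it, is easy to mechanise. The following Python script is an added example, not code from this thread or from the kernel: it builds a small directed call graph from the chains named above (a constructed model, not the real kernel call graph) and reports every syscall-to-sock_sendpage() path that passes through no function modelled as calling the hook. The hook is placed in do_sendfile() for the sendfile path, which is an assumption; the mail only says that path is protected, not where. The second configuration adds the do_splice_from()/do_splice_to() sites that Stephen Smalley says the current kernel has.

```python
"""Hook-coverage audit over a modelled kernel call graph.

Added example, not code from the thread or the kernel. It builds a small
directed call graph from the call chains the e-mails name and reports every
path from a system-call entry point to sock_sendpage() that never passes
through a function modelled as calling security_file_permission(). The
graph and the hook sites are a constructed model of what the mails state.
"""
from typing import Dict, FrozenSet, Iterable, List

Path = List[str]

# Constructed model: caller -> callees, built only from the chains named in the mails.
CALL_GRAPH: Dict[str, List[str]] = {
    "sys_sendfile": ["do_sendfile"],
    "do_sendfile": ["file_send_actor"],
    "file_send_actor": ["sock_sendpage"],
    "sys_splice": ["do_splice"],
    "do_splice": ["do_splice_from", "do_splice_to"],
    "do_splice_from": ["generic_splice_sendpage"],   # via out->f_op->splice_write
    "generic_splice_sendpage": ["pipe_to_sendpage"],
    "pipe_to_sendpage": ["sock_sendpage"],           # via file->f_op->sendpage
    "do_splice_to": [],                              # read side; not modelled further here
    "sock_sendpage": [],
}

ENTRY_POINTS: List[str] = ["sys_sendfile", "sys_splice"]
SINK = "sock_sendpage"

# Functions modelled as calling security_file_permission().
# The mail says the sendfile path is protected but not where; putting the
# check in do_sendfile() is an assumption of this model.
HOOK_SITES_AS_REPORTED: FrozenSet[str] = frozenset({"do_sendfile"})
# Stephen Smalley's reply: current kernel checks in do_splice_from()/do_splice_to().
HOOK_SITES_CURRENT: FrozenSet[str] = HOOK_SITES_AS_REPORTED | {"do_splice_from", "do_splice_to"}


def all_paths(graph: Dict[str, List[str]], src: str, dst: str) -> List[Path]:
    """Enumerate every simple path from src to dst by depth-first search."""
    found: List[Path] = []

    def walk(node: str, path: Path) -> None:
        if node == dst:
            found.append(path)
            return
        for callee in graph.get(node, []):
            if callee not in path:          # skip cycles; the model has none, but be safe
                walk(callee, path + [callee])

    walk(src, [src])
    return found


def unmediated_paths(graph: Dict[str, List[str]], entries: Iterable[str],
                     sink: str, hook_sites: FrozenSet[str]) -> List[Path]:
    """Return entry->sink paths on which no function calls the permission hook."""
    result: List[Path] = []
    for entry in entries:
        for path in all_paths(graph, entry, sink):
            if not any(fn in hook_sites for fn in path):
                result.append(path)
    return result


def report(label: str, hook_sites: Iterable[str]) -> int:
    """Print the unmediated paths for one configuration; return how many there are."""
    sites = frozenset(hook_sites)
    missing = unmediated_paths(CALL_GRAPH, ENTRY_POINTS, SINK, sites)
    print(f"[{label}] hook sites: {sorted(sites)}")
    if not missing:
        print("  every entry->sink path passes a security_file_permission() site")
    for path in missing:
        print("  UNMEDIATED: " + " -> ".join(path))
    return len(missing)


if __name__ == "__main__":
    report("as reported", HOOK_SITES_AS_REPORTED)   # flags the splice path
    report("current kernel", HOOK_SITES_CURRENT)    # nothing flagged
```

The same structure carries over to the socket-hook point in the reply: swap the hook-site set for the functions that call the socket security hooks and the sink stays sock_sendpage(); a protocol that supplies its own sendpage operation then shows up as an unmediated path, while one that falls back through sock_no_sendpage() does not.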