5/15/2006 lspp Meeting Minutes:
===============================
Attendees
Janak Desai (IBM) - JD
Paul Moore (HP) - PM
Amy Griffis (HP) - AG
Steve Grubb (Red Hat) - SG
Loulwa Salem (IBM) - LS
Lisa Smith (HP) - LMS
Michael Thompson (IBM) - MT
Al Viro (Red Hat) - AV
Dan Walsh (Red Hat) - DW
George Wilson (IBM) - GW
Matt Anderson (HP) - MA
Klaus Weidner (Atsec) - KW
Linda Knippers (HP) - LK
James Antel (Red Hat) - JA
Kernel update
-------------
GW: we'll lead off with AL, any updates or issues with the kernel
AV: last week there have been minor changes to the tree, a deadlock was
found and fixed. I hope to have updates on Friday. I've had a bit
of hardware trouble and it got serviced today, so I'll have
updates Tuesday.
SG: AL, when should we step up to rc4 of git tree?
AV: well, next update is tomorrow. I hoped to have had it done
Friday afternoon, but there have been raid array problems.
SG: I just wanted to know when to move up
AV: tomorrow I'll put an update out, so it's up to you to keep it for
now; or wait until tomorrow, there will be more patches added to the set
GW: thanks for the update AL, so far with new audit, things are looking
good, have we run any regression tests lou.
LS: no, not yet.
LSPP kernel issues
------------------
SG: Michael was reporting a problem, that lou was seeing before
MT: yeah, first execution of auditctl command is denied, but subsequent
ones are permitted
SG: I got an strace from lou, and it looked like the problem is from
the kernel. I am at a loss of what it is, sounds like an
uninitialized variable.
AV: try to see where it goes next. how far does it get.
SG: it shows a normal syscall exit.
AV: ok we send a packet hopefully it is received. inside kernel in
the kernel we start to handle that. question is how far did it get.
MT: is there a kernel build in your tree steve
SG: yes. one of hooks you want is /etc/security/nlssg-pass that has
the netlink code. The function name is selinux_nlm_lookup, that's
where it makes the decision to allow package or not, unless there
is another basis to reject it.
GW: Does this happen in permissive only, I always ran in enforcing, I
want to try that, how do you recreate it.
MT: Just boot in permissive, login as root, execute auditctl -l. I'm
seeing it on i386, and lou saw it on x86_64. could it be an intel
thing, but that doesn't make sense
GW: Ok. Any other kernel issues
AV: I have a question for Amy, but she is not here yet.
Audit performance and stability issues
--------------------------------------
GW: Amy if you are on, can you tell us about audit.
LMS: Amy is not here yet, I'll go get her.
AuditFS/inotify completion
---------------------------
AG: I found a bug in inotify release patch. There is a bug where the list
got mangled. I need something to compare the code with my additions
to. I have to figure out what is going on. Last week Al and I were
talking about not having records for files/directory removes; he had
an idea that I liked about applying a filter. I am thinking to get
a patch out tomorrow, after I'm done with the inotify work. One more
issue, it is actually a bug; when you tell inotify to clean up, it
doesn't clean properly, so when you add a rule later it thinks it's
already there.
SG: You think we are in good shape to let the code go to -mm tree.
AG: depends on the inotify patch, I need to test that first. I ran
into something that looks like a bug so I need to get that fixed.
After that, we might be ready.
SG: Ok. 2.6.17 is about to release and the window to 2.6.18 is about to
open. We won't have time to test in -mm.
AV: I'm going to star pushing stuff that doesn't depend on inotify to -mm,
so that inotify won't interfere with the rest, I'm going to push them
to Andrew, so if anyone can think of patches that are not Dependant
on inotify, you need to tell me. However, nothing not in the current
tree will go into -mm.
SG: George, the patches you have need to also see the light of day,
everything going into 2.6.18 needs to go in -mm tree to check for bugs.
GW: Ok, I'll commit to put the patches out by tomorrow.
Audit of POSIX message queues
------------------------------
GW: I still need to put my patch out. I found bug and I'm in the process
of fixing it.
Audit API
---------
SG: Not alot new, Friday I put an update to fix the problem of deleting
everything. Also add audit by ppid.
AV: By the way, I'm going to put validation of stuff that validates rules in
userland . I don't believe that range checks on those ever makes
sense; only thing we do with inode number is compare it equal or
not equal to another inode
SG: sounds fine to me
Audit failure action inquiry function
--------------------------------------
GW: Lisa, would you like to tell us how is this going?
LMS: sure, I sent out an updated proposal last week, and waiting
for feedback
GW: I looked at it and it's fine with me. It may be an overkill after we
had our discussion. I certainly need to call something from the
self tests. Have you started implementing anything?
LMS: Not yet, I'm still waiting on feedback. Do we still have consensus
to pursue this. we were gonna make a call to a function and I was
gonna return ENUM; do we still need that? are there many applications
that need this. Do we still feel we should pursue this. I would like
people's thoughts on this.
GW: I remember we ran into problem about what if auditd is not running,
what if messages can't make it out.
LMS: if auditd is not running, it gets written to syslog. messages are
still logged.
GW: we wanted to do this in audit library, that was the consensus last time.
SG: yeah, that can be done in audit library
GW: so all applications will fail from audit library and can decide what
to do. self test is going to be the one that brings the system down?
LK: I don't think self test will call that function
GW: they were gonna send messages and check audit system health
periodically.
LK: not sure what that has to do with userspace.
GW: well we were gonna have applications stop the system, but not any more
AG: I don't think it was gonna panic the system. seems to me self tests
are separate than this.
GW: I agree. any reason not to go ahead and start prototyping.
LMS: I can start that if people think this is the way to go. Ok, sounds like
I'll start prototyping. if people have comments please send to list
or directly to me.
Audit of service discontinuity
------------------------------
GW: I remember .. klaus said we need explicit records to go between
run levels. that's when we got into discussion of what to do when
auditd shuts down. is James working on these. We need some
configurability there to panic the system.
JA: I wasn't sure I was assigned to be working on that.
GW: so we need owners for that. we need it configurable but we don't have
to make it more usable friendly if we are out of time
SG: We don't want automatic relabeling, it goes to shell for administrator
to make changes.
GW: we discussed that before. it is not a requirement, but nice feature
to have.
SG: it was in RBAC. there is a maintenance mode, but also single user
mode. when it booted up, it had an option to auto relabel or go
into single user mode
GW: it doesn't specify it tightly, but yeah. I am trying to check
the protection profile. No one is working on this. Ivan was gonna
take that.
SG: looks like a simple thing to do, about 5-10 minutes
GW: but no one owns it. we need to be clear on requirements. There is
an explicit requirement, I agree.
Print
-----
MA: the postscript(PS) container I mentioned last week is not completely
working. I'm getting close. Once that is working, I was planning
on implementing access control check. I need some code so I can write
a design doc. Also I tried changing the resolution as Klaus mentioned
last time, it was better, but still pixelated, and produced a
larger file.
GW: Does it still look like a fax
MA: Yes .. like a fax.
KW: did you print it or saw it on screen?
MA: The thing is on screen it looks always good, but on print it is
not good. Also it has slow printing.
KW: maybe the printer has small memory. Some old printers have
these problems
MA: this is a fairly modern printer, but I'll check on it's memory though.
KW: if you use the postscript as the intermediate language you would
still have to put the interpreter in the LLD since you can't trust
the output.
MA: but the input postscript has been completely rendered to bitmap.
The labeling filter would only be called after the rendering filter.
AV: you can't encapsulate original interpreter. you can' trust it won't
be able to do anything . you can't make assumptions about output
being compromised.
KW: you don't have that trust separation anymore. Now instead of
having simple output, you get postscript.
MA: that postscript outputs a .tiff, then you can string together
tiff images.
AV: one thing to keep in mind, compromised .tiff can cause considerable
trouble to parse unless you are careful
MA: I'll do good error checking around that
KW: need to try hard to argue that the postscript interpreter in
backend does not need to be included in the LLD.
GW: how hard we have to argue klaus.
KW: You need to know privileges of what things are running at.
AV: what I think is going on, we get a completely untrusted PS in input,
we run it in sandbox. the output is completely untrusted, .tiff
is easier to validate if we do the validation of that stuff in
trusted and the output is PS. Then it does not depend on ps input it
is .tiff frame containing bitmaps. bitmaps are the only place where
regional input may affect this. That is a very restricted subset of PS.
KW: the tricky part is in the details. make sure people can't pass
pipeline. how can you be sure you are only getting that subset
MA: subset is picked by the filter.
KW: It doesn't work that way. you have to ensure filters can't be bypassed.
MA: the postscript is interpreted by filter.
KW: but it is only an assumption that postscript is not hostile.
AV: that's not what is going on. what we're saying is that if everything
in sandbox is subverted, you get hostile files pretending to be .tiffs,
this affects assumptions of everything after that stage. only thing
you get out of compromised interpreter will be those files.
KW: maybe not even root. it can be running at different level. in sandbox
it starts a process, but they need to be running at different levels
AV: you need to prove that sandbox will contain whatever is put inside.
KW: in general it is feasible. filter and sandbox are not by passable.
we need to show that if we need to exclude the postscritp interpreter
from the trusted list.
GW: how much explanations do we need?
KW: not much, maybe a page or two explaining privileges
MA: Ok, shouldn't be hard.
GW: argue that it is constrained by selinux.
MA: to get to filters you need to bypass the selinux.
KW: as long as you make a good case about not caring what it does in detail.
AV: let's say low-level backend in PS that generates data for whatever
printer is out there. lets assume that it recognizes given combination
of pixels and does something nice to it. assumes author of PS is
hostile if got a bug in rendering that can be used to subvert backend
PS driver, may still be in trouble no matter how easy the PS part is
MA: the printer would have that backdoor or the interpreter?
AV: interpreter
KW: It is generally safe to assume developers of software are not hostile.
AV: bugs in rendering part of driver can be generated by sequences fed
to printer. those parts may have unintentional exploitable bugs
KW: we don't need to show it is completely free of backdoors, but just
that is has reasonable separation.
AV: more details, suppose printer uses odd compression scheme, and backend
part of ps will have to take whatever bitmap it got and run compression
over it. assume on some inputs you have a buffer overrun in compression
MA: I think you're example is a little off AL. I think a buffer overflow,
once you are talking about compression, that's beyond the scope of
EAL4. There is clearly a security vulnerability there, but it's
beyond our work.
KW: make sure it is not easily by passable. if you can do that with
selinux it's good enough
MA: the vulnerability will be in actual printer firmware.
KW: for that you got the LLD of printer which should address those issues.
GW: going back to manual recovery. it is a requirement
SG: put something in /etc/sysconfig. it can be a variable to tell if it is
a relabel or single user mode. seems like a quicker fix to do it than
to talk about it.
GW: you don't want to just auto relabel, need to give them option to drop
to single user mode.
DW: give option or force.
KW: make a flag, if something happens and system doesn't know, it goes
to single user mode. create a file and indicate a dirty state.
DW: it knows it is not running in selinux. there is a file like that,
every time you reboot it creates a new file.
KW: our solution could be something similar.
DW: You want to put a flag that says don't auto relabel, just go to single
user mode. that's fine, but prompting the user is bad.
GW: we can configure it right?
DW: yeah configure to do relabel or single user mode.
DW: assign this one to me.
GW: thanks Dan.
CIPSO
-----
PM: still going, got all feedback from stephen smalley and james morris.
I finished the code to enable the pure sec(??) socket option. I'll
try to get it out by end of this week, but other things are preoccupying
me, if not this week, then early next week. For the next one that comes
out, everyone with experience, please take a look at it, since at this
point we are at the stage of minimal functionality. And I would like
some feedback. Any questions.
GW: I am hoping joy and serge will take a good look at that from our
end. Trent also would be nice for him to look at it.
PM: I'll continue posting to lspp mailing list, also the lsm list. Depending
on feedback from this patch, the other one should soon follow.
GW: sounds good, thanks
SELinux base update
-------------------
DW: mcstrans got in. The dev mls utils is still in fedora extras, trying
to push that see if they approve it. As for policy, we go back and
forth with Michael about that. We are going through difference between
the roles. Q&A coming from IBM are helping define those roles. we are
testing as we go. right now all roles can change passwd, but only
sysadmin needs to change passwd. we need to prethink of those scenarios
early so we don't stumble later. I'll respond to your email
tonight Michael.
SG: George, let's remove the label transition daemon from the agenda, if
you have issues, send bugs
IPsec labeling, xinetd, secpeer
-------------------------------
GW: Trent posted xinetd.
SG: I took a very quick look. I don't think the code addressed the issues
I brought up in October. But I still need to look at it in more details.
GW: level negotiation kind of issues
SG: I'll take a look at it this week, and see how it meshes with the
way xinetd is designed.
GW: good, sounds reasonable. Did unix domain datagram support ever make
it into kernel. katheryn did separate patch for unix domain datagrams,
but I never knew if it made it in. We need to make sure that got
incorporated. Al do you know
AV: I don't think I ever had it, might have gone to mainline before
January. I never had that. We need to get it in lspp kernel first.
GW: we also need the netdev community to accept it first. This was in
an email on april 10 (updated af_unix datagram get peer sec).
AV: It never made it into lspp, and as far as I can tell never made it
into mainline.
GW: I'll follow up with katheryn, I'll follow to completion with her.
AV: just post it.
ipsec-tools patches: Base, SPD dump, and racoon MLS
-----------------------------------------------------
GW: joy is out on personal business. she is not contactable right now. Chad
and vinkat, wanna talk about the posting you had. are they on? Ok, they
are not on. Vinkat made postings about MLS negotiation with IPSEC.
it's a pretty sizable patch, I didn't look at it. we need to decide
what to do with it. Wish joy was here since she is our primary ipsec
person now. Wanted to thanks TCS for putting this out. we need to review
it, get comments and get it upstream. Same thing with the spd dump.
Device allocation
------------------
GW: Anything new with that Debbie?
DV: Steve posted couple of small items to fix. Corey started making changes,
and said he will make changes over weekend and get them out by Monday.
I still haven't seen anything from Corey yet.
GW: we'll have another record type for that.
SG: those are already in the version of audit that I released last Friday
Label translation daemon
-------------------------
GW: will be removed from agenda next week
Self tests
----------
GW: I am still working on that
VFS polyinstantiation
---------------------s
JD: pam namespaces is in rawhide, few people are testing. bugzilla
reports are being fixed and tested, one turned out a bug with
regression, Andrew Morton said he'll revert the patch that caused it.
As far as cron, it's still not in rawhide, but fedora maintainer said
it should be in rawhide to test
DW: any solution for x windows
KW: there has been discussion on how to handle directory structure
JD: I told Russel I'll look through, he had certain attacks that he said I
should take care of. I'll write those attacks down, and we can decide
on them, some of them are beyond our work. What I told Russel, is
I'll try and write down and have more coherent explanation of
those possibilities
KW: What about the direcotry discussion?
JD: he wants an intermediate directory.
KW: he can create an intermediate directory himself and put it as part
of config file
JD: I'll have email with each of these attack scenarios and we can
address them. I agree, you can manually create this direcotry and
add it.
DW: so he wants a /tmp/?? directory to be created.
JD: yes .. a user will have access to a file, and only way to do that if
you have unmount .. or if user is running without polyinstantiation.
DW: ???
JD: right now we run with policy default. We do set execon to null to
let policy decide.
DW: You do it before set execcon.
JD: it happens from a different process. it does happen before user
shell gets executed.
DW: can you do something with mount bind with x windows on top
JD: to the script?
DW: yes, can you take the top level X11 and put that over user directory
JD: haven't tried that. I'll try that. As far as mount patch, I saw
someone from redhat named Zack mailed Adrian to include the patch.
would be great to include it in rawhide.
DW: I triggered that, I sent the patch to zack to put it upstream.
JD: I checked if the patch is upstream or he heard anything back, and
he said no to both.
GW: we are still trying to get work completed. we are at home streatch and
just need to keep the energy up. We need to get everything in 2.6.18.
We need to redouble our efforts to get things in 2.6.18, also in -mm. As
far as the 2.6.18 we don't know when the window will open for that, so
finish as soon as possible. I don't know of any patches that don't need
to be in -mm.
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
