apparmor/docs/raceguard.pod
Steve Beattie 6d3e74907d Import the rest of the core functionality of the internal apparmor
development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00


# $Id: raceguard.pod 5820 2005-11-30 19:51:33Z sarnold $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
=pod

=head1 NAME

RaceGuard - File system race protection

=head1 DESCRIPTION

It is a common programming idiom to perform an lstat(2) or stat(2) on a
potential temporary filename and then create the file with open(2) using
O_CREAT as an argument. When this is done without the O_EXCL flag, a
symbolic or hard link can be sneaked into the selected filename after
the lstat(2) or stat(2) check and before open(2) is called, causing the
program to follow a link it did not anticipate. This behavior is
unfortunately codified in the mktemp(3) function.

This filesystem race, in conjunction with setuid or setgid applications,
or daemons running with different privilege levels, can be used to read
or write files the attacker would not normally be able to access.

RaceGuard works by keeping a per-process cache of recent stat(2)
filenames for which stat(2) reported that the file does not exist. If
the process then tries to open(2) that filename with O_CREAT but without
O_EXCL, RaceGuard first checks whether a file with that name now exists.
If it does, some external process has likely raced this process, and
RaceGuard will either fail the open(2) or kill the process, depending
upon a sysctl.

To simply fail the open(2) calls:

    # echo 0 > /proc/sys/kernel/raceguard_kill

To cause the raced process to be killed:

    # echo 1 > /proc/sys/kernel/raceguard_kill

This value is also visible through the sysctl(8) mechanism.

To see RaceGuard in action, start two terminal shells.

In shell one do:

    $ rm source target
    $ ln -s target source

In shell two, do:

    $ touch sou<TAB>

(We are using the shell's tab-completion for 'source' to cause a
stat(2).) When touch(1) runs, it will be killed by RaceGuard, and a
message similar to the following will be sent to the system logs:

    Feb 7 18:26:07 lizaveta kernel: Immunix: RaceGuard: Killed bash (pid 30185) when trying to access /home/steve/source!

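The stat-then-open window described above, next to the O_CREAT|O_EXCL form that closes it, as an added C example rather than Immunix or AppArmor code: it replays the ln -s demo inside a constructed temporary directory under /tmp, planting the link between the two calls to stand in for the racing shell. The directory name, the helper names and the bitmask return value are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 of the racy idiom: lstat(2) reports the name is free (ENOENT). */
static int name_is_free(const char *path) {
    struct stat st;
    return lstat(path, &st) == -1 && errno == ENOENT;
}

/* Step 2, racy form: O_CREAT without O_EXCL follows whatever now sits at
 * path, so a link planted after step 1 redirects the create elsewhere. */
static int create_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened form: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
 * included, already occupies the name; check and create are one syscall. */
static int create_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Replays the page's two-shell demo in a constructed temp directory.
 * Returns a bitmask: bit 0 = racy open went through the link and created
 * `target`; bit 1 = safe open refused with EEXIST. Expected value: 3. */
static int replay_race(void) {
    char dir[] = "/tmp/raceguard-demo-XXXXXX";   /* hypothetical location */
    char source[64], target[64];
    struct stat st;
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(source, sizeof source, "%s/source", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (!name_is_free(source)) return -1;          /* victim's lstat(2) */
    if (symlink(target, source) == -1) return -1;  /* racer: ln -s target source */
    fd = create_racy(source);                      /* victim's open(2), no O_EXCL */
    if (fd >= 0 && stat(target, &st) == 0) result |= 1;  /* target got created */
    if (fd >= 0) close(fd);
    fd = create_safe(source);                      /* same name, O_EXCL added */
    if (fd == -1 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);
    unlink(target); unlink(source); rmdir(dir);
    return result;
}
```

Under RaceGuard as described above, the create_racy() call is the one that would be failed or killed, since the same name was just reported missing by lstat(2).
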
=cut

=head1 Fixing RaceGuard breakage

Large make(1) systems occasionally encounter problems when run under
RaceGuard. Behavior is random, because RaceGuard is actually correctly
detecting unknown race vulnerabilities in the make file. Re-starting the
build will occasionally mask the problem, as will reducing parallelism
to 1. If problems persist, you will need to install a custom kernel or
fix the make file to no longer have this concurrency fault. In future
versions of Immunix, we expect RaceGuard to be a removable kernel module
(see L<http://lsm.immunix.org/>).

=pod

=head1 SEE ALSO

access(2), lstat(2), stat(2), open(2), fork(2), exec(2), sysctl(8),
immunix(7)

=cut