Commit
Handle symlinks as IPC security targets
- Security policy files name a "policy target" path, but the policy object itself is keyed by a canonical "program target", which is the result of resolving symlinks for the "policy target" and also matches the target of the /proc/<pid>/exe symlink for a running process.
- Policy lookup functions resolve their argument to its program target before looking up the policy. If they need to create a new one, they pass a "program target", not a "policy target", as an argument.
- Renamed validate_ipc_target to validate_ipc_program_target to emphasize the fact that it should be called with a "program target", not a "policy target". This has the unfortunate side-effect that errors report the "program target" at fault, not the "policy target" as it appears in the config file. This is necessary in order to avoid the possible race condition described below.

Originally, validate_ipc_target() always tried to resolve its argument for symlinks, and returned a program target string if it validated. This created a possible race condition with security implications. The problem is that get_feature_policy() first independently resolved the policy target in order to check whether a policy already exists. If it didn't find any, it called alloc_feature_policy(), which called validate_ipc_target(), which resolved the policy target again. In the time between the two checks, the symlink could be altered, and a lucky attacker could fool the program into thinking that a policy doesn't exist for a target, and then switch the symlink to point at another file. At the very least this could allow him to create two policies for the same program target, and possibly to bypass security by associating the permissions for one target with another, or force default permissions to apply to a target for which a more specific rule has been configured. So we don't do that. Instead, the policy target is resolved once and that result is used for the rest of the lookup/creation process.
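The race the commit message describes, reduced to a runnable sketch. This is an added illustration, not the project's code: the policy table, the `struct feature_policy` layout, the `/opt/app/...` paths and the swapping resolver are all hypothetical. The resolver is a function pointer so the constructed scenario can stand in for an attacker who re-points the symlink between two `realpath()` calls; in production the `resolve_realpath` hook is the one that would be used. `get_feature_policy_racy` is the "before" shape (resolve, miss, resolve again inside creation), `get_feature_policy` is the "after" shape (resolve once, reuse the result for both lookup and creation).

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define MAX_POLICIES 16

/* Hypothetical policy object, keyed by the canonical program target. */
struct feature_policy { char program_target[PATH_MAX]; int permissions; /* 0 = default */ };
struct policy_table   { struct feature_policy entries[MAX_POLICIES]; size_t count; };

/* Resolver hook: production uses realpath(); the test swaps in a resolver whose
 * answer changes between calls, simulating a symlink re-pointed inside the window. */
typedef int (*resolve_fn)(const char *policy_target, char *out, size_t outlen);

static int copy_path(const char *src, char *out, size_t outlen) {
    if (strlen(src) >= outlen) return -1;
    strcpy(out, src);
    return 0;
}

/* Policy target -> program target: follow every symlink component. */
static int resolve_realpath(const char *policy_target, char *out, size_t outlen) {
    char buf[PATH_MAX];
    if (realpath(policy_target, buf) == NULL) return -1;
    return copy_path(buf, out, outlen);
}

/* Program target of a running process is the target of /proc/<pid>/exe. */
static int program_target_of_pid(pid_t pid, char *out, size_t outlen) {
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    ssize_t n = readlink(link, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

static struct feature_policy *find_policy(struct policy_table *t, const char *program_target) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].program_target, program_target) == 0) return &t->entries[i];
    return NULL;
}

/* Takes an already-resolved program target and does NOT resolve it again. */
static int validate_ipc_program_target(const char *program_target) {
    return program_target[0] == '/' && strlen(program_target) < PATH_MAX;
}

static struct feature_policy *alloc_feature_policy(struct policy_table *t, const char *program_target) {
    if (!validate_ipc_program_target(program_target) || t->count >= MAX_POLICIES) return NULL;
    struct feature_policy *p = &t->entries[t->count++];
    copy_path(program_target, p->program_target, sizeof p->program_target);
    p->permissions = 0;
    return p;
}

/* BEFORE: two independent resolutions; the symlink may change between them. */
static struct feature_policy *get_feature_policy_racy(struct policy_table *t, const char *policy_target, resolve_fn resolve) {
    char pt[PATH_MAX];
    if (resolve(policy_target, pt, sizeof pt) != 0) return NULL;
    struct feature_policy *p = find_policy(t, pt);
    if (p) return p;
    if (resolve(policy_target, pt, sizeof pt) != 0) return NULL;   /* second resolution */
    return alloc_feature_policy(t, pt);
}

/* AFTER: resolve exactly once; lookup and creation share the same program target. */
static struct feature_policy *get_feature_policy(struct policy_table *t, const char *policy_target, resolve_fn resolve) {
    char pt[PATH_MAX];
    if (resolve(policy_target, pt, sizeof pt) != 0) return NULL;
    struct feature_policy *p = find_policy(t, pt);
    return p ? p : alloc_feature_policy(t, pt);
}

/* Constructed scenario: the attacker's symlink first resolves to DECOY, then to
 * REAL_BIN, which already has a specific rule. Paths are hypothetical. */
static const char *const DECOY = "/opt/app/decoy";
static const char *const REAL_BIN = "/opt/app/privileged-helper";
static int swap_calls;
static int resolve_swapping(const char *policy_target, char *out, size_t outlen) {
    (void)policy_target;
    return copy_path(swap_calls++ == 0 ? DECOY : REAL_BIN, out, outlen);
}

struct scenario_result { size_t duplicates; int permissions; };

/* Seed a specific rule for REAL_BIN, look up the symlink once, then count entries
 * that duplicate an earlier program target and report the permissions returned. */
static struct scenario_result run_scenario(int racy) {
    struct policy_table t = { .count = 0 };
    alloc_feature_policy(&t, REAL_BIN)->permissions = 0x7;
    swap_calls = 0;
    struct feature_policy *p = racy ? get_feature_policy_racy(&t, "/opt/app/current", resolve_swapping)
                                    : get_feature_policy(&t, "/opt/app/current", resolve_swapping);
    struct scenario_result r = { 0, p ? p->permissions : -1 };
    for (size_t i = 1; i < t.count; i++)
        for (size_t j = 0; j < i; j++)
            if (strcmp(t.entries[i].program_target, t.entries[j].program_target) == 0) { r.duplicates++; break; }
    return r;
}

int main(void) {
    struct scenario_result racy = run_scenario(1), fixed = run_scenario(0);
    printf("racy : %zu duplicate policy for %s, lookup returned permissions %d\n", racy.duplicates, REAL_BIN, racy.permissions);
    printf("fixed: %zu duplicates, new policy created only for the path actually resolved\n", fixed.duplicates);
    return 0;
}
```

In the racy path the first resolution misses (the symlink points at the decoy), the second resolution lands on the binary that already has a `0x7` rule, and `alloc_feature_policy` creates a second, default-permission policy for the same program target; that is the "two policies for the same program target" and "default permissions applied to a target with a more specific rule" outcome the message warns about. The single-resolution version creates a policy only for whatever the symlink pointed at when it was resolved, so the table never holds two entries for one program target. `program_target_of_pid` is included to show why the key has to be the fully resolved path: that is the only form a running process's `/proc/<pid>/exe` can be compared against.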