Commit graph

11 commits

Author SHA1 Message Date
Mykyta Holubakha
4f905ecb96 permit.c: check for NULL pointer dereference 2017-07-01 21:35:53 +03:00
Jerzi Kaminsky
2ad8850398 Handle symlinks as IPC security targets
- When policies are allocated, the ipc target path goes
  through symlink resolution. The result is used as
  the canonical for matching pids to policies at runtime.
  In particular, this matches up with the target of
  the `/proc/<pid>/exe`.
- There's a possible race condition if this isn't done
  correctly, read below.

Originally, validate_ipc_target() always tried to resolve
its argument for symlinks, and returned a program target string
if it validates. This created a possible race condition with
security implications. The problem is that get_feature_policy()
first independently resolved the policy target in order to check
whether a policy already exists. If it didn't find any, it called
alloc_feature_policy() which called validate_ipc_target() which
resolved the policy target again. In the time between the two
checks, the symlink could be altered, and a lucky attacker could
fool the program into thinking that a policy doesn't exist
for a target, and then switch the symlink to point at another file.
At the very least this could allow him to create two policies
for the same program target, and possibly to bypass security
by associating the permissions for one target with another,
or force default permissions to apply to a target for which
a more specific rule has been configured. So we don't do that.

Instead, the policy target is resolved once and that result is
used for the rest of the lookup/creation process.
2017-04-16 17:09:53 +03:00
Jerzi Kaminsky
bfb99235e3 Move get_feature_policy to sway/security.c 2017-04-16 17:09:53 +03:00
Jerzi Kaminsky
b4357a8eb6 Rename get_policy to get_feature_policy 2017-04-16 17:09:53 +03:00
Drew DeVault
126ce571da Read configs from /etc/sway/security.d/* 2017-02-20 07:51:31 -05:00
Drew DeVault
b10721b89e Add initial support code for new IPC security 2017-02-20 06:11:56 -05:00
Drew DeVault
1172566d4e Change how security config is loaded 2016-12-17 15:21:57 -05:00
Drew DeVault
7784f1a905 Handle allocation failures in security code
Note that such errors are generally going to be fatal
2016-12-15 19:01:41 -05:00
Drew DeVault
d353da248b Add ipc connection feature policy controls 2016-12-02 18:09:19 -05:00
Drew DeVault
f23880b1fd Add support for command policies in config file 2016-12-02 08:10:03 -05:00
Drew DeVault
76cab04b4d Implement permit and reject commands 2016-12-01 21:36:43 -05:00
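
The race described in commit 2ad8850398 above, reduced to an added example (not sway's code): the double-resolution shape beside the resolve-once shape, with an injectable resolver that stands in for a symlink retargeted between calls. All function names, the policy table and the `/tmp/link` path are assumptions made for illustration.

```c
#include <string.h>
/* All names here are hypothetical; this is not sway's code. */
#define MAX_POLICIES 8
#define PATH_LEN 256
static char targets[MAX_POLICIES][PATH_LEN]; /* canonical target per policy */
static int n_policies, resolve_calls;
/* Writes the canonical path to out, 0 on success; real code would wrap realpath(3). */
typedef int (*resolve_fn)(const char *path, char out[PATH_LEN]);
int count_policies(const char *canonical) {
    int n = 0;
    for (int i = 0; i < n_policies; i++) n += strcmp(targets[i], canonical) == 0;
    return n;
}
/* Creation takes an already-resolved path and never resolves again. */
static int alloc_policy(const char *canonical) {
    if (n_policies == MAX_POLICIES || strlen(canonical) >= PATH_LEN) return -1;
    strcpy(targets[n_policies++], canonical);
    return 0;
}
/* Racy shape from the commit message: lookup and creation resolve separately. */
int get_policy_racy(const char *path, resolve_fn resolve) {
    char first[PATH_LEN], second[PATH_LEN];
    if (resolve(path, first) != 0) return -1;
    if (count_policies(first) > 0) return 0;
    if (resolve(path, second) != 0) return -1; /* link may have changed */
    return alloc_policy(second);
}
/* Fixed shape: resolve once, use that result for lookup and creation. */
int get_policy_once(const char *path, resolve_fn resolve) {
    char canonical[PATH_LEN];
    if (resolve(path, canonical) != 0) return -1;
    return count_policies(canonical) > 0 ? 0 : alloc_policy(canonical);
}
/* Constructed stand-in for a symlink retargeted between calls: a, b, a, b... */
int flipping_resolve(const char *path, char out[PATH_LEN]) {
    strcpy(out, resolve_calls++ % 2 ? "/usr/bin/b" : "/usr/bin/a");
    return path ? 0 : -1;
}
/* Start with one policy for /usr/bin/b, run one lookup, count policies naming b. */
int b_policies_after(int (*get)(const char *, resolve_fn)) {
    n_policies = resolve_calls = 0;
    alloc_policy("/usr/bin/b");
    get("/tmp/link", flipping_resolve); /* hypothetical symlink path */
    return count_policies("/usr/bin/b");
}
int main(void) {
    return !(b_policies_after(get_policy_racy) == 2 &&
             b_policies_after(get_policy_once) == 1);
}
```

The racy variant ends with two policies for the same target, the duplicate the commit message warns about; the resolve-once variant keeps the table keyed on the single path it looked up.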