AppArmor mediation in dbus-daemon

Marcel Holtmann marcel at holtmann.org
Mon Feb 17 23:44:30 CET 2014


Hi Marc,

>>> I still think that it shouldn't be considered deep packet introspection
>>> in kdbus and plan on submitting some small patches to you guys (kdbus
>>> upstream) that move several fields to the kdbus message metadata.
>> 
>> I mentioned this in the other thread as well, but let me just repeat this here.
>> 
>> You can not just attach arbitrary meta data and hope that your security model is secure. That is a fundamental design flaw in your security model. If kdbus can not verify that the attached meta data is correct, then you are as vulnerable as before.
>> 
>> An attacker can attach whatever meta data it wants and bluntly lie about what
>> is actually in the message itself. Meaning it will be routed to the destination,
>> but then the destination does execute something totally different than your
>> AppArmor policy checked for.
>> 
> 
> The idea isn't to just attach the metadata, it's to _move_ it from the payload
> to the metadata. You can't just repeat it, that would definitely be a bad design.

This kind of information does not belong in kdbus meta data. I made this comment before. You do not add HTTP headers to the TCP header. Or TCP port numbers to the IP header.

kdbus does not need to know about this information to get the message to its destination. If you want to inspect a message, then it needs to be done inside AppArmor itself. We have netfilter for the same reason. The networking core does not care what the higher layers' packet payload is. The job is to get a packet from a to b.

Regards

Marcel
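
Added illustration, not part of the original e-mail and not kdbus, D-Bus or AppArmor code: a toy Python model of the mismatch described in the quoted text, where a policy check on a sender-attached copy of the fields passes while the destination acts on different payload contents, next to a check on the bytes the destination actually parses. The message layout, the policy table and the `org.example` names are assumptions constructed for the example.

```python
# Toy model only: this is NOT the kdbus or D-Bus wire format.
# A message is a dict with sender-supplied "meta" and a "payload" (bytes)
# that the destination parses to decide what to execute.
import json

# Hypothetical policy: (interface, member) pairs this sender may call.
ALLOWED = {("org.example.Player", "Pause")}

def payload_header(payload):
    """Extract the fields the destination acts on; None if malformed."""
    try:
        hdr = json.loads(payload)
        call = (hdr["interface"], hdr["member"])
    except (ValueError, KeyError, TypeError):
        return None
    return call if all(isinstance(f, str) for f in call) else None

def mediate_on_metadata(msg):
    """Flawed check: trusts a duplicate copy that nothing verifies."""
    meta = msg.get("meta", {})
    return (meta.get("interface"), meta.get("member")) in ALLOWED

def mediate_on_payload(msg):
    """Check made on the same bytes the destination will parse."""
    return payload_header(msg["payload"]) in ALLOWED  # None never matches

def destination_executes(msg):
    """What the receiving service dispatches on (payload only)."""
    return payload_header(msg["payload"])

# Constructed sample messages.
META = {"interface": "org.example.Player", "member": "Pause"}
HONEST = {"meta": META,
          "payload": b'{"interface": "org.example.Player", "member": "Pause"}'}
LYING = {"meta": META,
         "payload": b'{"interface": "org.example.Admin", "member": "Reboot"}'}

if __name__ == "__main__":
    for name, msg in (("honest", HONEST), ("lying", LYING)):
        print(name,
              "metadata check:", mediate_on_metadata(msg),
              "payload check:", mediate_on_payload(msg),
              "destination runs:", destination_executes(msg))
```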


