[rsbac] Security bugfix for RSBAC for kernels 2.6.35 and later

Amon Ott ao at rsbac.org
Wed Nov 30 09:42:23 CET 2011

Hello everyone,

unfortunately, there is a severe bug in the code that determines the RSBAC 
request type in sys_open() calls. As a result from this bug, open access will 
be decided upon by RSBAC with wrong request type, a read open can happen 
unnoticed. A read() access after opening is intercepted as intended, because 
only the open interception is wrong.

Affected are all RSBAC git repos for kernels starting from 2.6.35 and the 
official release 1.4.5 for 2.6.35. RSBAC for kernel 2.6.32 is not affected.

Please update your kernel sources from git or apply the attached patch for 
2.6.35.y and rebuild to get the bug fixed. I will try to get a new release 
out for kernel 3.1.4 or later as soon as possible. After fixing, your system 
might need RSBAC rights adjustments, because the set of accesses changes.

Background: Between 2.6.32 and 2.6.35, the meaning of the flags parameter for 
sys_open() helper functions changed from some translated internal value to an 
exact copy of the sys_open() flags parameter. When porting RSBAC code from 
2.6.32, we did not notice that change.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openmode.diff
Type: text/x-diff
Size: 1456 bytes
Desc: not available
URL: <http://www.rsbac.org/pipermail/rsbac/attachments/20111130/851040ac/attachment.diff>

More information about the rsbac mailing list