[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: severity for bugs in ignoring TMP/TMPDIR?

On Mon, Feb 13, 2012 at 8:57 PM, Marco d'Itri wrote:
> On Feb 13, Ian Jackson  wrote:
>> The rule would be that if:
>>   * A file is being opened in a sticky directory
>>   * The file is going to be created by this operation
>>   * O_EXCL was not specified
>> then the syscall fails with EPERM.
> This should be easy to implement as a LSM.

Kees Cook implemented protections against symlink attacks in Yama (an LSM):


Of course LSMs don't yet stack so it cannot be combined with SELinux etc.



Reply to: