K
K
k0taperkot2014-03-12 13:49:35
linux
k0taperkot, 2014-03-12 13:49:35

[WSWS] How do I change the security level of a process?

Hello. The management set the task to run processes from another user with different levels of secrecy. You need to do all this manually, su / sudo cannot be used. Why, they did not explain - the military does not like questions.
Operation algorithm:
1. I run the program as root, it forks its process
2. The child process checks the specified user for existence, requests information about him, changes the UID, GID and environment variables,
3. The child process replaces itself with another process-command (execvp ).
If you perform [run the process under a different user] and [change the process secret level] separately - everything is ok. And if together - the child process is not replaced by the process-command. If you use system (yes, it does not replace the process), then errno = 38 (Function not implemented), and execvp does not return any errors at all - it simply does not execute the command.
I change the user in the same way as in su, except for checking the password (I use PAM). But firstly, if you run the application as root, then su also ignores authentication, and secondly, everything works fine without changing the privacy level.
The level of secrecy (SL), according to the programmer's manual (book 14), is changed by 2 functions - setmac and psetmac. The privacy level can be changed either by root or by a user with the MCBC_CAP_SETMAC attribute. Actually both these functions also I try to use (not at the same time, of course). I change the US from the child process, after requesting information about the user, but before changing the UID and GID. I check the change of US using the pgetmac functions, getmac - shows that the US has changed, but as a result, then the process-command does not start.
When changing the CA, I expect that it will also be inherited by the process replacing the child process. But apparently something is going wrong =( Does anyone know how to start a process with the desired CS from the code?

Answer the question

In order to leave comments, you need to log in

1 answer(s)
K
k0taperkot, 2014-03-12
@k0taperkot

Sorry, the question is removed. I tested it all on kgod2, it turned out that the problem is in it.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question