From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: Eamon Walsh <ewalsh@tycho.nsa.gov>
Cc: Joshua Brindle <jbrindle@tresys.com>,
	Mark Goldman <mgoldman@tresys.com>,
	SE Linux <selinux@tycho.nsa.gov>,
	Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: [patch 1/3] libsemanage: genhomedircon replacement
Date: Fri, 22 Jun 2007 11:22:14 -0400
Message-ID: <1182525734.3014.20.camel@localhost.localdomain>
In-Reply-To: <467AE59E.2050501@tycho.nsa.gov>

On Thu, 2007-06-21 at 16:54 -0400, Eamon Walsh wrote:
> Karl MacMillan wrote:
> > On Thu, 2007-06-21 at 14:25 -0400, Joshua Brindle wrote:
> >> Karl MacMillan wrote:
> >>> On Thu, 2007-06-21 at 14:09 -0400, Joshua Brindle wrote:

[...]

> >> Not to mention running a python interpreter from a library is pretty
> >> lame.
> > 
> > Why? It's less lame than doing this string manipulation in C if you ask
> > me. Not to mention safer - the kind of string manipulation done for this
> > is perhaps the biggest source of exploitable flaws in software.
> 
> I'm going to do the unthinkable and agree with Josh,

Now, now, I agree with Josh all the time.

>  I think the 
> solution to this is to write correct code, not to give up and use a 
> scripting language.

Because writing correct code has worked so well for all of those other
projects with exploitable flaws . . .

>   I'm not a fan of the Python dependencies.
> 

Why?

> > 
> > [...]
> > 
> >>> Think about a process to verify untrusted data (like modules)
> >>> - it would be helpful to allow a separate process to examine
> >>> that data. Yes things like semodule will have full access but
> >>> allowing a lower-privileged process to handle some parts is desirable
> >>> in my opinion. 
> >> We already have a facility to run external apps that can do that. In
> >> semanage.conf just do:
> >>
> >> [verify module]
> >> path=/some/path/to/checker
> >> [end]
> >>
> >> Which has nothing to do with genhomedircon, genhomedircon is mutating
> >> the store, we should not be providing a facility to let random programs
> >> mutate the store arbitrarily.
> > 
> > My point (that seems to be getting lost) is that genhomedircon is not an
> > arbitrary program. It's just part of libsemanage. Why shouldn't we allow
> > separate processes to mutate the store if they are built-in to
> > libsemanage?
> 
> Running helpers from a library is IMO a bad idea, because it's not easy 
> to completely insulate helper processes from the caller.  Caller could 
> get unexpected results from an ill-timed wait(2) call for example, or 
> not be expecting strange things in its process tree.
> 

I'm not convinced by this. First, we've been doing this for a long time
and haven't had a single problem. Second, libsemanage is not a typical
library (like, say, libm). Callers likely need to be fairly familiar
with how it works and use it carefully.

Other than being in-process, what are the other advantages of writing
this in C (I've heard none)? If it is just making it in-process why
don't we just embed the python interpreter :)

Karl
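
The wait(2) interaction raised in the quoted text above, as an added example that is not part of the original message or of libsemanage. The names lib_helper_start and lib_helper_finish are hypothetical, and the child's _exit stands in for exec of a real helper.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical library internals: start a helper process. */
static pid_t lib_helper_start(int exit_code)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(exit_code);          /* stands in for exec of the helper */
    return pid;                    /* -1 if fork failed */
}

/* Helper's exit code, or -1 with errno set (ECHILD: already reaped). */
static int lib_helper_finish(pid_t pid)
{
    int status;
    pid_t r;
    do {
        r = waitpid(pid, &status, 0);   /* only our own child */
    } while (r == -1 && errno == EINTR);
    return (r == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Case 1: nothing else waits, so the library sees exit code 3. */
static int demo_isolated(void)
{
    signal(SIGCHLD, SIG_DFL);      /* constructed caller: default disposition */
    pid_t pid = lib_helper_start(3);
    return pid == -1 ? -1 : lib_helper_finish(pid);
}

/* Case 2: the caller's wait(2) for "any child" reaps the helper first. */
static int demo_caller_wait_steals(void)
{
    signal(SIGCHLD, SIG_DFL);
    pid_t pid = lib_helper_start(3);
    pid_t got = wait(NULL);            /* caller code, unaware of the helper */
    int rc = lib_helper_finish(pid);   /* library finds nothing to reap */
    return pid > 0 && got == pid && rc == -1 && errno == ECHILD;
}

int main(void)
{
    printf("own waitpid: %d, caller wait() took helper: %d\n",
           demo_isolated(), demo_caller_wait_steals());
    return 0;
}
```

In the second case the caller receives a pid it never forked and the library loses the helper's exit status, so it cannot tell success from failure.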

