From: Stephen Smalley <sds-FVV4AS6k8l2W8mdqIt43Ew@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	SELinux <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
	Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	Alexey Dobriyan
	<adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Andrew Morgan <morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Subject: Re: [PATCH 1/1] cr: lsm: restore LSM contexts for ipc objects
Date: Mon, 22 Jun 2009 10:47:05 -0400
Message-ID: <1245682025.3033.178.camel@localhost.localdomain>
In-Reply-To: <20090620013216.GA4435-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

On Fri, 2009-06-19 at 20:32 -0500, Serge E. Hallyn wrote:
> Here is the next version of the patch implementing checkpoint
> and restore of LSM contexts.  This is just handling IPC objects
> as a proof of concept.  But actually, looking ahead at both
> files and tasks, I see that selinux stores several sids in the
> security structs.  For instance, for tasks there is the current
> sid, exec sid, create sid, keycreate_sid, and sockcreate_sid.
> So I guess I'll have to ask the LSM for how many secids it wants
> to checkpoint, then checkpoint an array of contexts?

You will need to support checkpointing multiple secids/contexts per
object, but what about other state that might live in the security
structs, e.g. flags fields, policy seqno, etc.?

> From 19669b07cdfef4d377f3f188e2421c4124e38708 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> Date: Wed, 17 Jun 2009 12:00:21 -0400
> Subject: [PATCH 1/1] cr: lsm: restore LSM contexts for ipc objects
> 
> Introduce a cache of secids for checkpoint and restart.

Not sure you need to cache them in the cr layer (vs. just using the
mapping functions provided by the LSM hook interface, and letting the
security module handle caching internally).

> At checkpoint, it takes a secid, stores the corresponding
> context string, and stores the objref for later use.
> At restart, read the context from checkpoint image,
> ask the security module for a secid, and store the secid
> on the objhash.
> 
> The per-object security c/r code will be responsible for
> getting secid from void*security at checkpoint time, and
> converting secid to void*security at restore time.
> 
> The code to c/r contexts for IPC objects is also in this
> patch.
> 
> For Smack, assign the label of the process doing sys_restart()
> if !capable(CAP_MAC_ADMIN), otherwise use the checkpointed
> label.
> 
> For SELinux, define a new 'restore' permission for ipc objects.
> (A corresponding trivial policy patch adding 'restore' to the
> common flask permissions for refpolicy is also needed).  The
> caller of sys_restart() must have the class:restore permission
> to assign the checkpointed label, else restart will be refused.
> 
> Signed-off-by: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

> diff --git a/include/linux/checkpoint_hdr.h b/include/linux/checkpoint_hdr.h
> index e42e0db..e3fb9b3 100644
> --- a/include/linux/checkpoint_hdr.h
> +++ b/include/linux/checkpoint_hdr.h
> @@ -418,7 +426,7 @@ struct ckpt_hdr_ipc_perms {
>  	__u32 cuid;
>  	__u32 cgid;
>  	__u32 mode;
> -	__u32 _padding;
> +	__s32 secref;
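
Review bot: on the `+	__s32 secref;` line, the new field carries no comment saying what it references or which value means that no security context was recorded, and it is the only signed member among the `__u32` fields visible in `struct ckpt_hdr_ipc_perms`. Because it takes over the slot that was `_padding`, the struct size does not change, so nothing in the layout distinguishes an image that carries a secref from one that only had padding there; document the sentinel value next to the field and state how restart treats an image written before this change.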

Why s32 vs u32?  secids are u32 and 0 means they aren't supported by the
security module.

-- 
Stephen Smalley
National Security Agency
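
The restart-time label decision described in the quoted commit message, as an added example that is not part of the original message or of the patch. It is a userspace model: every function, type and label in it is hypothetical, secid 0 stands for "no secid" as in the reply above, and treating an unknown label as an error is an assumption.

```c
/* Userspace model only: every name here is hypothetical, not a kernel API. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample labels; secid = index + 1, and 0 means "no secid". */
static const char *ctx_table[] = { "ipc_a", "ipc_b", "restarter" };
#define NCTX (sizeof(ctx_table) / sizeof(ctx_table[0]))

/* Checkpoint side: secid -> context string, NULL when there is none. */
static const char *model_secid_to_ctx(uint32_t secid)
{
	return (secid >= 1 && secid <= NCTX) ? ctx_table[secid - 1] : NULL;
}

/* Restart side: context string -> secid, 0 when the label is unknown here. */
static uint32_t model_ctx_to_secid(const char *ctx)
{
	for (uint32_t i = 0; i < NCTX; i++)
		if (strcmp(ctx_table[i], ctx) == 0)
			return i + 1;
	return 0;
}

enum lsm_model { MODEL_SELINUX, MODEL_SMACK };

/* Pick the secid for a restored IPC object. "privileged" stands for the
 * 'restore' permission (SELinux) or CAP_MAC_ADMIN (Smack).
 * Returns 0 and sets *out, or a negative errno. */
static int restore_secid(enum lsm_model m, const char *ckpt_ctx,
			 int privileged, uint32_t caller_secid, uint32_t *out)
{
	if (!privileged) {
		if (m == MODEL_SELINUX)
			return -EPERM;	/* restart is refused */
		*out = caller_secid;	/* Smack: use the restarter's label */
		return 0;
	}
	*out = model_ctx_to_secid(ckpt_ctx);
	return *out ? 0 : -EINVAL;	/* assumption: unknown label is an error */
}

int main(void)
{
	uint32_t sid = 0;
	const char *saved = model_secid_to_ctx(2);	/* checkpoint: "ipc_b" */
	int rc = restore_secid(MODEL_SMACK, saved, 0, 3, &sid);
	printf("rc=%d secid=%u\n", rc, (unsigned)sid);
	return rc ? 1 : 0;
}
```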
