All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Paris <eparis@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Eric Paris <eparis@parisplace.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Joe Perches <joe@perches.com>,
	Dan Rosenberg <drosenberg@vsecurity.com>,
	LKML <linux-kernel@vger.kernel.org>, Ingo Molnar <mingo@elte.hu>,
	Eugene Teo <eugeneteo@kernel.org>,
	Kees Cook <kees.cook@canonical.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n
Date: Mon, 15 Nov 2010 17:43:07 -0500	[thread overview]
Message-ID: <1289860987.14282.40.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.2.00.1011160908380.29867@tundra.namei.org>

On Tue, 2010-11-16 at 09:13 +1100, James Morris wrote:
> On Mon, 15 Nov 2010, Eric Paris wrote:
> 
> > On Mon, Nov 15, 2010 at 12:41 PM, Linus Torvalds
> > <torvalds@linux-foundation.org> wrote:
> > > If the old rule should have been that you _have_
> > > to call cap_syslog(), then just eviscerating that entirely and putting
> > > it in the generic code is definitely the right thing.
> > 
> > That is the rule for ALL of the hooks in commoncap.c.  The one time I
> > tried to do something else *cough*mmap_min_addr*cough* I screwed it
> > up.  I'll put a note in my todo list about looking into lifting all of
> > commoncap.c into the callers.
> 
> If it's a requirement of the API that all of the cap calls are made 
> first, then build it into the API, so developers can't make a mistake.  
> e.g. have the LSM API do the secondary stacking of caps behind the scenes.

At this point it's a defacto requirement since noone is doing anything
like that.  My mmap_min_addr screw up is, to the best of my knowledge,
the only time anyone has intentionally not called the caps code...

And I sorta like the idea of moving the cap_* calls directly into
security_*.  Great, another item on the todo list.  Lift as many cap
calls into the caller as is reasonable (I don't think there are
many/any) and if not possible lift them directory into security_*.  If
someone else really wants to make a system truely without capabilities
lets look at there solution then....

> I had thought that the idea was that some LSM may want to not implement 
> capabilities at all, on which case, it should still not be possible for 
> the API to weaken the default security with or without caps.

Not sure how that's possible.  I mean, I guess it's possible if the
fabled LSM reimplements the cap call, but I'm not sure how you can
remove a restrictive only security check without 'weakening' the system
in some way.


  reply	other threads:[~2010-11-15 22:44 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-13 17:26 [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n Joe Perches
2010-11-13 17:50 ` Linus Torvalds
2010-11-13 18:25   ` Dan Rosenberg
2010-11-13 20:22     ` Linus Torvalds
2010-11-14  3:05       ` Kees Cook
2010-11-14 12:35       ` Ingo Molnar
2010-11-13 19:51   ` Joe Perches
2010-11-13 20:01     ` Joe Perches
2010-11-13 20:31     ` Linus Torvalds
2010-11-15  1:16       ` James Morris
2010-11-15 17:04       ` Eric Paris
2010-11-15 17:34         ` Eric Paris
2010-11-15 17:41           ` Linus Torvalds
2010-11-15 17:45             ` Eric Paris
2010-11-15 18:20               ` Linus Torvalds
2010-11-15 22:13               ` James Morris
2010-11-15 22:43                 ` Eric Paris [this message]
2010-11-15 22:58                   ` James Morris
2010-11-15 23:08                     ` Eric Paris
2010-11-15 22:16             ` James Morris
2010-11-15 22:36               ` Linus Torvalds
2010-11-15 22:51                 ` James Morris
2010-11-14  2:44   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1289860987.14282.40.camel@localhost.localdomain \
    --to=eparis@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=drosenberg@vsecurity.com \
    --cc=eparis@parisplace.org \
    --cc=eugeneteo@kernel.org \
    --cc=jmorris@namei.org \
    --cc=joe@perches.com \
    --cc=kees.cook@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.