From: Eric Paris <eparis@parisplace.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Mimi Zohar <zohar@us.ibm.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] vfs: fix IMA lockdep circular locking dependency
Date: Wed, 30 May 2012 15:42:47 -0400 [thread overview]
Message-ID: <1338406967.2257.24.camel@localhost> (raw)
In-Reply-To: <20120530163605.GV11775@ZenIV.linux.org.uk>
On Wed, 2012-05-30 at 17:36 +0100, Al Viro wrote:
> The only question is what do we want passed to resulting two hooks. LSM
> folks?
Current hook:
int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags,
unsigned long addr, unsigned long addr_only)
Obvious easy split:
int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
int security_addr_mmap(unsigned long addr)
security_addr_mmap would be used as you described. Which means
security_file_mmap() would pretty much only be used in do_mmap_pgoff()
(or validate_mmap_request)
file:
capabilities: does not use
apparmor/smack/selinux: used to get security blobs from
file/dentry/inode
reqprot: the PROT_* requested by userspace.
prot: the actual PROT_* which will be applied (read-implies-exec is the
difference)
capabilities: does not use *prot
SMACK: does not use *prot
apparmor: only uses prot (not reqprot)
SELinux: uses prot or reqprot based on a kernel build/selinuxfs/cmdline
value. Fedora/RHEL uses reqprot, not prot. This seems dumb, but it's
what we are doing.
These are basically used to check permission to read/write/execute the
file based on PROT_READ/PROT_WRITE/PROT_EXECUTE etc. If you move this
up we won't have reqprot and prot, we'll only have reqprot. So we would
need a helper in the mm code which allow us to easily calculate the
read-implies-exec behavior. for apparmor (and less common selinux)
***flags
capabilities: does not use
SMACK: does not use
apparmor: if (!(flags & MAP_PRIVATE))
SELinux: if ((flags & MAP_TYPE) == MAP_SHARED)
So both apparmor and SELinux only use flags to know if PROT_WRITE will
actually change the backing file. PROT_WRITE is ignored if MAP_PRIVATE.
So this could be a bool called "shared" or the LSMs can just parse the
flags. Doesn't matter to me.
next prev parent reply other threads:[~2012-05-30 19:43 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-14 2:47 [PATCH] vfs: fix IMA lockdep circular locking dependency Mimi Zohar
2012-05-15 0:29 ` James Morris
2012-05-15 0:51 ` Mimi Zohar
2012-05-15 15:14 ` James Morris
2012-05-15 16:06 ` Mimi Zohar
2012-05-15 17:19 ` Linus Torvalds
2012-05-15 18:36 ` Mimi Zohar
2012-05-15 18:41 ` Linus Torvalds
2012-05-15 19:42 ` Eric Paris
2012-05-15 20:07 ` Mimi Zohar
2012-05-15 21:43 ` Linus Torvalds
2012-05-16 0:37 ` Linus Torvalds
2012-05-16 0:42 ` Al Viro
2012-05-16 0:45 ` Linus Torvalds
2012-05-16 1:53 ` Linus Torvalds
2012-05-16 11:37 ` James Morris
2012-05-16 11:38 ` James Morris
2012-05-16 13:27 ` Mimi Zohar
2012-05-16 13:42 ` Eric Paris
2012-05-16 13:52 ` Mimi Zohar
2012-05-16 14:06 ` Eric Paris
2012-05-16 15:23 ` Linus Torvalds
2012-05-16 15:47 ` Mimi Zohar
2012-05-16 16:09 ` Linus Torvalds
2012-05-16 2:18 ` Al Viro
2012-05-23 21:18 ` Mimi Zohar
2012-05-30 4:34 ` Al Viro
2012-05-30 16:36 ` Al Viro
2012-05-30 19:42 ` Eric Paris [this message]
2012-05-30 20:24 ` Al Viro
2012-05-30 20:28 ` Linus Torvalds
2012-05-30 20:56 ` Al Viro
2012-05-30 21:04 ` Linus Torvalds
2012-05-30 21:36 ` Al Viro
2012-05-30 22:51 ` Linus Torvalds
2012-05-31 0:28 ` Al Viro
2012-05-31 0:40 ` Linus Torvalds
2012-05-31 0:56 ` Al Viro
2012-05-31 3:55 ` Mimi Zohar
2012-05-31 4:20 ` James Morris
2012-05-30 20:33 ` Mimi Zohar
2012-05-30 20:53 ` Al Viro
2012-05-16 14:13 ` Eric Paris
2012-05-16 15:13 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1338406967.2257.24.camel@localhost \
--to=eparis@parisplace.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.