security module question

security module question

[Justin Banks]

Hello - I'm trying to implement a security module that will allow or
disallow writes on files by byte ranges. Is there a way to use
inode_permission() to do this, or is there an alternative route I should
take? It doesn't look like inode_permission() will give me the data I
need (offset + length of write).

Also, is there a security module that will examine data being written
for certain patterns or content?

Please CC: me on responses. I used to be subscribed, but the traffic was
just too much.

-justinb

-- 
Justin Banks
BakBone Software
justinb@bakbone.com

Re: security module question

[James Morris]

On Tue, 4 Aug 2009, Justin Banks wrote:

> Hello - I'm trying to implement a security module that will allow or
> disallow writes on files by byte ranges. Is there a way to use
> inode_permission() to do this, or is there an alternative route I should
> take? It doesn't look like inode_permission() will give me the data I
> need (offset + length of write).

This doesn't seem to fit with the LSM model, where access is mediated at 
object-level granularity.  i.e. can user A read file B ?

> Also, is there a security module that will examine data being written
> for certain patterns or content?

The fanotify / TALPA file access scanning work being done by Eric Paris 
might be more appropriate.

See http://lwn.net/Articles/339399/

> Please CC: me on responses. I used to be subscribed, but the traffic was
> just too much.

You probably want the LSM mailing list (cc'd).


-- 
James Morris
<jmorris@namei.org>

Re: security module question

[Eric Paris]

On Wed, 2009-08-05 at 12:02 +1000, James Morris wrote:
> On Tue, 4 Aug 2009, Justin Banks wrote:
> 
> > Hello - I'm trying to implement a security module that will allow or
> > disallow writes on files by byte ranges. Is there a way to use
> > inode_permission() to do this, or is there an alternative route I should
> > take? It doesn't look like inode_permission() will give me the data I
> > need (offset + length of write).

There is nothing that can do that.  Neither fanotify nor the LSM.
Biggest problem is mmap.....

I think there was past kernel module which did this, but I don't
remember what they were called.  Nothing which tracks this and could be
used was ever reasonable for the mainline kernel.

-Eric

Re: security module question

[Shaya Potter]

Eric Paris wrote:
> On Wed, 2009-08-05 at 12:02 +1000, James Morris wrote:
>> On Tue, 4 Aug 2009, Justin Banks wrote:
>>
>>> Hello - I'm trying to implement a security module that will allow or
>>> disallow writes on files by byte ranges. Is there a way to use
>>> inode_permission() to do this, or is there an alternative route I should
>>> take? It doesn't look like inode_permission() will give me the data I
>>> need (offset + length of write).
> 
> There is nothing that can do that.  Neither fanotify nor the LSM.
> Biggest problem is mmap.....
> 
> I think there was past kernel module which did this, but I don't
> remember what they were called.  Nothing which tracks this and could be
> used was ever reasonable for the mainline kernel.

stackable file-system could do it (ala ecryptfs).  You'd end up with
double page table usage (as they don't stack well), but you'd be able to
catch all mmap writes to disk.