From: Vasiliy Kulikov <segoon@openwall.com>
To: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Eric Paris <eparis@redhat.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, apparmor@lists.ubuntu.com,
"selinux@tycho.nsa.gov Stephen Smalley" <sds@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>,
John Johansen <john.johansen@canonical.com>,
kernel-hardening@lists.openwall.com, serge@hallyn.com
Subject: [kernel-hardening] Re: [RFC v2] security: intoduce ptrace_task_may_access_current
Date: Mon, 20 Jun 2011 19:44:29 +0400 [thread overview]
Message-ID: <20110620154429.GA12879@albatros> (raw)
In-Reply-To: <20110620150001.GF12469@mail.hallyn.com>
On Mon, Jun 20, 2011 at 10:00 -0500, Serge Hallyn wrote:
> > >diff --git a/kernel/capability.c b/kernel/capability.c
> > >index 283c529..bc9b07f 100644
> > >--- a/kernel/capability.c
> > >+++ b/kernel/capability.c
> > >@@ -356,6 +356,30 @@ bool capable(int cap)
> > > }
> > > EXPORT_SYMBOL(capable);
> > >
> > >+bool task_capable(struct task_struct *task, int cap)
> > >+{
> > >+ return ns_task_capable(task,&init_user_ns, cap);
> > >+}
> > >+EXPORT_SYMBOL(task_capable);
> >
> > Why do we keep adding things like task_capable? Can't we just stop
> > adding non-lsm functions and just call the right LSM functions from
> > now on? This is my original comments mostly directed at Serge. I'm
> > to the point where I want to NAK anything new in kernel/capability.c
> > (and yes, I know i'm guilty in the paste)
> >
> > >+bool ns_task_capable(struct task_struct *task, struct user_namespace *ns, int cap)
>
> Can you just use has_ns_capability() at the places where you wanted to
> use your new ns_task_capable()? It won't set PF_SUPERPRIV, but you
> can't set that on another task anyway IIRC.
has_ns_capability() doesn't touch LSMs, but ns_task_capable() uses
security_task_capable() which uses LSMs.
Actually, I'm a bit confused in sense of what capable functions should
be used in specific cases. Where we need to inform LSM and where not.
I don't want to bypass LSMs where it should not do it otherwise. In the
patch I've copied alredy existing behaviour leaving LSM iteraction
as-is.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
WARNING: multiple messages have this Message-ID (diff)
From: Vasiliy Kulikov <segoon@openwall.com>
To: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Eric Paris <eparis@redhat.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, apparmor@lists.ubuntu.com,
"selinux@tycho.nsa.gov Stephen Smalley" <sds@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>,
John Johansen <john.johansen@canonical.com>,
kernel-hardening@lists.openwall.com, serge@hallyn.com
Subject: Re: [RFC v2] security: intoduce ptrace_task_may_access_current
Date: Mon, 20 Jun 2011 19:44:29 +0400 [thread overview]
Message-ID: <20110620154429.GA12879@albatros> (raw)
In-Reply-To: <20110620150001.GF12469@mail.hallyn.com>
On Mon, Jun 20, 2011 at 10:00 -0500, Serge Hallyn wrote:
> > >diff --git a/kernel/capability.c b/kernel/capability.c
> > >index 283c529..bc9b07f 100644
> > >--- a/kernel/capability.c
> > >+++ b/kernel/capability.c
> > >@@ -356,6 +356,30 @@ bool capable(int cap)
> > > }
> > > EXPORT_SYMBOL(capable);
> > >
> > >+bool task_capable(struct task_struct *task, int cap)
> > >+{
> > >+ return ns_task_capable(task,&init_user_ns, cap);
> > >+}
> > >+EXPORT_SYMBOL(task_capable);
> >
> > Why do we keep adding things like task_capable? Can't we just stop
> > adding non-lsm functions and just call the right LSM functions from
> > now on? This is my original comments mostly directed at Serge. I'm
> > to the point where I want to NAK anything new in kernel/capability.c
> > (and yes, I know i'm guilty in the paste)
> >
> > >+bool ns_task_capable(struct task_struct *task, struct user_namespace *ns, int cap)
>
> Can you just use has_ns_capability() at the places where you wanted to
> use your new ns_task_capable()? It won't set PF_SUPERPRIV, but you
> can't set that on another task anyway IIRC.
has_ns_capability() doesn't touch LSMs, but ns_task_capable() uses
security_task_capable() which uses LSMs.
Actually, I'm a bit confused in sense of what capable functions should
be used in specific cases. Where we need to inform LSM and where not.
I don't want to bypass LSMs where it should not do it otherwise. In the
patch I've copied alredy existing behaviour leaving LSM iteraction
as-is.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-06-20 15:44 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-17 17:11 [kernel-hardening] [RFC v2] security: intoduce ptrace_task_may_access_current Vasiliy Kulikov
2011-06-17 17:11 ` Vasiliy Kulikov
2011-06-20 14:22 ` [kernel-hardening] " Eric Paris
2011-06-20 14:22 ` Eric Paris
2011-06-20 14:40 ` [kernel-hardening] " Vasiliy Kulikov
2011-06-20 14:40 ` Vasiliy Kulikov
2011-06-20 14:43 ` [kernel-hardening] " Vasiliy Kulikov
2011-06-20 14:43 ` Vasiliy Kulikov
2011-06-20 14:44 ` [kernel-hardening] " Eric Paris
2011-06-20 14:44 ` Eric Paris
2011-06-20 15:00 ` [kernel-hardening] " Serge Hallyn
2011-06-20 15:00 ` Serge Hallyn
2011-06-20 15:44 ` Vasiliy Kulikov [this message]
2011-06-20 15:44 ` Vasiliy Kulikov
2011-06-20 15:51 ` [kernel-hardening] " Serge E. Hallyn
2011-06-20 15:51 ` Serge E. Hallyn
2011-06-20 16:50 ` [kernel-hardening] " Eric Paris
2011-06-20 16:50 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110620154429.GA12879@albatros \
--to=segoon@openwall.com \
--cc=apparmor@lists.ubuntu.com \
--cc=eparis@parisplace.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.