From: David Howells <dhowells@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@osdl.org>,
David Howells <dhowells@redhat.com>,
Andrew Morton <akpm@osdl.org>, Linus Torvalds <torvalds@osdl.org>,
keyrings@linux-nfs.org, linux-kernel@vger.kernel.org,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management
Date: Thu, 06 Oct 2005 11:54:08 +0100 [thread overview]
Message-ID: <23333.1128596048@warthog.cambridge.redhat.com> (raw)
In-Reply-To: <Pine.LNX.4.63.0510060346140.25593@excalibur.intercode>
James Morris <jmorris@namei.org> wrote:
> > What case causes context != current?
>
> Indeed, this is critical: we always need to know which task initiated the
> current action. If it's not current, then we need the calling task struct
> passed into the security hook.
Surely you know the calling task struct: it's current, but I can pass it in
anyway if you wish.
As I outlined in a previous email, this has to do with the way request_key()
works, and the need for the process actually instantiating the key to gain
access to the keyrings, ownership, group membership, etc. of the process that
created the key.
> > > + /* do a final security check before publishing the key */
> > > + ret = security_key_alloc(key);
> >
> > This may simply be allocating space for the label (and possibly labelling)
> > not necessarily a security check.
>
> Agree, in fact, I think we should always aim to keep housekeeping hooks
> separate from access control hooks.
What do you mean by separate? And this provides a chance for the LSM to deny
the creation of a key before it's published.
> Access checks seem to be usually done before this point via
> lookup_user_key(), which is ideal.
Eh? lookup_user_key()? That's not necessarily called before, not if you're
creating a key.
> > This is odd, esp since nothing could have failed between alloc and
> > publish. Only state change is serial number. Would you expect the
> > security module to update a label based on serial number?
>
> I don't think SELinux would care about this yet. If so, the hook can be
> added later.
Auditing?
> > Are you sure this is right? Normally I'd expect users can _not_ set the
> > security labels of their own keys. But perhaps I've missed the point
> > of this one, could you give a use case?
>
> I think this is like xattrs on files, where the user can set and view
> security attributes.
That's what I was thinking of.
> David, admit it, this key stuff is all really a filesystem :-)
Grrrr. Next time I see you I might have to toss you in the nearest river:-)
No, it isn't, except in that all filesystems are databases anyway, and the VFS
should be ripped out and replaced with Reiser4.
David
next prev parent reply other threads:[~2005-10-06 10:54 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-05 16:28 [PATCH] Keys: Add LSM hooks for key management David Howells
2005-10-05 16:44 ` [Keyrings] " James Morris
2005-10-05 16:48 ` David Howells
2005-10-05 19:31 ` James Morris
2005-10-05 18:40 ` serue
2005-10-05 21:10 ` [Keyrings] " Chris Wright
2005-10-06 8:03 ` James Morris
2005-10-06 10:54 ` David Howells [this message]
2005-10-06 15:04 ` James Morris
2005-10-06 15:18 ` David Howells
2005-10-06 16:02 ` James Morris
2005-10-07 8:50 ` David Howells
2005-10-07 18:36 ` Chris Wright
2005-10-06 17:58 ` Chris Wright
2005-10-07 9:10 ` David Howells
2005-10-07 12:59 ` Stephen Smalley
2005-10-07 18:51 ` Chris Wright
2005-10-06 10:30 ` David Howells
2005-10-06 23:10 ` Chris Wright
2005-10-07 9:57 ` David Howells
2005-10-07 19:36 ` Chris Wright
2005-10-06 8:38 ` James Morris
2005-10-06 11:06 ` David Howells
2005-10-06 14:25 ` James Morris
2005-10-06 15:11 ` David Howells
2005-10-06 16:14 ` James Morris
2005-10-07 9:03 ` David Howells
2005-10-07 14:05 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23333.1128596048@warthog.cambridge.redhat.com \
--to=dhowells@redhat.com \
--cc=akpm@osdl.org \
--cc=chrisw@osdl.org \
--cc=jmorris@namei.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.