From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, casey@schaufler-ca.com
Cc: Dave Quigley <dpquigl@tycho.nsa.gov>,
Christoph Hellwig <hch@lst.de>,
chrisw@sous-sol.org, jmorris@namei.org, viro@zeniv.linux.org.uk,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 1/2] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx.
Date: Fri, 7 Mar 2008 10:49:36 -0800 (PST) [thread overview]
Message-ID: <233981.53031.qm@web36601.mail.mud.yahoo.com> (raw)
In-Reply-To: <1204913853.1397.490.camel@moss-spartans.epoch.ncsc.mil>
--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Fri, 2008-03-07 at 10:14 -0800, Casey Schaufler wrote:
> > --- Dave Quigley <dpquigl@tycho.nsa.gov> wrote:
> >
> > > For some odd reason I can't quite parse the first two parts
> >
> > Let me try a different angle on the question. Maybe it just
> > doesn't come up as a real issue, and I'm concerned about nothing.
> >
> > Just for grins lets say I wanted to set the secctx on a directory
> > in a derivative of ramfs in some unspecified way that is not
> > related to mkdir. There are no on-disk inodes. Should the code call
> > inode_setsecctx, inode_notifysecctx, or both? It seems rational to
> > me to call inode_setsecctx, but since the differentiation between
> > the interfaces is the "on disk" factor and ramfs only exists as
> > in core, it would seem that inode_notifysecctx would be correct.
>
> If you are setting (changing) the value, then use inode_setsecctx (or
> the existing inode_setsecurity, which is used by the xattr code, but
> that is limited to setting a single xattr value by name).
So any code that wants to explicitly set the secctx (as opposed to a
specific attribute value) calls inode_setsecctx. This makes perfect
sense.
> If you are just notifying the security module of a value that should be
> associated with the inode, use inode_notifysecctx.
So this is a way for filesystem code to pass information to an LSM
without specifying semantics. Is there an expectation that
inode_getsecctx return the value sent by inode_notifysecctx, or
would you expect the "notify" secctx to be stored elsewhere?
> Reasonable?
I think that the theory is fine, but I forsee implementation
complications if the details of what is expected of an LSM aren't
clear. At this point I'm not objecting to the interface so much as
hoping to be able to use it properly, even with my limited and
deteriorating mental facilties.
Thank you.
Casey Schaufler
casey@schaufler-ca.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, casey@schaufler-ca.com
Cc: Dave Quigley <dpquigl@tycho.nsa.gov>,
Christoph Hellwig <hch@lst.de>,
chrisw@sous-sol.org, jmorris@namei.org, viro@zeniv.linux.org.uk,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 1/2] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx.
Date: Fri, 7 Mar 2008 10:49:36 -0800 (PST) [thread overview]
Message-ID: <233981.53031.qm@web36601.mail.mud.yahoo.com> (raw)
In-Reply-To: <1204913853.1397.490.camel@moss-spartans.epoch.ncsc.mil>
--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Fri, 2008-03-07 at 10:14 -0800, Casey Schaufler wrote:
> > --- Dave Quigley <dpquigl@tycho.nsa.gov> wrote:
> >
> > > For some odd reason I can't quite parse the first two parts
> >
> > Let me try a different angle on the question. Maybe it just
> > doesn't come up as a real issue, and I'm concerned about nothing.
> >
> > Just for grins lets say I wanted to set the secctx on a directory
> > in a derivative of ramfs in some unspecified way that is not
> > related to mkdir. There are no on-disk inodes. Should the code call
> > inode_setsecctx, inode_notifysecctx, or both? It seems rational to
> > me to call inode_setsecctx, but since the differentiation between
> > the interfaces is the "on disk" factor and ramfs only exists as
> > in core, it would seem that inode_notifysecctx would be correct.
>
> If you are setting (changing) the value, then use inode_setsecctx (or
> the existing inode_setsecurity, which is used by the xattr code, but
> that is limited to setting a single xattr value by name).
So any code that wants to explicitly set the secctx (as opposed to a
specific attribute value) calls inode_setsecctx. This makes perfect
sense.
> If you are just notifying the security module of a value that should be
> associated with the inode, use inode_notifysecctx.
So this is a way for filesystem code to pass information to an LSM
without specifying semantics. Is there an expectation that
inode_getsecctx return the value sent by inode_notifysecctx, or
would you expect the "notify" secctx to be stored elsewhere?
> Reasonable?
I think that the theory is fine, but I forsee implementation
complications if the details of what is expected of an LSM aren't
clear. At this point I'm not objecting to the interface so much as
hoping to be able to use it properly, even with my limited and
deteriorating mental facilties.
Thank you.
Casey Schaufler
casey@schaufler-ca.com
next prev parent reply other threads:[~2008-03-07 20:36 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-05 18:54 [RFC]Introduce generalized hooks for getting and setting inode secctx David P. Quigley
2008-03-05 18:54 ` David P. Quigley
2008-03-05 18:54 ` [PATCH 1/2] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx David P. Quigley
2008-03-05 18:54 ` David P. Quigley
2008-03-06 12:27 ` Christoph Hellwig
2008-03-06 16:47 ` Dave Quigley
2008-03-06 16:47 ` Dave Quigley
2008-03-07 10:05 ` Christoph Hellwig
2008-03-07 16:10 ` Dave Quigley
2008-03-07 16:10 ` Dave Quigley
2008-03-07 17:11 ` Casey Schaufler
2008-03-07 17:11 ` Casey Schaufler
2008-03-07 17:37 ` Dave Quigley
2008-03-07 17:37 ` Dave Quigley
2008-03-07 18:14 ` Casey Schaufler
2008-03-07 18:14 ` Casey Schaufler
2008-03-07 18:17 ` Stephen Smalley
2008-03-07 18:17 ` Stephen Smalley
2008-03-07 18:49 ` Casey Schaufler [this message]
2008-03-07 18:49 ` Casey Schaufler
2008-03-07 19:17 ` Stephen Smalley
2008-03-07 19:17 ` Stephen Smalley
2008-03-07 19:48 ` Casey Schaufler
2008-03-07 19:48 ` Casey Schaufler
2008-03-07 20:05 ` Stephen Smalley
2008-03-07 20:05 ` Stephen Smalley
2008-03-07 21:13 ` Casey Schaufler
2008-03-07 21:13 ` Casey Schaufler
2008-03-10 12:37 ` Stephen Smalley
2008-03-10 12:37 ` Stephen Smalley
2008-03-07 20:28 ` Chris Wright
2008-03-07 20:28 ` Chris Wright
2008-03-05 18:54 ` [PATCH 2/2] LSM/SELinux: inode_{get,set}secctx hooks to access LSM security context information David P. Quigley
2008-03-05 18:54 ` David P. Quigley
2008-03-05 20:45 ` Paul Moore
2008-03-05 20:45 ` Paul Moore
2008-03-05 20:54 ` Stephen Smalley
2008-03-05 20:54 ` Stephen Smalley
2008-03-05 22:28 ` Casey Schaufler
2008-03-05 22:28 ` Casey Schaufler
2008-03-06 12:30 ` Christoph Hellwig
2008-03-06 13:50 ` Stephen Smalley
2008-03-06 13:50 ` Stephen Smalley
2008-03-06 13:54 ` Christoph Hellwig
2008-03-06 14:05 ` Stephen Smalley
2008-03-06 14:05 ` Stephen Smalley
2008-03-06 14:07 ` Christoph Hellwig
2008-03-06 14:25 ` James Morris
2008-03-06 14:25 ` James Morris
2008-03-06 14:48 ` Stephen Smalley
2008-03-06 14:48 ` Stephen Smalley
2008-03-06 17:13 ` Dave Quigley
2008-03-06 17:13 ` Dave Quigley
2008-03-07 10:03 ` Christoph Hellwig
2008-03-07 16:06 ` Dave Quigley
2008-03-07 16:06 ` Dave Quigley
2008-03-07 16:54 ` Miklos Szeredi
2008-03-07 17:30 ` Dave Quigley
2008-03-07 17:30 ` Dave Quigley
2008-03-07 20:24 ` Miklos Szeredi
2008-03-07 21:07 ` Dave Quigley
2008-03-07 21:07 ` Dave Quigley
2008-03-07 21:46 ` Miklos Szeredi
2008-03-08 0:24 ` Brad Boyer
2008-03-07 21:23 ` Dave Quigley
2008-03-07 21:23 ` Dave Quigley
2008-03-08 11:49 ` Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2008-03-18 18:57 [RFC]Introduce generalized hooks for getting and setting inode secctx v3 David P. Quigley
2008-03-18 18:57 ` [PATCH 1/2] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx David P. Quigley
2008-03-18 18:57 ` David P. Quigley
2008-04-23 16:57 [PATCH]Introduce generalized hooks for getting and setting inode secctx David P. Quigley
2008-04-23 16:57 ` [PATCH 1/2] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx David P. Quigley
2008-04-23 16:57 ` David P. Quigley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=233981.53031.qm@web36601.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=chrisw@sous-sol.org \
--cc=dpquigl@tycho.nsa.gov \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.