From: Paul Moore <pmoore@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: mgrepl@redhat.com, eparis@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH v1] selinux: add transitions for kernel keys
Date: Thu, 13 Mar 2014 11:46:33 -0400 [thread overview]
Message-ID: <3794276.87hdXQ4UL5@sifl> (raw)
In-Reply-To: <5321AFD7.4010100@tycho.nsa.gov>
On Thursday, March 13, 2014 09:17:11 AM Stephen Smalley wrote:
> On 03/12/2014 05:53 PM, Paul Moore wrote:
> > Unfortunately, experience has shown that transitions are necessary for
> > keys stored in the kernel's keyring ...
...
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 57b0b49..3ea05b6 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -5682,18 +5682,25 @@ static int selinux_inode_getsecctx(struct inode
> > *inode, void **ctx, u32 *ctxlen)>
> > static int selinux_key_alloc(struct key *k, const struct cred *cred,
> >
> > unsigned long flags)
> >
> > {
> >
> > - const struct task_security_struct *tsec;
> > + int rc;
> > + const struct task_security_struct *tsec = current_security();
> >
> > struct key_security_struct *ksec;
> >
> > + u32 sid;
> > +
> > + if (tsec->keycreate_sid)
> > + sid = tsec->keycreate_sid;
> > + else if (selinux_policycap_keytrans) {
> > + rc = security_transition_sid(tsec->sid, SECINITSID_KERNEL,
> > + SECCLASS_KEY, NULL, &sid);
>
> Wouldn't it be more general and help avoid the need for a separate
> policy capability and avoid special casing keys, to pass both the
> cred->security->sid and the current->security->sid to
> security_transition_sid()?
>
> Then you just arrange the sid argument order so that the current default
> behavior will be in effect in the absence of any type_transition or
> default_type rules?
>
> Also, isn't the use of current_security() here rather than the provided
> cred a divergence from the keyring model for DAC, and what implications
> exist there? Why isn't this a problem for their DAC model if it is a
> problem for SELinux?
My mistake, I agree that we should use cred->security instead of
current_security(), thanks for catching that.
However, I'm not sure passing both cred->sid and current->sid to the
transition call is the correct solution, regardless of which is acting as the
source/target (although both could be kernel_t in certain cases). In my mind
the target is either the kernel, or ideally, the linked keyring; unfortunately
we don't have a keyring in this scope and in some cases we may never have a
keyring. Perhaps you can elaborate a bit ... ?
--
paul moore
security and virtualization @ redhat
next prev parent reply other threads:[~2014-03-13 15:46 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-12 21:53 [RFC PATCH v1] selinux: add transitions for kernel keys Paul Moore
2014-03-13 13:17 ` Stephen Smalley
2014-03-13 15:46 ` Paul Moore [this message]
2014-03-13 16:34 ` Stephen Smalley
2014-03-13 23:00 ` Paul Moore
2014-03-14 12:00 ` Stephen Smalley
2014-03-14 13:49 ` Daniel J Walsh
2014-03-14 14:00 ` Paul Moore
2014-03-14 20:55 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3794276.87hdXQ4UL5@sifl \
--to=pmoore@redhat.com \
--cc=eparis@redhat.com \
--cc=mgrepl@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.