From: Oren Laadan <orenl@librato.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Dan Smith <danms@us.ibm.com>,
containers@lists.osdl.org, netdev@vger.kernel.org,
Alexey Dobriyan <adobriyan@gmail.com>
Subject: Re: [PATCH 5/5] c/r: Add AF_UNIX support (v6)
Date: Wed, 29 Jul 2009 11:34:39 -0400 [thread overview]
Message-ID: <4A706C0F.20405@librato.com> (raw)
In-Reply-To: <20090729133606.GB31730@us.ibm.com>
Serge E. Hallyn wrote:
> Quoting Oren Laadan (orenl@librato.com):
>>> OL> Does the following bypass security checks for sys_connect() ?
>
> [ on sock_unix_restore()->sock_unix_restore_connected()->sock_unix_join() ]
>
>>> I don't think so. We're basically replicating sys_socketpair() here,
>>> which does not do a security check, presumably because all you're
>>> doing is hooking two sockets together that both belong to you. That's
>>> not to say that we're as safe as that limited operation, but I don't
>>> think it's totally clear. Perhaps someone more confident will
>>> comment.
>> Yes, please ... Serge ?
>>
>> To me it sounds plausible. If we adopt it, then a comment in the
>> code is worthwhile.
>
> I'm not sure what Oren means "sounds plausible" or should be adopted.
> Using a common helper with sys_connect()?
I meant that Dan's argument sounds plausible, and if we go that
way, it deserves a comment in the code explaining why the security
call is omitted.
Of course, that was before reading your concern about LSM-labeling
of sockets...
Oren.
>
> At the moment you miss out on the security_socket_connect() call. That
> may be not as important for unix sockets, but it does look like selinux +
> netlabel can label unix sockets as well. So I'm not convinced we can
> just ignore it, as once we start properly LSM-labeling tasks and
> sockets we may need to do that to ensure proper restart under selinux.
>
> The other thing is that some new fancy doohicky might require another
> hook in sys_connect, which may or may not be needed for this path.
> If coded this way, we may not find out until someone reports some
> subtle failure long after the fact.
>
> Still your code is so customized that perhaps an explicit
> security_socket_connect() call in your sock_unix_join() may be the
> way to go...
>
> -serge
next prev parent reply other threads:[~2009-07-29 15:34 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-22 20:41 Add Checkpoint/Restart support for UNIX sockets Dan Smith
[not found] ` <1248295301-30930-1-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-22 20:41 ` [PATCH 1/5] Add _ckpt_read_hdr_type() helper Dan Smith
[not found] ` <1248295301-30930-2-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-23 3:59 ` Oren Laadan
[not found] ` <4A67E027.1050602-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2009-07-23 16:43 ` Dan Smith
2009-07-22 20:41 ` [PATCH 2/5] Add an errno validation function Dan Smith
[not found] ` <1248295301-30930-3-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-23 3:17 ` Oren Laadan
[not found] ` <4A67D654.2000206-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-07-23 15:40 ` Dan Smith
2009-07-22 20:41 ` [PATCH 3/5] Add a ckpt_read_string() function to allow reading of a variable-length (but length-capped) string from the checkpoint stream Dan Smith
[not found] ` <1248295301-30930-4-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-23 4:19 ` Oren Laadan
[not found] ` <4A67E4EC.3070509-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-07-23 16:58 ` Dan Smith
[not found] ` <87y6qfnxoq.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-07-24 1:32 ` Oren Laadan
2009-07-22 20:41 ` [PATCH 4/5] Add a common sock_bind() helper to unify the security hook Dan Smith
2009-07-22 20:41 ` [PATCH 5/5] c/r: Add AF_UNIX support (v6) Dan Smith
[not found] ` <1248295301-30930-6-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-07-28 16:54 ` Oren Laadan
2009-07-28 20:34 ` Dan Smith
2009-07-28 21:18 ` Oren Laadan
2009-07-29 13:36 ` Serge E. Hallyn
2009-07-29 14:49 ` Dan Smith
2009-07-29 14:59 ` Serge E. Hallyn
2009-07-29 15:03 ` Dan Smith
2009-07-29 15:34 ` Oren Laadan [this message]
2009-07-29 18:37 ` Dan Smith
2009-07-30 15:49 ` Dan Smith
2009-07-30 22:10 ` John Dykstra
2009-07-30 22:12 ` John Dykstra
2009-07-30 22:14 ` Dan Smith
2009-08-04 8:27 ` Oren Laadan
2009-08-04 15:16 ` Dan Smith
2009-08-04 17:05 ` Oren Laadan
2009-08-04 17:13 ` Dan Smith
2009-07-29 1:56 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A706C0F.20405@librato.com \
--to=orenl@librato.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.osdl.org \
--cc=danms@us.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.