From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Oren Laadan <orenl@cs.columbia.edu>,
Linux Containers <containers@lists.osdl.org>,
linux-security-module@vger.kernel.org,
SELinux <selinux@tycho.nsa.gov>,
"Eric W. Biederman" <ebiederm@xmission.com>,
James Morris <jmorris@namei.org>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 3/5] cr: add generic LSM c/r support
Date: Mon, 31 Aug 2009 22:49:45 -0700 [thread overview]
Message-ID: <4A9CB5F9.3000509@schaufler-ca.com> (raw)
In-Reply-To: <1251722750.16143.31.camel@moss-pluto.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Sun, 2009-08-30 at 12:03 -0700, Casey Schaufler wrote:
>
>> Serge E. Hallyn wrote:
>>
>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>
>>>
>>>> Serge E. Hallyn wrote:
>>>>
>>>>
>>>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>>>
>>>>>
>>>>>> But each can be expressed as a context, can't it?
>>>>>>
>>>>>>
>>>>>>
>>>>> A set of contexts (root_u:root_r:root_t:::system_u:system_r\
>>>>> :system_t::...).
>>>>>
>>>>> There would be a problem if it were stored as a more
>>>>> structured type, and if the ->restore handler wanted to
>>>>> re-create an actual task_security_struct, ipc_security_struct,
>>>>> etc. So the last paragraph in the patch intro was just trying to
>>>>> explain why the intermediate layer, storing a generic string on
>>>>> the c/r object hash, needs to be there. The thing that is
>>>>> not possible is to place the actual void *security or a struct
>>>>> task_security_struct on the objhash.
>>>>>
>>>>>
>>>>>
>>>> Right. Now why do you need a set of contexts?
>>>>
>>>>
>>> Because for SELinux, for instance, when checkpointing a security
>>> context for a task, we want to checkpoint the actual context,
>>> the fscreate context, the sockcreate context, keycreate context,
>>> and the task create (exec_create) context.
>>>
>>>
>> My. That is quite a lot of contexts to keep track of.
>>
>
> Doesn't Smack also have at least one case where it supports multiple
> distinct contexts for different purposes on a single object (e.g.
> sockets)?
>
Smack does support associating labels with incoming and/or
outgoing packets from a particular socket. I haven't looked
carefully at how the checkpoint/restart scheme is handling
sockets in general, so I couldn't say if its going to get the
rest of it right, either. In any case, that's something that
is strictly in the realm of privileged processes for which
checkpoint/restart is going to be one hairy potato.
Processes that use this mechanism will be quite rare. The
Smack port multiplexer (smackpolyport) that I'll be talking
about in Portland and a small set of security enforcing
applications should be about it.
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Oren Laadan <orenl@cs.columbia.edu>,
Linux Containers <containers@lists.osdl.org>,
linux-security-module@vger.kernel.org,
SELinux <selinux@tycho.nsa.gov>,
"Eric W. Biederman" <ebiederm@xmission.com>,
James Morris <jmorris@namei.org>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 3/5] cr: add generic LSM c/r support
Date: Mon, 31 Aug 2009 22:49:45 -0700 [thread overview]
Message-ID: <4A9CB5F9.3000509@schaufler-ca.com> (raw)
In-Reply-To: <1251722750.16143.31.camel@moss-pluto.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Sun, 2009-08-30 at 12:03 -0700, Casey Schaufler wrote:
>
>> Serge E. Hallyn wrote:
>>
>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>
>>>
>>>> Serge E. Hallyn wrote:
>>>>
>>>>
>>>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>>>
>>>>>
>>>>>> But each can be expressed as a context, can't it?
>>>>>>
>>>>>>
>>>>>>
>>>>> A set of contexts (root_u:root_r:root_t:::system_u:system_r\
>>>>> :system_t::...).
>>>>>
>>>>> There would be a problem if it were stored as a more
>>>>> structured type, and if the ->restore handler wanted to
>>>>> re-create an actual task_security_struct, ipc_security_struct,
>>>>> etc. So the last paragraph in the patch intro was just trying to
>>>>> explain why the intermediate layer, storing a generic string on
>>>>> the c/r object hash, needs to be there. The thing that is
>>>>> not possible is to place the actual void *security or a struct
>>>>> task_security_struct on the objhash.
>>>>>
>>>>>
>>>>>
>>>> Right. Now why do you need a set of contexts?
>>>>
>>>>
>>> Because for SELinux, for instance, when checkpointing a security
>>> context for a task, we want to checkpoint the actual context,
>>> the fscreate context, the sockcreate context, keycreate context,
>>> and the task create (exec_create) context.
>>>
>>>
>> My. That is quite a lot of contexts to keep track of.
>>
>
> Doesn't Smack also have at least one case where it supports multiple
> distinct contexts for different purposes on a single object (e.g.
> sockets)?
>
Smack does support associating labels with incoming and/or
outgoing packets from a particular socket. I haven't looked
carefully at how the checkpoint/restart scheme is handling
sockets in general, so I couldn't say if its going to get the
rest of it right, either. In any case, that's something that
is strictly in the realm of privileged processes for which
checkpoint/restart is going to be one hairy potato.
Processes that use this mechanism will be quite rare. The
Smack port multiplexer (smackpolyport) that I'll be talking
about in Portland and a small set of security enforcing
applications should be about it.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-09-01 5:49 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-28 21:00 [PATCH 1/5] cr: define ckpt_debug if CONFIG_CHECKPOINT=n Serge E. Hallyn
2009-08-28 21:02 ` [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag Serge E. Hallyn
2009-08-28 21:02 ` Serge E. Hallyn
2009-08-28 21:03 ` [PATCH 1/1] mktree: accept the lsm_name field in header and add -k flag Serge E. Hallyn
2009-08-28 21:03 ` Serge E. Hallyn
2009-08-29 4:43 ` [PATCH 2/5] cr: checkpoint the active LSM and add RESTART_KEEP_LSM flag Casey Schaufler
2009-08-29 4:43 ` Casey Schaufler
2009-08-29 22:59 ` Serge E. Hallyn
2009-08-29 22:59 ` Serge E. Hallyn
2009-08-30 0:03 ` Casey Schaufler
2009-08-30 0:03 ` Casey Schaufler
2009-08-30 13:48 ` Serge E. Hallyn
2009-08-30 13:48 ` Serge E. Hallyn
2009-08-30 18:58 ` Casey Schaufler
2009-08-30 18:58 ` Casey Schaufler
2009-08-30 20:24 ` Serge E. Hallyn
2009-08-30 20:24 ` Serge E. Hallyn
2009-08-30 21:43 ` Casey Schaufler
2009-08-30 21:43 ` Casey Schaufler
2009-08-31 13:22 ` Serge E. Hallyn
2009-08-31 13:22 ` Serge E. Hallyn
2009-08-31 13:36 ` Serge E. Hallyn
2009-08-31 13:36 ` Serge E. Hallyn
2009-09-01 5:51 ` Casey Schaufler
2009-09-01 5:51 ` Casey Schaufler
[not found] ` <4A9ACBD4.4020804-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-09-01 12:29 ` Russell Coker
2009-09-01 12:29 ` Russell Coker
2009-09-02 16:36 ` Casey Schaufler
2009-09-02 16:36 ` Casey Schaufler
2009-09-02 18:55 ` Shaya Potter
2009-09-02 22:27 ` Casey Schaufler
2009-09-02 22:27 ` Casey Schaufler
2009-08-28 21:04 ` [PATCH 3/5] cr: add generic LSM c/r support Serge E. Hallyn
2009-08-28 21:04 ` Serge E. Hallyn
2009-08-29 4:30 ` Casey Schaufler
2009-08-29 4:30 ` Casey Schaufler
2009-08-29 22:41 ` Serge E. Hallyn
2009-08-29 22:41 ` Serge E. Hallyn
2009-08-29 23:40 ` Casey Schaufler
2009-08-29 23:40 ` Casey Schaufler
2009-08-30 13:58 ` Serge E. Hallyn
2009-08-30 13:58 ` Serge E. Hallyn
2009-08-30 19:03 ` Casey Schaufler
2009-08-30 19:03 ` Casey Schaufler
2009-08-30 20:26 ` Serge E. Hallyn
2009-08-30 20:26 ` Serge E. Hallyn
[not found] ` <4A9ACD0A.9050004-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-08-31 12:45 ` Stephen Smalley
2009-08-31 12:45 ` Stephen Smalley
2009-09-01 5:49 ` Casey Schaufler [this message]
2009-09-01 5:49 ` Casey Schaufler
2009-09-04 13:38 ` Serge E. Hallyn
2009-09-04 13:38 ` Serge E. Hallyn
2009-08-28 21:04 ` [PATCH 4/5] cr: add smack support to lsm c/r Serge E. Hallyn
2009-08-28 21:04 ` Serge E. Hallyn
2009-08-28 21:05 ` [PATCH 5/5] cr: add selinux support Serge E. Hallyn
2009-08-28 21:05 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A9CB5F9.3000509@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.osdl.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=orenl@cs.columbia.edu \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.