From: Stephen Smalley <sds@tycho.nsa.gov>
To: David Herrmann <dh.herrmann@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
Daniel Mack <daniel@zonque.org>,
Djalal Harouni <tixxdz@opendz.org>,
lkml <linux-kernel@vger.kernel.org>,
LSM <linux-security-module@vger.kernel.org>,
Paul Osmialowski <p.osmialowsk@samsung.com>,
Paul Moore <paul@paul-moore.com>
Subject: Re: kdbus: credential faking
Date: Fri, 10 Jul 2015 09:29:38 -0400 [thread overview]
Message-ID: <559FC8C2.6030409@tycho.nsa.gov> (raw)
In-Reply-To: <CANq1E4T0BkqZDBAs17LRTheFcnnKEpRgMp=wdEUpRK_ysXNjRA@mail.gmail.com>
On 07/10/2015 05:05 AM, David Herrmann wrote:
> Hi
>
> On Fri, Jul 10, 2015 at 12:56 AM, Casey Schaufler
> <casey@schaufler-ca.com> wrote:
>> On 7/9/2015 3:22 PM, David Herrmann wrote:
>>> Regarding requiring CAP_SYS_ADMIN, I don't really see the point. In
>>> the kdbus security model, if you don't trust the bus-creator, you
>>> should not connect to the bus.
>>
>> That's fine in a discretionary access control model, but
>> not in a mandatory access control model. The decision on
>> trust of the "other" guy is never up to the process, it's
>> up to the mandatory access control policy.
>
> Exactly. So LSMs are free to use a hook to limit faking other user's
> credentials. But why does that have to affect the default (which, in
> the case of kdbus, is a dac model)?
>
>>> A bus-creator can bypass kdbus
>>> policies, sniff on any transmission and modify bus behavior. It just
>>> seems logical to bind faked-metadata to the same privilege. However, I
>>> also have no strong feeling about that, if you place valid points. So
>>> please elaborate.
>>
>> Smack has to require CAP_MAC_ADMIN to allow a process to fake
>> Smack metadata. This is exactly what CAP_MAC_ADMIN is for.
>> Changing Smack metadata is considered a hugely dangerous activity.
>
> I'm totally fine with dropping support to fake seclabels, if LSM
> developers see no need for it. I, certainly, will not insist on it.
> With that in mind, I'd prefer if we limit this discussion to faking CREDS/PIDS.
Well, based on your use case, we actually do need support for faking
seclabels if we need support for faking credentials at all, because your
proxy needs to be able to fake all of the credentials in order to be
fully transparent and preserve compatibility. So I don't think they can
be divorced from each other.
Regardless, we will definitely want a hook for controlling this ability
to fake credentials, and I think we would want to separately distinguish
each of the cases that you currently lump under your single privileged
boolean, as the ability to do one should not necessarily imply the
ability to do them all.
next prev parent reply other threads:[~2015-07-10 13:32 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-09 18:26 kdbus: credential faking Stephen Smalley
2015-07-09 22:22 ` David Herrmann
2015-07-09 22:56 ` Casey Schaufler
2015-07-10 9:05 ` David Herrmann
2015-07-10 13:29 ` Stephen Smalley [this message]
2015-07-10 13:25 ` Stephen Smalley
2015-07-10 13:43 ` David Herrmann
2015-07-10 14:20 ` Martin Steigerwald
2015-07-10 14:25 ` Martin Steigerwald
2015-07-10 14:47 ` Stephen Smalley
2015-07-10 14:57 ` Alex Elsayed
2015-07-10 16:20 ` Casey Schaufler
2015-07-10 16:30 ` Alex Elsayed
2015-07-10 17:46 ` Casey Schaufler
2015-07-10 16:48 ` David Herrmann
2015-07-10 18:13 ` Stephen Smalley
2015-07-10 22:04 ` Greg KH
2015-07-10 15:59 ` Casey Schaufler
2015-07-10 16:26 ` David Herrmann
2015-07-10 17:16 ` Casey Schaufler
2015-07-10 18:02 ` Richard Weinberger
2015-07-10 18:36 ` Casey Schaufler
2015-07-10 18:39 ` Richard Weinberger
2015-07-11 11:30 ` Richard Weinberger
2015-07-11 11:02 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=559FC8C2.6030409@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=casey@schaufler-ca.com \
--cc=daniel@zonque.org \
--cc=dh.herrmann@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=p.osmialowsk@samsung.com \
--cc=paul@paul-moore.com \
--cc=tixxdz@opendz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.