From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Moore <paul@paul-moore.com>, Daniel Cashman <dcashman@android.com>
Cc: selinux@tycho.nsa.gov, Eric Paris <eparis@parisplace.org>,
James Morris <james.l.morris@oracle.com>,
serge@hallyn.com, linux-security-module@vger.kernel.org,
jeffv@google.com, nnk@google.com, arve@google.com
Subject: Re: Exposing secid to secctx mapping to user-space
Date: Fri, 11 Dec 2015 17:14:38 -0500 [thread overview]
Message-ID: <566B4ACE.3040301@tycho.nsa.gov> (raw)
In-Reply-To: <CAHC9VhRuVg_gwJbz_NA5ftUHT9gzFR8sx3AXmQkZViXwnq3Sow@mail.gmail.com>
On 12/11/2015 02:55 PM, Paul Moore wrote:
> On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman <dcashman@android.com> wrote:
>> Hello,
>>
>> I would like to write a patch that would expose, via selinuxfs, the
>> mapping between secids in the kernel and security contexts to
>> user-space, but before doing so wanted to get some feedback as to
>> whether or not such an endeavor could have any support upstream. The
>> direct motivation for this is the desire to communicate calling security
>> ids/contexts over binder IPC on android for use in a user-space object
>> manager. Passing the security ids themselves would be simpler and more
>> efficient in the critical kernel path, but they currently have no
>> user-space meaning.
>
> In general we try to avoid exposing the secid tokens outside the
> kernel, I view them as an implementation hack designed to make it
> easier to manage and operate on the security labels in the kernel. I
> suspect you will hear something very similar from Casey and the other
> Smack developers. Another consideration is the long standing LSM
> stacking effort, they have several good reasons for wanting to abolish
> the secid token, propagating it to userspace would make that all but
> impossible.
>
> While I'm sympathetic to your desire for less complexity and better
> performance in passing security labels, from a kernel perspective I
> think we lose too much in exporting the secid tokens outside the LSM.
To clarify, security identifiers were by design provided in the Flask
architecture and SELinux as lightweight, non-persistent handles to
security contexts, and exposed to userspace by the original SELinux API
(pre-2.6, of course). They were only removed when we transitioned to
using extended attributes and the xattr API for file security labels,
and we made all of the other APIs consistent as passing context strings
seemed acceptable for proc and selinuxfs as well. There was some
thought to turning SIDs into proper reference-counted objects or even
wrapping them with descriptors so that their lifecycles could be fully
managed by the kernel, but that never happened.
Passing a security context string on every binder IPC may be too costly
from a performance point of view (numbers would be helpful here). I
think this situation differs from that of stream sockets (i.e.
getsockopt SO_PEERSEC), since they are looking at enabling passing of
sender security label for every binder IPC (not just specific
applications) and since binder IPC is quite different from stream socket
IPC in its semantics and its performance.
Perhaps we could provide a new fixed-size tokenized version of the
security context string for export to userspace that could be embedded
in the binder transaction structure? This could avoid both the
limitations of the current secid (e.g. limited to 32 bits, no
stackability) and the overhead of copying context strings on every IPC.
next prev parent reply other threads:[~2015-12-11 22:14 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-11 18:37 Exposing secid to secctx mapping to user-space Daniel Cashman
2015-12-11 19:55 ` Paul Moore
2015-12-11 20:41 ` Roberts, William C
2015-12-11 22:14 ` Stephen Smalley [this message]
2015-12-12 0:24 ` Casey Schaufler
2015-12-13 22:06 ` Paul Moore
2015-12-14 17:03 ` Mike Palmiotto
2015-12-14 17:31 ` Casey Schaufler
2015-12-14 17:42 ` Stephen Smalley
2015-12-14 17:50 ` Casey Schaufler
2015-12-14 21:29 ` Roberts, William C
2015-12-14 22:11 ` Stephen Smalley
2015-12-14 22:52 ` William Roberts
2015-12-14 22:57 ` Roberts, William C
2015-12-15 15:00 ` Stephen Smalley
2015-12-15 16:06 ` Casey Schaufler
2015-12-15 16:55 ` Stephen Smalley
2015-12-15 17:36 ` Casey Schaufler
2015-12-15 17:19 ` Joe Nall
2015-12-15 18:03 ` Stephen Smalley
2015-12-15 19:09 ` Joe Nall
2015-12-18 23:55 ` Paul Moore
2015-12-15 20:58 ` Daniel Cashman
2015-12-15 22:41 ` William Roberts
2015-12-18 23:54 ` Paul Moore
2015-12-11 20:36 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=566B4ACE.3040301@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=arve@google.com \
--cc=dcashman@android.com \
--cc=eparis@parisplace.org \
--cc=james.l.morris@oracle.com \
--cc=jeffv@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.