From: Casey Schaufler <casey@schaufler-ca.com>
To: Mike Palmiotto <mike.palmiotto@crunchydata.com>,
Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov, arve@google.com,
linux-security-module@vger.kernel.org,
James Morris <james.l.morris@oracle.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: Exposing secid to secctx mapping to user-space
Date: Mon, 14 Dec 2015 09:31:21 -0800 [thread overview]
Message-ID: <566EFCE9.3080606@schaufler-ca.com> (raw)
In-Reply-To: <CAMN686H=1MKUWa5iW9cciiVwto03uEVGC7uj7kdt3S0-29BvhQ@mail.gmail.com>
On 12/14/2015 9:03 AM, Mike Palmiotto wrote:
> On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore <paul@paul-moore.com> wrote:
>> On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
>>> Perhaps we could provide a new fixed-size tokenized version of the
>>> security context string for export to userspace that could be embedded
>>> in the binder transaction structure? This could avoid both the
>>> limitations of the current secid (e.g. limited to 32 bits, no
>>> stackability) and the overhead of copying context strings on every IPC.
>> On Friday, December 11, 2015 04:24:48 PM Casey Schaufler wrote:
>>> How about this: Provide an alias mechanism for secctx. There would then
>>> be a secid (32bits) a secctx (arbitrary text string) and a secalias which
>>> could be a limited string of some length. You could use the alias in place
>>> of the secctx anywhere you liked.
>> My initial reaction to the secalias idea isn't overly positive. It seems like
>> a kludge with a lot of duplication, both in terms of code and concept, and a
>> lot of risk for confusion both by users and policy writers. I think if we
>> really wanted to limit the security label string format to a small size we
>> should have done that from the start, it's too late now.
>>
>> Assuming we see some binder performance numbers, and the numbers are bad, I'm
>> a little more open to doing something with the secid token. Up to this point
>> we haven't made any guarantees about the token and we haven't exported it
>> outside the kernel so there is some ability to change it to fit our needs.
>> Granted, this isn't perfect solution either, and perhaps ultimately we would
>> need something else, but I think it is worth looking into this first before we
>> introduce another string label.
> Agreed here. I can definitely see a use for security identifier tokens
> in SE Postgres as well. Ideally these tokens would be 32 bit uints as
> opposed to shorter string aliases.
If you need something persistent you can't use what the
kernel would provide, and if you don't you can make it up
on the fly. The binder case is different (and evil) because
the binder driver is letting user space make decisions on
behalf of the kernel.
>
> --Mike
>
>> --
>> paul moore
>> www.paul-moore.com
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
next prev parent reply other threads:[~2015-12-14 17:31 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-11 18:37 Exposing secid to secctx mapping to user-space Daniel Cashman
2015-12-11 19:55 ` Paul Moore
2015-12-11 20:41 ` Roberts, William C
2015-12-11 22:14 ` Stephen Smalley
2015-12-12 0:24 ` Casey Schaufler
2015-12-13 22:06 ` Paul Moore
2015-12-14 17:03 ` Mike Palmiotto
2015-12-14 17:31 ` Casey Schaufler [this message]
2015-12-14 17:42 ` Stephen Smalley
2015-12-14 17:50 ` Casey Schaufler
2015-12-14 21:29 ` Roberts, William C
2015-12-14 22:11 ` Stephen Smalley
2015-12-14 22:52 ` William Roberts
2015-12-14 22:57 ` Roberts, William C
2015-12-15 15:00 ` Stephen Smalley
2015-12-15 16:06 ` Casey Schaufler
2015-12-15 16:55 ` Stephen Smalley
2015-12-15 17:36 ` Casey Schaufler
2015-12-15 17:19 ` Joe Nall
2015-12-15 18:03 ` Stephen Smalley
2015-12-15 19:09 ` Joe Nall
2015-12-18 23:55 ` Paul Moore
2015-12-15 20:58 ` Daniel Cashman
2015-12-15 22:41 ` William Roberts
2015-12-18 23:54 ` Paul Moore
2015-12-11 20:36 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=566EFCE9.3080606@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=arve@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mike.palmiotto@crunchydata.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.