From: David Howells <dhowells@redhat.com>
To: Josef Sipek <jsipek@fsl.cs.sunysb.edu>
Cc: sds@tycho.nsa.gov, jmorris@namei.org, chrisw@sous-sol.org,
selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org,
aviro@redhat.com
Subject: Re: Security issues with local filesystem caching
Date: Thu, 26 Oct 2006 10:56:08 +0100 [thread overview]
Message-ID: <7864.1161856568@redhat.com> (raw)
In-Reply-To: <20061025202155.GB3854@filer.fsl.cs.sunysb.edu>
Josef Sipek <jsipek@fsl.cs.sunysb.edu> wrote:
> Hrm. How do you do DAC checks if you don't copy over the permissions without
> alteration?
You have to remember there are two filesystem layers involved. NFS or other
netfs does the DAC, MAC, whatever checks to see whether the user can access a
file. NFS then asks the cache to back the netfs file and the cache creates a
file in the local filesystem to do that.
The cache file doesn't need the DAC/MAC/whatever attributes applied to the
netfs file, and, in fact, may not be able to support what the netfs deals
with.
> I'm wondering, why don't just you duplicate all the attributes of the files
> (including xattrs)? That would take care of most if not all the DAC/MAC
> issues, no?
You're forgetting that the userspace cache manager daemon still has to access
the cache.
> > (1) Do all the cache operations in their own thread (sort of like knfsd).
>
> In our case it works well, however we have only very specific times when we
> need to use the work queue, so the performance hit doesn't hurt us as much
> as it would hurt you - I'm assuming you'd be using the thread for a sizable
> portion of calls you get.
I'm not sure exactly. Actually, I could probably deal with read/write ops
inline - though I don't have a file struct to carry a security context - but
getting and releasing inodes would certainly wind up being farmed off.
Consider the automounter releasing an NFS share that's been heavily used...
> I'm thinking that it would be nice to combine the caching related security
> code with those for stackable filesystems.
That's fine by me, though I want the security on a cache file to be different
to that on the netfs file it's backing.
David
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: David Howells <dhowells@redhat.com>
To: Josef Sipek <jsipek@fsl.cs.sunysb.edu>
Cc: sds@tycho.nsa.gov, jmorris@namei.org, chrisw@sous-sol.org,
selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org,
aviro@redhat.com
Subject: Re: Security issues with local filesystem caching
Date: Thu, 26 Oct 2006 10:56:08 +0100 [thread overview]
Message-ID: <7864.1161856568@redhat.com> (raw)
In-Reply-To: <20061025202155.GB3854@filer.fsl.cs.sunysb.edu>
Josef Sipek <jsipek@fsl.cs.sunysb.edu> wrote:
> Hrm. How do you do DAC checks if you don't copy over the permissions without
> alteration?
You have to remember there are two filesystem layers involved. NFS or other
netfs does the DAC, MAC, whatever checks to see whether the user can access a
file. NFS then asks the cache to back the netfs file and the cache creates a
file in the local filesystem to do that.
The cache file doesn't need the DAC/MAC/whatever attributes applied to the
netfs file, and, in fact, may not be able to support what the netfs deals
with.
> I'm wondering, why don't just you duplicate all the attributes of the files
> (including xattrs)? That would take care of most if not all the DAC/MAC
> issues, no?
You're forgetting that the userspace cache manager daemon still has to access
the cache.
> > (1) Do all the cache operations in their own thread (sort of like knfsd).
>
> In our case it works well, however we have only very specific times when we
> need to use the work queue, so the performance hit doesn't hurt us as much
> as it would hurt you - I'm assuming you'd be using the thread for a sizable
> portion of calls you get.
I'm not sure exactly. Actually, I could probably deal with read/write ops
inline - though I don't have a file struct to carry a security context - but
getting and releasing inodes would certainly wind up being farmed off.
Consider the automounter releasing an NFS share that's been heavily used...
> I'm thinking that it would be nice to combine the caching related security
> code with those for stackable filesystems.
That's fine by me, though I want the security on a cache file to be different
to that on the netfs file it's backing.
David
next prev parent reply other threads:[~2006-10-26 9:56 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-25 10:14 Security issues with local filesystem caching David Howells
2006-10-25 10:14 ` David Howells
2006-10-25 16:52 ` Nate Diller
2006-10-25 16:52 ` Nate Diller
2006-10-25 16:48 ` Jeff V. Merkey
2006-10-25 17:21 ` David Howells
2006-10-25 17:21 ` David Howells
2006-10-25 17:42 ` Jeff V. Merkey
2006-10-25 18:15 ` David Howells
2006-10-25 18:15 ` David Howells
2006-10-25 20:21 ` Josef Sipek
2006-10-25 20:28 ` Josef Sipek
2006-10-26 9:56 ` David Howells [this message]
2006-10-26 9:56 ` David Howells
2006-10-27 15:54 ` Josef Sipek
2006-10-25 21:12 ` Stephen Smalley
2006-10-25 21:12 ` Stephen Smalley
2006-10-26 10:40 ` David Howells
2006-10-26 10:40 ` David Howells
2006-10-26 12:51 ` Stephen Smalley
2006-10-26 12:51 ` Stephen Smalley
2006-10-26 16:04 ` David Howells
2006-10-26 16:04 ` David Howells
2006-10-26 16:34 ` Stephen Smalley
2006-10-26 16:34 ` Stephen Smalley
2006-10-26 17:09 ` David Howells
2006-10-26 17:09 ` David Howells
2006-10-26 17:45 ` Stephen Smalley
2006-10-26 17:45 ` Stephen Smalley
2006-10-26 22:53 ` David Howells
2006-10-26 22:53 ` David Howells
2006-10-27 14:48 ` Stephen Smalley
2006-10-27 14:48 ` Stephen Smalley
2006-10-27 15:42 ` David Howells
2006-10-27 15:42 ` David Howells
2006-10-27 16:10 ` Stephen Smalley
2006-10-27 16:10 ` Stephen Smalley
2006-10-27 16:25 ` David Howells
2006-10-27 16:25 ` David Howells
2006-10-27 17:09 ` Stephen Smalley
2006-10-27 17:09 ` Stephen Smalley
2006-10-27 17:34 ` David Howells
2006-10-27 17:34 ` David Howells
2006-10-27 14:41 ` David Howells
2006-10-27 14:41 ` David Howells
2006-10-27 15:03 ` Stephen Smalley
2006-10-27 16:12 ` David Howells
2006-10-27 16:37 ` Stephen Smalley
2006-10-27 17:28 ` David Howells
2006-10-27 18:10 ` Stephen Smalley
2006-10-30 15:13 ` David Howells
2006-10-31 16:19 ` David Howells
2006-10-31 16:51 ` Stephen Smalley
2006-10-31 19:21 ` David Howells
2006-10-25 23:37 ` Alan Cox
2006-10-26 0:32 ` Al Viro
2006-10-26 10:45 ` David Howells
2006-10-26 10:45 ` David Howells
2006-10-26 10:54 ` Alan Cox
2006-10-26 9:14 ` Jan Dittmer
2006-10-26 10:55 ` David Howells
2006-10-26 10:55 ` David Howells
2006-10-26 11:52 ` Alan Cox
2006-10-31 21:26 ` David Howells
2006-10-31 21:26 ` David Howells
2006-11-01 13:28 ` Stephen Smalley
2006-11-01 13:28 ` Stephen Smalley
2006-11-01 15:34 ` David Howells
2006-11-01 15:34 ` David Howells
2006-11-01 15:58 ` Karl MacMillan
2006-11-01 15:58 ` Karl MacMillan
2006-11-01 17:45 ` Stephen Smalley
2006-11-01 17:45 ` Stephen Smalley
2006-11-02 16:29 ` Karl MacMillan
2006-11-02 16:29 ` Karl MacMillan
2006-11-02 18:04 ` Stephen Smalley
2006-11-02 18:04 ` Stephen Smalley
2006-11-01 17:30 ` Stephen Smalley
2006-11-01 17:30 ` Stephen Smalley
2006-11-02 17:16 ` David Howells
2006-11-02 17:16 ` David Howells
2006-11-02 19:49 ` Trond Myklebust
2006-11-02 20:38 ` David Howells
2006-11-02 20:38 ` David Howells
2006-11-02 21:24 ` Trond Myklebust
2006-11-03 10:27 ` David Howells
2006-11-03 10:27 ` David Howells
2006-11-03 13:41 ` Trond Myklebust
2006-11-03 15:23 ` David Howells
2006-11-03 15:23 ` David Howells
2006-11-03 17:30 ` Trond Myklebust
2006-11-14 19:22 ` David Howells
2006-11-14 19:22 ` David Howells
2006-11-15 14:05 ` Trond Myklebust
2006-11-15 15:28 ` David Howells
2006-11-15 15:28 ` David Howells
2006-11-15 16:41 ` Trond Myklebust
2006-11-15 18:17 ` David Howells
2006-11-15 18:17 ` David Howells
2006-11-03 15:33 ` David Howells
2006-11-03 15:33 ` David Howells
2006-11-02 20:33 ` Stephen Smalley
2006-11-02 20:33 ` Stephen Smalley
2006-11-02 21:05 ` David Howells
2006-11-02 21:05 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7864.1161856568@redhat.com \
--to=dhowells@redhat.com \
--cc=aviro@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=jmorris@namei.org \
--cc=jsipek@fsl.cs.sunysb.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.