From: ebiederm@xmission.com (Eric W. Biederman)
To: linux-security-module@vger.kernel.org
Subject: [RFC][PATCH] security: Make the selinux setxattr and removexattr hooks behave
Date: Sun, 01 Oct 2017 17:11:58 -0500
Message-ID: <87a81ajz69.fsf@xmission.com>
In-Reply-To: <fa55814b-469d-65a5-16dc-3641614b8a18@schaufler-ca.com> (Casey Schaufler's message of "Sun, 1 Oct 2017 11:52:29 -0700")
Casey Schaufler <casey@schaufler-ca.com> writes:
> On 9/30/2017 6:02 PM, Eric W. Biederman wrote:
>> I don't have a smack configuration handy, but reading through
>> the code, smack setxattr passes the permission checks for all xattrs
>> that are not smack xattrs to cap_inode_setxattr.
>
> It's not hard to configure Smack. But, if you have a test case
> I can run it for you.
All I did was take /bin/ping from a RHEL or equally a Fedora code base
where it is setcap, copy it with rsync as root in a user namespace,
and look at the xattr.
From memory:
$ cd
$ unshare -Ur
# rsync -Xp /bin/ping ping
>> So smack and commoncap combined will not fail.
>>
>> smack and selinux will result in people who should be able to set
>> selinux xattrs not being able to. That however is less of an immediate
>> problem.
>
> That's not currently a problem as you can't configure
> them both to be enabled.
Like I said, not immediate.
> You clearly don't work in security if running into a brick
> wall is a shocking experience :)
The shock was that the security code was so b0rked.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
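The message above says only that the copied binary's xattr was inspected. As an added example, not code from Eric's message or from the kernel tree, here is a small Python decoder for the value of the security.capability xattr, following the struct vfs_cap_data layout from the kernel's uapi/linux/capability.h (revision in the top byte of magic_etc, the effective flag in the low bits, one or two pairs of permitted/inheritable words, and for revision 3 a trailing rootid). It goes beyond the message in spelling out that format. The two sample blobs are constructed: a revision 2 value representing cap_net_raw+ep, and a revision 3 value of the same capabilities with a rootid of 100000. The CAP_NAMES table and the names decode_vfs_cap, cap_names and describe are this example's own.

```python
import os
import struct
import sys

# struct vfs_cap_data (uapi/linux/capability.h):
#   __le32 magic_etc;                               revision | flags
#   struct { __le32 permitted, inheritable; } data[]; one entry (v1) or two (v2, v3)
#   __le32 rootid;                                  revision 3 only
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000  # 12 bytes, 32-bit sets
VFS_CAP_REVISION_2 = 0x02000000  # 20 bytes, 64-bit sets
VFS_CAP_REVISION_3 = 0x03000000  # 24 bytes, 64-bit sets plus namespaced root uid
# revision -> (number of permitted/inheritable word pairs, total xattr length)
CAP_SIZES = {VFS_CAP_REVISION_1: (1, 12), VFS_CAP_REVISION_2: (2, 20), VFS_CAP_REVISION_3: (2, 24)}

# Index is the capability number, as in linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
]

# Constructed sample values (not taken from any real file).
PING_V2 = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
PING_V3 = bytes.fromhex("01000003" "00200000" "00000000" "00000000" "00000000" "a0860100")


def decode_vfs_cap(blob: bytes) -> dict:
    """Decode a security.capability value; raise ValueError if it is malformed."""
    if len(blob) < 4:
        raise ValueError("value too short to hold magic_etc")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in CAP_SIZES:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % revision)
    pairs, expected_len = CAP_SIZES[revision]
    if len(blob) != expected_len:
        raise ValueError("revision %d needs %d bytes, got %d" % (revision >> 24, expected_len, len(blob)))
    permitted = inheritable = 0
    for i in range(pairs):
        # data[i] holds bits 32*i .. 32*i+31 of each 64-bit capability set
        perm_word, inh_word = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= perm_word << (32 * i)
        inheritable |= inh_word << (32 * i)
    # rootid is the uid (in the xattr writer's user namespace) that counts as root for this file
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "rootid": rootid,
    }


def cap_names(mask: int) -> list:
    """Expand a capability bitmask into the kernel's lowercase capability names."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(mask.bit_length()) if (mask >> i) & 1]


def describe(blob: bytes) -> str:
    """One-line summary in the spirit of getcap(8) output, plus revision and rootid."""
    c = decode_vfs_cap(blob)
    return "v%d effective=%s permitted=%s inheritable=%s rootid=%d" % (
        c["revision"], c["effective"],
        ",".join(cap_names(c["permitted"])) or "-",
        ",".join(cap_names(c["inheritable"])) or "-",
        c["rootid"])


if __name__ == "__main__":
    # With a path argument, read the live xattr (Linux only); otherwise decode the samples.
    if sys.argv[1:] and hasattr(os, "getxattr"):
        try:
            print(describe(os.getxattr(sys.argv[1], "security.capability")))
        except OSError as err:
            print("no security.capability on %s: %s" % (sys.argv[1], err))
    else:
        for name, blob in (("PING_V2", PING_V2), ("PING_V3", PING_V3)):
            print(name, describe(blob))
```

Run it as `python3 vfscap.py ./ping` after an rsync -Xp copy such as the one in the message to see which revision landed on the copy and, for a revision 3 value, which uid the rootid field names; a copy made inside a user namespace is where that field becomes relevant, since a revision 3 value is only honoured when the rootid maps to root in the executing namespace.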