From: Eric Paris <eparis@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
Andreas Gruenbacher <andreas.gruenbacher@gmail.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
linux-fsdevel@vger.kernel.org,
David Quigley <dpquigl@davequigley.com>,
"J. Bruce Fields" <bfields@fieldses.org>
Cc: linux-security-module@vger.kernel.org, cluster-devel@redhat.com
Subject: Re: [RFC 00/11] Inode security label invalidation
Date: Mon, 24 Aug 2015 15:47:58 -0500 [thread overview]
Message-ID: <1440449278.3361.23.camel@redhat.com> (raw)
In-Reply-To: <55DB578A.3080108@tycho.nsa.gov>
On Mon, 2015-08-24 at 13:42 -0400, Stephen Smalley wrote:
> On 08/20/2015 02:19 PM, Andreas Gruenbacher wrote:
> > For that case, the file system has no way of updating the security
> > label before
> > selinux next uses it. Things also don't fix themselves over time;
> > when selinux
> > rejects access, the file system never notices.
>
> The current NFSv4 model is to call security_inode_notifysecctx() to
> notify the security module of the new label. Does that not work for
> gfs2 or others? It is up to the filesystem client side code to
> actually
> detect the change and fetch the new value, then push it to the
> security
> module via the security_inode_notifysecctx() hook.
I'm told that most of these filesystems have NO push to clients about
changes. Only clients 'pull'.
Image the inode has the label "no_access". I try to access it on node1.
We pull the inode into core and set the isec to no_access and then get
denied. Now on node2 I relabel to "yes_access". There is no push
mechanism for node1 to find out. Now on node1 if I call access() I
"should" have access, but the VFS/LSM will never call the filesystem
code, so fs never knows to call security_inode_notifysecctx().
Somehow we have to get into the FS function so the FS can tell us that
it is invalid...
prev parent reply other threads:[~2015-08-24 20:48 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-20 18:19 [RFC 00/11] Inode security label invalidation Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 01/11] ubifs: Remove unused "security.*" xattr handler Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 02/11] hfsplus: Remove unused xattr handler list operations Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 03/11] 9p: Simplify the xattr handlers Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 04/11] xattr handlers: Pass handler to operations instead of flags Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 05/11] xattr handlers: Some simplifications Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 06/11] lib: Move strcmp_prefix into string.c Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 07/11] 9p: Stop using the generic xattr_handler infrastructure Andreas Gruenbacher
2015-08-21 6:46 ` Christoph Hellwig
2015-08-21 8:35 ` [Cluster-devel] " Steven Whitehouse
2015-08-20 18:19 ` [RFC 08/11] xattr: Pass inodes to xattr handlers instead of dentries Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 09/11] vfs: Add igetxattr inode operation Andreas Gruenbacher
2015-08-21 6:48 ` Christoph Hellwig
2015-08-20 18:19 ` [RFC 10/11] selinux: Allow to invalidate an inode's security label Andreas Gruenbacher
2015-08-20 18:19 ` [RFC 11/11] gfs2: Invalide security labels of inodes that go invalid Andreas Gruenbacher
2015-08-21 6:49 ` Christoph Hellwig
2015-08-21 9:25 ` [Cluster-devel] " Andreas Gruenbacher
2015-08-24 17:42 ` [RFC 00/11] Inode security label invalidation Stephen Smalley
2015-08-24 19:13 ` Andreas Grünbacher
2015-08-24 20:47 ` Eric Paris [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440449278.3361.23.camel@redhat.com \
--to=eparis@redhat.com \
--cc=andreas.gruenbacher@gmail.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=bfields@fieldses.org \
--cc=cluster-devel@redhat.com \
--cc=dpquigl@davequigley.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).