From: Christian Brauner <brauner@kernel.org>
To: cgzones@googlemail.com
Cc: linux-security-module@vger.kernel.org,
Chuck Lever <chuck.lever@oracle.com>,
Jeff Layton <jlayton@kernel.org>,
Amir Goldstein <amir73il@gmail.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jan Kara <jack@suse.cz>, Serge Hallyn <serge@hallyn.com>,
Julia Lawall <Julia.Lawall@inria.fr>,
Nicolas Palix <nicolas.palix@imag.fr>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, cocci@inria.fr
Subject: Re: [PATCH 09/11] fs: reorder capability check last
Date: Mon, 25 Nov 2024 13:17:31 +0100 [thread overview]
Message-ID: <20241125-rausch-sprossen-2570a6fe045a@brauner> (raw)
In-Reply-To: <20241125104011.36552-8-cgoettsche@seltendoof.de>
On Mon, Nov 25, 2024 at 11:40:01AM +0100, Christian Göttsche wrote:
> From: Christian Göttsche <cgzones@googlemail.com>
>
> capable() calls refer to enabled LSMs whether to permit or deny the
> request. This is relevant in connection with SELinux, where a
> capability check results in a policy decision and by default a denial
> message on insufficient permission is issued.
> It can lead to three undesired cases:
> 1. A denial message is generated, even in case the operation was an
> unprivileged one and thus the syscall succeeded, creating noise.
> 2. To avoid the noise from 1. the policy writer adds a rule to ignore
> those denial messages, hiding future syscalls, where the task
> performs an actual privileged operation, leading to hidden limited
> functionality of that task.
> 3. To avoid the noise from 1. the policy writer adds a rule to permit
> the task the requested capability, while it does not need it,
> violating the principle of least privilege.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
Reviewed-by: Christian Brauner <brauner@kernel.org>
next prev parent reply other threads:[~2024-11-25 12:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-25 10:39 [PATCH 02/11] quota: reorder capability check last Christian Göttsche
2024-11-25 10:39 ` [PATCH 03/11] ext4: " Christian Göttsche
2024-11-25 10:39 ` [PATCH 04/11] hugetlbfs: " Christian Göttsche
2024-11-25 10:39 ` [PATCH 05/11] genwqe: " Christian Göttsche
2024-11-25 10:39 ` [PATCH 06/11] ubifs: " Christian Göttsche
2024-11-25 11:10 ` Liviu Dudau
2024-11-25 11:30 ` Richard Weinberger
2024-11-25 11:48 ` Christian Göttsche
2024-11-25 10:39 ` [PATCH 07/11] ipv4: " Christian Göttsche
2024-11-26 8:01 ` Paolo Abeni
2024-11-25 10:40 ` [PATCH 08/11] gfs2: " Christian Göttsche
2024-11-25 11:34 ` Andreas Gruenbacher
2024-11-25 10:40 ` [PATCH 09/11] fs: " Christian Göttsche
2024-11-25 12:17 ` Christian Brauner [this message]
2024-11-25 10:40 ` [PATCH 10/11] skbuff: " Christian Göttsche
2024-11-25 10:40 ` [PATCH 11/11] infiniband: " Christian Göttsche
2024-11-25 10:40 ` [PATCH 01/11] coccinelle: Add script to reorder capable() calls Christian Göttsche
2024-11-25 17:48 ` [cocci] " Markus Elfring
2024-11-26 12:55 ` Markus Elfring
2024-11-27 11:45 ` Markus Elfring
2024-11-29 12:38 ` Markus Elfring
2024-11-30 4:08 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241125-rausch-sprossen-2570a6fe045a@brauner \
--to=brauner@kernel.org \
--cc=Julia.Lawall@inria.fr \
--cc=amir73il@gmail.com \
--cc=cgzones@googlemail.com \
--cc=chuck.lever@oracle.com \
--cc=cocci@inria.fr \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nicolas.palix@imag.fr \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox