From: Stephen Smalley <sds@tycho.nsa.gov>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: serue@us.ibm.com, jmorris@namei.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org,
linux-kernel@vger.kernel.org, takedakn@nttdata.co.jp,
haradats@nttdata.co.jp
Subject: Re: [PATCH (mmotm-2008-12-02-17-08)] Introduce security_path_set/clear() hooks.
Date: Fri, 05 Dec 2008 16:53:18 -0500 [thread overview]
Message-ID: <1228513998.21715.75.camel@localhost.localdomain> (raw)
In-Reply-To: <200812042100.HFE00081.tFFOHMQVOLFOSJ@I-love.SAKURA.ne.jp>
On Thu, 2008-12-04 at 21:00 +0900, Tetsuo Handa wrote:
> Hello.
>
> Stephen Smalley wrote:
> > On Wed, 2008-12-03 at 17:56 +0900, Kentaro Takeda wrote:
> > > Stephen, Serge,
> > > Here is the patch for introducing new security_path_set()/clear() hooks.
> > >
> > > This patch enables LSM module to remember vfsmount's pathname so that it can
> > > calculate absolute pathname in security_inode_*(). Since actual MAC can be
> > > performed after DAC, there will not be any noise in auditing and learning
> > > features. This patch currently assumes that the vfsmount's pathname is stored in
> > > hash table in LSM module. (Should I use stack memory?)
> > >
> > > Since security_inode_*() are not always called after security_path_set(),
> > > security_path_clear() hook is needed to free the remembered pathname.
> >
> > Your security_path_set()/security_path_clear() pairs look rather similar
> > to mnt_want_write()/mnt_drop_write() pairs. What if you were to call
> > your hooks from those functions, and then you would only need to add
> > further hook calls in the case of read-only and execute/search checks?
>
> Right. Locations of inserting security_path_set()/security_path_clear() pairs
> are subset of mnt_want_write()/mnt_drop_write() pairs. Thus, we can insert
> security_path_set()/security_path_clear() pairs into
> mnt_want_write()/mnt_drop_write() pairs, if we can tolerate performance
> regression. According to our rough measurement, there is about 8 - 22% of
> performance regression. But this approach needs minimum modification to the
> existing kernel (only two hooks to be inserted).
I assume you also need separate hooks to cover the read-only open case?
As for your performance, your implementation of mp_* is clearly
non-optimal, so I'd expect there is plenty of room for improvement
there.
<snip>
> --- linux-2.6.28-rc7-mm1.orig/fs/namespace.c
> +++ linux-2.6.28-rc7-mm1/fs/namespace.c
> @@ -254,6 +254,10 @@ int mnt_want_write(struct vfsmount *mnt)
> int ret = 0;
> struct mnt_writer *cpu_writer;
>
> +#ifdef CONFIG_SECURITY_PATH
> + if (security_path_set(mnt) < 0)
> + return -ENOMEM;
> +#endif
No #ifdef's within the functions, of course. That gets handled by
security.h.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2008-12-05 21:56 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-20 11:25 [TOMOYO #13 (mmotm 2008-11-19-02-19) 00/11] TOMOYO Linux Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 01/11] Introduce security_path_clear() hook Tetsuo Handa
2008-12-01 20:00 ` Stephen Smalley
2008-12-02 10:39 ` Tetsuo Handa
2008-12-02 13:48 ` Stephen Smalley
2008-12-03 8:49 ` Kentaro Takeda
2008-12-03 8:56 ` [PATCH (mmotm-2008-12-02-17-08)] Introduce security_path_set/clear() hooks Kentaro Takeda
2008-12-03 14:13 ` Stephen Smalley
2008-12-04 12:00 ` Tetsuo Handa
2008-12-04 18:20 ` Serge E. Hallyn
2008-12-04 21:41 ` [PATCH (mmotm-2008-12-02-17-08)] Introducesecurity_path_set/clear() hooks Tetsuo Handa
2008-12-05 21:53 ` Stephen Smalley [this message]
2008-12-05 23:27 ` [PATCH (mmotm-2008-12-02-17-08)] Introduce security_path_set/clear() hooks Tetsuo Handa
2008-12-06 5:25 ` [RFC] Add "reason" parameter to mnt_want_write() Tetsuo Handa
2008-12-06 5:53 ` Al Viro
2008-12-06 6:16 ` [PATCH (mmotm-2008-12-02-17-08)] Introduce security_path_set/clear() hooks Al Viro
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 02/11] Add in_execve flag into task_struct Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 03/11] Singly linked list implementation Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 04/11] Introduce d_realpath() Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 05/11] Memory and pathname management functions Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 06/11] Common functions for TOMOYO Linux Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 07/11] File operation restriction part Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 08/11] Domain transition handler Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 09/11] LSM adapter functions Tetsuo Handa
2008-12-01 20:10 ` Stephen Smalley
2008-12-02 10:40 ` Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 10/11] Kconfig and Makefile Tetsuo Handa
2008-11-20 11:25 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 11/11] MAINTAINERS info Tetsuo Handa
2008-11-29 11:59 ` [TOMOYO #13 (mmotm 2008-11-19-02-19) 00/11] TOMOYO Linux Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1228513998.21715.75.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=akpm@linux-foundation.org \
--cc=haradats@nttdata.co.jp \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=serue@us.ibm.com \
--cc=takedakn@nttdata.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox