Re: [PATCH] Security/sysfs: Enable security xattrs to be set on sysfs files, directories, and symlinks.

["David P. Quigley" <dpquigl@tycho.nsa.gov>]

On Thu, 2009-07-09 at 10:52 -0700, Greg KH wrote:
> On Thu, Jul 09, 2009 at 01:13:33PM -0400, David P. Quigley wrote:
> > The issue is that there really aren't any LSM hooks to accommodate that.
> > I have a few LSM hooks for the Labeled NFS work which could be used for
> > this but it still requires us to store the full xattr value somewhere
> > and referencing it in the sysfs_dirent structure.
> 
> A void pointer would handle that properly, right?

A void pointer would suffice if we wanted to store the opaque blob. My
argument is that storing that blob is too heavy weight memory wise.

> 
> > The issue here is that there are two ways of presenting security
> > information. The first is through the xattr interface which represents
> > the security information as an opaque blob which the LSM turns into an
> > internal representation. The second which is left over from the early
> > days is the secid which I equate to a file handle. The problem I see
> > is that the opaque blob (the xattr) is the interface presented to user
> > space. It isn't really used internally except to turn it into a data
> > structure or to write it to disk for persistence.
> 
> That is the way that selinux does it, do the other lsms also handle it
> this way?

Casey handles this a different way in Smack but it has more to do with
his model than his design. Since a Smack label is just a simple 23 byte
string he doesn't do any conversion to store it in Smack. SELinux
differs in that the label contains 4 components so these get broken out
into the security structure so they can be handled separately by the
security structure. I can't say for certain but I would probably say
that a label based LSM which attempts to implement several models will
probably have to do what SELinux does. The only thing I'm concerned with
is that Casey did mention when I was creating hooks for the Labeled NFS
work a situation where an LSM may implement multiple security.* xattrs.
We don't currently have any LSMs that work that way so I'm not sure if I
need to handle that now.

> 
> > The situation we have with sysfs is that there is no persistence for
> > labels and the in-core inode maybe evicted so we need a way of
> > persisting changes from the default label.
> 
> So you put it in the structure you did, which is correct.  You should
> also listen to all sysfs netlink messages to be sure to lable things
> when they are created, to handle the lack of persistence.

Thanks for the heads up. I'll make sure I look into this.

> 
> thanks,
> 
> greg k-h