The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: Eric Paris <eparis@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Eric Paris <eparis@parisplace.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Joe Perches <joe@perches.com>,
	Dan Rosenberg <drosenberg@vsecurity.com>,
	LKML <linux-kernel@vger.kernel.org>, Ingo Molnar <mingo@elte.hu>,
	Eugene Teo <eugeneteo@kernel.org>,
	Kees Cook <kees.cook@canonical.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n
Date: Mon, 15 Nov 2010 17:43:07 -0500	[thread overview]
Message-ID: <1289860987.14282.40.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.2.00.1011160908380.29867@tundra.namei.org>

On Tue, 2010-11-16 at 09:13 +1100, James Morris wrote:
> On Mon, 15 Nov 2010, Eric Paris wrote:
> 
> > On Mon, Nov 15, 2010 at 12:41 PM, Linus Torvalds
> > <torvalds@linux-foundation.org> wrote:
> > > If the old rule should have been that you _have_
> > > to call cap_syslog(), then just eviscerating that entirely and putting
> > > it in the generic code is definitely the right thing.
> > 
> > That is the rule for ALL of the hooks in commoncap.c.  The one time I
> > tried to do something else *cough*mmap_min_addr*cough* I screwed it
> > up.  I'll put a note in my todo list about looking into lifting all of
> > commoncap.c into the callers.
> 
> If it's a requirement of the API that all of the cap calls are made 
> first, then build it into the API, so developers can't make a mistake.  
> e.g. have the LSM API do the secondary stacking of caps behind the scenes.

At this point it's a defacto requirement since noone is doing anything
like that.  My mmap_min_addr screw up is, to the best of my knowledge,
the only time anyone has intentionally not called the caps code...

And I sorta like the idea of moving the cap_* calls directly into
security_*.  Great, another item on the todo list.  Lift as many cap
calls into the caller as is reasonable (I don't think there are
many/any) and if not possible lift them directory into security_*.  If
someone else really wants to make a system truely without capabilities
lets look at there solution then....

> I had thought that the idea was that some LSM may want to not implement 
> capabilities at all, on which case, it should still not be possible for 
> the API to weaken the default security with or without caps.

Not sure how that's possible.  I mean, I guess it's possible if the
fabled LSM reimplements the cap call, but I'm not sure how you can
remove a restrictive only security check without 'weakening' the system
in some way.


  reply	other threads:[~2010-11-15 22:44 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-13 17:26 [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n Joe Perches
2010-11-13 17:50 ` Linus Torvalds
2010-11-13 18:25   ` Dan Rosenberg
2010-11-13 20:22     ` Linus Torvalds
2010-11-14  3:05       ` Kees Cook
2010-11-14 12:35       ` Ingo Molnar
2010-11-13 19:51   ` Joe Perches
2010-11-13 20:01     ` Joe Perches
2010-11-13 20:31     ` Linus Torvalds
2010-11-15  1:16       ` James Morris
2010-11-15 17:04       ` Eric Paris
2010-11-15 17:34         ` Eric Paris
2010-11-15 17:41           ` Linus Torvalds
2010-11-15 17:45             ` Eric Paris
2010-11-15 18:20               ` Linus Torvalds
2010-11-15 22:13               ` James Morris
2010-11-15 22:43                 ` Eric Paris [this message]
2010-11-15 22:58                   ` James Morris
2010-11-15 23:08                     ` Eric Paris
2010-11-15 22:16             ` James Morris
2010-11-15 22:36               ` Linus Torvalds
2010-11-15 22:51                 ` James Morris
2010-11-14  2:44   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1289860987.14282.40.camel@localhost.localdomain \
    --to=eparis@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=drosenberg@vsecurity.com \
    --cc=eparis@parisplace.org \
    --cc=eugeneteo@kernel.org \
    --cc=jmorris@namei.org \
    --cc=joe@perches.com \
    --cc=kees.cook@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox