From: Eric Paris <eparis@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Eric Paris <eparis@parisplace.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Joe Perches <joe@perches.com>,
Dan Rosenberg <drosenberg@vsecurity.com>,
LKML <linux-kernel@vger.kernel.org>, Ingo Molnar <mingo@elte.hu>,
Eugene Teo <eugeneteo@kernel.org>,
Kees Cook <kees.cook@canonical.com>,
Andrew Morton <akpm@linux-foundation.org>,
LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n
Date: Mon, 15 Nov 2010 17:43:07 -0500 [thread overview]
Message-ID: <1289860987.14282.40.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.2.00.1011160908380.29867@tundra.namei.org>
On Tue, 2010-11-16 at 09:13 +1100, James Morris wrote:
> On Mon, 15 Nov 2010, Eric Paris wrote:
>
> > On Mon, Nov 15, 2010 at 12:41 PM, Linus Torvalds
> > <torvalds@linux-foundation.org> wrote:
> > > If the old rule should have been that you _have_
> > > to call cap_syslog(), then just eviscerating that entirely and putting
> > > it in the generic code is definitely the right thing.
> >
> > That is the rule for ALL of the hooks in commoncap.c. The one time I
> > tried to do something else *cough*mmap_min_addr*cough* I screwed it
> > up. I'll put a note in my todo list about looking into lifting all of
> > commoncap.c into the callers.
>
> If it's a requirement of the API that all of the cap calls are made
> first, then build it into the API, so developers can't make a mistake.
> e.g. have the LSM API do the secondary stacking of caps behind the scenes.
At this point it's a defacto requirement since noone is doing anything
like that. My mmap_min_addr screw up is, to the best of my knowledge,
the only time anyone has intentionally not called the caps code...
And I sorta like the idea of moving the cap_* calls directly into
security_*. Great, another item on the todo list. Lift as many cap
calls into the caller as is reasonable (I don't think there are
many/any) and if not possible lift them directory into security_*. If
someone else really wants to make a system truely without capabilities
lets look at there solution then....
> I had thought that the idea was that some LSM may want to not implement
> capabilities at all, on which case, it should still not be possible for
> the API to weaken the default security with or without caps.
Not sure how that's possible. I mean, I guess it's possible if the
fabled LSM reimplements the cap call, but I'm not sure how you can
remove a restrictive only security check without 'weakening' the system
in some way.
next prev parent reply other threads:[~2010-11-15 22:44 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-13 17:26 [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n Joe Perches
2010-11-13 17:50 ` Linus Torvalds
2010-11-13 18:25 ` Dan Rosenberg
2010-11-13 20:22 ` Linus Torvalds
2010-11-14 3:05 ` Kees Cook
2010-11-14 12:35 ` Ingo Molnar
2010-11-13 19:51 ` Joe Perches
2010-11-13 20:01 ` Joe Perches
2010-11-13 20:31 ` Linus Torvalds
2010-11-15 1:16 ` James Morris
2010-11-15 17:04 ` Eric Paris
2010-11-15 17:34 ` Eric Paris
2010-11-15 17:41 ` Linus Torvalds
2010-11-15 17:45 ` Eric Paris
2010-11-15 18:20 ` Linus Torvalds
2010-11-15 22:13 ` James Morris
2010-11-15 22:43 ` Eric Paris [this message]
2010-11-15 22:58 ` James Morris
2010-11-15 23:08 ` Eric Paris
2010-11-15 22:16 ` James Morris
2010-11-15 22:36 ` Linus Torvalds
2010-11-15 22:51 ` James Morris
2010-11-14 2:44 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1289860987.14282.40.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=drosenberg@vsecurity.com \
--cc=eparis@parisplace.org \
--cc=eugeneteo@kernel.org \
--cc=jmorris@namei.org \
--cc=joe@perches.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox