From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, haradats@nttdata.co.jp,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Al Viro <viro@ZenIV.linux.org.uk>
Subject: Re: [TOMOYO #9 (2.6.27-rc7-mm1) 1/6] LSM adapter functions.
Date: Tue, 30 Sep 2008 11:23:21 -0500 [thread overview]
Message-ID: <20080930162321.GA31779@us.ibm.com> (raw)
In-Reply-To: <1222791288.19676.114.camel@moss-spartans.epoch.ncsc.mil>
Quoting Stephen Smalley (sds@tycho.nsa.gov):
>
> On Tue, 2008-09-30 at 10:45 -0500, Serge E. Hallyn wrote:
> > Quoting Kentaro Takeda (takedakn@nttdata.co.jp):
> > > Serge E. Hallyn wrote:
> > > > Unfortunately I think that is a shortcoming in the security_path_*
> > > > patchset. Unfortunate bc that is going to be a pain to work out.
> > > Thanks for your constructive and tough suggestion. ;-)
> > >
> > > > So for starters,
> > > > both vfs_mknod and vfs_create do may_create, so just pull that
> > > > into the callers.
> > > Do you mean that we should move DAC code to all the caller of vfs_* ?
> >
> > That's not reasonable, is it.
> >
> > The rule thus far has been 'DAC before MAC'. Question to all: do we
> > insist on keeping it that way?
>
> It isn't a hard rule; there are already some hooks that occur before the
> DAC checking, e.g. setattr, because the DAC checking happens in the fs
> code as part of the inode op. But when possible, we prefer DAC before
> MAC for SELinux so that we don't get noise in the audit logs from
Since SELinux won't be using the security_path hooks, it won't be
affected by this, though, right?
Though if we start down the path of mixing dac+mac with _path hooks then
it may get harder to continue to keep that order for other hooks...
> harmless application/library probing that would be denied by DAC anyway.
> Same issue would seemingly apply for learning modes of TOMOYO or
> AppArmor.
Good point. Kentaro, is that an issue for you?
> > If the answer is yes, then the security_path_hooks patch is inherently
> > wrong.
> >
> > If the answer is no, then Kentaro doesn't need to resort to this
> > ugliness to try and get may_delete() called before his MAC code, only to
> > have may_delete() called a second time from the vfs_* functions.
>
> --
> Stephen Smalley
> National Security Agency
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2008-09-30 16:23 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-24 9:03 [TOMOYO #9 (2.6.27-rc7-mm1) 0/6] TOMOYO Linux Kentaro Takeda
2008-09-24 9:03 ` [TOMOYO #9 (2.6.27-rc7-mm1) 1/6] LSM adapter functions Kentaro Takeda
2008-09-25 16:59 ` Serge E. Hallyn
2008-09-26 5:38 ` Kentaro Takeda
2008-09-26 13:04 ` Serge E. Hallyn
2008-09-29 4:04 ` Kentaro Takeda
2008-09-30 15:45 ` Serge E. Hallyn
2008-09-30 16:14 ` Stephen Smalley
2008-09-30 16:23 ` Serge E. Hallyn [this message]
2008-10-01 8:19 ` Kentaro Takeda
2008-10-01 2:33 ` Casey Schaufler
2008-10-01 5:05 ` Valdis.Kletnieks
2008-10-01 8:23 ` Kentaro Takeda
2008-10-01 21:15 ` Serge E. Hallyn
2008-10-02 5:04 ` Kentaro Takeda
2008-10-02 13:39 ` Serge E. Hallyn
2008-10-03 6:37 ` Kentaro Takeda
2008-10-03 13:09 ` Serge E. Hallyn
2008-10-06 2:19 ` Kentaro Takeda
2008-10-06 16:54 ` Serge E. Hallyn
2008-10-07 6:28 ` Kentaro Takeda
2008-09-24 9:03 ` [TOMOYO #9 (2.6.27-rc7-mm1) 2/6] Memory and pathname management functions Kentaro Takeda
2008-09-24 9:03 ` [TOMOYO #9 (2.6.27-rc7-mm1) 3/6] Common functions for TOMOYO Linux Kentaro Takeda
2008-09-24 9:03 ` [TOMOYO #9 (2.6.27-rc7-mm1) 4/6] Domain transition handler Kentaro Takeda
2008-09-24 9:03 ` [TOMOYO #9 (2.6.27-rc7-mm1) 5/6] File operation restriction part Kentaro Takeda
2008-09-24 9:03 ` [TOMOYO #9 (2.6.27-rc7-mm1) 6/6] Kconfig and Makefile Kentaro Takeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080930162321.GA31779@us.ibm.com \
--to=serue@us.ibm.com \
--cc=haradats@nttdata.co.jp \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=takedakn@nttdata.co.jp \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox