From: David Howells <dhowells@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: David Howells <dhowells@redhat.com>,
Linus Torvalds <torvalds@osdl.org>, Andrew Morton <akpm@osdl.org>,
keyrings@linux-nfs.org, linux-kernel@vger.kernel.org,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management
Date: Thu, 06 Oct 2005 12:06:00 +0100 [thread overview]
Message-ID: <23641.1128596760@warthog.cambridge.redhat.com> (raw)
In-Reply-To: <Pine.LNX.4.63.0510060404141.25593@excalibur.intercode>
James Morris <jmorris@namei.org> wrote:
> I think this looks ok from an SELinux point of view if keys are treated as
> opaque objects, i.e. like files.
I'll make some changes based on the suggestions I've received. Those who
request the return of keyfs can go boil their heads.
> We could do something like create a new object class (kernkey or
> something) and implement SELinux permissions for the class such as read,
> write, search, link, setattr and getattr. Your KEY_VIEW perm could be
> translated to SELinux getattr.
Should I expand the permissions mask to include a setattr?
> More thought needs to go into whether we need to implement an SELinux
> create permission (and add hooks into the code), for control over whether
> a process can create an anonymous keyring.
That's not really a per-key type of thing.
> I'm not sure if we need user-level labeling of keys via the set & get
> security ops, although LSPP may require some form of get_security. If we
> don't need to manually set security attributes but still view them, they
> could be displayed via /proc/keys rather than implementing a separate
> multiplexed syscall.
Would it be worth me adding a key type op by which a security module can ask
the type its opinion (or by which key_alloc() can ask the type to give the
security module an earful)?
> keyctl_chown_key()
> keyctl_setperm_key()
Okay.
> keyctl_set_reqkey_keyring()
Should this really be securified? It merely controls the default destination
for a key created by request_key(), and is limited to the keyrings the process
is subscribed to in any case.
> keyctl_join_session_keyring() [only if we add a 'create' perm]
This does need a security hook, at least for joining an existing session.
I wonder if I should treat named sessions on a per-user basis and whether I
should separate them from keyrings, so that session names refer to keyrings
and have their own permissions and security, but aren't those keyrings. This
latter bit is the big stumbling block that I had with the clone-handle
functionality that Kyle Moffett woulkd like.
> All users of key_permission() need to propagate the error code from the
> LSM back to the user.
Really? Why?
Note that the fact that key_permission() fails for a key is sometimes ignored,
such as when I'm doing a search and one potentially matching key fails, but a
subsequent matching key passes.
David
next prev parent reply other threads:[~2005-10-06 11:06 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-05 16:28 [PATCH] Keys: Add LSM hooks for key management David Howells
2005-10-05 16:44 ` [Keyrings] " James Morris
2005-10-05 16:48 ` David Howells
2005-10-05 19:31 ` James Morris
2005-10-05 18:40 ` serue
2005-10-05 21:10 ` [Keyrings] " Chris Wright
2005-10-06 8:03 ` James Morris
2005-10-06 10:54 ` David Howells
2005-10-06 15:04 ` James Morris
2005-10-06 15:18 ` David Howells
2005-10-06 16:02 ` James Morris
2005-10-07 8:50 ` David Howells
2005-10-07 18:36 ` Chris Wright
2005-10-06 17:58 ` Chris Wright
2005-10-07 9:10 ` David Howells
2005-10-07 12:59 ` Stephen Smalley
2005-10-07 18:51 ` Chris Wright
2005-10-06 10:30 ` David Howells
2005-10-06 23:10 ` Chris Wright
2005-10-07 9:57 ` David Howells
2005-10-07 19:36 ` Chris Wright
2005-10-06 8:38 ` James Morris
2005-10-06 11:06 ` David Howells [this message]
2005-10-06 14:25 ` James Morris
2005-10-06 15:11 ` David Howells
2005-10-06 16:14 ` James Morris
2005-10-07 9:03 ` David Howells
2005-10-07 14:05 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23641.1128596760@warthog.cambridge.redhat.com \
--to=dhowells@redhat.com \
--cc=akpm@osdl.org \
--cc=jmorris@namei.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox