From: David Howells <dhowells@redhat.com>
To: Crispin Cowan <crispin@crispincowan.com>
Cc: dhowells@redhat.com, Stephen Smalley <sds@tycho.nsa.gov>,
Karl MacMillan <kmacmill@redhat.com>,
viro@ftp.linux.org.uk, hch@infradead.org,
Trond.Myklebust@netapp.com, casey@schaufler-ca.com,
linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org,
apparmor-dev <apparmor-dev@forge.novell.com>
Subject: Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]
Date: Wed, 19 Dec 2007 23:38:27 +0000 [thread overview]
Message-ID: <2618.1198107507@redhat.com> (raw)
In-Reply-To: <47688FD9.6080705@crispincowan.com>
Crispin Cowan <crispin@crispincowan.com> wrote:
> > This is used, for example, by CacheFiles which has to transparently access
> > the cache on behalf of a process that thinks it is doing, say, NFS
> > accesses with a potentially inappropriate (with respect to accessing the
> > cache) set of security data.
> I'm not sure, but I think that you could do this *much* easier in
> AppArmor using change_profile to switch the NFS Daemon to the profile of
> the requesting process. That still leaves some problems:
NFS Daemon? NFS quite often runs in the context of whichever process issued,
say, a read syscall. It's at this point the cachefiles needs to run, and
using change_profile is I suspect not an option there. Remember: you can't
change the objective profile of the aforementioned process, hence the act_as
pointer.
That said, I don't know what change_profile does.
> However, it seems to me that you have the same problem with SELinux:
> what do you do if the domain/type of the requesting process does not
> exist on the NFS server? How do you ensure a uniform name space of types?
I'm not sure what you're getting at. The security NFS uses to access the
server is separate from the security that cachefiles uses to access the cache.
> > How about I just stick the context in /etc/cachefilesd.conf as a textual
> > configuration item and have the daemon pass that as a string to the
> > cachefiles kernel module, which can then ask LSM if it's valid to set this
> > context as an override, given the daemon's own security context? That
> > seems entirely reasonable to me.
> >
> That semantically maps well to the AppArmor change_profile() API, so
> conceptually it should work.
Okay.
> It would be easier if you did that in user space instead of in the kernel,
Do what in userspace? Parse the context? Validate the context? Or change
the context?
> I don't know if it causes a problem to attempt to kind-of call
> change_profile() from within the kernel. Notably, change_profile can fail,
> so what does your kernel module do when the attempt to change security
> context fails?
The cache aborts and all subsequent operations on that cache bounce and go to
the server instead.
The change of context cannot be done in userspace because to get to a
userspace capable of attempting this operation would itself require a change
of context. Besides, it'd also be inefficient, probably horribly so, to do
all caching ops in userspace.
What I need is an LSM operation to change a task_security struct to have a
specified context. I can then use the task_security struct in all future
cache ops on a cache by pointing task->act_as at it.
David
next prev parent reply other threads:[~2007-12-19 23:39 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-05 19:38 [PATCH 00/28] Permit filesystem local caching [try #2] David Howells
2007-12-05 19:38 ` [PATCH 01/28] KEYS: Increase the payload size when instantiating a key " David Howells
2007-12-05 19:38 ` [PATCH 02/28] KEYS: Check starting keyring as part of search " David Howells
2007-12-05 19:38 ` [PATCH 03/28] KEYS: Allow the callout data to be passed as a blob rather than a string " David Howells
2007-12-05 19:38 ` [PATCH 04/28] KEYS: Add keyctl function to get a security label " David Howells
2007-12-05 19:38 ` [PATCH 05/28] Security: Change current->fs[ug]id to current_fs[ug]id() " David Howells
2007-12-05 19:38 ` [PATCH 06/28] SECURITY: Separate task security context from task_struct " David Howells
2007-12-05 19:38 ` [PATCH 07/28] SECURITY: De-embed task security record from task and use refcounting " David Howells
2007-12-05 19:38 ` [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions " David Howells
2007-12-10 16:46 ` Stephen Smalley
2007-12-10 17:07 ` David Howells
2007-12-10 17:23 ` Stephen Smalley
2007-12-10 21:08 ` David Howells
2007-12-10 21:27 ` Stephen Smalley
2007-12-10 22:26 ` Casey Schaufler
2007-12-10 23:44 ` David Howells
2007-12-10 23:56 ` Casey Schaufler
2007-12-11 18:34 ` Stephen Smalley
2007-12-11 19:26 ` Casey Schaufler
2007-12-11 19:56 ` Stephen Smalley
2007-12-11 20:40 ` Casey Schaufler
2007-12-10 23:36 ` David Howells
2007-12-10 23:46 ` Casey Schaufler
2007-12-11 19:52 ` Stephen Smalley
2007-12-11 19:37 ` Stephen Smalley
2007-12-11 20:42 ` David Howells
2007-12-11 21:18 ` Casey Schaufler
2007-12-11 21:34 ` Stephen Smalley
2007-12-11 22:43 ` David Howells
2007-12-11 23:04 ` Casey Schaufler
2007-12-12 15:25 ` Stephen Smalley
2007-12-12 16:51 ` Casey Schaufler
2007-12-12 18:12 ` Stephen Smalley
2007-12-12 18:34 ` David Howells
2007-12-12 19:44 ` Casey Schaufler
2007-12-12 19:49 ` Stephen Smalley
2007-12-12 20:09 ` Casey Schaufler
2007-12-12 22:29 ` David Howells
2007-12-12 22:32 ` David Howells
2007-12-12 18:29 ` David Howells
2007-12-12 19:33 ` Stephen Smalley
2007-12-12 22:49 ` David Howells
2007-12-13 14:49 ` Stephen Smalley
2007-12-13 15:36 ` David Howells
2007-12-13 16:23 ` Stephen Smalley
2007-12-13 17:01 ` David Howells
2007-12-13 17:27 ` Stephen Smalley
2007-12-13 18:04 ` David Howells
2007-12-12 19:37 ` Casey Schaufler
2007-12-12 22:52 ` David Howells
2007-12-12 18:25 ` David Howells
2007-12-12 19:20 ` Casey Schaufler
2007-12-12 19:29 ` David Howells
2007-12-12 19:35 ` Stephen Smalley
2007-12-12 22:55 ` David Howells
2007-12-13 14:51 ` Stephen Smalley
2007-12-13 16:03 ` David Howells
2007-12-19 3:28 ` Crispin Cowan
2007-12-19 5:39 ` Casey Schaufler
2007-12-19 14:54 ` Stephen Smalley
2007-12-19 3:28 ` Crispin Cowan
2007-12-19 23:38 ` David Howells [this message]
2007-12-12 14:41 ` Karl MacMillan
2007-12-12 14:53 ` David Howells
2007-12-12 14:59 ` Karl MacMillan
2008-01-09 16:51 ` David Howells
2008-01-09 17:27 ` David Howells
2008-01-09 18:11 ` Stephen Smalley
2008-01-09 18:56 ` David Howells
2008-01-09 19:19 ` Stephen Smalley
2008-01-10 11:09 ` David Howells
2008-01-14 14:01 ` David Howells
2008-01-14 14:06 ` David Howells
2008-01-15 14:58 ` Stephen Smalley
2008-01-23 20:52 ` David Howells
2008-01-23 22:03 ` James Morris
2008-01-14 14:52 ` Casey Schaufler
2008-01-14 15:19 ` David Howells
2008-01-15 14:56 ` Stephen Smalley
2008-01-15 16:03 ` David Howells
2008-01-15 16:08 ` Stephen Smalley
2008-01-15 18:10 ` Casey Schaufler
2008-01-15 19:15 ` Stephen Smalley
2008-01-15 21:55 ` David Howells
2008-01-15 22:23 ` Casey Schaufler
2007-12-05 19:39 ` [PATCH 09/28] FS-Cache: Release page->private after failed readahead " David Howells
2007-12-14 3:51 ` Nick Piggin
2007-12-17 22:42 ` David Howells
2007-12-18 7:03 ` Nick Piggin
2007-12-05 19:39 ` [PATCH 10/28] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2007-12-14 4:08 ` Nick Piggin
2007-12-17 22:36 ` David Howells
2007-12-18 7:00 ` Nick Piggin
2007-12-20 18:33 ` David Howells
2007-12-21 1:08 ` Nick Piggin
2008-01-02 16:27 ` David Howells
2008-01-07 11:33 ` Nick Piggin
2008-01-07 13:09 ` David Howells
2008-01-08 3:01 ` Nick Piggin
2008-01-08 23:51 ` David Howells
2008-01-09 1:52 ` Nick Piggin
2008-01-09 15:45 ` David Howells
2008-01-09 23:52 ` Nick Piggin
2007-12-05 19:39 ` [PATCH 11/28] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2007-12-05 19:39 ` [PATCH 12/28] FS-Cache: Generic filesystem caching facility " David Howells
2007-12-05 19:39 ` [PATCH 13/28] CacheFiles: Add missing copy_page export for ia64 " David Howells
2007-12-05 19:39 ` [PATCH 14/28] CacheFiles: Be consistent about the use of mapping vs file->f_mapping in Ext3 " David Howells
2007-12-05 19:39 ` [PATCH 15/28] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2007-12-05 19:39 ` [PATCH 16/28] CacheFiles: Permit the page lock state to be monitored " David Howells
2007-12-05 19:39 ` [PATCH 17/28] CacheFiles: Export things for CacheFiles " David Howells
2007-12-05 19:39 ` [PATCH 18/28] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2007-12-05 19:39 ` [PATCH 19/28] NFS: Use local caching " David Howells
2007-12-05 19:40 ` [PATCH 20/28] NFS: Configuration and mount option changes to enable local caching on NFS " David Howells
2007-12-05 19:40 ` [PATCH 21/28] NFS: Display local caching state " David Howells
2007-12-05 19:40 ` [PATCH 22/28] fcrypt endianness misannotations " David Howells
2007-12-05 19:40 ` [PATCH 23/28] AFS: Add TestSetPageError() " David Howells
2007-12-05 19:40 ` [PATCH 24/28] AFS: Add a function to excise a rejected write from the pagecache " David Howells
2007-12-14 4:21 ` Nick Piggin
2007-12-17 22:54 ` David Howells
2007-12-18 7:07 ` Nick Piggin
2007-12-20 18:49 ` David Howells
2007-12-21 1:11 ` Nick Piggin
2007-12-05 19:40 ` [PATCH 25/28] AFS: Improve handling of a rejected writeback " David Howells
2007-12-05 19:40 ` [PATCH 26/28] AF_RXRPC: Save the operation ID for debugging " David Howells
2007-12-05 19:40 ` [PATCH 27/28] AFS: Implement shared-writable mmap " David Howells
2007-12-05 19:40 ` [PATCH 28/28] FS-Cache: Make kAFS use FS-Cache " David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2618.1198107507@redhat.com \
--to=dhowells@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=apparmor-dev@forge.novell.com \
--cc=casey@schaufler-ca.com \
--cc=crispin@crispincowan.com \
--cc=hch@infradead.org \
--cc=kmacmill@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).