From: David Howells <dhowells@redhat.com>
To: sds@tycho.nsa.gov, Karl MacMillan <kmacmill@redhat.com>
Cc: David Howells <dhowells@redhat.com>,
jmorris@namei.org, chrisw@sous-sol.org, selinux@tycho.nsa.gov,
linux-kernel@vger.kernel.org, aviro@redhat.com
Subject: Re: Security issues with local filesystem caching
Date: Tue, 31 Oct 2006 21:26:48 +0000 [thread overview]
Message-ID: <31035.1162330008@redhat.com> (raw)
In-Reply-To: <16969.1161771256@redhat.com>
David Howells <dhowells@redhat.com> wrote:
> Some issues have been raised by Christoph Hellwig over how I'm handling
> filesystem security in my CacheFiles module, and I'd like advice on how to
> deal with them.
Having discussed this with Stephen Smally and Karl MacMillan, this is, I think,
the security model for CacheFiles:
(*) There will be four security labels per cache:
(a) A security label attached to the caching directory and all the files
and directories contained therein. This identifies those files as
being part of a particular cache's working set.
(b) A security label that defines the context under which the daemon
(cachefilesd) operates. This permits cachefilesd to be restricted to
only accessing files labelled in (a), and only to do things like stat,
list and delete them - not read or write them.
(c) A security label that defines the context under which the module
operates when accessing the cache. This allows the module, when
accessing the cache, to only operate within the bounds of the cache.
It also permits the module to set a common security label on all the
files it creates in the cache.
(d) A security label to attached to the cachefiles control character
device. This limits access to processes with label (b).
(*) The module will obtain label (a) - the security label with which to label
the files it creates (create_sid) - by reading the security label on the
cache base directory (inode->i_security->sid).
(*) The module will obtain label (c) by reading label (b) from the cachefilesd
process when it opens the cachefiles control chardev and then passing it
through security_change_sid() to ask the security policy to for label (c).
(*) When accessing the cache to look up a cache object (equivalent to NFS read
inode), the CacheFiles module will make temporary substitutions for the
following process security attributes:
(1) current->fsuid and current->fsgid will both become 0.
(2) current->security->create_sid will be set to label (a) so that
vfs_mkdir() and vfs_create() will set the correct labels.
(3) current->security->sid will be set to label (c) so that vfs_mkdir(),
vfs_create() and lookup ops will check for the correct labels.
After the access, the old label will be restored.
Point (3) shouldn't cause a cross-thread race as it would appear that the
security label can only be changed on single-threaded processes. Attempts
to do so on multi-threaded processes are rejected.
David
next prev parent reply other threads:[~2006-10-31 21:28 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-25 10:14 Security issues with local filesystem caching David Howells
2006-10-25 16:52 ` Nate Diller
2006-10-25 16:48 ` Jeff V. Merkey
2006-10-25 17:21 ` David Howells
2006-10-25 17:42 ` Jeff V. Merkey
2006-10-25 18:15 ` David Howells
2006-10-25 20:21 ` Josef Sipek
2006-10-25 20:28 ` Josef Sipek
2006-10-26 9:56 ` David Howells
2006-10-27 15:54 ` Josef Sipek
2006-10-25 21:12 ` Stephen Smalley
2006-10-26 10:40 ` David Howells
2006-10-26 12:51 ` Stephen Smalley
2006-10-26 16:04 ` David Howells
2006-10-26 16:34 ` Stephen Smalley
2006-10-26 17:09 ` David Howells
2006-10-26 17:45 ` Stephen Smalley
2006-10-26 22:53 ` David Howells
2006-10-27 14:48 ` Stephen Smalley
2006-10-27 15:42 ` David Howells
2006-10-27 16:10 ` Stephen Smalley
2006-10-27 16:25 ` David Howells
2006-10-27 17:09 ` Stephen Smalley
2006-10-27 17:34 ` David Howells
2006-10-27 14:41 ` David Howells
2006-10-25 23:37 ` Alan Cox
2006-10-26 0:32 ` Al Viro
2006-10-26 10:45 ` David Howells
2006-10-26 10:54 ` Alan Cox
2006-10-26 9:14 ` Jan Dittmer
2006-10-26 10:55 ` David Howells
2006-10-26 11:52 ` Alan Cox
2006-10-31 21:26 ` David Howells [this message]
2006-11-01 13:28 ` Stephen Smalley
2006-11-01 15:34 ` David Howells
2006-11-01 15:58 ` Karl MacMillan
2006-11-01 17:45 ` Stephen Smalley
2006-11-02 16:29 ` Karl MacMillan
2006-11-02 18:04 ` Stephen Smalley
2006-11-01 17:30 ` Stephen Smalley
2006-11-02 17:16 ` David Howells
2006-11-02 19:49 ` Trond Myklebust
2006-11-02 20:38 ` David Howells
2006-11-02 21:24 ` Trond Myklebust
2006-11-03 10:27 ` David Howells
2006-11-03 13:41 ` Trond Myklebust
2006-11-03 15:23 ` David Howells
2006-11-03 17:30 ` Trond Myklebust
2006-11-14 19:22 ` David Howells
2006-11-15 14:05 ` Trond Myklebust
2006-11-15 15:28 ` David Howells
2006-11-15 16:41 ` Trond Myklebust
2006-11-15 18:17 ` David Howells
2006-11-03 15:33 ` David Howells
2006-11-02 20:33 ` Stephen Smalley
2006-11-02 21:05 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31035.1162330008@redhat.com \
--to=dhowells@redhat.com \
--cc=aviro@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=jmorris@namei.org \
--cc=kmacmill@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox