From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
"Serge E. Hallyn" <serue@us.ibm.com>
Cc: linux-kernel@vger.kernel.org, casey@schaufler-ca.com,
chrisw@sous-sol.org, darwish.07@gmail.com, jmorris@namei.org,
method@manicmethod.com, morgan@kernel.org, paul.moore@hp.com,
LSM List <linux-security-module@vger.kernel.org>
Subject: Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree
Date: Wed, 21 Nov 2007 09:21:04 -0800 (PST) [thread overview]
Message-ID: <383368.46196.qm@web36605.mail.mud.yahoo.com> (raw)
In-Reply-To: <1195660319.759.50.camel@moss-spartans.epoch.ncsc.mil>
--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2007-11-21 at 09:48 -0600, Serge E. Hallyn wrote:
> > Quoting akpm@linux-foundation.org (akpm@linux-foundation.org):
> > > +/*
> > > + * There are not enough CAP bits available to make this
> > > + * real, so Casey borrowed the capability that looks to
> > > + * him like it has the best balance of similarity amd
> > > + * low use.
> > > + */
> > > +#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
> >
> > Hey Casey,
> >
> > note that 64-bit capabilities are now in -mm, so you could grab your own
> > capability.
A proposal with merit. I'll do it.
> Which brings up an interesting question - what to do with
> security-module-specific capabilities? CAP_MAC_OVERRIDE is specific to
> Smack - other MAC modules like SELinux won't honor it. Maybe it should
> be CAP_SMACK_OVERRIDE.
But what about the MAC modules like Smack that do honor it?
They shouldn't be using a module specific capability, so
calling it CAP_SMACK_OVERRIDE isn't right because then the
SecureWare* port would have to introduce CAP_SECUREWARE_OVERRIDE
and bam, there go all your shiny new capability values. Further,
Smack isn't what's overridden by CAP_MAC_OVERRIDE, it's the
access control check, which is not the same thing at all at all.
SELinux ignoring CAP_MAC_OVERRIDE is perfectly within the
restrictive model of the LSM. If someone ported the Trusted
Irix 4 MLS system as an LSM** having CAP_MAC_OVERRIDE wouldn't
have to allow read of higher labeled files, as the policy on that
system never allowed that, even for privileged processes.
SELinux has every right to make it's own choices regarding how
it behaves relative to any specific capability because it is
allowed to restrict access in any way it sees fit. I think that
you would get in trouble if you changed the value of a capability
on a task within the LSM, because that will impact the "usual"
access checks, but I wouldn't expect to see you doing that.
SELinux has gone in a different direction on privileged operations
than capabilities, so it's not surprising that the two schemes
don't look like they're meshing very well in this case.
----
* SecureWare was an MLS "kit". The MLS version of HP/UX was based
on it, and the Macintosh version got the first ever CMW evaluation.
SELinux took many of the same design approaches as SecureWare,
and in it's early versions bore a somewhat frightening resemblence
to the earlier system.
** Trix4 allowed a privileged process to write lower labeled files,
but not read higher labeled files. That way any files that got
created "by accident" were assured to be labeled at least as high
as the data they contained.
Casey Schaufler
casey@schaufler-ca.com
next prev parent reply other threads:[~2007-11-21 17:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200711202206.lAKM6BlW025868@imap1.linux-foundation.org>
2007-11-21 15:48 ` + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree Serge E. Hallyn
2007-11-21 15:51 ` Stephen Smalley
2007-11-21 17:04 ` Serge E. Hallyn
2007-11-21 17:21 ` Casey Schaufler [this message]
2007-11-21 18:02 ` Stephen Smalley
2007-11-21 19:19 ` Casey Schaufler
2007-11-24 3:25 ` Andrew Morgan
2007-11-24 4:47 ` Casey Schaufler
2007-11-24 6:09 ` Andrew Morgan
2007-11-24 11:39 ` Crispin Cowan
2007-11-24 19:16 ` Casey Schaufler
2007-11-25 2:07 ` Kyle Moffett
2007-11-25 3:36 ` Crispin Cowan
2007-11-26 17:36 ` Kyle Moffett
2007-11-26 19:55 ` Joshua Brindle
2007-11-24 11:39 ` Crispin Cowan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=383368.46196.qm@web36605.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=chrisw@sous-sol.org \
--cc=darwish.07@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=method@manicmethod.com \
--cc=morgan@kernel.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox