From: Jan Dittmer <jdi@l4x.org>
To: David Howells <dhowells@redhat.com>
Cc: sds@tycho.nsa.gov, jmorris@namei.org, chrisw@sous-sol.org,
selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org,
aviro@redhat.com
Subject: Re: Security issues with local filesystem caching
Date: Thu, 26 Oct 2006 11:14:25 +0200 [thread overview]
Message-ID: <45407C71.5070407@l4x.org> (raw)
In-Reply-To: <16969.1161771256@redhat.com>
David Howells wrote:
> Hi,
>
> Some issues have been raised by Christoph Hellwig over how I'm handling
> filesystem security in my CacheFiles module, and I'd like advice on how to deal
> with them.
>
> CacheFiles stores its cache objects as files and directories in a tree under a
> directory nominated by the configuration. This means the data it is holding
> (a) is potentially exposed to userspace, and (b) must be labelled for access
> control according to the usual filesystem rules.
>
> Currently, CacheFiles temporarily changes fsuid and fsgid to 0 whilst doing its
> own pathwalk through the cache and whilst creating files and directories in the
> cache. This allows it to deal with DAC security directly. All the directories
> it creates are given permissions mask 0700 and all files 0000.
>
> However, Christoph has objected to this practice, and has said that I'm not
> allowed to change fsuid and fsgid. The problem with not doing so is that this
> code is running in the context of the process that issued the original open(),
> read(), write(), etc, and so any accesses or creations it does would be done
> with that process's fsuid and fsgid, which would lead to a cache with bits that
> can't be shared between users.
>
> Another thing I'm currently doing is bypassing the usual calls to the LSM
> hooks. This means that I'm not setting and checking security labels and MACs.
> The reason for this is again that I'm running in some random process's context
> and labelling and MAC'ing will affect the sharability of the cache. This was
> objected to also.
>
> This also bypasses auditing (I think). I don't want the CacheFiles module's
> access to the cache to be logged against whatever process was accessing, say,
> an NFS file. That process didn't ask to access the cache, and the cache is
> meant to be transparent.
>
> I can see a few ways to deal with this:
>
> (1) Do all the cache operations in their own thread (sort of like knfsd).
>
> (2) Add further security ops for the caching code to call. These might be of
> use elsewhere in the kernel. These would set cache-specific security
> labels and check for them.
>
> (3) Add a flag or something to current to override the normal security on the
> basis that it should be using the cache's security rather than the
> process's security.
Why again no local userspace daemon to do the caching? That would
put the policy out of the kernel. The additional context switches
are probably pretty cheap compared to the io operations.
Thanks,
Jan
next prev parent reply other threads:[~2006-10-26 9:15 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-25 10:14 Security issues with local filesystem caching David Howells
2006-10-25 16:52 ` Nate Diller
2006-10-25 16:48 ` Jeff V. Merkey
2006-10-25 17:21 ` David Howells
2006-10-25 17:42 ` Jeff V. Merkey
2006-10-25 18:15 ` David Howells
2006-10-25 20:21 ` Josef Sipek
2006-10-25 20:28 ` Josef Sipek
2006-10-26 9:56 ` David Howells
2006-10-27 15:54 ` Josef Sipek
2006-10-25 21:12 ` Stephen Smalley
2006-10-26 10:40 ` David Howells
2006-10-26 12:51 ` Stephen Smalley
2006-10-26 16:04 ` David Howells
2006-10-26 16:34 ` Stephen Smalley
2006-10-26 17:09 ` David Howells
2006-10-26 17:45 ` Stephen Smalley
2006-10-26 22:53 ` David Howells
2006-10-27 14:48 ` Stephen Smalley
2006-10-27 15:42 ` David Howells
2006-10-27 16:10 ` Stephen Smalley
2006-10-27 16:25 ` David Howells
2006-10-27 17:09 ` Stephen Smalley
2006-10-27 17:34 ` David Howells
2006-10-27 14:41 ` David Howells
2006-10-25 23:37 ` Alan Cox
2006-10-26 0:32 ` Al Viro
2006-10-26 10:45 ` David Howells
2006-10-26 10:54 ` Alan Cox
2006-10-26 9:14 ` Jan Dittmer [this message]
2006-10-26 10:55 ` David Howells
2006-10-26 11:52 ` Alan Cox
2006-10-31 21:26 ` David Howells
2006-11-01 13:28 ` Stephen Smalley
2006-11-01 15:34 ` David Howells
2006-11-01 15:58 ` Karl MacMillan
2006-11-01 17:45 ` Stephen Smalley
2006-11-02 16:29 ` Karl MacMillan
2006-11-02 18:04 ` Stephen Smalley
2006-11-01 17:30 ` Stephen Smalley
2006-11-02 17:16 ` David Howells
2006-11-02 19:49 ` Trond Myklebust
2006-11-02 20:38 ` David Howells
2006-11-02 21:24 ` Trond Myklebust
2006-11-03 10:27 ` David Howells
2006-11-03 13:41 ` Trond Myklebust
2006-11-03 15:23 ` David Howells
2006-11-03 17:30 ` Trond Myklebust
2006-11-14 19:22 ` David Howells
2006-11-15 14:05 ` Trond Myklebust
2006-11-15 15:28 ` David Howells
2006-11-15 16:41 ` Trond Myklebust
2006-11-15 18:17 ` David Howells
2006-11-03 15:33 ` David Howells
2006-11-02 20:33 ` Stephen Smalley
2006-11-02 21:05 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45407C71.5070407@l4x.org \
--to=jdi@l4x.org \
--cc=aviro@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox