Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Crispin Cowan <crispin@crispincowan.com>
To: Andrew Morgan <morgan@kernel.org>
Cc: casey@schaufler-ca.com, Stephen Smalley <sds@tycho.nsa.gov>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	linux-kernel@vger.kernel.org, chrisw@sous-sol.org,
	darwish.07@gmail.com, jmorris@namei.org, method@manicmethod.com,
	paul.moore@hp.com,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree
Date: Sat, 24 Nov 2007 03:39:34 -0800	[thread overview]
Message-ID: <47480D76.8030701@crispincowan.com> (raw)
In-Reply-To: <4747C003.3070709@kernel.org>

Andrew Morgan wrote:
> Its not so much why you are wrong, as being clear that we're not using a
> generic name and inadvertently limiting ourselves to a SMACK-like model...
>   
It seems we all agree that it is a bad idea to tie a POSIX Capability to
one specific LSM model.

> It feels to me as if a MAC "override capability" is, if true to its
> name, extra to the MAC model; any MAC model that needs an 'override' to
> function seems under-specified...
An interesting observation. This is a core part of why I have always
found the hierarchical models BLP and Biba to be unsatisfying. These
systems essentially have one simple fixed policy "process label must
dominate object label to get access", and then you express all the rest
of your "policy" by labeling your stuff. It is impossible to manage such
systems without a MAC_OVERRIDE escape hatch of some kind, because the
"policy" is too simple and inflexible, e.g. it does not allow you to
reclassify anything.

>  SELinux clearly feels no need for one,
>   
That's not quite right. More specifically, it already has one in the
form of unconfined_t. AppArmor has a similar escape hatch in the "Ux"
permission. Its not that they don't need one, it is that they already
have one. They get to have one because they allow you to actually write
a policy that is more nuanced than "process label must dominate object
label".

> and browsing through your SMACK patch, there are many instances where
> this capability is used as an convenience privileged override. However,
> in other situations, it appears as if the capability is required for
> basic SMACK operations to succeed.
>
> My sense is that there is a case to be made for: CAP_MAC_ADMIN and
> CAP_MAC_OVERRIDE here. The former being for cases where SMACK (or
> whatever MAC supports it) requires privilege to perform a privileged MAC
> operation, and the latter for saying "OK, I'm without a paddle but need
> one" (or words to that effect).
>   
I don't get the difference. Both seem to permit the process to violate
the MAC policy. I could make up a meaning for MAC_ADMIN that is
different from MAC_OVERRIDE in the AppArmor sense, but I don't want to
:-) and worse, I suspect the distinction would be different for each
LSM. So let not, and just have one MAC_OVERRIDE capability.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
CEO, Mercenary Linux		   http://mercenarylinux.com/
	       Itanium. Vista. GPLv3. Complexity at work

next prev parent reply	other threads:[~2007-11-24 11:38 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <200711202206.lAKM6BlW025868@imap1.linux-foundation.org>
2007-11-21 15:48 ` + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree Serge E. Hallyn
2007-11-21 15:51   ` Stephen Smalley
2007-11-21 17:04     ` Serge E. Hallyn
2007-11-21 17:21     ` Casey Schaufler
2007-11-21 18:02       ` Stephen Smalley
2007-11-21 19:19         ` Casey Schaufler
2007-11-24  3:25           ` Andrew Morgan
2007-11-24  4:47             ` Casey Schaufler
2007-11-24  6:09               ` Andrew Morgan
2007-11-24 11:39                 ` Crispin Cowan [this message]
2007-11-24 19:16                   ` Casey Schaufler
2007-11-25  2:07                   ` Kyle Moffett
2007-11-25  3:36                     ` Crispin Cowan
2007-11-26 17:36                       ` Kyle Moffett
2007-11-26 19:55                         ` Joshua Brindle
2007-11-24 11:39               ` Crispin Cowan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47480D76.8030701@crispincowan.com \
    --to=crispin@crispincowan.com \
    --cc=casey@schaufler-ca.com \
    --cc=chrisw@sous-sol.org \
    --cc=darwish.07@gmail.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=method@manicmethod.com \
    --cc=morgan@kernel.org \
    --cc=paul.moore@hp.com \
    --cc=sds@tycho.nsa.gov \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox