public inbox for linux-kernel@vger.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: "David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: jmorris@namei.org, sds@tycho.nsa.gov, gregkh@suse.de,
	ebiederm@xmission.com, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH] Security/sysfs: Enable security xattrs to be set on sysfs files, directories, and symlinks.
Date: Thu, 20 Aug 2009 20:38:06 -0700
Message-ID: <4A8E169E.70009@schaufler-ca.com>
In-Reply-To: <1250774285.2542.72.camel@moss-terrapins.epoch.ncsc.mil>

David P. Quigley wrote:
> Since Casey has withdrawn his NAK for the patch I guess the only other
> concern was about the generality of the solution from Eric. Did Steve's
> response adequately address this or are there any other questions that
> people need answered before Greg can take the patch?
>

Well, I've withdrawn the NAK, but I would still like to see:

Use the xattr, not a secid. Really. An LSM that has multiple attributes
is going to get bitten by that one. Also, any LSM that does neither
networking nor audit has no need for secids, so I would be happier if
the use of secids didn't expand into the file system space. Plus,
if it is going to be rare for an xattr to be set in sysfs (Stephen's
claim, which is consistent with my experience) saving a real xattr
should be no big deal.

Replace the security_xattr_to_secid hook in any case. All this is doing
is exposing what should be a strictly LSM internal function. You can
do it with a combination of existing hooks, if you have the time to code
up the error conditions.

You can ignore these objections if you feel you must. I'll still buy
a round in Portland.

