From: Casey Schaufler <casey@schaufler-ca.com>
To: Roberto Sassu <roberto.sassu@polito.it>
Cc: linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
dhowells@redhat.com, jmorris@namei.org, zohar@linux.vnet.ibm.com,
safford@watson.ibm.com, tyhicks@linux.vnet.ibm.com,
kirkland@canonical.com, ecryptfs-devel@lists.launchpad.net,
eparis@redhat.com, sds@tycho.nsa.gov, selinux@tycho.nsa.gov,
viro@zeniv.linux.org.uk
Subject: Re: [RFC][PATCH 0/7] File descriptor labeling
Date: Wed, 27 Apr 2011 13:19:55 -0700 [thread overview]
Message-ID: <4DB87A6B.7060805@schaufler-ca.com> (raw)
In-Reply-To: <1303907657-18366-1-git-send-email-roberto.sassu@polito.it>
On 4/27/2011 5:34 AM, Roberto Sassu wrote:
> File descriptor labeling issue
>
> Actually SELinux and SMACK assign to file descriptors the same label of the
> opening process and use it in LSM hooks security_file_permission(),
> security_file_fcntl() and others to verify if the 'current' process has the
> rights to perform the requested operation.
>
> Using the credentials of the 'current' process may be not appropriate in
> case a file descriptor is opened by a kernel service (i.e. a filesystem)
> and made shared among user processes. For instance, in a system with
> SELinux and eCryptfs, if the process A opens an encrypted file, eCryptfs
> obtains a file descriptor to access the correspondent inode in the lower
> filesystem, labeled with the A's label.
>
> If the process B accesses the same encrypted file, it needs the 'use'
> permission on the A's label other than permissions for the lower inode.
> However, if B is the first accessing process, A needs the 'use' permission
> on the B's label.
I am having trouble understanding the argument. I will pose my
question in Smack terms, as I can speak most definitively in them.
A process running with a Smack label "A" creates a file, and that
file gets labeled "A", as it ought. If eCryptfs is behaving correctly
this ought not change. If eCryptfs in encrypting the label it needs
to do so in such a way as to be able to decrypt it prior to
presentation to the vfs layer, where it will be used in an access
check. When the process running with a Smack label "B" comes along
the vfs code will check the fetched and possibly decrypted "A"
against "B" and, unless there is an explicit Smack rule in place
granting "B" access to "A", fail.
What is the problem? What is eCryptfs doing that prevents this
from working?
next prev parent reply other threads:[~2011-04-27 20:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-27 12:34 [RFC][PATCH 0/7] File descriptor labeling Roberto Sassu
2011-04-27 12:34 ` [RFC][PATCH 1/7] fs: initialize file->f_cred with credentials provided Roberto Sassu
2011-04-27 12:34 ` [RFC][PATCH 2/7] selinux: label new file descriptors using file->f_cred Roberto Sassu
2011-04-27 12:34 ` [RFC][PATCH 3/7] smack: assign the label set in file->f_cred to new file descriptors Roberto Sassu
2011-04-27 23:26 ` Casey Schaufler
2011-04-28 8:06 ` Roberto Sassu
2011-04-27 12:34 ` [RFC][PATCH 4/7] smack: fix label check in smack_kernel_act_as() Roberto Sassu
2011-04-27 23:22 ` Casey Schaufler
2011-04-28 9:22 ` Roberto Sassu
2011-04-27 12:34 ` [RFC][PATCH 5/7] smack: import the security label in smack_secctx_to_secid() Roberto Sassu
2011-04-27 23:47 ` Casey Schaufler
2011-04-27 12:34 ` [RFC][PATCH 6/7] security: new LSM hook security_file_getsecid() Roberto Sassu
2011-04-27 23:50 ` Casey Schaufler
2011-04-28 9:41 ` Roberto Sassu
2011-04-27 12:34 ` [RFC][PATCH 7/7] ima: added new LSM conditions in the policy Roberto Sassu
2011-04-28 13:32 ` Mimi Zohar
2011-04-28 13:52 ` Roberto Sassu
2011-04-27 15:52 ` [RFC][PATCH 0/7] File descriptor labeling Casey Schaufler
2011-04-27 20:19 ` Casey Schaufler [this message]
2011-04-27 23:27 ` Tyler Hicks
2011-04-27 23:57 ` Casey Schaufler
2011-04-28 0:06 ` Tyler Hicks
2011-04-28 12:35 ` Roberto Sassu
2011-04-28 17:37 ` Casey Schaufler
2011-04-28 17:56 ` Eric Paris
-- strict thread matches above, loose matches on Subject: below --
2011-04-29 9:39 Roberto Sassu
2011-04-29 15:46 ` Casey Schaufler
2011-05-02 8:53 ` Roberto Sassu
2011-05-03 22:58 ` Casey Schaufler
2011-05-03 23:58 ` John Johansen
2011-05-04 8:47 ` Roberto Sassu
2011-05-04 17:34 ` Casey Schaufler
2011-05-04 9:19 ` Roberto Sassu
2011-05-04 17:42 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DB87A6B.7060805@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=ecryptfs-devel@lists.launchpad.net \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=kirkland@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@polito.it \
--cc=safford@watson.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=tyhicks@linux.vnet.ibm.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox