public inbox for linux-kernel@vger.kernel.org
From: Paul Moore <pmoore@redhat.com>
To: Karol Lewandowski <k.lewandowsk@samsung.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jiri Kosina <jkosina@suse.cz>,
	Linux API <linux-api@vger.kernel.org>,
	linux-kernel@vger.kernel.org,
	John Stultz <john.stultz@linaro.org>,
	Arnd Bergmann <arnd@arndb.de>, Tejun Heo <tj@kernel.org>,
	Ryan Lortie <desrt@desrt.ca>,
	Simon McVittie <simon.mcvittie@collabora.co.uk>,
	daniel@zonque.org, David Herrmann <dh.herrmann@gmail.com>,
	"casey.schaufler@intel.com" <casey.schaufler@intel.com>,
	marcel@holtmann.org, tixxdz@opendz.org,
	javier.martinez@collabora.co.uk, alban.crequy@collabora.co.uk,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 00/12] Add kdbus implementation
Date: Thu, 30 Oct 2014 19:39:36 -0400
Message-ID: <5113482.YUK8i6Rueb@sifl>
In-Reply-To: <545297CC.6020306@samsung.com>

On Thursday, October 30, 2014 08:55:56 PM Karol Lewandowski wrote:
> On 2014-10-30 15:47, Greg Kroah-Hartman wrote:
> > Other than that, I don't know exactly what your patches do, or why they
> > are needed, care to go into details?
> 
> Patches in question were supposed to add a few hooks for kdbus-specific
> operations that don't seem to have compatible semantics with hooks
> currently available in LSM.
> 
> kdbus' bus introduces quite a few new concepts that we wanted to be able
> to limit based on MAC label/context, eg.
> 
>  - check flags at HELO stage (say disallow fd passing),
> 
>  - restrict ability to acquire name to certain subjects (for system bus),
> 
>  - disallow creation of new buses,
> 
>  - limit scope of broadcasts,
> 
>  - etc.
> 
> Please take a look at the hook list - I think most of the names are
> self-explanatory:
> 
> https://github.com/lmctl/linux/blob/a9fe4c33b6e5ab25a243e0590df406aabb6add12/include/linux/security.h#L1874
> 
> kdbus modifications were pretty light - with the most visible change being
> the addition of an opaque security pointer to kdbus_bus and similar structs.

[NOTE: we really should add the LSM list to this discussion and future 
patchset postings.]

Also, to be completely honest, I don't think we ever really arrived at any 
final conclusion about those LSM/kdbus hooks either.  At least I don't think I 
ever really satisfied myself that what we had was the "right" solution.

We both got busy and kinda drifted away from this effort.  Karol, did you do 
any further work on the hooks?

-- 
paul moore
security and virtualization @ redhat

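The mediation pattern Karol describes above (an opaque security pointer hung
off the bus object, plus hooks consulted at HELO, at name acquisition, at bus
creation and on broadcast) is easy to lose in the abstract, so here is a small
user-space model of it. This is an added example written for this page; it is
not kdbus code, not code from Karol's tree, and not the hook names from the
linked security.h. All names (model_security_ops, HELO_ACCEPT_FD, the "System",
"App" and "Untrusted" labels, the org.freedesktop.* rule) are assumptions chosen
to illustrate the shape of the interface, in the style of the 2014-era
security_operations function table.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HELO_ACCEPT_FD 0x1u   /* assumed HELO flag: peer wants fd passing */

/* Bus side of the model: the only addition is an opaque pointer owned by the
 * security module, mirroring the change the mail describes for kdbus_bus. */
struct bus  { const char *name; void *security; };
struct conn { const char *label; unsigned flags; };  /* MAC label is model input */

/* Hook table in the style of the 2014 security_operations; 0 means allow. */
struct model_security_ops {
    int  (*bus_create)(const char *subj, struct bus *b);
    void (*bus_free)(struct bus *b);
    int  (*conn_helo)(const struct conn *c, const struct bus *b);
    int  (*name_acquire)(const struct conn *c, const struct bus *b, const char *name);
    int  (*broadcast)(const struct conn *from, const struct conn *to);
};

/* A toy label-based module behind those hooks; bus_sec is its private blob. */
struct bus_sec { int is_system; };

static int toy_bus_create(const char *subj, struct bus *b)
{
    struct bus_sec *bs;
    if (strcmp(subj, "System") != 0)        /* only System may create buses */
        return -EPERM;
    bs = calloc(1, sizeof(*bs));
    if (!bs)
        return -ENOMEM;
    bs->is_system = strcmp(b->name, "system") == 0;
    b->security = bs;                       /* blob lives as long as the bus */
    return 0;
}

static void toy_bus_free(struct bus *b) { free(b->security); b->security = NULL; }

static int toy_conn_helo(const struct conn *c, const struct bus *b)
{
    (void)b;
    /* untrusted peers may not negotiate fd passing at HELO */
    if ((c->flags & HELO_ACCEPT_FD) && strcmp(c->label, "Untrusted") == 0)
        return -EPERM;
    return 0;
}

static int toy_name_acquire(const struct conn *c, const struct bus *b, const char *name)
{
    const struct bus_sec *bs = b->security;
    /* on the system bus, org.freedesktop.* names are reserved for System */
    if (bs && bs->is_system && strncmp(name, "org.freedesktop.", 16) == 0 &&
        strcmp(c->label, "System") != 0)
        return -EPERM;
    return 0;
}

static int toy_broadcast(const struct conn *from, const struct conn *to)
{
    /* broadcast scope: same label, or the sender is System */
    if (strcmp(from->label, "System") == 0 || strcmp(from->label, to->label) == 0)
        return 0;
    return -EPERM;
}

static const struct model_security_ops toy_ops = {
    toy_bus_create, toy_bus_free, toy_conn_helo, toy_name_acquire, toy_broadcast,
};
static const struct model_security_ops *ops = &toy_ops;

/* Mediated operations: exactly one hook call per privileged action. */
int model_bus_create(const char *subj, struct bus *b, const char *name)
{
    b->name = name;
    b->security = NULL;
    return ops->bus_create(subj, b);
}
void model_bus_free(struct bus *b) { ops->bus_free(b); }
int model_conn_helo(const struct conn *c, const struct bus *b) { return ops->conn_helo(c, b); }
int model_name_acquire(const struct conn *c, const struct bus *b, const char *n) { return ops->name_acquire(c, b, n); }
int model_broadcast(const struct conn *f, const struct conn *t) { return ops->broadcast(f, t); }

/* Constructed sample state for the scenario; not real kdbus objects. */
struct bus system_bus, user_bus;
const struct conn sysd      = { "System",    0 };
const struct conn app       = { "App",       HELO_ACCEPT_FD };
const struct conn untrusted = { "Untrusted", HELO_ACCEPT_FD };

int model_setup(void) { return model_bus_create("System", &system_bus, "system"); }

int main(void)
{
    if (model_setup() != 0)
        return 1;
    printf("untrusted HELO with fd passing: %d\n", model_conn_helo(&untrusted, &system_bus));
    printf("app acquires org.freedesktop.x: %d\n", model_name_acquire(&app, &system_bus, "org.freedesktop.x"));
    printf("app broadcast to untrusted:     %d\n", model_broadcast(&app, &untrusted));
    model_bus_free(&system_bus);
    return 0;
}
```

The point of the layout is the one Karol makes: the bus code never interprets
bus->security, it only allocates the slot and calls a hook at each decision
point, so a module can keep whatever per-bus state it needs (here, whether the
bus is the system bus) and make label-based decisions without the bus code
knowing the policy.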

