public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Cc: Stephen Smalley <sds@epoch.ncsc.mil>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	James Morris <jmorris@namei.org>,
	lkml <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org,
	Linux Containers <containers@lists.osdl.org>,
	Greg KH <greg@kroah.com>, Pavel Emelianov <xemul@openvz.org>
Subject: Re: [PATCH] cgroups: implement device whitelist lsm (v3)
Date: Mon, 17 Mar 2008 09:16:42 -0700 (PDT)	[thread overview]
Message-ID: <784599.23478.qm@web36615.mail.mud.yahoo.com> (raw)
In-Reply-To: <20080317140853.GC5875@sergelap.austin.rr.com>


--- "Serge E. Hallyn" <serue@us.ibm.com> wrote:

> Quoting Casey Schaufler (casey@schaufler-ca.com):
> ...
> > In particular, capabilities are not an access control mechanism,
> > they are a privilege mechanism. A lot of discussion about LSM has
> > centered around the appropriate charactoristics of an LSM, and
> > these discussions always assume that the LSM in question is
> > exactly an access control mechanism. If we split the LSM into
> > a LACM for access control and an LPM for privilege management
> > maybe we can eliminate the most contentious issues.
> > 
> > Does anyone know why that would be stoopid before I whack out
> > patches?
> 
> No I'd like to see those patches.  It would ideally allow LSM to become
> *purely* restrictive and LPM to be purely empowering, presumably making
> the resulting hook sets easier to review and maintain.  The LPM wouldn't
> (I assume) gain any *new* hook points so we wouldn't be adding any new
> places for hooks to be overriden by a rootkit.

I don't expect to put in any additional hooks points, although
it's safe to bet that someone will want to pretty quickly. What
I see as the big concern is our old friend the granularity question.
I can pretty well predict that we'll have quite a bruhaha over
whether each hook point should have it's own hook or if they should
be shared based on the privilege supported. For example, in namei.c
the function generic_permission() currently calls
capable(CAP_DAC_OVERRIDE). The privilege supported approach would
be to create a hook that gets used in many places that is a drop-in
replacement for that,

        if (capable(CAP_DAC_OVERRIDE))
becomes
        if (lpm_dac_override())

The alternative is to go the same route as the LSM, where it
becomes

        if (lpm_generic_permission_may_exec())

The former scheme is much easier to implement. It also would
mean that if would wanted to implement a finer granularity on
DAC overrides (e.g. CAP_DAC_READ, CAP_DAC_WRITE, CAP_DAC_EXECUTE)
you would have to introduce new hooks. That wouldn't be any worse
than today's situation where you would have to change the argument
passed to capable as far as the calling (e.g. generic_permission)
code is concerned, but it would mean updating all the LPMs. I
currently count 1084 calls to capable (sloppy grep method) and that's
way too many hooks in my mind. But, if there's anyone who thinks
that the way to go is for each existing capable call to be a hook,
feel free to make a convincing argument.

This should be fun.


Casey Schaufler
casey@schaufler-ca.com

  reply	other threads:[~2008-03-17 16:16 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-13 14:41 [PATCH] cgroups: implement device whitelist lsm (v3) Serge E. Hallyn
2008-03-14 10:17 ` James Morris
2008-03-14 13:27   ` Stephen Smalley
2008-03-14 14:32     ` Serge E. Hallyn
2008-03-14 17:41       ` Stephen Smalley
2008-03-14 22:44         ` Casey Schaufler
2008-03-17 13:26           ` Stephen Smalley
2008-03-18  6:48             ` Greg KH
2008-03-17 14:08           ` Serge E. Hallyn
2008-03-17 16:16             ` Casey Schaufler [this message]
2008-03-17 16:48               ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=784599.23478.qm@web36615.mail.mud.yahoo.com \
    --to=casey@schaufler-ca.com \
    --cc=containers@lists.osdl.org \
    --cc=greg@kroah.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=sds@epoch.ncsc.mil \
    --cc=serue@us.ibm.com \
    --cc=xemul@openvz.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox