From: David Howells <dhowells@redhat.com>
To: Jan Dittmer <jdi@l4x.org>
Cc: sds@tycho.nsa.gov, jmorris@namei.org, chrisw@sous-sol.org,
selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org,
aviro@redhat.com
Subject: Re: Security issues with local filesystem caching
Date: Thu, 26 Oct 2006 11:55:25 +0100 [thread overview]
Message-ID: <8791.1161860125@redhat.com> (raw)
In-Reply-To: <45407C71.5070407@l4x.org>
Jan Dittmer <jdi@l4x.org> wrote:
> > I can see a few ways to deal with this:
> >
> > (1) Do all the cache operations in their own thread (sort of like knfsd).
> >
> > (2) Add further security ops for the caching code to call. These might
> > be of use elsewhere in the kernel. These would set cache-specific
> > security labels and check for them.
> >
> > (3) Add a flag or something to current to override the normal security on
> > the basis that it should be using the cache's security rather than
> > the process's security.
>
> Why again no local userspace daemon to do the caching?
Because that reduces the problem to option (1), and then we add context
switches and pushing the metadata in and out of userspace. In addition, the
cache calls back into the netfs to get information.
I'm guess you're thinking of a halfway-house with userspace deciding which
files to open and then opening the file and telling the kernel to use that
file to back a particular netfs inode, with the kernel handling the actual
read/write ops. If you are, then this brings us back to the ENFILE problem,
and also raises EMFILE as a new possible problem. But this time, there isn't
a way to escape the ENFILE problem - you're opening files in userspace.
We could have userspace tell the kernel use a file by name rather than
actually opening it and handing over the fd, I suppose; but you still have the
serialisation issue to deal with.
> That would put the policy out of the kernel. The additional context switches
> are probably pretty cheap compared to the io operations.
It's not just a pair of context switches you have to add in.
David
next prev parent reply other threads:[~2006-10-26 10:56 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-25 10:14 Security issues with local filesystem caching David Howells
2006-10-25 16:52 ` Nate Diller
2006-10-25 16:48 ` Jeff V. Merkey
2006-10-25 17:21 ` David Howells
2006-10-25 17:42 ` Jeff V. Merkey
2006-10-25 18:15 ` David Howells
2006-10-25 20:21 ` Josef Sipek
2006-10-25 20:28 ` Josef Sipek
2006-10-26 9:56 ` David Howells
2006-10-27 15:54 ` Josef Sipek
2006-10-25 21:12 ` Stephen Smalley
2006-10-26 10:40 ` David Howells
2006-10-26 12:51 ` Stephen Smalley
2006-10-26 16:04 ` David Howells
2006-10-26 16:34 ` Stephen Smalley
2006-10-26 17:09 ` David Howells
2006-10-26 17:45 ` Stephen Smalley
2006-10-26 22:53 ` David Howells
2006-10-27 14:48 ` Stephen Smalley
2006-10-27 15:42 ` David Howells
2006-10-27 16:10 ` Stephen Smalley
2006-10-27 16:25 ` David Howells
2006-10-27 17:09 ` Stephen Smalley
2006-10-27 17:34 ` David Howells
2006-10-27 14:41 ` David Howells
2006-10-25 23:37 ` Alan Cox
2006-10-26 0:32 ` Al Viro
2006-10-26 10:45 ` David Howells
2006-10-26 10:54 ` Alan Cox
2006-10-26 9:14 ` Jan Dittmer
2006-10-26 10:55 ` David Howells [this message]
2006-10-26 11:52 ` Alan Cox
2006-10-31 21:26 ` David Howells
2006-11-01 13:28 ` Stephen Smalley
2006-11-01 15:34 ` David Howells
2006-11-01 15:58 ` Karl MacMillan
2006-11-01 17:45 ` Stephen Smalley
2006-11-02 16:29 ` Karl MacMillan
2006-11-02 18:04 ` Stephen Smalley
2006-11-01 17:30 ` Stephen Smalley
2006-11-02 17:16 ` David Howells
2006-11-02 19:49 ` Trond Myklebust
2006-11-02 20:38 ` David Howells
2006-11-02 21:24 ` Trond Myklebust
2006-11-03 10:27 ` David Howells
2006-11-03 13:41 ` Trond Myklebust
2006-11-03 15:23 ` David Howells
2006-11-03 17:30 ` Trond Myklebust
2006-11-14 19:22 ` David Howells
2006-11-15 14:05 ` Trond Myklebust
2006-11-15 15:28 ` David Howells
2006-11-15 16:41 ` Trond Myklebust
2006-11-15 18:17 ` David Howells
2006-11-03 15:33 ` David Howells
2006-11-02 20:33 ` Stephen Smalley
2006-11-02 21:05 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8791.1161860125@redhat.com \
--to=dhowells@redhat.com \
--cc=aviro@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=jdi@l4x.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox