From: David Howells <dhowells@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: dhowells@redhat.com, Karl MacMillan <kmacmill@redhat.com>,
viro@ftp.linux.org.uk, hch@infradead.org,
Trond.Myklebust@netapp.com, casey@schaufler-ca.com,
linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]
Date: Tue, 11 Dec 2007 20:42:05 +0000 [thread overview]
Message-ID: <9789.1197405725@redhat.com> (raw)
In-Reply-To: <1197401823.28006.74.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > That sounds too SELinux specific. How do I do it so that it works for any
> > LSM?
>
> You can't. There is no LSM for userspace; LSM specifically disavowed
> any common userspace API, and that was one of our original
> objections/concerns about it.
So, basically, userspace programs (outside of security tools) aren't supposed
to need access to the security infrastructure?
> > Is linking against libselinux is a viable option if it's not available under
> > all LSM models? Is it available under all LSM models? Perhaps Casey can
> > answer this one.
>
> Nope, they would all have their own libraries, if they have a library at
> all. But that isn't your problem
It is if I have to maintain a special pieces of code for each possible LSM.
One piece for SELinux, one piece for AppArmour, one piece for Smack, one piece
for Casey's security system. That sounds like a pain.
> - your kernel interface should be generic, and your LSM hooks should be
> generic, but your userspace isn't required to be. Have a look at how many
> programs in the distribution currently link against libselinux, whether
> directly or by dlopen'ing it.
In /usr/bin ldd reports approximately 297 binaries link to libselinux, though
I can't say how many of those linked against it directly rather than picking
it up by contamination through a shared library. Furthermore, I've no idea
how many more find it by dlopen.
> > > > I use to do that, but someone objected... Possibly Karl MacMillan.
> > >
> > > Yes, but I think I disagreed then too.
> >
> > So, who's right?
>
> Karl isn't a maintainer of the SELinux kernel code. And I had thought
> that even he had reconsidered this idea after further discussion.
Not that I know of.
> > > It doesn't fit with how other users of security_kernel_act_as() will
> > > likely want to work (they will want to just set the context to a
> > > specified value, whether one obtained from the client or from some local
> > > source), nor with how type transitions normally work (exec, with the
> > > program type as the second type field). I think it will just cause
> > > confusion and subtle breakage.
> >
> > It's causing me lots of confusion as it is. I have been / am being told by
> > different people to do different things just in dealing with SELinux, and
> > various people are raising extra requirements or restrictions beyond that.
> > There doesn't seem to be a consensus.
> >
> > It sounds like the best option is just to have the kernel nick the userspace
> > daemon's security context and use that as is, and junk all the restrictions on
> > what the daemon can do so that the kernel isn't too restricted.
>
> Well, you could do that, if that meets your needs, but it doesn't sound
> very optimal either.
True. I'd rather have separate security for each.
> Why are you opposed to having userspace determine the context and write it
> to a cachefiles interface,
Because, from what I gather, that means my userspace program needs to do
something different, depending on the security model that's currently in force
on a system. Furthermore, I would have to have separate code, as far as I
know, for each security model as there's no commonality in userspace.
I can't just link against libselinux. It might not be there. I'm not going
to tie my program to SELinux either.
Furthermore, I worked out "the right way to do this" with some apparent
SELinux person, and you seemed reasonably accepting of it. Now I have to go
and redo all the work, having had to redo the security stuff a couple of times
already because someone objected. *That* is the main obstacle to getting my
code accepted at the moment, I think.
How about I just stick the context in /etc/cachefilesd.conf as a textual
configuration item and have the daemon pass that as a string to the cachefiles
kernel module, which can then ask LSM if it's valid to set this context as an
override, given the daemon's own security context? That seems entirely
reasonable to me.
David
next prev parent reply other threads:[~2007-12-11 20:43 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-05 19:38 [PATCH 00/28] Permit filesystem local caching [try #2] David Howells
2007-12-05 19:38 ` [PATCH 01/28] KEYS: Increase the payload size when instantiating a key " David Howells
2007-12-05 19:38 ` [PATCH 02/28] KEYS: Check starting keyring as part of search " David Howells
2007-12-05 19:38 ` [PATCH 03/28] KEYS: Allow the callout data to be passed as a blob rather than a string " David Howells
2007-12-05 19:38 ` [PATCH 04/28] KEYS: Add keyctl function to get a security label " David Howells
2007-12-05 19:38 ` [PATCH 05/28] Security: Change current->fs[ug]id to current_fs[ug]id() " David Howells
2007-12-05 19:38 ` [PATCH 06/28] SECURITY: Separate task security context from task_struct " David Howells
2007-12-05 19:38 ` [PATCH 07/28] SECURITY: De-embed task security record from task and use refcounting " David Howells
2007-12-05 19:38 ` [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions " David Howells
2007-12-10 16:46 ` Stephen Smalley
2007-12-10 17:07 ` David Howells
2007-12-10 17:23 ` Stephen Smalley
2007-12-10 21:08 ` David Howells
2007-12-10 21:27 ` Stephen Smalley
2007-12-10 22:26 ` Casey Schaufler
2007-12-10 23:44 ` David Howells
2007-12-10 23:56 ` Casey Schaufler
2007-12-11 18:34 ` Stephen Smalley
2007-12-11 19:26 ` Casey Schaufler
2007-12-11 19:56 ` Stephen Smalley
2007-12-11 20:40 ` Casey Schaufler
2007-12-10 23:36 ` David Howells
2007-12-10 23:46 ` Casey Schaufler
2007-12-11 19:52 ` Stephen Smalley
2007-12-11 19:37 ` Stephen Smalley
2007-12-11 20:42 ` David Howells [this message]
2007-12-11 21:18 ` Casey Schaufler
2007-12-11 21:34 ` Stephen Smalley
2007-12-11 22:43 ` David Howells
2007-12-11 23:04 ` Casey Schaufler
2007-12-12 15:25 ` Stephen Smalley
2007-12-12 16:51 ` Casey Schaufler
2007-12-12 18:12 ` Stephen Smalley
2007-12-12 18:34 ` David Howells
2007-12-12 19:44 ` Casey Schaufler
2007-12-12 19:49 ` Stephen Smalley
2007-12-12 20:09 ` Casey Schaufler
2007-12-12 22:29 ` David Howells
2007-12-12 22:32 ` David Howells
2007-12-12 18:29 ` David Howells
2007-12-12 19:33 ` Stephen Smalley
2007-12-12 22:49 ` David Howells
2007-12-13 14:49 ` Stephen Smalley
2007-12-13 15:36 ` David Howells
2007-12-13 16:23 ` Stephen Smalley
2007-12-13 17:01 ` David Howells
2007-12-13 17:27 ` Stephen Smalley
2007-12-13 18:04 ` David Howells
2007-12-12 19:37 ` Casey Schaufler
2007-12-12 22:52 ` David Howells
2007-12-12 18:25 ` David Howells
2007-12-12 19:20 ` Casey Schaufler
2007-12-12 19:29 ` David Howells
2007-12-12 19:35 ` Stephen Smalley
2007-12-12 22:55 ` David Howells
2007-12-13 14:51 ` Stephen Smalley
2007-12-13 16:03 ` David Howells
2007-12-19 3:28 ` Crispin Cowan
2007-12-19 5:39 ` Casey Schaufler
2007-12-19 14:54 ` Stephen Smalley
2007-12-19 3:28 ` Crispin Cowan
2007-12-19 23:38 ` David Howells
2007-12-12 14:41 ` Karl MacMillan
2007-12-12 14:53 ` David Howells
2007-12-12 14:59 ` Karl MacMillan
2008-01-09 16:51 ` David Howells
2008-01-09 17:27 ` David Howells
2008-01-09 18:11 ` Stephen Smalley
2008-01-09 18:56 ` David Howells
2008-01-09 19:19 ` Stephen Smalley
2008-01-10 11:09 ` David Howells
2008-01-14 14:01 ` David Howells
2008-01-14 14:06 ` David Howells
2008-01-15 14:58 ` Stephen Smalley
2008-01-23 20:52 ` David Howells
2008-01-23 22:03 ` James Morris
2008-01-14 14:52 ` Casey Schaufler
2008-01-14 15:19 ` David Howells
2008-01-15 14:56 ` Stephen Smalley
2008-01-15 16:03 ` David Howells
2008-01-15 16:08 ` Stephen Smalley
2008-01-15 18:10 ` Casey Schaufler
2008-01-15 19:15 ` Stephen Smalley
2008-01-15 21:55 ` David Howells
2008-01-15 22:23 ` Casey Schaufler
2007-12-05 19:39 ` [PATCH 09/28] FS-Cache: Release page->private after failed readahead " David Howells
2007-12-14 3:51 ` Nick Piggin
2007-12-17 22:42 ` David Howells
2007-12-18 7:03 ` Nick Piggin
2007-12-05 19:39 ` [PATCH 10/28] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2007-12-14 4:08 ` Nick Piggin
2007-12-17 22:36 ` David Howells
2007-12-18 7:00 ` Nick Piggin
2007-12-20 18:33 ` David Howells
2007-12-21 1:08 ` Nick Piggin
2008-01-02 16:27 ` David Howells
2008-01-07 11:33 ` Nick Piggin
2008-01-07 13:09 ` David Howells
2008-01-08 3:01 ` Nick Piggin
2008-01-08 23:51 ` David Howells
2008-01-09 1:52 ` Nick Piggin
2008-01-09 15:45 ` David Howells
2008-01-09 23:52 ` Nick Piggin
2007-12-05 19:39 ` [PATCH 11/28] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2007-12-05 19:39 ` [PATCH 12/28] FS-Cache: Generic filesystem caching facility " David Howells
2007-12-05 19:39 ` [PATCH 13/28] CacheFiles: Add missing copy_page export for ia64 " David Howells
2007-12-05 19:39 ` [PATCH 14/28] CacheFiles: Be consistent about the use of mapping vs file->f_mapping in Ext3 " David Howells
2007-12-05 19:39 ` [PATCH 15/28] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2007-12-05 19:39 ` [PATCH 16/28] CacheFiles: Permit the page lock state to be monitored " David Howells
2007-12-05 19:39 ` [PATCH 17/28] CacheFiles: Export things for CacheFiles " David Howells
2007-12-05 19:39 ` [PATCH 18/28] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2007-12-05 19:39 ` [PATCH 19/28] NFS: Use local caching " David Howells
2007-12-05 19:40 ` [PATCH 20/28] NFS: Configuration and mount option changes to enable local caching on NFS " David Howells
2007-12-05 19:40 ` [PATCH 21/28] NFS: Display local caching state " David Howells
2007-12-05 19:40 ` [PATCH 22/28] fcrypt endianness misannotations " David Howells
2007-12-05 19:40 ` [PATCH 23/28] AFS: Add TestSetPageError() " David Howells
2007-12-05 19:40 ` [PATCH 24/28] AFS: Add a function to excise a rejected write from the pagecache " David Howells
2007-12-14 4:21 ` Nick Piggin
2007-12-17 22:54 ` David Howells
2007-12-18 7:07 ` Nick Piggin
2007-12-20 18:49 ` David Howells
2007-12-21 1:11 ` Nick Piggin
2007-12-05 19:40 ` [PATCH 25/28] AFS: Improve handling of a rejected writeback " David Howells
2007-12-05 19:40 ` [PATCH 26/28] AF_RXRPC: Save the operation ID for debugging " David Howells
2007-12-05 19:40 ` [PATCH 27/28] AFS: Implement shared-writable mmap " David Howells
2007-12-05 19:40 ` [PATCH 28/28] FS-Cache: Make kAFS use FS-Cache " David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9789.1197405725@redhat.com \
--to=dhowells@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=casey@schaufler-ca.com \
--cc=hch@infradead.org \
--cc=kmacmill@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).