From: Eric Paris <eparis@parisplace.org>
To: James Morris <jmorris@namei.org>
Cc: Joy Latten <latten@austin.ibm.com>,
David Miller <davem@davemloft.net>,
selinux@tycho.nsa.gov, netdev@vger.kernel.org,
vyekkirala@TrustedCS.com
Subject: Re: [PATCH]: Add security check before flushing SAD/SPD
Date: Fri, 23 Mar 2007 01:39:47 -0400 [thread overview]
Message-ID: <1174628387.10788.53.camel@localhost.localdomain> (raw)
In-Reply-To: <Line.LNX.4.64.0703221943110.24461@d.namei>
On Thu, 2007-03-22 at 19:49 -0400, James Morris wrote:
> On Thu, 22 Mar 2007, Joy Latten wrote:
>
> > > I would look at this patch differently if there were some
> > > security level key being checked for a match here, which is
> > > an input key to the flush, but that is not what is happening
> > > here as the object is being looked at by itself.
> >
> > Yes, I understand what you are saying.
> > I was concerned about having to check each entry
> > to flush database.
> >
> > I did this patch because we check for authorization
> > when deleting single specified entries from the SAD/SPD. It
> > seem like a hole to me that we check for this, but that same
> > user/process can delete the entire database with no checks.
>
> Indeed. Removing an entry is modifying MAC policy, which requires
> appropriate authorization.
>
> The security label is encapsulated with the object, which is why it's
> passed to the security layer.
>
> Perhaps a better semantic would be to fail the entire flush operation if
> one of the security checks failed. e.g. loop through for permissions
> first, then if all ok, loop through for deletion.
Maybe I'm way out on a limb here but if I am a regular user and I say
rm /tmp/* and I only have permissions to delete some of the files I
expect just those couple to be delete, not the whole operation denied.
It seems reasonable to me that the check for every policy (which is
between current->security->sid and xp->security->ctx_sid) makes sense.
There doesn't appear to me right offhand to be anything intrinsic in the
code which says that a flush request must flush everything or nothing.
In either case though proper auditing needs to be addressed. I see that
the first patch from Joy wouldn't audit deletion failures. It appears
to me if the check is done per policy then the security hook return code
needs to be recorded and passed to xfrm_audit_log instead of the hard
coded 1 result used now.
Assuming we go with James's double loop what should we be auditing for a
security hook denial? Just audit the first policy entry which we tried
to remove but couldn't and then leave the rest of the auditing in those
functions the way it is now in case there was no denial, calling
xfrm_audit_log with a hard coded 1 for the result?
-Eric
next prev parent reply other threads:[~2007-03-23 5:41 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-22 18:35 [PATCH]: Add security check before flushing SAD/SPD Joy Latten
2007-03-22 19:01 ` David Miller
2007-03-22 21:23 ` Joy Latten
2007-03-22 23:49 ` James Morris
2007-03-22 23:50 ` Joy Latten
2007-03-23 0:56 ` James Morris
2007-03-23 5:39 ` Eric Paris [this message]
2007-03-23 6:22 ` David Miller
2007-03-23 16:33 ` Joy Latten
2007-03-23 16:59 ` Eric Paris
2007-03-23 18:50 ` Joy Latten
2007-03-23 18:46 ` James Morris
2007-03-23 18:47 ` David Miller
2007-03-23 18:50 ` Eric Paris
-- strict thread matches above, loose matches on Subject: below --
2007-03-26 19:39 Joy Latten
2007-03-26 20:05 ` James Morris
2007-03-26 20:14 ` James Morris
2007-03-26 20:34 ` Eric Paris
2007-03-26 22:58 Joy Latten
2007-03-26 23:21 Joy Latten
2007-03-27 3:08 ` James Morris
2007-06-04 19:05 ` Eric Paris
2007-06-04 19:44 ` James Morris
2007-06-04 23:13 ` James Morris
2007-06-04 23:55 ` David Miller
2007-06-05 17:56 ` Joy Latten
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1174628387.10788.53.camel@localhost.localdomain \
--to=eparis@parisplace.org \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=latten@austin.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).