From: Toshiharu Harada <haradats@nttdata.co.jp>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Paul Moore <paul.moore@hp.com>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Kentaro Takeda <takedakn@nttdata.co.jp>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-netdev <netdev@vger.kernel.org>
Subject: Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.
Date: Fri, 11 Apr 2008 20:48:30 +0900
Message-ID: <47FF500E.6020503@nttdata.co.jp>
In-Reply-To: <1207831882.21223.694.camel@moss-spartans.epoch.ncsc.mil>

On 4/10/2008 9:51 PM, Stephen Smalley wrote:
>>> There are two options:
>>> 1) Submit patches to pass down the vfsmounts to the vfs helpers so that
>>> they can be passed to the existing security_inode hooks. -or-
>>> 2) Submit patches to add new security hooks to the callers where the
>>> vfsmount is already available (some have suggested moving the existing
>>> security_inode hooks to the callers, but that would cause problems for
>>> SELinux as I've posted elsewhere, so adding new hooks is preferable, and
>>> then SELinux can just default to the dummy functions for those new
>>> hooks).
>> Thank you for your suggestions. I drew a diagram. Is this correct?
> 
> I think the text above is self-explanatory; I'm not sure what the
> diagram adds.  Also, Matthew Wilcox pointed out a third option that you
> ought to consider, and you can look to the example of audit filesystem
> watches there, which leverages inotify internally.
The diagram was meant to help clarify things, not to add or change
the information. I also like text, but IMO diagrams are useful
for starting arguments over networks.

Yes. Regarding the third option, Tetsuo is preparing to respond
(Matthew, sorry for the snail response; it's on the way).

> If that isn't feasible for some reason, then option (2) should be fairly
> straightforward - you just define and insert some new security hooks in
> the callers where the vfsmount is already available.

My diagram worked very well for me. I noticed that theoretically
there are four options.

option (1) "pass down the vfsmounts to the vfs helpers"
           (let "vfsmount" bridge namespace and filesystems)
+ LSM needs fewer changes
- VFS and filesystems need more changes

option (2) "add new security hooks to the callers"
           (adding hooks in namespace)
+ VFS and filesystems need very few changes
- new hooks need to be added to LSM

option (3) "pathname based policy and inode based access control" (by Wilcox)
           (self-explanatory)
+ does not need changes to LSM or VFS
- cannot keep consistency between policy and results

option (4) "introduce completely orthogonal access control besides LSM"
           (like devcgroup, r/o bind mounts (in mm tree))
+ does not need LSM changes
+ pathname based MAC can coexist with label based MAC
- should not ... (the LAST method)


Regarding option 3, Tetsuo will explain the difficulties in
another message. The TOMOYO Linux project is planning to
make patches for option 2 because it is the most straightforward way,
as you suggested. Also, we will be carefully watching the
discussion of "vfs: add helpers to check r/o bind mounts".

Regards,
Toshiharu Harada
NTT DATA CORPORATION
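The options above all turn on one fact: a pathname-based LSM such as TOMOYO needs the vfsmount as well as the dentry, because once a filesystem is bind-mounted in two places the same dentry and inode are reachable under two different pathnames, and an inode-only hook cannot tell them apart. The following user-space model is an added example for this archive page; it is not code from the e-mail, from TOMOYO, or from the kernel. The struct and field names (mnt_root, mnt_mountpoint, mnt_parent) imitate the kernel's for readability, the path walk follows the shape of d_path(), and the mount tree and the "allow_read" policy table are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the dentry/vfsmount
 * distinction. Field names imitate the kernel's struct names only. */

struct dentry {
	const char *name;	/* "" for a filesystem root */
	struct dentry *parent;	/* points to itself at a filesystem root */
	unsigned long ino;	/* inode number; both mounts of a fs share it */
};

struct vfsmount {
	struct dentry *mnt_root;	/* root dentry of the mounted fs */
	struct dentry *mnt_mountpoint;	/* dentry in the parent mount covered */
	struct vfsmount *mnt_parent;	/* points to itself for the root mount */
};

/* Build the full pathname of (mnt, d) the way d_path() does: follow
 * dentry->parent inside a mount, and at a mount root jump to the
 * mountpoint in the parent mount. Returns 0, or -1 if buf is too small. */
int model_d_path(struct vfsmount *mnt, struct dentry *d, char *buf, size_t len)
{
	char tmp[256];
	size_t pos = sizeof(tmp) - 1;

	tmp[pos] = '\0';
	for (;;) {
		while (d != mnt->mnt_root) {
			size_t n = strlen(d->name);
			if (pos < n + 1)
				return -1;
			pos -= n;
			memcpy(tmp + pos, d->name, n);
			tmp[--pos] = '/';
			d = d->parent;
		}
		if (mnt->mnt_parent == mnt)
			break;			/* reached the namespace root */
		d = mnt->mnt_mountpoint;	/* cross the mount boundary */
		mnt = mnt->mnt_parent;
	}
	if (tmp[pos] == '\0')
		tmp[--pos] = '/';		/* the root directory itself */
	if (strlen(tmp + pos) + 1 > len)
		return -1;
	strcpy(buf, tmp + pos);
	return 0;
}

/* Convenience for callers and tests: does (mnt, d) resolve to expect? */
int path_is(struct vfsmount *mnt, struct dentry *d, const char *expect)
{
	char path[256];
	return model_d_path(mnt, d, path, sizeof(path)) == 0 &&
	       strcmp(path, expect) == 0;
}

/* Constructed pathname policy: the domain may read /etc/shadow, but the
 * same file seen through a bind mount under /jail is not listed. */
static const char *const allow_read[] = { "/etc/shadow", "/etc/passwd" };

/* What a hook receiving the vfsmount can decide (options 1 and 2). */
int check_by_path(struct vfsmount *mnt, struct dentry *d)
{
	size_t i;
	for (i = 0; i < sizeof(allow_read) / sizeof(allow_read[0]); i++)
		if (path_is(mnt, d, allow_read[i]))
			return 1;
	return 0;
}

/* What an inode-only hook can see: two pathnames that reach the same
 * inode are indistinguishable here. The constructed label set marks
 * inode 3 ("shadow") as readable. */
int check_by_inode(struct dentry *d)
{
	return d->ino == 3;
}

/* Constructed mount tree: /etc/shadow on the root fs, and /etc bind-mounted
 * a second time at /jail/etc (same dentries, a second vfsmount). */
struct dentry root_d   = { "",       &root_d, 1 };
struct dentry etc_d    = { "etc",    &root_d, 2 };
struct dentry shadow_d = { "shadow", &etc_d,  3 };
struct dentry jail_d   = { "jail",   &root_d, 4 };
struct dentry etc_mp_d = { "etc",    &jail_d, 5 };
struct vfsmount root_mnt = { &root_d, &root_d,   &root_mnt };
struct vfsmount bind_mnt = { &etc_d,  &etc_mp_d, &root_mnt };

int main(void)
{
	char p[256];
	model_d_path(&root_mnt, &shadow_d, p, sizeof(p));
	printf("%-18s inode=%d path=%d\n", p, check_by_inode(&shadow_d),
	       check_by_path(&root_mnt, &shadow_d));
	model_d_path(&bind_mnt, &shadow_d, p, sizeof(p));
	printf("%-18s inode=%d path=%d\n", p, check_by_inode(&shadow_d),
	       check_by_path(&bind_mnt, &shadow_d));
	return 0;
}
```

The same shadow_d dentry resolves to /etc/shadow under root_mnt and to /jail/etc/shadow under bind_mnt; check_by_inode returns the same answer for both, while check_by_path only permits the first. This is why the existing security_inode hooks, which see the inode but not the mount, are not enough for a pathname-based policy, and why options (1) and (2) are about getting the vfsmount to the hook.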



Thread overview: 33+ messages
     [not found] <20080404122242.867070732@I-love.SAKURA.ne.jp>
2008-04-04 12:22 ` [TOMOYO #7 07/30] Some wrapper functions for socket operation Tetsuo Handa
2008-04-04 12:23 ` [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO Tetsuo Handa
2008-04-04 16:29   ` Daniel Walker
2008-04-07 13:56     ` Tetsuo Handa
2008-04-07 15:39       ` Daniel Walker
2008-04-07 15:40   ` Paul Moore
2008-04-07 22:57     ` Casey Schaufler
2008-04-09  8:37     ` Toshiharu Harada
2008-04-09 12:49       ` Stephen Smalley
2008-04-10  5:57         ` Toshiharu Harada
2008-04-10 12:51           ` Stephen Smalley
2008-04-11 11:48             ` Toshiharu Harada [this message]
2008-04-09 13:11       ` Matthew Wilcox
2008-04-09 13:26         ` Stephen Smalley
2008-04-11 14:12         ` Tetsuo Handa
2008-04-11 14:30           ` Matthew Wilcox
2008-04-12 11:33             ` Tetsuo Handa
2008-04-13 16:36             ` Serge E. Hallyn
2008-04-14  2:05               ` Crispin Cowan
2008-04-14 14:17                 ` Stephen Smalley
2008-04-14 17:05                   ` Casey Schaufler
2008-04-15  4:59                   ` Crispin Cowan
2008-04-16 16:31                     ` Stephen Smalley
2008-04-17  7:49                       ` Crispin Cowan
2008-04-17  8:45                         ` Jamie Lokier
2008-04-17 12:42                         ` Stephen Smalley
2008-04-15 13:00                 ` Toshiharu Harada
2008-04-14  1:41             ` Crispin Cowan
2008-04-14 13:48               ` Matthew Wilcox
2008-04-15  3:21                 ` Crispin Cowan
2008-04-15  4:57                   ` Al Viro
2008-04-09 13:22       ` Serge E. Hallyn
2008-04-11  3:57         ` Toshiharu Harada