From: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com>, casey@schaufler-ca.com
Cc: dhowells@redhat.com, Stephen Smalley <sds@tycho.nsa.gov>,
torvalds@osdl.org, akpm@osdl.org, steved@redhat.com,
trond.myklebust@fys.uio.no, linux-fsdevel@vger.kernel.org,
linux-cachefs@redhat.com, nfsv4@linux-nfs.org,
linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 00/16] Permit filesystem local caching [try #3]
Date: Mon, 13 Aug 2007 14:44:40 -0700 (PDT) [thread overview]
Message-ID: <462850.65153.qm@web36605.mail.mud.yahoo.com> (raw)
In-Reply-To: <16119.1187034756@redhat.com>
--- David Howells <dhowells@redhat.com> wrote:
> Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> > The specification of your push interface that the push operation
> > not affect how others access the process is OK for SELinux, but
> > not for any other MAC scheme that I've dealt with, and I think
> > that's most of them. Nuts. Smack, for example, uses exactly one
> > label on the process for all purposes.
>
> It's a fairly important concept. The victimisation security context on a
> process must not change, even if the kernel overrides the security context
> that that process acts as so that it can transparently do work on its behalf.
>
> IMO, the right way to do this is to pass the security context directly to
> vfs_mkdir() and co.
>
> > Are you concerned about accesses other than signals? Signals
> > could be staitforward to deal with in a pushed situation, but
> > I'd hesitate to say that the solution would generalize without
> > additional thought.
>
> There's also /proc and ptrace() for example. ps -z must not show the
> overridden state.
>
> > > > > (5) int security_xfrm_to_kernel_context(void *from, void **_to);
> > > >
> > > > Woof. What are you transforming from?
> > >
> > > In CacheFiles case, the cachefilesd daemon's security label into the
> label
> > > the cache driver acts as on behalf of other processes.
> >
> > I'm not sure I understand what this is doing.
>
> CacheFiles consists of two parts: the kernel module which creates things in
> the cache and does accesses into the cache on behalf of processes that access
> cached filesystems, and the userspace daemon that builds cull tables and
> deletes things.
>
> The reason there are two security labels is that the daemon's label gives it
> just enough rights to be able to do its job. More or less all it can do is
> lookup, opendir, readdir, stat, rmdir, unlink and open the chardev for
> talking
> to the kernel module. This means that the daemon can't, for example, be made
> to read or modify cache storage objects.
>
> Thus means, however, that the daemon's label isn't sufficient for the kernel
> module to do its job. But since there's no way for the kernel module to
> directly get a label (and indeed it doesn't know the label it needs), a
> transformation has to be applied that turns the process label used by the
> daemon into a process label that the kernel, and only the kernel, can use.
>
> The kernel's label gives it, amongst other things, the additional rights to
> do
> mkdir, creat, open, read, write, setxattr, getxattr, rename - things the
> daemon isn't allowed to do.
With Smack you can leave the label alone, raise CAP_MAC_OVERRIDE,
do your business of setting the label correctly, and then drop
the capability. No new hooks required.
Casey Schaufler
casey@schaufler-ca.com
next prev parent reply other threads:[~2007-08-13 21:45 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-10 16:04 David Howells
2007-08-10 16:05 ` [PATCH 01/16] FS-Cache: Release page->private after failed readahead " David Howells
2007-08-10 16:05 ` [PATCH 02/16] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2007-08-10 16:05 ` [PATCH 03/16] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2007-08-10 16:05 ` [PATCH 04/16] FS-Cache: Generic filesystem caching facility " David Howells
2007-08-10 16:05 ` [PATCH 05/16] CacheFiles: Add missing copy_page export for ia64 " David Howells
2007-08-10 16:05 ` [PATCH 06/16] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2007-08-10 16:05 ` [PATCH 07/16] CacheFiles: Permit the page lock state to be monitored " David Howells
2007-08-10 16:05 ` [PATCH 08/16] CacheFiles: Export things for CacheFiles " David Howells
2007-08-10 16:05 ` [PATCH 09/16] CacheFiles: Permit a process's create SID to be overridden " David Howells
2007-08-10 16:52 ` Casey Schaufler
2007-08-10 16:05 ` [PATCH 10/16] CacheFiles: Add an act-as SID override in task_security_struct " David Howells
2007-08-10 16:05 ` [PATCH 11/16] CacheFiles: Permit an inode's security ID to be obtained " David Howells
2007-08-10 16:05 ` [PATCH 12/16] CacheFiles: Get the SID under which the CacheFiles module should operate " David Howells
2007-08-10 16:06 ` [PATCH 13/16] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2007-08-10 16:06 ` [PATCH 14/16] NFS: Use local caching " David Howells
2007-08-10 16:06 ` [PATCH 15/16] NFS: Configuration and mount option changes to enable local caching on NFS " David Howells
2007-08-10 16:06 ` [PATCH 16/16] NFS: Display local caching state " David Howells
2007-08-10 22:13 ` [PATCH 00/16] Permit filesystem local caching " Casey Schaufler
2007-08-11 8:41 ` David Howells
2007-08-11 15:56 ` Casey Schaufler
2007-08-13 10:54 ` David Howells
2007-08-13 13:46 ` Casey Schaufler
2007-08-13 14:51 ` David Howells
2007-08-13 14:57 ` Stephen Smalley
2007-08-13 15:42 ` Casey Schaufler
2007-08-13 15:22 ` David Howells
2007-08-13 16:20 ` Casey Schaufler
2007-08-13 16:31 ` David Howells
2007-08-13 16:58 ` Casey Schaufler
2007-08-13 19:52 ` David Howells
2007-08-13 21:44 ` Casey Schaufler [this message]
2007-08-14 9:39 ` David Howells
2007-08-14 15:53 ` Casey Schaufler
2007-08-14 17:42 ` Stephen Smalley
2007-08-15 16:30 ` Casey Schaufler
2007-08-14 17:58 ` David Howells
2007-08-14 17:50 ` Stephen Smalley
2007-08-13 13:50 ` Stephen Smalley
2007-08-13 15:10 ` Casey Schaufler
2007-08-13 13:01 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=462850.65153.qm@web36605.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=akpm@osdl.org \
--cc=dhowells@redhat.com \
--cc=linux-cachefs@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nfsv4@linux-nfs.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=steved@redhat.com \
--cc=torvalds@osdl.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome