mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com>, casey@schaufler-ca.com
Cc: dhowells@redhat.com, Stephen Smalley <sds@tycho.nsa.gov>,
	torvalds@osdl.org, akpm@osdl.org, steved@redhat.com,
	trond.myklebust@fys.uio.no, linux-fsdevel@vger.kernel.org,
	linux-cachefs@redhat.com, nfsv4@linux-nfs.org,
	linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 00/16] Permit filesystem local caching [try #3]
Date: Mon, 13 Aug 2007 14:44:40 -0700 (PDT)	[thread overview]
Message-ID: <462850.65153.qm@web36605.mail.mud.yahoo.com> (raw)
In-Reply-To: <16119.1187034756@redhat.com>


--- David Howells <dhowells@redhat.com> wrote:

> Casey Schaufler <casey@schaufler-ca.com> wrote:
> 
> > The specification of your push interface that the push operation
> > not affect how others access the process is OK for SELinux, but
> > not for any other MAC scheme that I've dealt with, and I think
> > that's most of them. Nuts. Smack, for example, uses exactly one
> > label on the process for all purposes.
> 
> It's a fairly important concept.  The victimisation security context on a
> process must not change, even if the kernel overrides the security context
> that that process acts as so that it can transparently do work on its behalf.
> 
> IMO, the right way to do this is to pass the security context directly to
> vfs_mkdir() and co.
> 
> > Are you concerned about accesses other than signals? Signals
> > could be staitforward to deal with in a pushed situation, but
> > I'd hesitate to say that the solution would generalize without
> > additional thought.
> 
> There's also /proc and ptrace() for example.  ps -z must not show the
> overridden state.
> 
> > > > >   (5) int security_xfrm_to_kernel_context(void *from, void **_to);
> > > > 
> > > > Woof. What are you transforming from? 
> > > 
> > > In CacheFiles case, the cachefilesd daemon's security label into the
> label
> > > the cache driver acts as on behalf of other processes.
> > 
> > I'm not sure I understand what this is doing.
> 
> CacheFiles consists of two parts: the kernel module which creates things in
> the cache and does accesses into the cache on behalf of processes that access
> cached filesystems, and the userspace daemon that builds cull tables and
> deletes things.
> 
> The reason there are two security labels is that the daemon's label gives it
> just enough rights to be able to do its job.  More or less all it can do is
> lookup, opendir, readdir, stat, rmdir, unlink and open the chardev for
> talking
> to the kernel module.  This means that the daemon can't, for example, be made
> to read or modify cache storage objects.
> 
> Thus means, however, that the daemon's label isn't sufficient for the kernel
> module to do its job.  But since there's no way for the kernel module to
> directly get a label (and indeed it doesn't know the label it needs), a
> transformation has to be applied that turns the process label used by the
> daemon into a process label that the kernel, and only the kernel, can use.
> 
> The kernel's label gives it, amongst other things, the additional rights to
> do
> mkdir, creat, open, read, write, setxattr, getxattr, rename - things the
> daemon isn't allowed to do.

With Smack you can leave the label alone, raise CAP_MAC_OVERRIDE,
do your business of setting the label correctly, and then drop
the capability. No new hooks required.


Casey Schaufler
casey@schaufler-ca.com

  reply	other threads:[~2007-08-13 21:45 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-08-10 16:04 David Howells
2007-08-10 16:05 ` [PATCH 01/16] FS-Cache: Release page->private after failed readahead " David Howells
2007-08-10 16:05 ` [PATCH 02/16] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2007-08-10 16:05 ` [PATCH 03/16] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2007-08-10 16:05 ` [PATCH 04/16] FS-Cache: Generic filesystem caching facility " David Howells
2007-08-10 16:05 ` [PATCH 05/16] CacheFiles: Add missing copy_page export for ia64 " David Howells
2007-08-10 16:05 ` [PATCH 06/16] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2007-08-10 16:05 ` [PATCH 07/16] CacheFiles: Permit the page lock state to be monitored " David Howells
2007-08-10 16:05 ` [PATCH 08/16] CacheFiles: Export things for CacheFiles " David Howells
2007-08-10 16:05 ` [PATCH 09/16] CacheFiles: Permit a process's create SID to be overridden " David Howells
2007-08-10 16:52   ` Casey Schaufler
2007-08-10 16:05 ` [PATCH 10/16] CacheFiles: Add an act-as SID override in task_security_struct " David Howells
2007-08-10 16:05 ` [PATCH 11/16] CacheFiles: Permit an inode's security ID to be obtained " David Howells
2007-08-10 16:05 ` [PATCH 12/16] CacheFiles: Get the SID under which the CacheFiles module should operate " David Howells
2007-08-10 16:06 ` [PATCH 13/16] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2007-08-10 16:06 ` [PATCH 14/16] NFS: Use local caching " David Howells
2007-08-10 16:06 ` [PATCH 15/16] NFS: Configuration and mount option changes to enable local caching on NFS " David Howells
2007-08-10 16:06 ` [PATCH 16/16] NFS: Display local caching state " David Howells
2007-08-10 22:13 ` [PATCH 00/16] Permit filesystem local caching " Casey Schaufler
2007-08-11  8:41   ` David Howells
2007-08-11 15:56     ` Casey Schaufler
2007-08-13 10:54       ` David Howells
2007-08-13 13:46         ` Casey Schaufler
2007-08-13 14:51           ` David Howells
2007-08-13 14:57             ` Stephen Smalley
2007-08-13 15:42               ` Casey Schaufler
2007-08-13 15:22             ` David Howells
2007-08-13 16:20               ` Casey Schaufler
2007-08-13 16:31                 ` David Howells
2007-08-13 16:58                   ` Casey Schaufler
2007-08-13 19:52                     ` David Howells
2007-08-13 21:44                       ` Casey Schaufler [this message]
2007-08-14  9:39                         ` David Howells
2007-08-14 15:53                           ` Casey Schaufler
2007-08-14 17:42                             ` Stephen Smalley
2007-08-15 16:30                               ` Casey Schaufler
2007-08-14 17:58                             ` David Howells
2007-08-14 17:50                         ` Stephen Smalley
2007-08-13 13:50         ` Stephen Smalley
2007-08-13 15:10           ` Casey Schaufler
2007-08-13 13:01       ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=462850.65153.qm@web36605.mail.mud.yahoo.com \
    --to=casey@schaufler-ca.com \
    --cc=akpm@osdl.org \
    --cc=dhowells@redhat.com \
    --cc=linux-cachefs@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nfsv4@linux-nfs.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=steved@redhat.com \
    --cc=torvalds@osdl.org \
    --cc=trond.myklebust@fys.uio.no \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome