login
Login / Register
Header Space

 
 

Home » Mailing list archives » linux-fsdevel » 2008 » February » 29

Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name

Score:
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Stephen Smalley <sds@...>
To: Christoph Hellwig <hch@...>
Cc: Dave Quigley <dpquigl@...>, <casey@...>, <viro@...>, <trond.myklebust@...>, <bfields@...>, <linux-kernel@...>, <linux-fsdevel@...>, LSM List <linux-security-module@...>
Subject: Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name
Date: Friday, February 29, 2008 - 9:30 am

On Thu, 2008-02-28 at 20:00 -0500, Christoph Hellwig wrote:

Possibly I'm missing something, but if I'm implementing a security
module that has any security attribute at all, e.g. capability module
with security.capability, and I see a hook called "get_security_blob" or
"get_security_attr" or the like, I'll implement that hook and return my
attribute there.  Which in turn will _break_ the labeled NFS
functionality because it is expecting a MAC label specifically.

The whole point here is that we do not want modules like capability to
return their security attributes here, because this is to support
labeled NFS functionality in support of enforcing MAC.

I don't especially care about the hook name per se, but the interface
(whatever it may be) needs to convey the proper semantics, and the
semantics truly are MAC specific (and should be).


-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
RFC Labeled NFS Initial Code Review, David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: RFC Labeled NFS Initial Code Review, Dave Quigley, (Wed Feb 27, 9:23 pm)
Re: RFC Labeled NFS Initial Code Review, Dave Quigley, (Wed Feb 27, 8:48 pm)
[PATCH 08/11] NFS: Introduce lifecycle management for label ..., David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: [PATCH 08/11] NFS: Introduce lifecycle management for la..., Dave Quigley, (Thu Feb 28, 12:46 pm)
Re: [PATCH 08/11] NFS: Introduce lifecycle management for la..., James Morris, (Thu Feb 28, 12:13 am)
Re: [PATCH 08/11] NFS: Introduce lifecycle management for la..., Dave Quigley, (Thu Feb 28, 12:24 pm)
[PATCH 07/11] NFS/SELinux: Add security_label text mount opt..., David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: [PATCH 07/11] NFS/SELinux: Add security_label text mount..., Eric Paris, (Thu Feb 28, 10:22 am)
[PATCH 06/11] SELinux: Add new labeling type native labels, David P. Quigley, (Wed Feb 27, 6:11 pm)
[PATCH 05/11] NFSv4: Add label recommended attribute and NFS..., David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: [PATCH 05/11] NFSv4: Add label recommended attribute and..., James Morris, (Wed Feb 27, 9:52 pm)
Re: [PATCH 05/11] NFSv4: Add label recommended attribute and..., Stephen Smalley, (Thu Feb 28, 9:55 am)
Re: [PATCH 05/11] NFSv4: Add label recommended attribute and..., Dave Quigley, (Wed Feb 27, 9:45 pm)
[PATCH 04/11] KConfig: Add KConfig entries for SELinux label..., David P. Quigley, (Wed Feb 27, 6:11 pm)
[PATCH 03/11] VFS: Add security label support to *notify, David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Christoph Hellwig, (Thu Feb 28, 7:54 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Dave Quigley, (Thu Feb 28, 7:44 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Christoph Hellwig, (Thu Feb 28, 8:23 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Dave Quigley, (Fri Feb 29, 4:19 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Dave Quigley, (Thu Feb 28, 9:52 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Dave Quigley, (Thu Feb 28, 8:06 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, James Morris, (Wed Feb 27, 9:20 pm)
Re: [PATCH 03/11] VFS: Add security label support to *notify, Dave Quigley, (Thu Feb 28, 12:07 pm)
[PATCH 02/11] Security: Add hook to calculate context based ..., David P. Quigley, (Wed Feb 27, 6:11 pm)
[PATCH 01/11] Security: Add hook to get full maclabel xattr ..., David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Fri Feb 29, 5:50 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Wed Feb 27, 7:42 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Wed Feb 27, 8:12 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Wed Feb 27, 9:07 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Stephen Smalley, (Thu Feb 28, 9:43 am)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 3:23 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Stephen Smalley, (Thu Feb 28, 3:30 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Christoph Hellwig, (Thu Feb 28, 7:48 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Stephen Smalley, (Fri Feb 29, 9:31 am)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 1:52 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 8:04 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., James Morris, (Thu Feb 28, 9:15 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 9:04 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 8:52 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 10:29 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 10:09 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Christoph Hellwig, (Thu Feb 28, 8:39 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 8:32 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 9:47 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., James Morris, (Thu Feb 28, 10:15 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 9:33 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Christoph Hellwig, (Thu Feb 28, 9:00 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Stephen Smalley, (Fri Feb 29, 9:30 am)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Stephen Smalley, (Fri Feb 29, 10:45 am)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 8:42 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 10:07 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Thu Feb 28, 9:48 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Thu Feb 28, 8:50 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 9:26 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Fri Feb 29, 1:01 am)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 1:26 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Christoph Hellwig, (Thu Feb 28, 8:51 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Thu Feb 28, 9:00 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 9:55 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Fri Feb 29, 1:04 am)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 1:46 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Fri Feb 29, 2:28 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 2:52 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Fri Feb 29, 3:50 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 5:07 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Trond Myklebust, (Fri Feb 29, 8:09 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 8:41 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Fri Feb 29, 5:00 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 6:27 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Dave Quigley, (Fri Feb 29, 6:15 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Fri Feb 29, 6:58 pm)
Re: [PATCH 01/11] Security: Add hook to get full maclabel xa..., Casey Schaufler, (Thu Feb 28, 3:59 pm)
[PATCH 11/11] NFSD: Server implementation of MAC Labeling, David P. Quigley, (Wed Feb 27, 6:11 pm)
Re: [PATCH 11/11] NFSD: Server implementation of MAC Labeling, James Morris, (Wed Feb 27, 9:46 pm)
[PATCH 10/11] NFS: Extend nfs xattr handlers to accept the s..., David P. Quigley, (Wed Feb 27, 6:11 pm)
[PATCH 09/11] NFS: Client implementation of Labeled-NFS, David P. Quigley, (Wed Feb 27, 6:11 pm)

Mail archive search
Enter your search terms.
Optionally limit your search to a specific mailing list.
advanced
Colocation donated by:
Who's online
There are currently 5 users and 1385 guests online.

Online users

Syndicate
Syndicate content
© 2007 KernelTrap.  |  Powered by Drupal.  |  Legal statement.
speck-geostationary