Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2] | KernelTrap

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

view
thread

!MAILaRCHIVE_VOTE_RePLACE

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Casey Schaufler <casey@...>

To: David Howells <dhowells@...>, <casey@...>

Cc: <dhowells@...>, Stephen Smalley <sds@...>, Karl MacMillan <kmacmill@...>, <viro@...>, <hch@...>, <Trond.Myklebust@...>, <linux-kernel@...>, <selinux@...>, <linux-security-module@...>

Subject: Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

Date: Wednesday, December 12, 2007 - 3:44 pm

--- David Howells <dhowells@redhat.com> wrote:

quoted text> Casey Schaufler <casey@schaufler-ca.com> wrote:
> 
> > What sort of authorization are you thinking of? I would expect
> > that to have been done by cachefileselinuxcontext (or
> > cachefilesspiffylsmcontext) up in userspace. If you're going to
> > rely on userspace applications for policy enforcement they need
> > to be good enough to count on after all.
> 
> It can't be done in userspace, otherwise someone using the cachefilesd
> interface can pass an arbitrary context up.

Yes, but I would expect that interface to be protected (owned by root,
mode 0400). If /dev/cachefiles has to be publicly accessable make it
a privileged ioctl.

quoted text> The security context has to be
> passed across the file descriptor attached to /dev/cachefiles along with the
> other configuration parameters as a text string.

I got that.

quoted text> This fd selects the
> particular cache context that a particular instance of a running daemon is
> using.

Yes, but forgive me being slow, I don't see the problem.


Casey Schaufler
casey@schaufler-ca.com
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH 00/28] Permit filesystem local caching [try #2], David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 28/28] FS-Cache: Make kAFS use FS-Cache [try #2], David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 27/28] AFS: Implement shared-writable mmap [try #2], David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 26/28] AF_RXRPC: Save the operation ID for debugging ..., David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 25/28] AFS: Improve handling of a rejected writeback ..., David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 24/28] AFS: Add a function to excise a rejected write..., David Howells, (Wed Dec 5, 3:40 pm)

Re: [PATCH 24/28] AFS: Add a function to excise a rejected w..., Nick Piggin, (Fri Dec 14, 12:21 am)

[PATCH 23/28] AFS: Add TestSetPageError() [try #2], David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 22/28] fcrypt endianness misannotations [try #2], David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 21/28] NFS: Display local caching state [try #2], David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 20/28] NFS: Configuration and mount option changes to..., David Howells, (Wed Dec 5, 3:40 pm)

[PATCH 19/28] NFS: Use local caching [try #2], David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 18/28] CacheFiles: A cache that backs onto a mounted ..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 17/28] CacheFiles: Export things for CacheFiles [try ..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 16/28] CacheFiles: Permit the page lock state to be m..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 15/28] CacheFiles: Add a hook to write a single page ..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 14/28] CacheFiles: Be consistent about the use of map..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 13/28] CacheFiles: Add missing copy_page export for i..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 12/28] FS-Cache: Generic filesystem caching facility ..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 11/28] FS-Cache: Provide an add_wait_queue_tail() fun..., David Howells, (Wed Dec 5, 3:39 pm)

[PATCH 10/28] FS-Cache: Recruit a couple of page flags for c..., David Howells, (Wed Dec 5, 3:39 pm)

Re: [PATCH 10/28] FS-Cache: Recruit a couple of page flags f..., Nick Piggin, (Fri Dec 14, 12:08 am)

[PATCH 09/28] FS-Cache: Release page->private after faile..., David Howells, (Wed Dec 5, 3:39 pm)

Re: [PATCH 09/28] FS-Cache: Release page->private after f..., Nick Piggin, (Thu Dec 13, 11:51 pm)

[PATCH 08/28] SECURITY: Allow kernel services to override LS..., David Howells, (Wed Dec 5, 3:38 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Mon Dec 10, 12:46 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Dec 10, 1:07 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Mon Dec 10, 1:23 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Jan 9, 12:51 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Jan 9, 2:11 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Jan 14, 10:01 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Jan 15, 10:56 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Tue Jan 15, 12:03 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Tue Jan 15, 2:10 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Jan 15, 3:15 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Tue Jan 15, 5:55 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Tue Jan 15, 6:23 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Jan 15, 12:08 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Mon Jan 14, 10:52 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Jan 14, 11:19 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Jan 14, 10:06 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Jan 15, 10:58 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Jan 23, 4:52 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., James Morris, (Wed Jan 23, 6:03 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Jan 9, 2:56 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Jan 9, 3:19 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Thu Jan 10, 7:09 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Jan 9, 1:27 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Dec 10, 5:08 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Mon Dec 10, 5:27 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Mon Dec 10, 6:26 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Dec 10, 7:44 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Mon Dec 10, 7:56 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Dec 11, 2:34 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Tue Dec 11, 3:26 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Dec 11, 3:56 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Tue Dec 11, 4:40 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Mon Dec 10, 7:36 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Mon Dec 10, 7:46 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Dec 11, 3:52 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Dec 11, 3:37 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Tue Dec 11, 4:42 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Tue Dec 11, 5:18 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Tue Dec 11, 5:34 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Tue Dec 11, 6:43 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Tue Dec 11, 7:04 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 2:25 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Wed Dec 12, 3:20 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Dec 12, 3:35 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 6:55 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Thu Dec 13, 10:51 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Thu Dec 13, 12:03 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 3:29 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Dec 12, 11:25 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Wed Dec 12, 12:51 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 2:34 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Wed Dec 12, 3:44 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 6:32 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Dec 12, 3:49 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Wed Dec 12, 4:09 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 6:29 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Dec 12, 2:12 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 2:29 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Casey Schaufler, (Wed Dec 12, 3:37 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 6:52 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Wed Dec 12, 3:33 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 6:49 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Thu Dec 13, 10:49 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Thu Dec 13, 11:36 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Thu Dec 13, 12:23 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Thu Dec 13, 1:01 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Stephen Smalley, (Thu Dec 13, 1:27 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Thu Dec 13, 2:04 pm)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Karl MacMillan, (Wed Dec 12, 10:41 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., David Howells, (Wed Dec 12, 10:53 am)

Re: [PATCH 08/28] SECURITY: Allow kernel services to overrid..., Karl MacMillan, (Wed Dec 12, 10:59 am)

[PATCH 07/28] SECURITY: De-embed task security record from t..., David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 06/28] SECURITY: Separate task security context from ..., David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 05/28] Security: Change current->fs[ug]id to curre..., David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 04/28] KEYS: Add keyctl function to get a security la..., David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 03/28] KEYS: Allow the callout data to be passed as a..., David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 02/28] KEYS: Check starting keyring as part of search..., David Howells, (Wed Dec 5, 3:38 pm)

[PATCH 01/28] KEYS: Increase the payload size when instantia..., David Howells, (Wed Dec 5, 3:38 pm)

Navigation

Popular discussions


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Paul Jackson	Re: cpuset-remove-sched-domain-hooks-from-cpusets
James Bruce	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Hidehiro Kawai	[PATCH 0/5] jbd: possible filesystem corruption fixes (take 2)
git:

linux-netdev:
Paul E. McKenney	Re: iptables very slow after commit 784544739a25c30637397ace5489eeb6e15d7d49
Gerrit Renker	[PATCH 34/37] dccp: Auto-load (when supported) CCID plugins for negotiation
Jarek Poplawski	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Alexey Dobriyan	Re: [GIT]: Networking
openbsd-misc:

Colocation donated by:

Who's online

There are currently 7 users and 932 guests online.

Online users

Syndicate