Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Paul Moore

Subject: Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

Date: Tuesday, September 4, 2007 - 4:53 am

On Monday 03 September 2007 9:15:27 am Tetsuo Handa wrote:
quoted text> Hello.

Hi.

quoted text> Paul Moore wrote:
> > I apologize for not recognizing your approach from our earlier discussion
> > on the LSM mailing list in July.  Unfortunately, I have the same
> > objections to these changes that I did back then and from what I can
> > recall of the discussion the rest of the kernel networking community
> > agreed that these changes are not the preferred way of solving this
> > problem.  We offered suggestions on how to accomplish your goals in a way
> > that would be acceptable upstream and I would encourage you to
> > investigate those options further.
>
> When I proposed a patch in July, I was patching at post-copy_to_user() step
> (i.e. after sock_recvmsg()).
> This approach messed up user-supplied buffer.
>
> This time, I'm patching at pre-copy_to_user() step
> (i.e. at skb_recv_datagram()).
> This approach doesn't mess up user-supplied buffer.
> I think this is a cleaner way than the previous patch.

It might be cleaner than your previous patch but it ignores some of the more 
important points that were brought up by the community in previous 
discussions.

quoted text> Although read() gets an error when select() said "read ready",
> I can't find other place to use for accomplishing my goals.
>
> By the way, similar thing can happen when select() against
> a file descriptor said "read ready" but read() gets an error
> if security policy or security-id of the file has changed
> between select() and read(), isn't it?
> And such behavior is acceptable, isn't it?
> If such behavior can happen and is acceptable and *preferable*,
> I think checking permission at dequeue time (i.e. skb_recv_datagram())
> is *preferable* way than checking permission at enqueue time
> (i.e. socket_sock_rcv_skb()).

As mentioned before that problem with enforcing access control at "dequeue" 
time is that the system has already accepted the packet from the remote 
host - how do you plan to deal with these unacceptable/bad packets sitting on 
a socket, waiting to be read by a process which does not have access to them?  
What about connection oriented sockets where the remote host will assume 
everything is okay and continue blasting the machine with more, illegal 
packets?  If you aren't going to allow the socket/application to read the 
packet, never allow the system to accept it in the first place.

The *preferable* solution, as previously stated before by several people, is 
to investigate other access control methods like the netfilter userspace 
queue mechanism.  At the very least, please explain how the approaches we 
proposed will not accomplish what you require.

-- 
paul moore
linux security @ hp
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[TOMOYO 00/15] TOMOYO Linux - MAC based on process invocat ..., Kentaro Takeda, (Fri Aug 24, 5:41 am)

[TOMOYO 01/15] Allow use of namespace_sem from LSM module., Kentaro Takeda, (Fri Aug 24, 5:44 am)

[TOMOYO 02/15] Kconfig and Makefile for TOMOYO Linux., Kentaro Takeda, (Fri Aug 24, 5:45 am)

[TOMOYO 03/15] Data structures and prototypes definition., Kentaro Takeda, (Fri Aug 24, 5:46 am)

[TOMOYO 04/15] Memory and pathname management functions., Kentaro Takeda, (Fri Aug 24, 5:48 am)

[TOMOYO 05/15] Utility functions and /proc interface for p ..., Kentaro Takeda, (Fri Aug 24, 5:49 am)

Re: [TOMOYO 02/15] Kconfig and Makefile for TOMOYO Linux., Jiri Kosina, (Fri Aug 24, 5:50 am)

[TOMOYO 06/15] Domain transition handler functions., Kentaro Takeda, (Fri Aug 24, 5:50 am)

[TOMOYO 07/15] Auditing interface., Kentaro Takeda, (Fri Aug 24, 5:52 am)

[TOMOYO 08/15] File access control functions., Kentaro Takeda, (Fri Aug 24, 5:53 am)

[TOMOYO 09/15] Argv[0] access control functions., Kentaro Takeda, (Fri Aug 24, 5:53 am)

[TOMOYO 10/15] Networking access control functions., Kentaro Takeda, (Fri Aug 24, 5:54 am)

[TOMOYO 11/15] Namespace manipulation control functions., Kentaro Takeda, (Fri Aug 24, 5:55 am)

[TOMOYO 12/15] Signal transmission control functions., Kentaro Takeda, (Fri Aug 24, 5:56 am)

[TOMOYO 13/15] LSM adapter for TOMOYO., Kentaro Takeda, (Fri Aug 24, 5:56 am)

[TOMOYO 14/15] Conditional permission support., Kentaro Takeda, (Fri Aug 24, 5:57 am)

[TOMOYO 15/15] LSM expansion for TOMOYO Linux., Kentaro Takeda, (Fri Aug 24, 5:58 am)

Re: [TOMOYO 14/15] Conditional permission support., Pavel Machek, (Sat Aug 25, 4:08 am)

Re: [TOMOYO 14/15] Conditional permission support., Toshiharu Harada, (Sat Aug 25, 3:46 pm)

Re: [TOMOYO 14/15] Conditional permission support., Tetsuo Handa, (Sat Aug 25, 7:13 pm)

Re: [TOMOYO 14/15] Conditional permission support., Kyle Moffett, (Mon Aug 27, 5:11 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Mon Aug 27, 7:49 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Tue Aug 28, 3:39 am)

Re: [TOMOYO 14/15] Conditional permission support., Tetsuo Handa, (Tue Aug 28, 6:00 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Tue Aug 28, 6:21 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Mon Sep 3, 6:15 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Tue Sep 4, 4:53 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Tue Sep 4, 7:02 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Kyle Moffett, (Tue Sep 4, 7:13 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Wed Sep 5, 7:06 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Thu Sep 6, 6:04 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Thu Sep 6, 8:25 am)


linux-kernel:
David Howells	[PATCH] KEYS: Use the variable 'key' in keyctl_describe_key()
Greg Kroah-Hartman	[PATCH 17/36] sysdev: detect multiple driver registrations
Sam Ravnborg	Re: [PATCH] kbuild: fix make V=1
Pierre Ossman	Re: sdio: enhance IO_RW_EXTENDED support
Nick Piggin	Re: [PATCH 0/24] make atomic_read() behave consistently across all architectures
git:
Mark Junker	git on MacOSX and files with decomposed utf-8 file names
Pat Thoyts	[PATCH] git-gui: use themed tk widgets with Tk 8.5
Johannes Schindelin	Re: [PATCH 2/2] git-svn: support fetch with autocrlf on
Jonathan Nieder	Re: [PATCH v2] git-send-email.perl: fix In-Reply-To for second and subsequent patc...
Stephen R. van den Berg	Re: [RFC] origin link for cherry-pick and revert
git-commits-head:
Linux Kernel Mailing List	ipv6: fix an oops when force unload ipv6 module
Linux Kernel Mailing List	tracing: protect reader of cmdline output
Linux Kernel Mailing List	KVM: VMX: Clear CR4.VMXE in hardware_disable
Linux Kernel Mailing List	kconfig: recalc symbol value before showing search results
Linux Kernel Mailing List	USB: set correct configuration in probe of ti_usb_3410_5052
linux-netdev:
David Miller	Re: [PATCH 32/53] netns xfrm: finding policy in netns
Jan Engelhardt	[PATCH 1/3] net: tcp: make hybla selectable as default congestion module
Lennert Buytenhek	Re: Distributed Switch Architecture(DSA)
Daniel Schaffrath	Re: tcp bw in 2.6
Matt Mackall	Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference
openbsd-misc:
Stas Miasnikou	Re: Another question: device naming convention
Community First Financial	Teacher A+ Loan
Andrej Elizarov	Re: Web Browsers
Josh Grosse	ssh/sshd challenge-response seems to have stopped working in -current
Tomas Bodzar	bsd: uvm_mapent_alloc: out of static map entries