Hi Christoph,
On Mon, Aug 02, 2010 at 08:24:21AM -0400, Christoph Hellwig wrote:
I would love to have these "hacks" in the subsystem directly. But no one
has stepped forward to decode Al Viro's hints.
I'm getting pretty tired of moving this logic back and forth between the
subsystems and an LSM. You yourself told me to put these things in an
LSM[1], and yet now you're saying I shouldn't.
This is patently false. "Very clear advice" would have included actionable
instructions. He (and everyone else) has ignored my requests for
clarification[2]. If you see how the check should be implemented, please
send a patch demonstrating how. I would greatly prefer having these
protections in the VFS itself.
I can see how one might disagree with it, but anyone who handles day-to-day
security threats understands this protection to be a clear and obvious
solution for the past decade.
I've seen two so far. Both are addressed with a one line fix. And I would
stress that no other existing subsystem in the kernel can provide the same
level of control that my ptrace exception logic provides. SELinux cannot do
this.
This advice is precisely counter to prior advise. It would seem that no one
knows how to handle these patches. I find it very simple; either:
- let me put them in an LSM that people can choose to enable
- help me get the patches into shape for the subsystems directly
Since the latter has been repeatedly denied, the former was suggested to
me, which I implemented. The option "give up" is not available to me.
Perhaps there is another option I could choose from so I can get these
protections into the mainline kernel?
-Kees
[1] http://lkml.org/lkml/2010/6/1/78
[2] http://lkml.org/lkml/2010/6/4/44
--
Kees Cook
Ubuntu Security Team
--
