From: Casey Schaufler <casey@schaufler-ca.com> To: "Serge E. Hallyn" <serge@hallyn.com>, Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: "Matt Brown" <matt@nmatt.com>, "Salvatore Mesoraca" <s.mesoraca16@gmail.com>, "Mickaël Salaün" <mic@digikod.net>, "kernel list" <linux-kernel@vger.kernel.org>, linux-security-module <linux-security-module@vger.kernel.org>, "Kernel Hardening" <kernel-hardening@lists.openwall.com>, "Brad Spengler" <spender@grsecurity.net>, "PaX Team" <pageexec@freemail.hu>, "Kees Cook" <keescook@chromium.org>, "James Morris" <james.l.morris@oracle.com> Subject: Re: [kernel-hardening] [PATCH 00/11] S.A.R.A. a new stacked LSM Date: Sun, 23 Jul 2017 17:58:56 -0700 [thread overview] Message-ID: <6be222da-79b3-b406-53c9-10ee691bb9c6@schaufler-ca.com> (raw) In-Reply-To: <20170713195106.GD4895@mail.hallyn.com> On 7/13/2017 12:51 PM, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com): >> On Thu, 2017-07-13 at 08:39 -0400, Matt Brown wrote: >> The question is really from a security perspective which is better? >> Obviously, as v2 of the patch set changed from using pathnames to >> inodes, it's pretty clear that I think inodes would be better. Kees, >> Serge, Casey any comments? > Yes, inode seems clearly better. Paths are too easily worked around. An inode identifies the object, while a pathname identifies the intent. Using the inode will be easier to code and easier to model. Using the pathname will be much more likely to reflect what the human means to accomplish, provided all the idiosyncrasies of the Linux filesystem namespace are taken into account. Ever since the link count on an inode was allowed to exceed 1* this has been difficult to accomplish. ---- * The link count has always been allowed to exceed 1. Then there are symlinks, mount points, overlay filesystems and all manner of other slick features that make the filesystem namespace difficult to deal with from the security standpoint. > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >
WARNING: multiple messages have this Message-ID (diff)
From: casey@schaufler-ca.com (Casey Schaufler) To: linux-security-module@vger.kernel.org Subject: [kernel-hardening] [PATCH 00/11] S.A.R.A. a new stacked LSM Date: Sun, 23 Jul 2017 17:58:56 -0700 [thread overview] Message-ID: <6be222da-79b3-b406-53c9-10ee691bb9c6@schaufler-ca.com> (raw) In-Reply-To: <20170713195106.GD4895@mail.hallyn.com> On 7/13/2017 12:51 PM, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zohar at linux.vnet.ibm.com): >> On Thu, 2017-07-13 at 08:39 -0400, Matt Brown wrote: >> The question is really from a security perspective which is better? >> Obviously, as v2 of the patch set changed from using pathnames to >> inodes, it's pretty clear that I think inodes would be better. Kees, >> Serge, Casey any comments? > Yes, inode seems clearly better. Paths are too easily worked around. An inode identifies the object, while a pathname identifies the intent. Using the inode will be easier to code and easier to model. Using the pathname will be much more likely to reflect what the human means to accomplish, provided all the idiosyncrasies of the Linux filesystem namespace are taken into account. Ever since the link count on an inode was allowed to exceed 1* this has been difficult to accomplish. ---- * The link count has always been allowed to exceed 1. Then there are symlinks, mount points, overlay filesystems and all manner of other slick features that make the filesystem namespace difficult to deal with from the security standpoint. > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo at vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-24 0:59 UTC|newest] Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-06-12 16:56 [PATCH 00/11] S.A.R.A. a new stacked LSM Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 01/11] S.A.R.A. Documentation Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 17:49 ` [kernel-hardening] " Jann Horn 2017-06-12 17:49 ` Jann Horn 2017-06-13 7:43 ` Salvatore Mesoraca 2017-06-13 7:43 ` Salvatore Mesoraca 2017-06-27 22:51 ` Kees Cook 2017-06-27 22:51 ` [kernel-hardening] " Kees Cook 2017-06-27 22:51 ` Kees Cook 2017-06-27 22:54 ` Kees Cook 2017-06-27 22:54 ` [kernel-hardening] " Kees Cook 2017-06-27 22:54 ` Kees Cook 2017-07-04 10:12 ` Salvatore Mesoraca 2017-07-04 10:12 ` [kernel-hardening] " Salvatore Mesoraca 2017-07-04 10:12 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 02/11] S.A.R.A. framework creation Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 03/11] Creation of "usb_device_auth" LSM hook Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 17:35 ` Krzysztof Opasiak 2017-06-12 17:35 ` [kernel-hardening] " Krzysztof Opasiak 2017-06-12 17:35 ` Krzysztof Opasiak 2017-06-13 7:47 ` Salvatore Mesoraca 2017-06-13 7:47 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-13 7:47 ` Salvatore Mesoraca 2017-06-12 19:38 ` Greg Kroah-Hartman 2017-06-12 19:38 ` [kernel-hardening] " Greg Kroah-Hartman 2017-06-12 19:38 ` Greg Kroah-Hartman 2017-06-13 7:50 ` Salvatore Mesoraca 2017-06-13 7:50 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-13 7:50 ` Salvatore Mesoraca 2017-06-12 21:31 ` Casey Schaufler 2017-06-12 21:31 ` [kernel-hardening] " Casey Schaufler 2017-06-12 21:31 ` Casey Schaufler 2017-06-13 7:51 ` Salvatore Mesoraca 2017-06-13 7:51 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-13 7:51 ` Salvatore Mesoraca 2017-06-13 1:15 ` kbuild test robot 2017-06-13 1:15 ` [kernel-hardening] " kbuild test robot 2017-06-13 1:15 ` kbuild test robot 2017-06-13 3:11 ` kbuild test robot 2017-06-13 3:11 ` [kernel-hardening] " kbuild test robot 2017-06-13 3:11 ` kbuild test robot 2017-06-12 16:56 ` [PATCH 04/11] S.A.R.A. USB Filtering Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-20 7:07 ` Pavel Machek 2017-06-20 7:07 ` [kernel-hardening] " Pavel Machek 2017-06-20 7:53 ` Salvatore Mesoraca 2017-06-20 7:53 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-20 7:53 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 05/11] Creation of "check_vmflags" LSM hook Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 21:31 ` Casey Schaufler 2017-06-12 21:31 ` [kernel-hardening] " Casey Schaufler 2017-06-12 21:31 ` Casey Schaufler 2017-06-12 21:31 ` Casey Schaufler 2017-06-13 7:55 ` Salvatore Mesoraca 2017-06-13 7:55 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-13 7:55 ` Salvatore Mesoraca 2017-06-13 7:55 ` Salvatore Mesoraca 2017-06-13 6:34 ` Christoph Hellwig 2017-06-13 6:34 ` [kernel-hardening] " Christoph Hellwig 2017-06-13 6:34 ` Christoph Hellwig 2017-06-13 6:34 ` Christoph Hellwig 2017-06-13 7:52 ` Salvatore Mesoraca 2017-06-13 7:52 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-13 7:52 ` Salvatore Mesoraca 2017-06-13 7:52 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 06/11] S.A.R.A. cred blob management Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 07/11] S.A.R.A. WX Protection Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 08/11] Creation of "pagefault_handler_x86" LSM hook Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 17:32 ` Thomas Gleixner 2017-06-12 17:32 ` [kernel-hardening] " Thomas Gleixner 2017-06-12 17:32 ` Thomas Gleixner 2017-06-13 7:41 ` Salvatore Mesoraca 2017-06-13 7:41 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-13 7:41 ` Salvatore Mesoraca 2017-06-12 16:56 ` [PATCH 09/11] Trampoline emulation Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-13 0:02 ` kbuild test robot 2017-06-13 0:02 ` [kernel-hardening] " kbuild test robot 2017-06-13 0:02 ` kbuild test robot 2017-06-12 16:56 ` [PATCH 10/11] Allowing for stacking procattr support in S.A.R.A Salvatore Mesoraca 2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:56 ` Salvatore Mesoraca 2017-06-12 16:57 ` [PATCH 11/11] S.A.R.A. WX Protection procattr interface Salvatore Mesoraca 2017-06-12 16:57 ` [kernel-hardening] " Salvatore Mesoraca 2017-06-12 16:57 ` Salvatore Mesoraca 2017-07-09 19:35 ` [kernel-hardening] [PATCH 00/11] S.A.R.A. a new stacked LSM Mickaël Salaün 2017-07-10 7:59 ` Salvatore Mesoraca 2017-07-10 7:59 ` Salvatore Mesoraca 2017-07-10 23:40 ` Mickaël Salaün 2017-07-11 16:58 ` Salvatore Mesoraca 2017-07-11 16:58 ` Salvatore Mesoraca 2017-07-11 17:49 ` Matt Brown 2017-07-11 17:49 ` Matt Brown 2017-07-11 19:31 ` Mimi Zohar 2017-07-11 19:31 ` Mimi Zohar 2017-07-13 12:39 ` Matt Brown 2017-07-13 12:39 ` Matt Brown 2017-07-13 15:19 ` Mimi Zohar 2017-07-13 15:19 ` Mimi Zohar 2017-07-13 19:51 ` Serge E. Hallyn 2017-07-13 19:51 ` Serge E. Hallyn 2017-07-13 22:33 ` Matt Brown 2017-07-13 22:33 ` Matt Brown 2017-07-24 0:58 ` Casey Schaufler [this message] 2017-07-24 0:58 ` Casey Schaufler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=6be222da-79b3-b406-53c9-10ee691bb9c6@schaufler-ca.com \ --to=casey@schaufler-ca.com \ --cc=james.l.morris@oracle.com \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=matt@nmatt.com \ --cc=mic@digikod.net \ --cc=pageexec@freemail.hu \ --cc=s.mesoraca16@gmail.com \ --cc=serge@hallyn.com \ --cc=spender@grsecurity.net \ --cc=zohar@linux.vnet.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.