A potential issue in security_inode_init_security function

A potential issue in security_inode_init_security function

[Boshi Wang]

In security_inode_init_security function of security/security.c, lsm_xattr can be modified by multiple functions due to call_init_hook function. I think that it is a potential issue when inode_init_security list is associated with more security modules, although inode_init_security list is associated with only selinux and smack currrently and the two security modules usually are not used at the same time.


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

A potential issue in security_inode_init_security function

[Casey Schaufler]

On 9/29/2017 5:37 AM, Boshi Wang wrote:
> In security_inode_init_security function of security/security.c, lsm_xattr can be modified by multiple functions due to call_init_hook function. I think that it is a potential issue when inode_init_security list is associated with more security modules, although inode_init_security list is associated with only selinux and smack currrently and the two security modules usually are not used at the same time.

Yes, this needs significant work for SELinux and Smack to work
together. Work is in progress on security module stacking. Please
see the current state of  this work at

	git://github.com/cschaufler/smack-next#stacking-4.13-rc2

Updates for 4.15 are in progress.

>
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at? http://vger.kernel.org/majordomo-info.html
>


.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

A potential issue in security_inode_init_security function

[Boshi Wang]

Thank you for your reply. I await the update.


On 2017/9/30 1:47, Casey Schaufler wrote:
> On 9/29/2017 5:37 AM, Boshi Wang wrote:
>> In security_inode_init_security function of security/security.c, lsm_xattr can be modified by multiple functions due to call_init_hook function. I think that it is a potential issue when inode_init_security list is associated with more security modules, although inode_init_security list is associated with only selinux and smack currrently and the two security modules usually are not used at the same time.
> Yes, this needs significant work for SELinux and Smack to work
> together. Work is in progress on security module stacking. Please
> see the current state of  this work at
>
> 	git://github.com/cschaufler/smack-next#stacking-4.13-rc2
>
> Updates for 4.15 are in progress.
>
>>
>> -- 
>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>> the body of a message to majordomo at vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
> .


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html