From: Chris PeBenito <pebenito@ieee.org>
To: Stephen Smalley <stephen.smalley.work@gmail.com>,
Paul Moore <paul@paul-moore.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Jeffrey Vander Stoep <jeffv@google.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH] selinux: use SECINITSID_KERNEL as the subj/obj in the lockdown hook
Date: Sat, 25 Sep 2021 17:07:41 -0400 [thread overview]
Message-ID: <38bc94ba-b200-e141-2423-6c7f64234a10@ieee.org> (raw)
In-Reply-To: <CAEjxPJ7wkCyPZb7h3C_U3zVmJtiVtm4FAi5K+6U7kS63g0Vm-w@mail.gmail.com>
On 9/24/21 11:12 AM, Stephen Smalley wrote:
> On Fri, Sep 24, 2021 at 10:22 AM Paul Moore <paul@paul-moore.com> wrote:
>>> On Thu, Sep 23, 2021 at 5:18 PM Paul Moore <paul@paul-moore.com> wrote:
>>>> The original SELinux lockdown implementation in 59438b46471a
>>>> ("security,lockdown,selinux: implement SELinux lockdown") used the
>>>> current task's credentials as both the subject and object in the
>>>> SELinux lockdown hook, selinux_lockdown(). Unfortunately that
>>>> proved to be incorrect in a number of cases as the core kernel was
>>>> calling the LSM lockdown hook in places where the credentials from
>>>> the "current" task_struct were not the correct credentials to use
>>>> in the SELinux access check.
>>>>
>>>> Attempts were made to resolve this by adding a credential pointer
>>>> to the LSM lockdown hook as well as suggesting that the single hook
>>>> be split into two: one for user tasks, one for kernel tasks; however
>>>> neither approach was deemed acceptable by Linus.
>>>>
>>>> In order to resolve the problem of an incorrect SELinux domain being
>>>> used in the lockdown check, this patch makes the decision to perform
>>>> all of the lockdown access control checks against the
>>>> SECINITSID_KERNEL domain. This is far from ideal, but it is what
>>>> we have available to us at this point in time.
> Can we get Linux distro and Android folks to speak as to whether they
> consider the check in this reduced form to still be useful or whether
> we should just remove it altogether?
FWIW, I think the check should be removed.
--
Chris PeBenito
next prev parent reply other threads:[~2021-09-25 21:07 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-23 21:18 [RFC PATCH] selinux: use SECINITSID_KERNEL as the subj/obj in the lockdown hook Paul Moore
2021-09-24 13:08 ` Stephen Smalley
2021-09-24 14:22 ` Paul Moore
2021-09-24 15:12 ` Stephen Smalley
2021-09-24 16:38 ` Ondrej Mosnacek
2021-09-24 19:10 ` Paul Moore
2021-09-24 19:03 ` Paul Moore
2021-09-25 21:07 ` Chris PeBenito [this message]
2021-09-27 14:07 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=38bc94ba-b200-e141-2423-6c7f64234a10@ieee.org \
--to=pebenito@ieee.org \
--cc=jeffv@google.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.