From: Casey Schaufler <casey@schaufler-ca.com> To: David Howells <dhowells@redhat.com>, Andy Lutomirski <luto@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk>, raven@themaw.net, Linux FS Devel <linux-fsdevel@vger.kernel.org>, Linux API <linux-api@vger.kernel.org>, linux-block@vger.kernel.org, keyrings@vger.kernel.org, LSM List <linux-security-module@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, casey@schaufler-ca.com Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] Date: Tue, 4 Jun 2019 14:11:45 -0700 [thread overview] Message-ID: <3ca991d1-4056-c45b-dbae-9976fb5d81e0@schaufler-ca.com> (raw) In-Reply-To: <1207.1559680778@warthog.procyon.org.uk> On 6/4/2019 1:39 PM, David Howells wrote: > Andy Lutomirski <luto@kernel.org> wrote: > >>> Here's a set of patches to add a general variable-length notification queue >>> concept and to add sources of events for: >> I asked before and didn't see a response, so I'll ask again. Why are you >> paying any attention at all to the creds that generate an event? > Casey responded to you. It's one of his requirements. Process A takes an action. As a result of that action, an event is written to Process B's event buffer. This isn't a covert channel, it's a direct access, just like sending a signal. Process A is the subject and the event buffer, which is part of Process B, is the object. > I'm not sure of the need, and I particularly don't like trying to make > indirect destruction events (mount destruction keyed on fput, for instance) > carry the creds of the triggerer. Indeed, the trigger can come from all sorts > of places - including af_unix queue destruction, someone poking around in > procfs, a variety of processes fputting simultaneously. Only one of them can > win, and the LSM needs to handle *all* the possibilities. Yes, it's a hairy problem. It was a significant factor in the demise of kdbus. > However, the LSMs (or at least SELinux) ignore f_cred and use current_cred() > when checking permissions. See selinux_revalidate_file_permission() for > example - it uses current_cred() not file->f_cred to re-evaluate the perms, > and the fd might be shared between a number of processes with different creds. > >> This seems like the wrong approach. If an LSM wants to prevent covert >> communication from, say, mount actions, then it shouldn't allow the >> watch to be set up in the first place. > Yeah, I can agree to that. Casey? Back to your earlier point, you don't know where the event is coming from when you create the event watch. If you enforce a watch time, what are you going to check? Isn't this going to be considered too restrictive?
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com> To: David Howells <dhowells@redhat.com>, Andy Lutomirski <luto@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk>, raven@themaw.net, Linux FS Devel <linux-fsdevel@vger.kernel.org>, Linux API <linux-api@vger.kernel.org>, linux-block@vger.kernel.org, keyrings@vger.kernel.org, LSM List <linux-security-module@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, casey@schaufler-ca.com Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] Date: Tue, 04 Jun 2019 21:11:45 +0000 [thread overview] Message-ID: <3ca991d1-4056-c45b-dbae-9976fb5d81e0@schaufler-ca.com> (raw) In-Reply-To: <1207.1559680778@warthog.procyon.org.uk> On 6/4/2019 1:39 PM, David Howells wrote: > Andy Lutomirski <luto@kernel.org> wrote: > >>> Here's a set of patches to add a general variable-length notification queue >>> concept and to add sources of events for: >> I asked before and didn't see a response, so I'll ask again. Why are you >> paying any attention at all to the creds that generate an event? > Casey responded to you. It's one of his requirements. Process A takes an action. As a result of that action, an event is written to Process B's event buffer. This isn't a covert channel, it's a direct access, just like sending a signal. Process A is the subject and the event buffer, which is part of Process B, is the object. > I'm not sure of the need, and I particularly don't like trying to make > indirect destruction events (mount destruction keyed on fput, for instance) > carry the creds of the triggerer. Indeed, the trigger can come from all sorts > of places - including af_unix queue destruction, someone poking around in > procfs, a variety of processes fputting simultaneously. Only one of them can > win, and the LSM needs to handle *all* the possibilities. Yes, it's a hairy problem. It was a significant factor in the demise of kdbus. > However, the LSMs (or at least SELinux) ignore f_cred and use current_cred() > when checking permissions. See selinux_revalidate_file_permission() for > example - it uses current_cred() not file->f_cred to re-evaluate the perms, > and the fd might be shared between a number of processes with different creds. > >> This seems like the wrong approach. If an LSM wants to prevent covert >> communication from, say, mount actions, then it shouldn't allow the >> watch to be set up in the first place. > Yeah, I can agree to that. Casey? Back to your earlier point, you don't know where the event is coming from when you create the event watch. If you enforce a watch time, what are you going to check? Isn't this going to be considered too restrictive?
next prev parent reply other threads:[~2019-06-04 21:11 UTC|newest] Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-06-04 16:34 [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] David Howells 2019-06-04 16:34 ` David Howells 2019-06-04 16:35 ` [PATCH 1/8] security: Override creds in __fput() with last fputter's creds " David Howells 2019-06-04 16:35 ` David Howells 2019-06-04 16:35 ` David Howells 2019-06-04 18:15 ` Andy Lutomirski 2019-06-04 18:15 ` Andy Lutomirski 2019-06-04 16:35 ` [PATCH 2/8] General notification queue with user mmap()'able ring buffer " David Howells 2019-06-04 16:35 ` David Howells 2019-06-04 16:35 ` [PATCH 3/8] keys: Add a notification facility " David Howells 2019-06-04 16:35 ` David Howells 2019-06-04 16:35 ` [PATCH 4/8] vfs: Add a mount-notification " David Howells 2019-06-04 16:35 ` David Howells 2019-06-04 16:35 ` [PATCH 5/8] vfs: Add superblock notifications " David Howells 2019-06-04 16:35 ` David Howells 2019-06-04 16:36 ` [PATCH 6/8] fsinfo: Export superblock notification counter " David Howells 2019-06-04 16:36 ` David Howells 2019-06-04 16:36 ` [PATCH 7/8] block: Add block layer notifications " David Howells 2019-06-04 16:36 ` David Howells 2019-06-04 16:36 ` [PATCH 8/8] Add sample notification program " David Howells 2019-06-04 16:36 ` David Howells 2019-06-04 17:43 ` [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications " Andy Lutomirski 2019-06-04 17:43 ` Andy Lutomirski 2019-06-04 20:31 ` Casey Schaufler 2019-06-04 20:31 ` Casey Schaufler 2019-06-04 21:05 ` Andy Lutomirski 2019-06-04 21:05 ` Andy Lutomirski 2019-06-04 22:03 ` Casey Schaufler 2019-06-04 22:03 ` Casey Schaufler 2019-06-05 8:41 ` David Howells 2019-06-05 8:41 ` David Howells 2019-06-05 14:50 ` Casey Schaufler 2019-06-05 14:50 ` Casey Schaufler 2019-06-05 16:04 ` Andy Lutomirski 2019-06-05 16:04 ` Andy Lutomirski 2019-06-05 17:01 ` Casey Schaufler 2019-06-05 17:01 ` Casey Schaufler 2019-06-05 17:47 ` Andy Lutomirski 2019-06-05 17:47 ` Andy Lutomirski 2019-06-05 18:12 ` Casey Schaufler 2019-06-05 18:12 ` Casey Schaufler 2019-06-05 18:25 ` Stephen Smalley 2019-06-05 18:25 ` Stephen Smalley 2019-06-05 19:28 ` Greg KH 2019-06-05 19:28 ` Greg KH 2019-06-05 21:01 ` Stephen Smalley 2019-06-05 21:01 ` Stephen Smalley 2019-06-05 16:56 ` Rational model for UID based controls David Howells 2019-06-05 16:56 ` David Howells 2019-06-05 17:40 ` Casey Schaufler 2019-06-05 17:40 ` Casey Schaufler 2019-06-05 21:06 ` David Howells 2019-06-05 21:06 ` David Howells 2019-06-05 17:21 ` [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] David Howells 2019-06-05 17:21 ` David Howells 2019-06-04 20:39 ` David Howells 2019-06-04 20:39 ` David Howells 2019-06-04 20:57 ` Andy Lutomirski 2019-06-04 20:57 ` Andy Lutomirski [not found] ` <CAB9W1A0AgMYOwGx9c-TmAt=1O6Bjsr2P3Nhd=2+QV39dgw0CrA@mail.gmail.com> 2019-06-05 4:19 ` Andy Lutomirski 2019-06-05 4:19 ` Andy Lutomirski 2019-06-05 13:47 ` Stephen Smalley 2019-06-05 13:47 ` Stephen Smalley 2019-06-04 21:11 ` Casey Schaufler [this message] 2019-06-04 21:11 ` Casey Schaufler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=3ca991d1-4056-c45b-dbae-9976fb5d81e0@schaufler-ca.com \ --to=casey@schaufler-ca.com \ --cc=dhowells@redhat.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-block@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@kernel.org \ --cc=raven@themaw.net \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.