From: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com>, Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
raven@themaw.net, Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-block@vger.kernel.org, keyrings@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
casey@schaufler-ca.com
Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]
Date: Tue, 4 Jun 2019 14:11:45 -0700 [thread overview]
Message-ID: <3ca991d1-4056-c45b-dbae-9976fb5d81e0@schaufler-ca.com> (raw)
In-Reply-To: <1207.1559680778@warthog.procyon.org.uk>
On 6/4/2019 1:39 PM, David Howells wrote:
> Andy Lutomirski <luto@kernel.org> wrote:
>
>>> Here's a set of patches to add a general variable-length notification queue
>>> concept and to add sources of events for:
>> I asked before and didn't see a response, so I'll ask again. Why are you
>> paying any attention at all to the creds that generate an event?
> Casey responded to you. It's one of his requirements.
Process A takes an action. As a result of that action,
an event is written to Process B's event buffer. This isn't
a covert channel, it's a direct access, just like sending
a signal. Process A is the subject and the event buffer,
which is part of Process B, is the object.
> I'm not sure of the need, and I particularly don't like trying to make
> indirect destruction events (mount destruction keyed on fput, for instance)
> carry the creds of the triggerer. Indeed, the trigger can come from all sorts
> of places - including af_unix queue destruction, someone poking around in
> procfs, a variety of processes fputting simultaneously. Only one of them can
> win, and the LSM needs to handle *all* the possibilities.
Yes, it's a hairy problem. It was a significant factor in the
demise of kdbus.
> However, the LSMs (or at least SELinux) ignore f_cred and use current_cred()
> when checking permissions. See selinux_revalidate_file_permission() for
> example - it uses current_cred() not file->f_cred to re-evaluate the perms,
> and the fd might be shared between a number of processes with different creds.
>
>> This seems like the wrong approach. If an LSM wants to prevent covert
>> communication from, say, mount actions, then it shouldn't allow the
>> watch to be set up in the first place.
> Yeah, I can agree to that. Casey?
Back to your earlier point, you don't know where the
event is coming from when you create the event watch.
If you enforce a watch time, what are you going to check?
Isn't this going to be considered too restrictive?
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com>, Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
raven@themaw.net, Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-block@vger.kernel.org, keyrings@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
casey@schaufler-ca.com
Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]
Date: Tue, 04 Jun 2019 21:11:45 +0000 [thread overview]
Message-ID: <3ca991d1-4056-c45b-dbae-9976fb5d81e0@schaufler-ca.com> (raw)
In-Reply-To: <1207.1559680778@warthog.procyon.org.uk>
On 6/4/2019 1:39 PM, David Howells wrote:
> Andy Lutomirski <luto@kernel.org> wrote:
>
>>> Here's a set of patches to add a general variable-length notification queue
>>> concept and to add sources of events for:
>> I asked before and didn't see a response, so I'll ask again. Why are you
>> paying any attention at all to the creds that generate an event?
> Casey responded to you. It's one of his requirements.
Process A takes an action. As a result of that action,
an event is written to Process B's event buffer. This isn't
a covert channel, it's a direct access, just like sending
a signal. Process A is the subject and the event buffer,
which is part of Process B, is the object.
> I'm not sure of the need, and I particularly don't like trying to make
> indirect destruction events (mount destruction keyed on fput, for instance)
> carry the creds of the triggerer. Indeed, the trigger can come from all sorts
> of places - including af_unix queue destruction, someone poking around in
> procfs, a variety of processes fputting simultaneously. Only one of them can
> win, and the LSM needs to handle *all* the possibilities.
Yes, it's a hairy problem. It was a significant factor in the
demise of kdbus.
> However, the LSMs (or at least SELinux) ignore f_cred and use current_cred()
> when checking permissions. See selinux_revalidate_file_permission() for
> example - it uses current_cred() not file->f_cred to re-evaluate the perms,
> and the fd might be shared between a number of processes with different creds.
>
>> This seems like the wrong approach. If an LSM wants to prevent covert
>> communication from, say, mount actions, then it shouldn't allow the
>> watch to be set up in the first place.
> Yeah, I can agree to that. Casey?
Back to your earlier point, you don't know where the
event is coming from when you create the event watch.
If you enforce a watch time, what are you going to check?
Isn't this going to be considered too restrictive?
next prev parent reply other threads:[~2019-06-04 21:11 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-04 16:34 [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] David Howells
2019-06-04 16:34 ` David Howells
2019-06-04 16:35 ` [PATCH 1/8] security: Override creds in __fput() with last fputter's creds " David Howells
2019-06-04 16:35 ` David Howells
2019-06-04 16:35 ` David Howells
2019-06-04 18:15 ` Andy Lutomirski
2019-06-04 18:15 ` Andy Lutomirski
2019-06-04 16:35 ` [PATCH 2/8] General notification queue with user mmap()'able ring buffer " David Howells
2019-06-04 16:35 ` David Howells
2019-06-04 16:35 ` [PATCH 3/8] keys: Add a notification facility " David Howells
2019-06-04 16:35 ` David Howells
2019-06-04 16:35 ` [PATCH 4/8] vfs: Add a mount-notification " David Howells
2019-06-04 16:35 ` David Howells
2019-06-04 16:35 ` [PATCH 5/8] vfs: Add superblock notifications " David Howells
2019-06-04 16:35 ` David Howells
2019-06-04 16:36 ` [PATCH 6/8] fsinfo: Export superblock notification counter " David Howells
2019-06-04 16:36 ` David Howells
2019-06-04 16:36 ` [PATCH 7/8] block: Add block layer notifications " David Howells
2019-06-04 16:36 ` David Howells
2019-06-04 16:36 ` [PATCH 8/8] Add sample notification program " David Howells
2019-06-04 16:36 ` David Howells
2019-06-04 17:43 ` [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications " Andy Lutomirski
2019-06-04 17:43 ` Andy Lutomirski
2019-06-04 20:31 ` Casey Schaufler
2019-06-04 20:31 ` Casey Schaufler
2019-06-04 21:05 ` Andy Lutomirski
2019-06-04 21:05 ` Andy Lutomirski
2019-06-04 22:03 ` Casey Schaufler
2019-06-04 22:03 ` Casey Schaufler
2019-06-05 8:41 ` David Howells
2019-06-05 8:41 ` David Howells
2019-06-05 14:50 ` Casey Schaufler
2019-06-05 14:50 ` Casey Schaufler
2019-06-05 16:04 ` Andy Lutomirski
2019-06-05 16:04 ` Andy Lutomirski
2019-06-05 17:01 ` Casey Schaufler
2019-06-05 17:01 ` Casey Schaufler
2019-06-05 17:47 ` Andy Lutomirski
2019-06-05 17:47 ` Andy Lutomirski
2019-06-05 18:12 ` Casey Schaufler
2019-06-05 18:12 ` Casey Schaufler
2019-06-05 18:25 ` Stephen Smalley
2019-06-05 18:25 ` Stephen Smalley
2019-06-05 19:28 ` Greg KH
2019-06-05 19:28 ` Greg KH
2019-06-05 21:01 ` Stephen Smalley
2019-06-05 21:01 ` Stephen Smalley
2019-06-05 16:56 ` Rational model for UID based controls David Howells
2019-06-05 16:56 ` David Howells
2019-06-05 17:40 ` Casey Schaufler
2019-06-05 17:40 ` Casey Schaufler
2019-06-05 21:06 ` David Howells
2019-06-05 21:06 ` David Howells
2019-06-05 17:21 ` [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2] David Howells
2019-06-05 17:21 ` David Howells
2019-06-04 20:39 ` David Howells
2019-06-04 20:39 ` David Howells
2019-06-04 20:57 ` Andy Lutomirski
2019-06-04 20:57 ` Andy Lutomirski
[not found] ` <CAB9W1A0AgMYOwGx9c-TmAt=1O6Bjsr2P3Nhd=2+QV39dgw0CrA@mail.gmail.com>
2019-06-05 4:19 ` Andy Lutomirski
2019-06-05 4:19 ` Andy Lutomirski
2019-06-05 13:47 ` Stephen Smalley
2019-06-05 13:47 ` Stephen Smalley
2019-06-04 21:11 ` Casey Schaufler [this message]
2019-06-04 21:11 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3ca991d1-4056-c45b-dbae-9976fb5d81e0@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=raven@themaw.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.