From: Casey Schaufler <casey@schaufler-ca.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Oren Laadan <orenl@cs.columbia.edu>,
Linux Containers <containers@lists.osdl.org>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 0/8] a start to credentials c/r
Date: Wed, 27 May 2009 09:03:21 -0700 [thread overview]
Message-ID: <4A1D6449.4020906@schaufler-ca.com> (raw)
In-Reply-To: <20090527123728.GA27160@us.ibm.com>
Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>
>> Serge E. Hallyn wrote:
>>
>>> Following is the next version of the credentials c/r patchset,
>>> on top of the c/r patchset at
>>> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
>>>
>>> It implements checkpoint and restart of user, user namespaces,
>>> groups, supplementary groups, and struct cred.
>>>
>>> There is a question as to what to do about LSM data at
>>> restart. Right now I'm ignoring it, which means that
>>> prepare_creds() should ensure that the restart tasks get
>>> the context of the task calling sys_restart(). I
>>> suspect the right thing to do is to add two new LSM
>>> hooks, one which checks current's authorization to
>>> restart from the checkpoint file,
>>>
>> How would that work? Based on information in the file?
>> You have to assume that some number of checkpoint files
>> have been hand written by Elbonian ne'er do wells.
>>
>
> Not based on information in the file, but based on the
> credentials of the task which created the file, and
> whether an unprivileged task could have hand-edited the
> file before feeding it to sys_restart().
>
> So some example decisions in terms of selinux contexts might be,
> 1. a task of user_u may restart a file of type user_u
> if the checkpointed context is user_u
> 2. a task of user_u may NOT restart a file of type user_u
> if the checkpointed context is root_u
> 3. a task of root_u may restart a file of type root_u
> if the checkpointed context is user_u
>
> Uh, so yes, bsaed on info in the file as well :) Except
> of course the LSM would just be fed the checkpointed context
> and the checkpoint file context (and can deduce current's context).
>
And SELinux can do whatever calculations it likes based on the
three contexts and the loaded policy. Are you at all concerned
about the possibility that the policy may have changed? I can
envision scenarios in which it would be impossible for a process
to gain a particular context under current policy, but that a
checkpointed process may have stored away.
>
>>> and one which determines
>>> the task->cred->security filed based upon any of:
>>> 1. current_security() of the task calling sys_restart()
>>> 2. the task->cred->security checkpointed in the ckpt file
>>> 3. the ->security of the checkpoint file
>>>
>>>
>> For Smack the correct behavior would be:
>>
>> 1. for sys_restart() callers without CAP_MAC_ADMIN
>> 2. for sys_restart() callers with CAP_MAC_ADMIN
>> 3. never
>>
>
> That makes sense, and is basically analagous (if I'm thinking
> right) to how I'm doing capabilities.
>
> So the first (authorization hook) for smack would just always
> return TRUE?
>
I suggest that it needs to check for a valid Smack label. Even though
they're just text strings they do have limitations, including size
(> 0 < 24) and character set. A call to smk_import() is the right
way to do it, as it also makes sure the label is in the internal list.
If smk_import() returns NULL something's amiss.
> I can hook that up right now...
>
I bet you could do it even with the call to smk_import. (smiley here)
>
>> sys_restart() callers running with CAP_MAC_ADMIN would have to be
>> very very careful about the files they restart. But that's nothing
>> new in the MAC world.
>>
>
> Yup.
>
> Mind you eventually I expect a setup where some privileged program
> is asked (by privileged or unprivilegd tasks) to create a checkpoint
> and ask the TPM to sign it. No unprivileged program can sign an
> image directly, so then a restart of a task with privilege can be
> restricted to anything with a valid signature. In that case, it
> may be safe to have the checkpointed task's credentials completely
> restored, including LSM labels.
>
All of the current LSMs share the property that the access control
rules (SELinux policy, Smack access rules, TOMOYO policy) may change
between the time of checkpoint and the time of restart. If I had a
silver bullet answer to the concerns that raises I'd pass it along,
but as I don't I'll stick to the answer I have for Smack (The rules
of the moment are those that matter, and the architecture of Smack
supports that) and leave the other LSMs to their own devices.
> But that's a ways off.
>
It does look like a bit of work.
Thank you.
> thanks,
> -serge
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
next prev parent reply other threads:[~2009-05-27 16:03 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-26 17:32 [PATCH 0/8] a start to credentials c/r Serge E. Hallyn
2009-05-26 17:33 ` [PATCH 1/8] cr: break out new_user_ns() Serge E. Hallyn
2009-05-26 17:33 ` [PATCH 2/8] cr: split core function out of some set*{u,g}id functions Serge E. Hallyn
2009-05-26 17:33 ` [PATCH 3/8] cr: capabilities: define checkpoint and restore fns Serge E. Hallyn
2009-05-26 17:33 ` [PATCH 4/8] groups: move code to kernel/groups.c Serge E. Hallyn
2009-05-26 17:33 ` [PATCH 5/8] groups: allow compilation on s390x Serge E. Hallyn
2009-05-26 23:17 ` Serge E. Hallyn
[not found] ` <20090526173242.GA13757-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-26 17:33 ` [PATCH 6/8] cr: checkpoint and restore task credentials Serge E. Hallyn
2009-05-27 18:36 ` Alexey Dobriyan
2009-05-28 14:01 ` Serge E. Hallyn
2009-05-28 14:36 ` Alexey Dobriyan
2009-05-26 17:34 ` [PATCH 7/8] cr: restore file->f_cred Serge E. Hallyn
2009-05-26 17:34 ` [PATCH 8/8] user namespaces: debug refcounts Serge E. Hallyn
2009-05-27 3:05 ` [PATCH 0/8] a start to credentials c/r Casey Schaufler
2009-05-27 12:37 ` Serge E. Hallyn
2009-05-27 16:03 ` Casey Schaufler [this message]
2009-05-27 18:24 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A1D6449.4020906@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.osdl.org \
--cc=dhowells@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=orenl@cs.columbia.edu \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.