From: Paul Moore <paul@paul-moore.com>
To: John Johansen <john.johansen@canonical.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
	linux-audit@redhat.com
Subject: Re: [RFC PATCH 1/4] lsm: separate security_task_getsecid() into subjective and objective variants
Date: Tue, 9 Mar 2021 19:28:26 -0500
Message-ID: <CAHC9VhRVxFiMTzrdtNzKy=1KN10JXU=JC-rohTNH1bGSNj9K_w@mail.gmail.com>
In-Reply-To: <CAHC9VhTn33cSX=n7a6kr-5=TKeEx8iRbTY8-2XGxG0YC+GhvaA@mail.gmail.com>

On Wed, Mar 3, 2021 at 7:44 PM Paul Moore <paul@paul-moore.com> wrote:
> On Sun, Feb 21, 2021 at 7:51 AM John Johansen
> <john.johansen@canonical.com> wrote:
> > On 2/19/21 3:29 PM, Paul Moore wrote:
> > > Of the three LSMs that implement the security_task_getsecid() LSM
> > > hook, all three LSMs provide the task's objective security
> > > credentials.  This turns out to be unfortunate as most of the hook's
> > > callers seem to expect the task's subjective credentials, although
> > > a small handful of callers do correctly expect the objective
> > > credentials.
> > >
> > > This patch is the first step towards fixing the problem: it splits
> > > the existing security_task_getsecid() hook into two variants, one
> > > for the subjective creds, one for the objective creds.
> > >
> > >   void security_task_getsecid_subj(struct task_struct *p,
> > >                                  u32 *secid);
> > >   void security_task_getsecid_obj(struct task_struct *p,
> > >                                 u32 *secid);
> > >
> > > While this patch does fix all of the callers to use the correct
> > > variant, in order to keep this patch focused on the callers and to
> > > ease review, the LSMs continue to use the same implementation for
> > > both hooks.  The net effect is that this patch should not change
> > > the behavior of the kernel in any way, it will be up to the latter
> > > LSM specific patches in this series to change the hook
> > > implementations and return the correct credentials.
> > >
> > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> >
> > So far this looks good. I want to take another stab at it and give
> > it some testing
>
> Checking in as I know you said you needed to fix/release the AppArmor
> patch in this series ... is this patch still looking okay to you?  If
> so, can I get an ACK at least on this patch?

Hi John,

Any objections if I merge the LSM, SELinux, and Smack patches into the
selinux/next tree so that we can start getting some wider testing?  If
I leave out my poor attempt at an AppArmor patch, the current in-tree
AppArmor code should behave exactly as it does today with the
apparmor_task_getsecid() function handling both the subjective and
objective creds.  I can always merge the AppArmor patch later when you
have it ready, or you can merge it via your AppArmor tree at a later
date.

-- 
paul moore
www.paul-moore.com
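
The situation discussed in the message above, as an added userspace C model (not kernel code, and not taken from the message or the patch series): an LSM left with one implementation behind both split hooks keeps reporting the objective ID for both, while a converted LSM reports different IDs once a task's subjective credentials diverge. All struct, function and variable names are hypothetical stand-ins, and the model assumes the two credential sets differ only while the task temporarily acts with other credentials.

```c
/* Userspace model only; every name here is a hypothetical stand-in. */
#include <stdint.h>
#include <stdio.h>

struct cred { uint32_t secid; };       /* LSM label reduced to a bare ID */
struct task {
    const struct cred *real_cred;      /* objective: the task as a target */
    const struct cred *cred;           /* subjective: the task as an actor */
};

/* One implementation per credential set. */
static void getsecid_from_obj(const struct task *t, uint32_t *secid)
{
    *secid = t->real_cred->secid;
}
static void getsecid_from_subj(const struct task *t, uint32_t *secid)
{
    *secid = t->cred->secid;
}

/* Model of an LSM registering the two split hooks. */
struct lsm_hooks {
    void (*task_getsecid_subj)(const struct task *, uint32_t *);
    void (*task_getsecid_obj)(const struct task *, uint32_t *);
};
/* Unconverted LSM: one implementation behind both hooks, as before the split. */
static const struct lsm_hooks unconverted = { getsecid_from_obj, getsecid_from_obj };
/* Converted LSM: each hook reads its own credential set. */
static const struct lsm_hooks converted = { getsecid_from_subj, getsecid_from_obj };

/* Returns 1 if the LSM reports different subjective and objective IDs. */
static int hooks_differ(const struct lsm_hooks *h, const struct task *t)
{
    uint32_t s, o;
    h->task_getsecid_subj(t, &s);
    h->task_getsecid_obj(t, &o);
    return s != o;
}

int main(void)
{
    const struct cred own = { 100 }, assumed = { 200 };  /* constructed IDs */
    struct task t = { &own, &own };

    printf("no override: %d %d\n", hooks_differ(&unconverted, &t), hooks_differ(&converted, &t));
    t.cred = &assumed;  /* task temporarily acts with other credentials */
    printf("override:    %d %d\n", hooks_differ(&unconverted, &t), hooks_differ(&converted, &t));
    return 0;
}
```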
