From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: "John Johansen" <john.johansen@canonical.com>,
"José Bollo" <jobol@nonadev.net>,
selinux@tycho.nsa.gov, "James Morris" <james.l.morris@oracle.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 2/2] proc,security: move restriction on writing /proc/pid/attr nodes to proc
Date: Mon, 19 Dec 2016 20:23:43 -0500 [thread overview]
Message-ID: <CAHC9VhSK7nfsO4uKOSQAxgsHavZuE1afRoVx9qXFzxcO+DPC3g@mail.gmail.com> (raw)
In-Reply-To: <1482184239.28570.68.camel@tycho.nsa.gov>
On Mon, Dec 19, 2016 at 4:50 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2016-12-19 at 13:25 -0800, Casey Schaufler wrote:
>> A brief look at the existing modules leads me to believe that
>> everyone ought to be happier if we moved the LSM task blob out
>> of the cred structure. SELinux keeps a small (6xu32) task blob
>> that has no reason to share and refcount. Smack has a couple of
>> lists in the task blob that really shouldn't be in the cred.
>> There would have to be some rework of the task_alloc and task_free
>> hooks to get the life of the blobs correct, but I think on the
>> whole it would be lots cleaner.
>
> Moving everything back to per-task security blob is inadvisable; the
> kernel now passes around cred structures, including to some of the
> security hooks, and you don't always want to check the credentials/sid
> of the current task (that's one of the reasons creds were introduced).
Casey, if you haven't looked at some of the stuff that we did recently
in SELinux for overlayfs, it might be a good idea to look at that,
especially with the world hurtling towards containers with wild
abandon. I can't say I know exactly how it will affect Smack, but my
guess is that you will end up with something very similar to what we
do in SELinux.
> You could perhaps move the SIDs other than the current one (e.g.
> exec_sid, create_sid, ...) to the per-task security blob without
> harm/confusion, but it is unclear what you gain from doing so; then we
> would need to look in two places to find all the information we need
> for certain hooks rather than one. And certainly we'd end up consuming
> more memory that way.
No thank you.
> No, I don't think we want SELinux changed in this regard.
Agreed. I have no object if other LSMs want to add a security blob to
the task struct, I just don't want to see it replace the cred blobs.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2016-12-20 1:23 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-16 17:41 [PATCH 1/2] selinux: clean up cred usage and simplify Stephen Smalley
2016-12-16 17:41 ` [PATCH 2/2] proc, security: move restriction on writing /proc/pid/attr nodes to proc Stephen Smalley
2016-12-16 18:38 ` [PATCH 2/2] proc,security: " Casey Schaufler
2016-12-16 19:06 ` John Johansen
2016-12-16 22:06 ` Paul Moore
2016-12-16 22:13 ` Casey Schaufler
2016-12-20 1:30 ` Paul Moore
2016-12-20 1:51 ` Casey Schaufler
2016-12-20 10:36 ` José Bollo
2016-12-20 11:13 ` [PATCH 2/2] proc, security: " Tetsuo Handa
2016-12-20 12:14 ` [PATCH 2/2] proc,security: " José Bollo
2016-12-19 9:44 ` José Bollo
2016-12-19 14:33 ` Stephen Smalley
2016-12-19 15:00 ` José Bollo
2016-12-19 15:41 ` José Bollo
2016-12-19 15:52 ` Stephen Smalley
2016-12-19 16:32 ` Casey Schaufler
2016-12-19 17:09 ` Stephen Smalley
2016-12-19 18:00 ` Casey Schaufler
2016-12-19 18:18 ` José Bollo
2016-12-19 18:12 ` José Bollo
2016-12-19 20:36 ` John Johansen
2016-12-19 21:25 ` Casey Schaufler
2016-12-19 21:46 ` [PATCH 2/2] proc, security: move restriction on writing/proc/pid/attr " Tetsuo Handa
2016-12-19 21:50 ` [PATCH 2/2] proc,security: move restriction on writing /proc/pid/attr " Stephen Smalley
2016-12-19 22:31 ` Casey Schaufler
2016-12-19 22:45 ` John Johansen
2016-12-19 22:49 ` Casey Schaufler
2016-12-20 1:27 ` Paul Moore
2016-12-20 1:23 ` Paul Moore [this message]
2016-12-20 1:59 ` Casey Schaufler
2016-12-20 14:40 ` José Bollo
2016-12-20 16:21 ` Casey Schaufler
2016-12-20 16:14 ` Stephen Smalley
2016-12-20 16:39 ` José Bollo
2016-12-20 16:50 ` Stephen Smalley
2016-12-20 18:17 ` Casey Schaufler
2016-12-20 18:28 ` Stephen Smalley
2016-12-20 19:07 ` Casey Schaufler
2016-12-20 19:35 ` Stephen Smalley
2016-12-20 20:03 ` Casey Schaufler
2016-12-20 21:22 ` José Bollo
2016-12-20 21:35 ` Stephen Smalley
2016-12-20 21:38 ` John Johansen
2016-12-21 2:37 ` Paul Moore
2016-12-21 7:04 ` José Bollo
2016-12-21 15:15 ` Paul Moore
2016-12-16 22:02 ` [PATCH 1/2] selinux: clean up cred usage and simplify Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhSK7nfsO4uKOSQAxgsHavZuE1afRoVx9qXFzxcO+DPC3g@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=casey@schaufler-ca.com \
--cc=james.l.morris@oracle.com \
--cc=jobol@nonadev.net \
--cc=john.johansen@canonical.com \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.