Kernel Newbies archive on lore.kernel.org
 help / Atom feed
* Kernel default security configuration - how it affects LSM policy?
@ 2018-11-21 14:20 levonshe
  2018-11-21 14:20 ` Lev Olshvang
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: levonshe @ 2018-11-21 14:20 UTC (permalink / raw)
  To: kernelnewbies

An HTML attachment was scrubbed...
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181121/61152fa4/attachment.html>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Kernel default security configuration - how it affects LSM policy?
  2018-11-21 14:20 Kernel default security configuration - how it affects LSM policy? levonshe
@ 2018-11-21 14:20 ` Lev Olshvang
  2018-11-24 16:55 ` levonshe
  2018-11-26  3:26 ` valdis.kletnieks
  2 siblings, 0 replies; 6+ messages in thread
From: Lev Olshvang @ 2018-11-21 14:20 UTC (permalink / raw)
  To: linux-il, kernelnewbies

[-- Attachment #1: Type: text/html, Size: 2499 bytes --]

<div xmlns="http://www.w3.org/1999/xhtml">One of the  choices of security options proposes to select default security</div><div xmlns="http://www.w3.org/1999/xhtml">CONFIG_DEFAULT_SECURITY</div><div xmlns="http://www.w3.org/1999/xhtml">User can select  traditional Unix DAC or one of LSMs.</div><div xmlns="http://www.w3.org/1999/xhtml">Suppose CONFIG_DEFAULT_SECURITY_DAC=y  selected.</div><div xmlns="http://www.w3.org/1999/xhtml">I wonder how it affects LSM policy decisions?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">Lets take file permissions</div><div xmlns="http://www.w3.org/1999/xhtml">file fs/namei.c, kernel 4.8</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">__inode_permission ---&gt; do_inode_permission --&gt; generic_permission :</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml"><div>/*</div><div>         * Do the basic permission checks.</div><div>         */</div><div>        ret = acl_permission_check(inode, mask);</div><div>     <div>       if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))</div><div>                        return 0;</div><div> </div><div>         <div>do_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>       ...</div><div> </div><div>        retval = devcgroup_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>        return security_inode_permission(inode, mask);</div></div></div><div> </div></div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">from reading the code we see that first file ACL is consulted, then unix UID/GID then</div><div xmlns="http://www.w3.org/1999/xhtml">capabilties and finally security_inode_permissions, i.e LSM</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">So the questioned config option seems obsolete ?</div><div xmlns="http://www.w3.org/1999/xhtml">Wheher LSM always consulted last ?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">Am I write ? Perhaps I miss another code path?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div>

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Kernel default security configuration - how it affects LSM policy?
  2018-11-21 14:20 Kernel default security configuration - how it affects LSM policy? levonshe
  2018-11-21 14:20 ` Lev Olshvang
@ 2018-11-24 16:55 ` levonshe
  2018-11-24 16:55   ` Lev Olshvang
  2018-11-26  3:26 ` valdis.kletnieks
  2 siblings, 1 reply; 6+ messages in thread
From: levonshe @ 2018-11-24 16:55 UTC (permalink / raw)
  To: kernelnewbies

An HTML attachment was scrubbed...
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181124/d24f7b83/attachment.html>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Kernel default security configuration - how it affects LSM policy?
  2018-11-24 16:55 ` levonshe
@ 2018-11-24 16:55   ` Lev Olshvang
  0 siblings, 0 replies; 6+ messages in thread
From: Lev Olshvang @ 2018-11-24 16:55 UTC (permalink / raw)
  To: kernelnewbies

[-- Attachment #1: Type: text/html, Size: 2643 bytes --]

<div><br /></div><div><br /></div><div>21.11.2018, 17:20, "Lev Olshvang" &lt;levonshe@yandex.com&gt;:</div><blockquote type="cite"><div xmlns="http://www.w3.org/1999/xhtml">One of the  choices of security options proposes to select default security</div><div xmlns="http://www.w3.org/1999/xhtml">CONFIG_DEFAULT_SECURITY</div><div xmlns="http://www.w3.org/1999/xhtml">User can select  traditional Unix DAC or one of LSMs.</div><div xmlns="http://www.w3.org/1999/xhtml">Suppose CONFIG_DEFAULT_SECURITY_DAC=y  selected.</div><div xmlns="http://www.w3.org/1999/xhtml">I wonder how it affects LSM policy decisions?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">Lets take file permissions</div><div xmlns="http://www.w3.org/1999/xhtml">file fs/namei.c, kernel 4.8</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">__inode_permission ---&gt; do_inode_permission --&gt; generic_permission :</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml"><div>/*</div><div>         * Do the basic permission checks.</div><div>         */</div><div>        ret = acl_permission_check(inode, mask);</div><div>     <div>       if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))</div><div>                        return 0;</div><div> </div><div>         <div>do_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>       ...</div><div> </div><div>        retval = devcgroup_inode_permission(inode, mask);</div><div>        if (retval)</div><div>                return retval;</div><div> </div><div>        return security_inode_permission(inode, mask);</div></div></div><div> </div></div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">from reading the code we see that first file ACL is consulted, then unix UID/GID then</div><div xmlns="http://www.w3.org/1999/xhtml">capabilties and finally security_inode_permissions, i.e LSM</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">So the questioned config option seems obsolete ?</div><div xmlns="http://www.w3.org/1999/xhtml">Wheher LSM always consulted last ?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div><div xmlns="http://www.w3.org/1999/xhtml">Am I write ? Perhaps I miss another code path?</div><div xmlns="http://www.w3.org/1999/xhtml"> </div></blockquote>

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Kernel default security configuration - how it affects LSM policy?
  2018-11-21 14:20 Kernel default security configuration - how it affects LSM policy? levonshe
  2018-11-21 14:20 ` Lev Olshvang
  2018-11-24 16:55 ` levonshe
@ 2018-11-26  3:26 ` valdis.kletnieks
  2018-11-26  3:26   ` valdis.kletnieks
  2 siblings, 1 reply; 6+ messages in thread
From: valdis.kletnieks @ 2018-11-26  3:26 UTC (permalink / raw)
  To: kernelnewbies

On Wed, 21 Nov 2018 17:20:50 +0300, Lev Olshvang said:

> So the questioned config option seems obsolete ?
> Wheher LSM always consulted last ?

If an LSM is configured/loaded, it is always consulted *after* applying
standard DAC file permission bits checks. (Discretionary Access Control- the
owner of the file/object is allowed to make their own decisions)

LSMs are always restrictive MAC (Mandatory access control - they are applied by
the system regardless of what the user/owner wants) calls. Restrictive means
they can only prohibit a call that has already passed the DAC check, they
cannot allow a call that would otherwise be failed by DAC.

LSMs are called after DAC checks for a number of reasons. One big one
is that when the LSM hooks were designed, the file permission checks were
(and still are) incredibly cheap - 3-4 opcodes or so.  So it makes sense to
do the cheap check first, as things like SELinux or AppArmor take a lot
more cycles to do the check. (There's also a few oddball corner cases where
doing the MAC check first results in non-intuitive results)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20181125/0873d1ad/attachment.sig>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Kernel default security configuration - how it affects LSM policy?
  2018-11-26  3:26 ` valdis.kletnieks
@ 2018-11-26  3:26   ` valdis.kletnieks
  0 siblings, 0 replies; 6+ messages in thread
From: valdis.kletnieks @ 2018-11-26  3:26 UTC (permalink / raw)
  To: Lev Olshvang; +Cc: linux-il, kernelnewbies

[-- Attachment #1.1: Type: text/plain, Size: 1082 bytes --]

On Wed, 21 Nov 2018 17:20:50 +0300, Lev Olshvang said:

> So the questioned config option seems obsolete ?
> Wheher LSM always consulted last ?

If an LSM is configured/loaded, it is always consulted *after* applying
standard DAC file permission bits checks. (Discretionary Access Control- the
owner of the file/object is allowed to make their own decisions)

LSMs are always restrictive MAC (Mandatory access control - they are applied by
the system regardless of what the user/owner wants) calls. Restrictive means
they can only prohibit a call that has already passed the DAC check, they
cannot allow a call that would otherwise be failed by DAC.

LSMs are called after DAC checks for a number of reasons. One big one
is that when the LSM hooks were designed, the file permission checks were
(and still are) incredibly cheap - 3-4 opcodes or so.  So it makes sense to
do the cheap check first, as things like SELinux or AppArmor take a lot
more cycles to do the check. (There's also a few oddball corner cases where
doing the MAC check first results in non-intuitive results)




[-- Attachment #1.2: Type: application/pgp-signature, Size: 486 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-21 14:20 Kernel default security configuration - how it affects LSM policy? levonshe
2018-11-21 14:20 ` Lev Olshvang
2018-11-24 16:55 ` levonshe
2018-11-24 16:55   ` Lev Olshvang
2018-11-26  3:26 ` valdis.kletnieks
2018-11-26  3:26   ` valdis.kletnieks

Kernel Newbies archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/kernelnewbies/0 kernelnewbies/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 kernelnewbies kernelnewbies/ https://lore.kernel.org/kernelnewbies \
		kernelnewbies@kernelnewbies.org kernelnewbies@archiver.kernel.org
	public-inbox-index kernelnewbies


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernelnewbies.kernelnewbies


AGPL code for this site: git clone https://public-inbox.org/ public-inbox