From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: Paul Moore <paul@paul-moore.com>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: <mic@digikod.net>, <linux-security-module@vger.kernel.org>,
<yusongping@huawei.com>, <artem.kuzin@huawei.com>
Subject: Re: [RFC PATCH 0/2] Landlock network PoC implementation
Date: Thu, 30 Dec 2021 09:53:36 +0300 [thread overview]
Message-ID: <ea95a881-c3c7-eba1-520d-992b680a6b49@huawei.com> (raw)
In-Reply-To: <CAHC9VhTcbE0MYeNGwBYmWrk3NY4FQkDk33gzJjQv=wt6n6dJdw@mail.gmail.com>
Hi, Paul
Thanks for your comment.
12/11/2021 2:01 AM, Paul Moore wrote:
> On Fri, Dec 10, 2021 at 11:57 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> As I think you've realized, *sockets are not objects*. There
>> isn't a way to justify them as objects without introducing
>> ethereal or magical subjects that don't exist. Sockets are
>> part of a process. OK, it's not that simple, and it would be
>> foolish to deny that a socket may have security relevant
>> properties. But they aren't objects.
>>
>> I strongly recommend that you follow Smack's example and
>> use the sending task and receiving task attributes to make
>> the decision. You may find that storing that information
>> in the socket security blob is convenient.
>>
>> BTW - not everyone agrees with me on this topic. I'll leave
>> the misguided to make their own arguments. ;)
>
> I'm running low on my lets-argue-on-the-internet motivation today, but
> I feel like I'm being goaded into some sort of comment so I will
> simply offer SELinux as a rebuttal to Casey's comments. I think that
> either approach can be acceptable, it depends on how your security
> model works and your comfort level with the various tradeoffs
> associated with each approach. I personally prefer the approach
> SELinux has taken (minus some of the compat cruft we are saddled with,
> not to mention that restrictions handed to use from netdev), but I'll
> admit a certain level of bias in this.
>
I just tried to follow Landlock's implementation concept: attaching
policy rules to kernel objects.
For filesystem "objects" are underlying inodes.
For socket the same approach could be used - using sockets' inodes as
"object".
I also read about this concept from some LSM papers:
https://www.usenix.org/legacy/events/sec02/full_papers/wright/wright.pdf
https://elinux.org/images/0/0a/ELC_Inside_LSM.pdf
> --
> paul moore
> www.paul-moore.com
> .
next prev parent reply other threads:[~2021-12-30 6:53 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-10 7:21 [RFC PATCH 0/2] Landlock network PoC implementation Konstantin Meskhidze
2021-12-10 16:57 ` Casey Schaufler
2021-12-10 23:01 ` Paul Moore
2021-12-30 6:53 ` Konstantin Meskhidze [this message]
2021-12-13 8:29 ` Mickaël Salaün
[not found] ` <12467d8418f04fbf9fd4a456a2a999f1@huawei.com>
2021-12-14 11:51 ` Mickaël Salaün
2021-12-17 9:39 ` Mickaël Salaün
2021-12-17 21:29 ` Willem de Bruijn
2021-12-18 10:59 ` Mickaël Salaün
2021-12-18 8:26 ` Konstantin Meskhidze
2021-12-18 11:01 ` Mickaël Salaün
2021-12-20 3:52 ` Konstantin Meskhidze
2021-12-21 21:15 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ea95a881-c3c7-eba1-520d-992b680a6b49@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=artem.kuzin@huawei.com \
--cc=casey@schaufler-ca.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).