Re: [PATCH] Extended Attributes for Security Modules against 2.5.68

From: Stephen Smalley <sds@epoch.ncsc.mil>
To: Chris Wright <chris@wirex.com>
Cc: Christoph Hellwig <hch@infradead.org>,
	Linus Torvalds <torvalds@transmeta.com>,
	"Ted Ts'o" <tytso@mit.edu>, Stephen Tweedie <sct@redhat.com>,
	lsm <linux-security-module@wirex.com>,
	Andreas Gruenbacher <a.gruenbacher@computer.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Extended Attributes for Security Modules against 2.5.68
Date: 24 Apr 2003 15:02:51 -0400	[thread overview]
Message-ID: <1051210971.20300.89.camel@moss-huskers.epoch.ncsc.mil> (raw)
In-Reply-To: <20030424113615.F15094@figure1.int.wirex.com>

On Thu, 2003-04-24 at 14:36, Chris Wright wrote:
> Or perhaps introducing some of the CAP_MAC_* bits.

I don't think that would help.  As I mentioned during the earlier
discussion with Andreas, you want to be able to allow the security
module to call the inode getxattr and setxattr operations without
restriction for internal management of the security labels, while
applying access controls to user processes invoking the [gs]etxattr
system calls.  Hence, you don't want the permission check implemented in
the handler; it is better to handle the checking entirely via the LSM
hooks in the [gs]etxattr calls and allow unrestricted internal use of
the inode [gs]etxattr operations by the module.  Capability checks are
also too coarse-grained; you want to be able to perform a permission
check based on the process and the inode attributes, not just a
process-based check.

If the intent of the trusted namespace is for attributes that can be
managed by superuser processes (this is my impression), then I think it
would be better to create a separate namespace and handler for security
modules for clarity.  Or at least for MAC modules.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency