linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Chris Wright <chrisw@sous-sol.org>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	viro@ZenIV.linux.org.uk, akpm@linux-foundation.org,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	takedakn@nttdata.co.jp, haradats@nttdata.co.jp
Subject: Re: [TOMOYO #8 (2.6.25-mm1) 1/7] Introduce new LSM hooks.
Date: Thu, 01 May 2008 12:45:33 -0400	[thread overview]
Message-ID: <1209660333.25678.495.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <20080501154716.GL30511@sequoia.sous-sol.org>


On Thu, 2008-05-01 at 08:47 -0700, Chris Wright wrote:
> * Tetsuo Handa (penguin-kernel@I-love.SAKURA.ne.jp) wrote:
> > The MAY_WRITE flag is not passed to security_inode_permission()
> > if security_inode_permission() is called from __open_namei_create().
> > Since TOMOYO Linux doesn't check MAY_READ/MAY_WRITE permissions for individual
> > read()/write() requests, the permission checks at open() time (i.e. may_open())
> > is the only chance to check MAY_WRITE flag. If I can't check MAY_WRITE flag
> > here, TOMOYO Linux can't control open(O_WRONLY | O_CREATE | O_EXCL).
> > 
> > Also, the O_TRUNC flag is not passed to security_inode_permission() because
> > vfs_permission() receives only MAY_READ/MAY_WRITE/MAY_APPEND flags, but
> > I have to check O_TRUNC flag before do_truncate().
> > 
> > So, I inserted a new hook here so that this hook can check all
> > MAY_READ/MAY_WRITE/O_APPEND/O_TRUNC flags together in a single place.
> 
> The reason I ask is because it doesn't check.  It only checks O_APPEND,
> but that's already passed in (MAY_APPEND).  So AFAICT, it's only O_TRUNC
> that you are trying to special case.  But in that case...all that is
> being asked for is MAY_WRITE permission.  Anything else doesn't make
> sense, especially since that's all you get from the truncate(2) path.
> 
> <snip>
> > This is an inevitable duplication since I want to do conventional checks
> > (DAC checks and inode operation existence checks) before TOMOYO Linux's check.
> > 
> > By the way, Stephen Smalley thinks it is better to copy codes which is needed by
> > pre_vfs_*() (i.e. may_create()/may_delete()/check_sticky()) into
> > security/tomoyo/ directory and leave vfs_*() untouched rather than
> > extract pre_vfs_*() from vfs_*() and call pre_vfs_*() from vfs_*().
> 
> I'm not sure he means literally copy.  Typically we take existing
> functionality and make it externally usable.

I didn't think splitting pre functions out of all of the vfs helpers was
such a good idea.   Making may_create/delete() available might make
sense.  And for complex combinations of DAC logic, perhaps introducing
may_link(), may_rename(), etc. might make sense.  

> Also, all the changes you make that are not in vfs_* helpers won't get
> picked up by NFS.

-- 
Stephen Smalley
National Security Agency


  reply	other threads:[~2008-05-01 16:46 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-05-01  5:54 [TOMOYO #8 (2.6.25-mm1) 0/7] TOMOYO Linux Toshiharu Harada
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 1/7] Introduce new LSM hooks Toshiharu Harada
2008-05-01  8:01   ` Chris Wright
2008-05-01 15:07     ` Tetsuo Handa
2008-05-01 15:17       ` Stephen Smalley
2008-05-01 15:47       ` Chris Wright
2008-05-01 16:45         ` Stephen Smalley [this message]
2008-05-07 15:15     ` Tetsuo Handa
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 2/7] LSM adapter functions Toshiharu Harada
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 3/7] Memory and pathname management functions Toshiharu Harada
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 4/7] Common functions for TOMOYO Linux Toshiharu Harada
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 5/7] Domain transition handler Toshiharu Harada
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 6/7] File operation restriction part Toshiharu Harada
2008-05-01  5:54 ` [TOMOYO #8 (2.6.25-mm1) 7/7] Kconfig and Makefile Toshiharu Harada

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1209660333.25678.495.camel@moss-spartans.epoch.ncsc.mil \
    --to=sds@tycho.nsa.gov \
    --cc=akpm@linux-foundation.org \
    --cc=chrisw@sous-sol.org \
    --cc=haradats@nttdata.co.jp \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    --cc=takedakn@nttdata.co.jp \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).