linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andreas Dilger <adilger@clusterfs.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Chris Wright <chris@wirex.com>,
	Christoph Hellwig <hch@infradead.org>,
	Linus Torvalds <torvalds@transmeta.com>,
	"Ted Ts'o" <tytso@mit.edu>, Stephen Tweedie <sct@redhat.com>,
	lsm <linux-security-module@wirex.com>,
	Andreas Gruenbacher <a.gruenbacher@computer.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Extended Attributes for Security Modules against 2.5.68
Date: Thu, 24 Apr 2003 13:40:40 -0600	[thread overview]
Message-ID: <20030424134040.T26054@schatzie.adilger.int> (raw)
In-Reply-To: <1051210971.20300.89.camel@moss-huskers.epoch.ncsc.mil>; from sds@epoch.ncsc.mil on Thu, Apr 24, 2003 at 03:02:51PM -0400

On Apr 24, 2003  15:02 -0400, Stephen Smalley wrote:
> I don't think that would help.  As I mentioned during the earlier
> discussion with Andreas, you want to be able to allow the security
> module to call the inode getxattr and setxattr operations without
> restriction for internal management of the security labels, while
> applying access controls to user processes invoking the [gs]etxattr
> system calls.  Hence, you don't want the permission check implemented in
> the handler; it is better to handle the checking entirely via the LSM
> hooks in the [gs]etxattr calls and allow unrestricted internal use of
> the inode [gs]etxattr operations by the module.  Capability checks are
> also too coarse-grained; you want to be able to perform a permission
> check based on the process and the inode attributes, not just a
> process-based check.
> 
> If the intent of the trusted namespace is for attributes that can be
> managed by superuser processes (this is my impression), then I think it
> would be better to create a separate namespace and handler for security
> modules for clarity.  Or at least for MAC modules.

Wasn't part of the LSM setup done in a way that there would be "default"
handlers for the hooks for normal PID/capability checking in the absence
of another LSM module?  I thought that was one of the reasons LSM hooks
were accepted into the kernel, since this would allow even the default
file/process permission checks to be compiled out for, say, embedded
systems that only run as root anyways.

Couldn't that be used to do the trusted-namespace- means-CAP_SYS_ADMIN
checks, but it can be replaced by other LSM security modules if desired?

Cheers, Andreas
--
Andreas Dilger
http://sourceforge.net/projects/ext2resize/
http://www-mddsp.enel.ucalgary.ca/People/adilger/


  reply	other threads:[~2003-04-24 19:31 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-04-23 17:52 [PATCH] Extended Attributes for Security Modules against 2.5.68 Stephen Smalley
2003-04-23 18:17 ` Christoph Hellwig
2003-04-23 18:25   ` Chris Wright
2003-04-23 18:45     ` Christoph Hellwig
2003-04-23 19:17       ` Stephen Smalley
2003-04-23 19:26         ` Christoph Hellwig
2003-04-23 19:52           ` Stephen Smalley
2003-04-23 20:20             ` Christoph Hellwig
2003-04-24 12:55               ` Stephen Smalley
2003-04-24 13:03                 ` Christoph Hellwig
2003-04-24 13:49                   ` Stephen Smalley
2003-04-24 18:36                     ` Chris Wright
2003-04-24 19:02                       ` Stephen Smalley
2003-04-24 19:40                         ` Andreas Dilger [this message]
2003-04-24 20:04                           ` Stephen Smalley
2003-04-24 20:47                           ` Chris Wright
2003-04-24 19:47                         ` Chris Wright
2003-04-24 20:07                           ` Stephen Smalley
2003-04-23 20:07           ` richard offer
2003-04-23 18:54     ` Andreas Dilger
2003-04-23 19:14       ` Stephen Smalley
2003-04-23 19:15       ` Chris Wright
2003-04-23 19:28         ` Valdis.Kletnieks
2003-04-23 19:40           ` Chris Wright
2003-04-23 19:49             ` Valdis.Kletnieks
2003-04-23 18:35   ` Stephen Smalley
2003-04-23 18:42     ` Christoph Hellwig
2003-04-23 18:59       ` Stephen Smalley
2003-04-23 19:09         ` Christoph Hellwig
2003-04-24  5:02       ` Jakob Oestergaard
2003-04-28 15:59       ` Stephen C. Tweedie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030424134040.T26054@schatzie.adilger.int \
    --to=adilger@clusterfs.com \
    --cc=a.gruenbacher@computer.org \
    --cc=chris@wirex.com \
    --cc=hch@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@wirex.com \
    --cc=sct@redhat.com \
    --cc=sds@epoch.ncsc.mil \
    --cc=torvalds@transmeta.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).