From: Andreas Dilger <adilger@clusterfs.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Chris Wright <chris@wirex.com>,
Christoph Hellwig <hch@infradead.org>,
Linus Torvalds <torvalds@transmeta.com>,
"Ted Ts'o" <tytso@mit.edu>, Stephen Tweedie <sct@redhat.com>,
lsm <linux-security-module@wirex.com>,
Andreas Gruenbacher <a.gruenbacher@computer.org>,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Extended Attributes for Security Modules against 2.5.68
Date: Thu, 24 Apr 2003 13:40:40 -0600 [thread overview]
Message-ID: <20030424134040.T26054@schatzie.adilger.int> (raw)
In-Reply-To: <1051210971.20300.89.camel@moss-huskers.epoch.ncsc.mil>; from sds@epoch.ncsc.mil on Thu, Apr 24, 2003 at 03:02:51PM -0400
On Apr 24, 2003 15:02 -0400, Stephen Smalley wrote:
> I don't think that would help. As I mentioned during the earlier
> discussion with Andreas, you want to be able to allow the security
> module to call the inode getxattr and setxattr operations without
> restriction for internal management of the security labels, while
> applying access controls to user processes invoking the [gs]etxattr
> system calls. Hence, you don't want the permission check implemented in
> the handler; it is better to handle the checking entirely via the LSM
> hooks in the [gs]etxattr calls and allow unrestricted internal use of
> the inode [gs]etxattr operations by the module. Capability checks are
> also too coarse-grained; you want to be able to perform a permission
> check based on the process and the inode attributes, not just a
> process-based check.
>
> If the intent of the trusted namespace is for attributes that can be
> managed by superuser processes (this is my impression), then I think it
> would be better to create a separate namespace and handler for security
> modules for clarity. Or at least for MAC modules.
Wasn't part of the LSM setup done in a way that there would be "default"
handlers for the hooks for normal PID/capability checking in the absence
of another LSM module? I thought that was one of the reasons LSM hooks
were accepted into the kernel, since this would allow even the default
file/process permission checks to be compiled out for, say, embedded
systems that only run as root anyways.
Couldn't that be used to do the trusted-namespace- means-CAP_SYS_ADMIN
checks, but it can be replaced by other LSM security modules if desired?
Cheers, Andreas
--
Andreas Dilger
http://sourceforge.net/projects/ext2resize/
http://www-mddsp.enel.ucalgary.ca/People/adilger/
next prev parent reply other threads:[~2003-04-24 19:31 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-23 17:52 [PATCH] Extended Attributes for Security Modules against 2.5.68 Stephen Smalley
2003-04-23 18:17 ` Christoph Hellwig
2003-04-23 18:25 ` Chris Wright
2003-04-23 18:45 ` Christoph Hellwig
2003-04-23 19:17 ` Stephen Smalley
2003-04-23 19:26 ` Christoph Hellwig
2003-04-23 19:52 ` Stephen Smalley
2003-04-23 20:20 ` Christoph Hellwig
2003-04-24 12:55 ` Stephen Smalley
2003-04-24 13:03 ` Christoph Hellwig
2003-04-24 13:49 ` Stephen Smalley
2003-04-24 18:36 ` Chris Wright
2003-04-24 19:02 ` Stephen Smalley
2003-04-24 19:40 ` Andreas Dilger [this message]
2003-04-24 20:04 ` Stephen Smalley
2003-04-24 20:47 ` Chris Wright
2003-04-24 19:47 ` Chris Wright
2003-04-24 20:07 ` Stephen Smalley
2003-04-23 20:07 ` richard offer
2003-04-23 18:54 ` Andreas Dilger
2003-04-23 19:14 ` Stephen Smalley
2003-04-23 19:15 ` Chris Wright
2003-04-23 19:28 ` Valdis.Kletnieks
2003-04-23 19:40 ` Chris Wright
2003-04-23 19:49 ` Valdis.Kletnieks
2003-04-23 18:35 ` Stephen Smalley
2003-04-23 18:42 ` Christoph Hellwig
2003-04-23 18:59 ` Stephen Smalley
2003-04-23 19:09 ` Christoph Hellwig
2003-04-24 5:02 ` Jakob Oestergaard
2003-04-28 15:59 ` Stephen C. Tweedie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030424134040.T26054@schatzie.adilger.int \
--to=adilger@clusterfs.com \
--cc=a.gruenbacher@computer.org \
--cc=chris@wirex.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@wirex.com \
--cc=sct@redhat.com \
--cc=sds@epoch.ncsc.mil \
--cc=torvalds@transmeta.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).