From: Andy Lutomirski <email@example.com>
To: Casey Schaufler <firstname.lastname@example.org>
Cc: Andy Lutomirski <email@example.com>, David Howells <firstname.lastname@example.org>, Al Viro <email@example.com>, firstname.lastname@example.org, Linux FS Devel <email@example.com>, Linux API <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, LSM List <email@example.com>, LKML <firstname.lastname@example.org>
Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]
Date: Tue, 4 Jun 2019 14:05:57 -0700
Message-ID: <CALCETrWFBA8H0RiZPikLtEi8xg-cqJLtQgnU2CGTuwByrHN7Dw@mail.gmail.com>
In-Reply-To: <email@example.com>

On Tue, Jun 4, 2019 at 1:31 PM Casey Schaufler <firstname.lastname@example.org> wrote:
>
> On 6/4/2019 10:43 AM, Andy Lutomirski wrote:
> > On Tue, Jun 4, 2019 at 9:35 AM David Howells <email@example.com> wrote:
> >>
> >> Hi Al,
> >>
> >> Here's a set of patches to add a general variable-length notification queue
> >> concept and to add sources of events for:
> >
> > I asked before and didn't see a response, so I'll ask again. Why are
> > you paying any attention at all to the creds that generate an event?
> > It seems like the resulting security model will be very hard to
> > understand and probably buggy. Can't you define a sensible model in
> > which only the listener creds matter?
>
> We've spent the last 18 months reeling from the implications
> of what can happen when one process has the ability to snoop
> on another. Introducing yet another mechanism that is trivial
> to exploit is a very bad idea.

If you're talking about Spectre, etc, this is IMO entirely irrelevant.
Among other things, setting these watches can and should require some
degree of privilege.

> I will try to explain the problem once again. If process A
> sends a signal (writes information) to process B the kernel
> checks that either process A has the same UID as process B
> or that process A has privilege to override that policy.
> Process B is passive in this access control decision, while
> process A is active.

Are you stating what you see to be a requirement?

> Process A must have write access
> (defined by some policy) to process B's event buffer.

No, stop right here. Process B is monitoring some aspect of the system.
Process A is doing something. Process B should need permission to
monitor whatever it's monitoring, and process A should have permission
to do whatever it's doing. I don't think it makes sense to try to
ascribe an identity to the actor doing some action to decide to omit it
from the watch -- this has all kinds of correctness issues. If you're
writing a policy and you don't like letting process B spy on processes
doing various things, then disallow that type of spying.

> To
> implement such a policy requires A's credential,

You may not design a new mechanism that looks at the credential in a
context where looking at a credential is invalid unless you have some
very strong justification for why all of the known reasons that it's a
bad idea don't apply to what you're doing.

So, without a much stronger justification, NAK.
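The two access-control models argued over in this exchange can be made concrete with a small simulation. The following is an added illustration written for this page; it is not code from the notification patch set or from either participant. `Cred`, `Event`, `Watch`, the `privileged` flag standing in for a capability that overrides UID policy, the `monitor_allowed` policy callback, and the event stream are all constructed for the example. Model 1 is the reply's position (the only check is whether the listener may monitor the source, made once at watch setup); model 2 is the quoted position (each event is treated as the actor writing into the listener's buffer, gated by the signal-style rule of same UID or override privilege).

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Cred:
    """Constructed stand-in for a task credential: a uid plus a privilege
    flag that plays the role of a capability able to override UID policy."""
    uid: int
    privileged: bool = False


@dataclass(frozen=True)
class Event:
    kind: str     # e.g. "mount", "key_update"
    actor: Cred   # credential of the task whose action generated the event
    detail: str


@dataclass
class Watch:
    listener: Cred
    queue: List[Event] = field(default_factory=list)


# Model 1: the only access decision is whether the listener may monitor the
# source, and it is made once when the watch is set up.  Delivery never
# looks at the actor.
def add_watch_listener_model(listener: Cred,
                             monitor_allowed: Callable[[Cred], bool]) -> Watch:
    if not monitor_allowed(listener):
        raise PermissionError("listener may not monitor this source")
    return Watch(listener)


def post_listener_model(watch: Watch, ev: Event) -> bool:
    watch.queue.append(ev)   # actor identity is irrelevant here
    return True


# Model 2: every event is a "write" by the actor into the listener's buffer,
# allowed when the actor shares the listener's UID or holds override
# privilege.  Note that this needs the actor's credential on every event.
def actor_may_write(actor: Cred, listener: Cred) -> bool:
    return actor.privileged or actor.uid == listener.uid


def post_actor_model(watch: Watch, ev: Event) -> bool:
    if actor_may_write(ev.actor, watch.listener):
        watch.queue.append(ev)
        return True
    return False


def run_scenario() -> Tuple[List[str], List[str]]:
    """Deliver one constructed event stream under both models and return the
    'uid<N>:<kind>' labels that reached the listener under each."""
    listener = Cred(uid=1000)
    # Constructed policy for model 1; what it says is up to whoever writes
    # the policy, the point is that it is evaluated on the listener only.
    monitor_allowed = lambda c: c.uid == 1000 or c.privileged

    events = [
        Event("mount", Cred(uid=1000), "same-uid task mounts something"),
        Event("mount", Cred(uid=0, privileged=True), "root mounts something"),
        Event("mount", Cred(uid=1001), "unrelated unprivileged task mounts"),
    ]

    w1 = add_watch_listener_model(listener, monitor_allowed)
    for ev in events:
        post_listener_model(w1, ev)

    w2 = Watch(listener)   # model 2 has no setup-time check to model
    for ev in events:
        post_actor_model(w2, ev)

    label = lambda ev: f"uid{ev.actor.uid}:{ev.kind}"
    return [label(e) for e in w1.queue], [label(e) for e in w2.queue]


def setup_denied(listener: Cred,
                 monitor_allowed: Callable[[Cred], bool]) -> bool:
    """True if model 1 refuses the watch at setup time."""
    try:
        add_watch_listener_model(listener, monitor_allowed)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(run_scenario())
```

Running `run_scenario()` delivers all three mount events under model 1, while model 2 drops the event generated by the unrelated uid 1001 task, so the listener's view of the mount table depends on who performed each mount. Under model 2 the kernel must carry the originating task's credential with every event it queues; under model 1 the privilege question is settled once, at the point where the watch is created.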