Re: LSM Patch Additions for CAPP (C2) Audit Trails

From: Stephen Smalley (sdsat_private)
Date: Mon Jul 02 2001 - 13:04:16 PDT

    I looked through the CAPP patch again while at USENIX.  Some
    additional comments:
    
    Your patch adds various hooks in setattr-related calls that overlap with
    the setattr hook. Are these calls really necessary?
    
    Your patch moved the task free_security hook call to do_exit.  Problem:
    We want the task security field when it is reaped by the parent, so
    we can't free it at this point.
    
    Your patch moves some of the setcapability control logic into the module,
    but it still leaves a lot of the functional logic in place.  Doesn't most
    of setcapability/getcapability need to be moved into the module to really
    allow the capabilities implementation to evolve independently of the base
    kernel?
    
    Your patch makes the following changes that seemed reasonable to me:
    1) Added the request to the ptrace hook and call it on all requests.
    But I don't see value in passing the pid, since we pass the
    task_struct and you can extract the pid directly from it.
    2) Added a new hook for bdflush.  It would be good to add all the 
    parameters.
    3) Added a new hook for quotactl.  Can we move it after the kernel lookup
    of special to avoid race conditions on the pathname lookup?
    4) Added a new hook for nfsservctl.  It would be good to pass all
    parameters.
    5) Moved post_create/mkdir/mknod/etc to always be called and pass the
    error status.
    6) Moved setcapability logic into module, but see my comment above.
    7) Added a new hook for chroot.
    8) Added delete_module call in the automatic reaping case.
    9) Added which parameter to setnice.  But I don't see value in
    passing who, since we pass the task_struct.
    10) Added new hooks for getpgid, setpgid, getsid, setsid, prctl.
    11) Added old_rlim parameter to setrlimit.  However, notice
    that you can obtain old_rlim from within the hook if you want
    given the resource.
    
    One thing to watch for - we want to avoid passing user space
    pointers to modules, but it may not be easy to place the hooks
    after the kernel copy.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
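The closing remark about user-space pointers is the double-fetch problem: if a module dereferences a user pointer itself, the value it checks and the value the kernel later copies and acts on can differ, because user space (another thread, or a page remapped by the caller) can change the memory in between. The following is an added illustration, not code from the message, the CAPP patch, or the LSM tree: a user-space model in C of a hypothetical setrlimit-like call with a policy hook placed either before the kernel's copy (hook reads user memory, kernel copies again) or after it (hook sees the kernel's own copy). `copy_from_user_sim`, `maybe_race`, `module_check` and the `LIMIT_CAP` policy are all constructed stand-ins; the real kernel and LSM interfaces differ.

```c
/* Model of a hook placed before vs. after the kernel's copy of a user-space
 * argument. Added illustration; not LSM, kernel, or CAPP-patch code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct rlimit. */
struct rlimit_sim { uint64_t rlim_cur; uint64_t rlim_max; };

/* "User memory": a buffer the caller (or another thread) could rewrite
 * at any moment while the call is in progress. */
static struct rlimit_sim user_mem;

/* Hypothetical race simulator: rewrites the user-visible value exactly once,
 * at the point between the two reads where a real racer would strike. */
static int race_armed;
static void maybe_race(void) {
    if (race_armed) {
        user_mem.rlim_cur = (uint64_t)1 << 40;
        race_armed = 0;
    }
}

/* Stand-in for copy_from_user(): one fetch of the argument into kernel memory. */
static int copy_from_user_sim(void *dst, const void *src, size_t n) {
    memcpy(dst, src, n);
    return 0;
}

/* Module policy (constructed): refuse any soft or hard limit above LIMIT_CAP. */
#define LIMIT_CAP ((uint64_t)1 << 20)
static int module_check(const struct rlimit_sim *r) {
    return (r->rlim_cur > LIMIT_CAP || r->rlim_max > LIMIT_CAP) ? -1 : 0;
}

/* Variant A: the hook gets the raw user pointer and fetches the struct
 * itself; the kernel then performs its own fetch. Two fetches of the same
 * user memory, so the checked value and the applied value can differ.
 * Returns the limit the "kernel" applied, or 0 when the hook denied. */
uint64_t setrlimit_hook_before_copy(const struct rlimit_sim *user_ptr) {
    struct rlimit_sim seen_by_hook, k;
    copy_from_user_sim(&seen_by_hook, user_ptr, sizeof seen_by_hook); /* fetch #1 */
    if (module_check(&seen_by_hook) < 0)
        return 0;
    maybe_race();                                   /* user memory changes here */
    copy_from_user_sim(&k, user_ptr, sizeof k);     /* fetch #2, never re-checked */
    return k.rlim_cur;
}

/* Variant B: the kernel copies once, and the hook is handed the kernel-owned
 * copy. User memory can change all it likes afterwards; k is fixed. */
uint64_t setrlimit_hook_after_copy(const struct rlimit_sim *user_ptr) {
    struct rlimit_sim k;
    copy_from_user_sim(&k, user_ptr, sizeof k);     /* single fetch */
    maybe_race();                                   /* too late to matter */
    if (module_check(&k) < 0)
        return 0;
    return k.rlim_cur;
}

/* Driver: start from a benign user value (4096), optionally arm the race,
 * and report what each variant ends up applying. */
uint64_t run_variant(int after_copy, int arm_race) {
    user_mem.rlim_cur = 4096;
    user_mem.rlim_max = 4096;
    race_armed = arm_race;
    return after_copy ? setrlimit_hook_after_copy(&user_mem)
                      : setrlimit_hook_before_copy(&user_mem);
}

int main(void) {
    printf("hook before copy, no race : applied %llu\n",
           (unsigned long long)run_variant(0, 0));
    printf("hook before copy, raced   : applied %llu (checked 4096)\n",
           (unsigned long long)run_variant(0, 1));
    printf("hook after copy,  raced   : applied %llu\n",
           (unsigned long long)run_variant(1, 1));
    return 0;
}
```

With the race armed, variant A approves 4096 and then applies 1<<40, well above the module's cap; variant B applies 4096 in every case because the hook and the kernel consult the same copy. This is why the hook wants to sit after the kernel's copy_from_user (or, for quotactl, after the pathname lookup) even when that placement is awkward.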