Re: [RFC] LSM changes for 2.5.38

From: Stephen Smalley (sdsat_private)
Date: Fri Sep 27 2002 - 12:00:03 PDT

  • Next message: Greg KH: "Re: [RFC] No more module_* hooks"

    On Fri, 27 Sep 2002, Christoph Hellwig wrote:
    
    > In 2.5 LSM hooks are part of the Linux access checks, and any reason to
    > make your patch less intrusive inb 2.4 doesn't apply anymore.  Having
    > two checks for the same thing is indeed very bad in will cause harm
    > and maintaince burden in the long term.  Don't do it.
    
    So you want to move the 'if (turn_on && !capable(CAP_SYS_RAWIO)) return
    -EPERM;' from the base kernel into the security module's ioperm() hook
    function, in addition to whatever additional logic the module may
    implement?  [Assuming for the moment that we kept the ioperm() hook, even
    though that isn't likely given its current lack of use and
    architecture-specific nature].
    
    If so, what about the rest of the kernel access checking logic?  Do you
    want all of the permission() logic pushed into the security module's
    inode_permission() hook function?  Do you want the bad_signal() logic
    pushed into the security module's task_kill() hook function?  That kind of
    change was considered and discussed on linux-security-module long ago, but
    it will yield a very invasive patch for very little gain.  It also
    requires cleanly separating all access checking logic from functional
    logic (it is sometimes fairly intertwined) and determining exactly which
    is which (e.g. is enforcing a read-only mount a security behavior or a
    functional behavior?).
    
    > Show me a useful example that needs this argument.
    
    Do you want every process that can use ioperm() to be able to access the
    full range of ports accessible by that call?  If not, then you need
    something finer-grained than CAP_SYS_RAWIO.  But as I said, we don't
    presently use this hook, and it is architecture-dependent.
    
    > And WTF is the use a security policy that checks module arguments?  Do
    > you want to disallow options that are quotes from books on the index
    > or not political correct enough for a US state agency?
    
    The LSM module_initialize hook is called with a pointer to the kernel's
    copy of the relocated module image with the struct module header.  Hence,
    the security module is free to perform whatever validation it wants on
    that image prior to the execution of the init function.  But if the
    criteria is that there must be a specific existing security module that
    uses the hook, then this one will go away too.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 12:02:40 PDT