Re: [PATCH] remove sys_security

From: Stephen C. Tweedie (sctat_private)
Date: Wed Oct 23 2002 - 04:59:07 PDT

  • Next message: Stephen Smalley: "Re: [PATCH] remove sys_security"

    On Wed, Oct 23, 2002 at 01:43:55PM +0200, Russell Coker wrote:
    > On Wed, 23 Oct 2002 02:35, Stephen C. Tweedie wrote:
    > > > "system_u:object_r:var_log_t") then how would I go about doing it other
    > > > than through a modified open system call?
    > > With a "setesid(2)" syscall to set the effective sid.
    > Good idea, however there are two potential problems that I can see.
    > When creating a file the UID/GID name space for the file is the same as that 
    > for the process.  In SE Linux the name space for files to be created does not 
    > intersect the name space of the processes.  This makes it much less clean 
    > than setfsuid().
    setfsuid() creates credentials which are _only_ applied to file
    operations.  The namespace happens to be the same one that applies to
    processes, but there's nothing that requires that to be the case, and
    if you have a corresponding setfssid() to set the effective set for fs
    access, you're explicitly requesting the fs namespace, not the process
    > Secondly there is the issue of a lack of atomicity.  Is there a potential for 
    > a signal handler to create a file between the setesid() and creat() in the 
    > main code?  I guess the API open_secure() could remain the same and block all 
    > signals for it's operation...
    Definitely.  Application writers will need to be aware of that, just
    as they have to be aware of the same for setfsuid today.  But when
    you've got signal handlers doing complex work, you've got all sorts of
    races opening up, and trying to fix every single one of them by
    inventing new syscalls for every single combination of operation that
    the app might want to do atomically makes no sense!
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 05:00:39 PDT