Re: [PATCH] BSD Secure Levels LSM

From: Chris Wright (chrisw@private)
Date: Mon Nov 24 2003 - 15:04:36 PST

Next message: Chris Wright: "Re: [PATCH] BSD Secure Levels LSM"

Previous message: Chris Wright: "Re: [PATCH] BSD Secure Levels LSM"
In reply to: Michael A. Halcrow: "[PATCH] BSD Secure Levels LSM"
Next in thread: Serge E. Hallyn: "Re: [PATCH] BSD Secure Levels LSM"
Next in thread: Chris Wright: "Re: [PATCH] BSD Secure Levels LSM"
Reply: Serge E. Hallyn: "Re: [PATCH] BSD Secure Levels LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Michael A. Halcrow (mahalcro@private) wrote:
> Attached are patches against the 2.6.0-test kernel to implement BSD
> Secure Levels as an LSM.  seclvl-hooks.diff contains requisite hooks

Thanks very much for splitting the patch like that.

> to implement some of the Secure Levels policies.  Note that a settime
> hook currently exists in the LSM BK tree.  It is not, however, in the

Yes, it's in the LSM BK tree, and it's done slightly differently.  The
warp_clock() bit is not done until after it's passed the hook in the BK
tree.

Some simple notes on the hooks:

> diff -Pru linux-2.6.0-test7/include/linux/security.h linux-2.6.0-test7-hooks/include/linux/security.h
> --- linux-2.6.0-test7/include/linux/security.h	2003-10-08 14:24:26.000000000 -0500
> +++ linux-2.6.0-test7-hooks/include/linux/security.h	2003-10-20 11:47:53.000000000 -0500
> @@ -91,6 +91,24 @@
>   *
>   * Security hooks for program execution operations.
>   *
> + *
> + * @settime:
> + *	Check permission to reset the system time.
> + *	@tv contains the new time
> + *	Return 0 if permission is granted
> + *
> + * @module_load:
> + *	Check permission for the current process to load the kernel
> + * 	module @mod.
> + *	@mod is the module whose deletion has been requested.  Is
> + *	only the @mod->name trustworthy?
> + *	Return 0 if permission is granted.
> + * @module_delete:
> + *	Check permission for the current process to unload the kernel
> + * 	module @mod.
> + *	@mod is the module whose deletion has been requested.
> + *	Return 0 if permission is granted.

The reason all three of these hooks were rejected is because they are
too redundant with the existing capability check.  In these cases, the
right thing to do is to collapse the capability check into the hook.  So
this means, the security_module_delete() hook implementation in the
capability code would be a simple cap_capable(current, CAP_SYS_MODULE)
or smth. like that.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

Next message: Chris Wright: "Re: [PATCH] BSD Secure Levels LSM"
Previous message: Chris Wright: "Re: [PATCH] BSD Secure Levels LSM"
In reply to: Michael A. Halcrow: "[PATCH] BSD Secure Levels LSM"
Next in thread: Serge E. Hallyn: "Re: [PATCH] BSD Secure Levels LSM"
Next in thread: Chris Wright: "Re: [PATCH] BSD Secure Levels LSM"
Reply: Serge E. Hallyn: "Re: [PATCH] BSD Secure Levels LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Nov 24 2003 - 15:05:21 PST