Re: [RFC] [PATCH] Stacking through chaining (v3)

From: Valdis.Kletnieks@private
Date: Tue Nov 30 2004 - 12:44:36 PST

On Tue, 30 Nov 2004 14:08:27 CST, "Serge E. Hallyn" said:
> I don't think that calling of capable from modules is a problem, because it
> is not actually called from any module's capable itself.  It's used to
> check for specific privileges, and if any stacked LSM does not want to
> grant that privilege, then any action depending on that privilege should
> probably be refused.

Hmm.. so whatever is running the hooks calls LSM A, which decides to check
whether CAP_FOO is asserted.  As a result, it ends up calling LSM B's code -
quite possibly getting us into a situation where:

1) LSM A denies the request because LSM B's code said "no".
2) even though LSM B's code didn't see a problem with granting the request,
because it never even bothers to check for CAP_FOO in the hook for that request.

Consider a secondary LSM that doesn't check for inode xattrs, but SELinux
calls it for CAP_SYS_ADMIN anyhow in selinux_inode_setxattr().  (Fortunately
for us, the current commoncap.c *does* do The Same Check in its cap_inode_setxattr()).

Either that, or I just threw a -ENOCAFFEINE.. ;)

This archive was generated by hypermail 2.1.3 : Tue Nov 30 2004 - 12:45:00 PST