Re: [RFC][PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks

From: serue@private
Date: Mon Jul 25 2005 - 05:56:38 PDT


Would it be possible to copy the parent's integrity information in the
child inode's xattrs?  You could do this when the child is created, or,
in the case of filesystem relabeling, when the child is labeled.

Of course I see two shortcomings.  First is the case of multiple parents
for other links to the inode.  This is also a problem if you dereference
dentry->d_parent.  How are you addressing this now?

Second is what to do when the parent's integrity level is updated.  Is
it possible to only slightly downgrade the integrity information?  If
not, then of course you can simply refuse traversal of a directory in
inode_permission() if its integrity has been compromised.  If so, then
perhaps you would have to walk the fs subtree from that point onward.

Also, how do you address open files right now if a parent directory
is compromised?  Do you intend to deny all access to those files from
then on, or only future open()s?

thanks,
-serge

Quoting Mimi Zohar (zohar@private):
> 
> >> On Thu, Jul 14, 2005 at 03:29:37PM -0400, Stephen Smalley wrote:
> >> > This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks
> >> > as they are obsoleted by the new inode_init_security hook that enables
> >> > atomic inode security labeling. If anyone sees any reason to retain
> >> > these hooks, please speak now. Also, is anyone using the
> >> > post_rename/link hooks; if not, those could also be removed.
> >> >
> >> The new inode_init_security hook doesn't receive the dentry information
> >> that the inode_post_create/mkdir/mknod/symlink LSM hooks receive. This
> >> is a problem for subdomain because we rely on dentry information.
> 
> This is also a problem for SLIM, which creates the new inode integrity
> level label based on the lesser of the integrity level of the parent
> directory and the current process.  The integrity level of the parent
> directory is an extended attribute label, which is currently accessible
> through getxattr() using the dentry->d_parent.  Removing the dentry
> parameter would require a corresponding function to set_handle, based on
> the inode, to get the extended integrity level attribute label of the
> parent.
> 
> Mimi
> 
> 


