Re: [RFC][PATCH] Generic fallback for security xattrs

From: Stephen Smalley (sds@private)
Date: Mon Jul 25 2005 - 08:19:33 PDT


On Mon, 2005-07-18 at 10:43 -0700, Casey Schaufler wrote:
> > In that
> > case, there is no
> > storage of xattrs at all, so there is nothing to do
> > besides calling the
> > security module.
> 
> Or whatever extended attribute you might want.
> That's my point, that xattrs are good for more
> than security policies (e.g. audit) and a
> special-for-security kludge is w r o n g.

I think you misunderstand.  We aren't precluding the implementation of
other kinds of xattrs for such pseudo filesystems (and in fact, the
xattr code consolidation work done by James Morris as part of adding
these handlers to tmpfs has made it easier to add such support in the
future).  But in the case of the security xattrs, interpretation has to
be handled by the security module, "storage" is done entirely in the
incore inode security structure managed by that module, and get/set
operations have to be resolved by that module.  The filesystem code
can't do it directly; at best, it just has to call into the security
module.  And this introduces an extra layer of indirection that serves
no real purpose.

IIRC, FreeBSD took a different approach; they have a separate kernel API
for getting/setting MAC labels than the xattr API (which is purely a
storage interface), and that MAC label API is handled directly by the
security framework/modules.  The security framework/modules are free to
then call the internal xattr API when the filesystem type supports
xattrs, but they are also free to just directly handle the request
themselves, which they would do in the case of pseudo filesystems where
there is no storage.  I'm not proposing that for Linux, but it does
allow them to unambiguously get the MAC label of an inode of any
filesystem.

> > The label is mapped to a SID and stored in the
> > incore inode's security
> > structure.
> 
> In which case the file system code has easy
> access to it.

No, because it cannot interpret the security structures, as they are
specific to the security modules.  It has to be handled via a LSM hook,
regardless of whether that hook is called by the fs code or by the VFS.

-- 
Stephen Smalley
National Security Agency
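The design point argued in the message above (security.* xattrs are resolved by the security module out of its incore per-inode structure, while the filesystem only has opaque access to that structure and, on a pseudo filesystem, has no xattr storage at all) can be modelled in user space. The following is an added example written for this page; it is not kernel code and not from the patch under discussion. All names (`vfs_getxattr`, `sec_inode_getsecurity`, `struct sec_inode`, the SID table and the contexts in it) are hypothetical, and the inode in the scenario is constructed.

```c
/* Toy user-space model of VFS xattr dispatch with a generic fallback for
 * "security.*" names. Constructed example: not kernel code, all names are
 * hypothetical. Return convention follows the kernel: length or -errno. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XATTR_SECURITY_PREFIX "security."

/* Minimal inode: the VFS and the filesystem see i_security only as an opaque
 * pointer; its layout belongs to the security module. */
struct inode {
    int has_xattr_storage;      /* 0 for a pseudo filesystem with no xattrs */
    const char *user_key;       /* the single user.* xattr this toy fs holds */
    const char *user_value;
    void *i_security;           /* owned and interpreted by the module only */
};

/* ---- security module's private state ---- */

struct sec_inode { unsigned int sid; };    /* incore per-inode structure */

/* Constructed SID table (index == SID, 0 is "unlabeled"). */
static const char *const sid_table[] = {
    NULL,
    "system_u:object_r:proc_t:s0",
    "user_u:object_r:user_home_t:s0",
};
#define NSIDS (sizeof(sid_table) / sizeof(sid_table[0]))

static int context_to_sid(const char *ctx, size_t len, unsigned int *sid)
{
    for (unsigned int i = 1; i < NSIDS; i++)
        if (strlen(sid_table[i]) == len && memcmp(sid_table[i], ctx, len) == 0) {
            *sid = i;
            return 0;
        }
    return -EINVAL;             /* context unknown to the policy */
}

/* LSM-style hook: expand the SID back into label text for "security.selinux". */
static int sec_inode_getsecurity(struct inode *inode, const char *suffix,
                                 char *buf, size_t size)
{
    struct sec_inode *isec = inode->i_security;
    if (strcmp(suffix, "selinux") != 0)
        return -EOPNOTSUPP;
    if (!isec || isec->sid == 0 || isec->sid >= NSIDS)
        return -ENODATA;
    const char *ctx = sid_table[isec->sid];
    size_t len = strlen(ctx);
    if (buf) {                  /* buf == NULL asks only for the size */
        if (size < len)
            return -ERANGE;
        memcpy(buf, ctx, len);
    }
    return (int)len;
}

/* LSM-style hook: map the label to a SID and keep only the SID incore. */
static int sec_inode_setsecurity(struct inode *inode, const char *suffix,
                                 const char *value, size_t len)
{
    struct sec_inode *isec = inode->i_security;
    unsigned int sid;
    if (strcmp(suffix, "selinux") != 0)
        return -EOPNOTSUPP;
    if (!isec)
        return -ENODATA;
    int rc = context_to_sid(value, len, &sid);
    if (rc)
        return rc;
    isec->sid = sid;
    return 0;
}

/* ---- VFS-side dispatch ---- */

int vfs_getxattr(struct inode *inode, const char *name, char *buf, size_t size)
{
    size_t plen = strlen(XATTR_SECURITY_PREFIX);
    /* Generic fallback: security.* never touches filesystem storage. */
    if (strncmp(name, XATTR_SECURITY_PREFIX, plen) == 0)
        return sec_inode_getsecurity(inode, name + plen, buf, size);
    /* Any other namespace needs real storage, which a pseudo fs lacks. */
    if (!inode->has_xattr_storage)
        return -EOPNOTSUPP;
    if (inode->user_key && strcmp(name, inode->user_key) == 0) {
        size_t len = strlen(inode->user_value);
        if (buf) {
            if (size < len)
                return -ERANGE;
            memcpy(buf, inode->user_value, len);
        }
        return (int)len;
    }
    return -ENODATA;
}

int vfs_setxattr(struct inode *inode, const char *name, const char *value, size_t len)
{
    size_t plen = strlen(XATTR_SECURITY_PREFIX);
    if (strncmp(name, XATTR_SECURITY_PREFIX, plen) == 0)
        return sec_inode_setsecurity(inode, name + plen, value, len);
    return -EOPNOTSUPP;         /* toy fs models no writable user.* storage */
}

/* Constructed scenario: an inode on a pseudo filesystem (no xattr storage)
 * whose label exists only in the module's incore structure. */
static struct sec_inode g_isec = { 0 };
static struct inode g_pseudo = { 0, NULL, NULL, &g_isec };

/* Set the label through the security xattr, then read it back. */
int example_security_roundtrip(char *buf, size_t size)
{
    const char *ctx = "system_u:object_r:proc_t:s0";
    int rc = vfs_setxattr(&g_pseudo, "security.selinux", ctx, strlen(ctx));
    if (rc)
        return rc;
    return vfs_getxattr(&g_pseudo, "security.selinux", buf, size);
}

/* 1 if the label read back through the VFS equals the one that was set. */
int example_label_matches(void)
{
    char buf[64];
    int n = example_security_roundtrip(buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, "system_u:object_r:proc_t:s0") == 0;
}

/* A too-small caller buffer is reported, not silently truncated. */
int example_small_buffer(void)
{
    char buf[4];
    return example_security_roundtrip(buf, sizeof buf);
}

/* A user.* attribute on the same inode has nowhere to live. */
int example_user_xattr_on_pseudo_fs(void)
{
    char buf[64];
    return vfs_getxattr(&g_pseudo, "user.comment", buf, sizeof buf);
}

int main(void)
{
    char buf[64];
    int n = example_security_roundtrip(buf, sizeof buf - 1);
    if (n < 0) {
        printf("security.selinux failed: %d\n", n);
        return 1;
    }
    buf[n] = '\0';
    printf("security.selinux on pseudo-fs inode -> \"%s\" (%d bytes)\n", buf, n);
    printf("user.comment on pseudo-fs inode     -> %d (EOPNOTSUPP is %d)\n",
           example_user_xattr_on_pseudo_fs(), EOPNOTSUPP);
    return 0;
}
```

The point the model makes concrete: `vfs_getxattr` hands every `security.*` request to the module before it ever asks whether the filesystem has storage, so the label of a pseudo-filesystem inode is readable through the xattr interface even though `user.*` on the same inode fails with `EOPNOTSUPP`; and nothing outside the module dereferences `i_security`, because only the module knows that it holds a SID rather than label text.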



This archive was generated by hypermail 2.1.3 : Mon Jul 25 2005 - 08:22:52 PDT