| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Aug 2007 19:30:42 -0400 From: Kyle Moffett <mrmacman_g4@....com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: David Howells <dhowells@...hat.com>, viro@....linux.org.uk, sds@...ho.nsa.gov, casey@...aufler-ca.com, linux-fsdevel@...r.kernel.org, nfsv4@...ux-nfs.org, linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov, linux-security-module@...r.kernel.org Subject: Re: Adding a security parameter to VFS functions On Aug 16, 2007, at 18:57:24, Linus Torvalds wrote: > On Wed, 15 Aug 2007, David Howells wrote: >> Would you object greatly to functions like vfs_mkdir() gaining a >> security parameter? What I'm thinking of is this: >> int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode, >> struct security *security) > > I personally consider this an affront to everythign that is decent. > > Why the *hell* would mkdir() be so magical as to need something > like that? Not speaking directly for David, but I believe the reason is for background kernel code which needs to do filesystem access during a thread's execution with *completely* different security context from that of the thread. Examples should be reasonably obvious; kNFSd is one, but it also includes anything where the kernel would poke directly into the filesystem, such as network filesystem cachefiles. > Make it something sane, like a "struct nameidata" instead, and make > it at least try to look like the path creation that is done by "open > ()". Or create a "struct file *" or something. > > I can imagine having "mkdir()" being passed similar data as "open > ()" (ie "lookup()"), but I cannot _possibly_ imagine it ever being > valid to pass in something totally made-up to just mkdir(), and > nothing else. There's something fundamentally wrong there. I would offer the suggestion of using the described "struct security" in-place in the task struct, in place of using all those fields individually. That would be, in effect the "default" security context for any given task, if "NULL" is passed to the appropriate vfs function. For CacheFiles and kNFSd, they could each allocate their own during initialization or new-connection and pass that to any "mkdir()", etc that they do on behalf of a given client. > What makes mkdir() so magical? > > Also, what about all the other ops? Why is mkdir() special, but not > "mknod()"? Why is "mkdir()" special, but not "rmdir()"? Really, > none of this seems to make any sense unless you describe what is so > magical about mkdir(). I think mkdir() was just an example he was using, probably because it was the first VFS call he needed to set a security context on. Next would come anything which CacheFiles or NFSd call on the underlying filesystem. Cheers, Kyle Moffett - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists