| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Sep 2008 09:58:43 -0700 (PDT) From: david@...g.hm To: Stephen Smalley <sds@...ho.nsa.gov> cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Andrew Morton <akpm@...ux-foundation.org>, Paul Moore <paul.moore@...com>, jmorris@...ei.org, rjw@...k.pl, linux-kernel@...r.kernel.org, kernel-testers@...r.kernel.org, netdev@...r.kernel.org, Eric Paris <eparis@...isplace.org> Subject: Re: [Bug #11500] /proc/net bug related to selinux On Thu, 18 Sep 2008, Stephen Smalley wrote: > On Thu, 2008-09-18 at 11:09 -0700, Eric W. Biederman wrote: >> Stephen Smalley <sds@...ho.nsa.gov> writes: >> >>> On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote: >>>> I do however think that the mantra that we can't require users to update >>>> policy for kernel changes is unsupportable in general. The precise set >>>> of permission checks on a given operation is not set in stone and it is >>>> not part of the kernel/userland interface/contract. Policy isn't >>>> "userspace"; it governs what userspace can do, and it has to adapt to >>>> kernel changes. >>> >>> I should note here that for changes to SELinux, we have gone out of our >>> way to avoid such breakage to date through the introduction of >>> compatibility switches, policy flags to enable any new checks, etc >>> (albeit at a cost in complexity and ever creeping compatibility code). >>> But changes to the rest of the kernel can just as easily alter the set >>> of permission checks that get applied on a given operation, and I don't >>> think we are always going to be able to guarantee that new kernel + old >>> policy will Just Work. >> >> I know of at least 2 more directories that I intend to turn into >> symlinks into somewhere under /proc/self. How do we keep from >> breaking selinux policies when I do that? > > I suspect we could tweak the logic in selinux_proc_get_sid() to always > label all symlinks under /proc with the base proc_t type already used > for e.g. /proc/self, at which point existing policies would be ok. so if proc is mounted anywhere other then /proc the selinux policy would do odd things? David Lang >> For comparison how do we handle sysfs? > > Unresolved; presently has a single label for all nodes. > See https://bugzilla.redhat.com/show_bug.cgi?id=228902 > for prior discussion of fine-grained labeling support for sysfs. > >> How do we handle device nodes in tmpfs? > > udev has selinux support - looks up the appropriate context in a > userland config file (file_contexts) via libselinux matchpathcon(3) and > sets it upon creation. tmpfs has long supported getting/setting > security.* attributes. > >> Ultimately do we want to implement xattrs and inotify on /proc? >> Or is there another way that would simplify maintenance? > > If proc supported setxattr, then I suppose early userspace could label > it instead of the kernel needing to determine a label internally. But > not sure how we'd cleanly migrate to avoid breakage with old userspace. > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists