lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 30 Jul 2007 08:12:05 -0500
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Adrian Bunk <bunk@...sta.de>
Cc:	chrisw@...s-sol.org, linux-security-module@...r.kernel.org,
	sds@...ho.nsa.gov, jmorris@...ei.org, eparis@...isplace.org,
	linux-ext4@...r.kernel.org, reiserfs-devel@...r.kernel.org,
	jfs-discussion@...ts.sourceforge.net, jffs-dev@...s.com,
	xfs-masters@....sgi.com
Subject: Re: [RFC: 2.6 patch] make the *FS_SECURITY options no longer user visible

Quoting Adrian Bunk (bunk@...sta.de):
> Please correct me if any of the following assumptions is wrong:
> - SELinux is currently the only user of filesystem security labels
>   shipped with the Linux kernel
> - if a user has SELinux enabled he wants his filesystems to support
>   security labels
> 
> Based on these assumption, it doesn't make sense to have the
> *FS_SECURITY user visible since we can perfectly determine automatically 
> when turning them on makes sense.

I'm not very knowledgeable on the niftier kconfig features.  Is there a
way to introduce some intermediate SECURITY_XATTR variable, which
SECURITY_SELINUX could select, and which *_FS_SECURITY could depend on?

That way patches for file capabilities (in -mm) and smack (being
discussed on linux-security-module) won't have to explicitly add
themselves to every one of those 'depends on' lines.

thanks,
-serge

> Signed-off-by: Adrian Bunk <bunk@...sta.de>
> 
> ---
> 
>  fs/Kconfig     |   82 +++++++++++++------------------------------------
>  fs/xfs/Kconfig |   13 +------
>  2 files changed, 25 insertions(+), 70 deletions(-)
> 
> --- linux-2.6.23-rc1-mm1/fs/Kconfig.old	2007-07-28 23:12:19.000000000 +0200
> +++ linux-2.6.23-rc1-mm1/fs/Kconfig	2007-07-28 23:17:33.000000000 +0200
> @@ -40,16 +40,10 @@ config EXT2_FS_POSIX_ACL
>  	  If you don't know what Access Control Lists are, say N
> 
>  config EXT2_FS_SECURITY
> -	bool "Ext2 Security Labels"
> -	depends on EXT2_FS_XATTR
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute handler for file security
> -	  labels in the ext2 filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for file security labels, say N.
> +	bool
> +	depends on EXT2_FS && SECURITY_SELINUX
> +	select EXT2_FS_XATTR
> +	default y
> 
>  config EXT2_FS_XIP
>  	bool "Ext2 execute in place support"
> @@ -125,16 +119,10 @@ config EXT3_FS_POSIX_ACL
>  	  If you don't know what Access Control Lists are, say N
> 
>  config EXT3_FS_SECURITY
> -	bool "Ext3 Security Labels"
> -	depends on EXT3_FS_XATTR
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute handler for file security
> -	  labels in the ext3 filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for file security labels, say N.
> +	bool
> +	depends on EXT3_FS && SECURITY_SELINUX
> +	select EXT3_FS_XATTR
> +	default y
> 
>  config EXT4DEV_FS
>  	tristate "Ext4dev/ext4 extended fs support development (EXPERIMENTAL)"
> @@ -190,16 +178,10 @@ config EXT4DEV_FS_POSIX_ACL
>  	  If you don't know what Access Control Lists are, say N
> 
>  config EXT4DEV_FS_SECURITY
> -	bool "Ext4dev Security Labels"
> -	depends on EXT4DEV_FS_XATTR
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute handler for file security
> -	  labels in the ext4dev/ext4 filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for file security labels, say N.
> +	bool
> +	depends on EXT4DEV_FS && SECURITY_SELINUX
> +	select EXT4DEV_FS_XATTR
> +	default y
> 
>  config JBD
>  	tristate
> @@ -349,16 +331,10 @@ config REISERFS_FS_POSIX_ACL
>  	  If you don't know what Access Control Lists are, say N
> 
>  config REISERFS_FS_SECURITY
> -	bool "ReiserFS Security Labels"
> -	depends on REISERFS_FS_XATTR
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute handler for file security
> -	  labels in the ReiserFS filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for file security labels, say N.
> +	bool
> +	depends on REISERFS_FS && SECURITY_SELINUX
> +	select REISERFS_FS_XATTR
> +	default y
> 
>  config JFS_FS
>  	tristate "JFS filesystem support"
> @@ -383,16 +359,9 @@ config JFS_POSIX_ACL
>  	  If you don't know what Access Control Lists are, say N
> 
>  config JFS_SECURITY
> -	bool "JFS Security Labels"
> -	depends on JFS_FS
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute handler for file security
> -	  labels in the jfs filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for file security labels, say N.
> +	bool
> +	depends on JFS_FS && SECURITY_SELINUX
> +	default y
> 
>  config JFS_DEBUG
>  	bool "JFS debugging"
> @@ -1300,17 +1269,10 @@ config JFFS2_FS_POSIX_ACL
>  	  If you don't know what Access Control Lists are, say N
> 
>  config JFFS2_FS_SECURITY
> -	bool "JFFS2 Security Labels"
> -	depends on JFFS2_FS_XATTR
> +	bool
> +	depends on JFFS2_FS && SECURITY_SELINUX
> +	select JFFS2_FS_XATTR
>  	default y
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute handler for file security
> -	  labels in the jffs2 filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for file security labels, say N.
> 
>  config JFFS2_COMPRESSION_OPTIONS
>  	bool "Advanced compression options for JFFS2"
> --- linux-2.6.23-rc1-mm1/fs/xfs/Kconfig.old	2007-07-28 23:19:13.000000000 +0200
> +++ linux-2.6.23-rc1-mm1/fs/xfs/Kconfig	2007-07-28 23:19:49.000000000 +0200
> @@ -36,16 +36,9 @@ config XFS_QUOTA
>  	  they are completely independent subsystems.
> 
>  config XFS_SECURITY
> -	bool "XFS Security Label support"
> -	depends on XFS_FS
> -	help
> -	  Security labels support alternative access control models
> -	  implemented by security modules like SELinux.  This option
> -	  enables an extended attribute namespace for inode security
> -	  labels in the XFS filesystem.
> -
> -	  If you are not using a security module that requires using
> -	  extended attributes for inode security labels, say N.
> +	bool
> +	depends on XFS_FS && SECURITY_SELINUX
> +	default y
> 
>  config XFS_POSIX_ACL
>  	bool "XFS POSIX ACL support"
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ