lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <29015.1187178055@redhat.com>
Date:	Wed, 15 Aug 2007 12:40:55 +0100
From:	David Howells <dhowells@...hat.com>
To:	torvalds@...l.org, viro@....linux.org.uk
cc:	dhowells@...hat.com, sds@...ho.nsa.gov, casey@...aufler-ca.com,
	linux-fsdevel@...r.kernel.org, nfsv4@...ux-nfs.org,
	linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov,
	linux-security-module@...r.kernel.org
Subject: Adding a security parameter to VFS functions


Hi Linus, Al,

Would you object greatly to functions like vfs_mkdir() gaining a security
parameter?  What I'm thinking of is this:

	int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode,
		      struct security *security)

Where the security context is the state of the context at the time the call
was issued:

	struct security {
		uid_t			fsuid;
		git_t			fsgid;
		struct group_info	*group_info;
		void			*security;
		struct key		*session_keyring;
		struct key		*process_keyring;
		struct key		*thread_keyring;

And perhaps:

		struct audit_context	*audit_context;
		seccomp_t		seccomp;
	};

This would, for the most part, be a temporary affair, being set up by such as
sys_mkdir()/sys_mkdirat() from data held in task_struct.

This information would then be passed into the filesystem and LSM layers so
that files, directories, etc. can be created, opened, deleted, or otherwise
mangled based on these security items, rather than the one in whichever
task_struct is current.


The reason for doing this would be to support an act-as interface, so that
services such as nfsd and cachefiles could act with different security details
to the ones attached to the task.  This would have a couple of potential
benefits:

 (1) nfsd threads don't have to keep changing their security contexts.

 (2) cachefiles can act on behalf of a process without changing its security
     context.


Note that I/O operations such as read, write and ioctl would *not* be passed
this data as the file struct should contain the relevant security information.
Similarly, page I/O operations would also not need alteration as the VMA
covering the region points to a file struct, which holds the appropriate
security.

David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ