lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <08F0A127-BBEE-4B80-8AE7-1EB7CB815C16@mac.com>
Date:	Thu, 16 Aug 2007 19:30:42 -0400
From:	Kyle Moffett <mrmacman_g4@....com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	David Howells <dhowells@...hat.com>, viro@....linux.org.uk,
	sds@...ho.nsa.gov, casey@...aufler-ca.com,
	linux-fsdevel@...r.kernel.org, nfsv4@...ux-nfs.org,
	linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov,
	linux-security-module@...r.kernel.org
Subject: Re: Adding a security parameter to VFS functions

On Aug 16, 2007, at 18:57:24, Linus Torvalds wrote:
> On Wed, 15 Aug 2007, David Howells wrote:
>> Would you object greatly to functions like vfs_mkdir() gaining a  
>> security parameter?  What I'm thinking of is this:
>> int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode,  
>> struct security *security)
>
> I personally consider this an affront to everythign that is decent.
>
> Why the *hell* would mkdir() be so magical as to need something  
> like that?

Not speaking directly for David, but I believe the reason is for  
background kernel code which needs to do filesystem access during a  
thread's execution with *completely* different security context from  
that of the thread.  Examples should be reasonably obvious; kNFSd is  
one, but it also includes anything where the kernel would poke  
directly into the filesystem, such as network filesystem cachefiles.

> Make it something sane, like a "struct nameidata" instead, and make  
> it at least try to look like the path creation that is done by "open 
> ()".  Or create a "struct file *" or something.
>
> I can imagine having "mkdir()" being passed similar data as "open 
> ()" (ie "lookup()"), but I cannot _possibly_ imagine it ever being  
> valid to pass in something totally made-up to just mkdir(), and  
> nothing else. There's something fundamentally wrong there.

I would offer the suggestion of using the described "struct security"  
in-place in the task struct, in place of using all those fields  
individually.  That would be, in effect the "default" security  
context for any given task, if "NULL" is passed to the appropriate  
vfs function.  For CacheFiles and kNFSd, they could each allocate  
their own during initialization or new-connection and pass that to  
any "mkdir()", etc that they do on behalf of a given client.


> What makes mkdir() so magical?
>
> Also, what about all the other ops? Why is mkdir() special, but not  
> "mknod()"? Why is "mkdir()" special, but not "rmdir()"? Really,  
> none of this seems to make any sense unless you describe what is so  
> magical about mkdir().

I think mkdir() was just an example he was using, probably because it  
was the first VFS call he needed to set a security context on.   Next  
would come anything which CacheFiles or NFSd call on the underlying  
filesystem.

Cheers,
Kyle Moffett

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ