lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 16 Nov 2007 23:46:28 -0500
From:	Trond Myklebust <trond.myklebust@....uio.no>
To:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:	akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: [TOMOYO #5 02/18] Add wrapper functions for VFShelperfunctions.


On Sat, 2007-11-17 at 13:04 +0900, Tetsuo Handa wrote:
> Hello.
> 
> Trond Myklebust wrote:
> > The problem is that you have thrown away the main tool for documenting
> > the requirement, and for enforcing correctness (i.e. function argument
> > checking by the compiler).
> I'm sorry. I wanted to know whether the below approach is possible.

"Possible" is completely irrelevant. The question you _should_ be asking
is "is it maintainable".

> > The old functions are still there, are still exported, and still take
> > the same arguments as before, but you have now added a hidden
> > requirement that I have to set last_vfsmount when I call them. If I
> > haven't read your patch, and just call one of those vfs_* functions as
> > before, without setting last_vfsmount, I break your model, and I won't
> > find out until someone reports an obscure bug at runtime.
> I don't care if some kernel module calls vfs_* without setting last_vfsmount
> because there is no reason to reject requests from kernel code.
> Setting last_vfsmount is required for requests from userland process.
> This approach makes it possible to
> (1) tell whether the vfs_* calls are from userland or kernel
> and
> (2) leave kernel modules that are not called from userland unchanged.
> This is why this patch doesn't and needn't to modify fs/*/ files.

I'm confused. How do you tell the difference between a 'userland'
request and a 'kernel' request, and why is the latter safe from a
security perspective?

Trond

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ