| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1200409128.9669.46.camel@moss-spartans.epoch.ncsc.mil>
Date: Tue, 15 Jan 2008 09:58:48 -0500
From: Stephen Smalley <sds@...ho.nsa.gov>
To: David Howells <dhowells@...hat.com>
Cc: Daniel J Walsh <dwalsh@...hat.com>, casey@...aufler-ca.com,
linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM
settings for task actions [try #2]
On Mon, 2008-01-14 at 14:06 +0000, David Howells wrote:
> David Howells <dhowells@...hat.com> wrote:
>
> > Okay... It looks like I want four security operations/hooks for cachefiles:
>
> FYI, I added the following vectors:
>
> # kernel services that need to override task security
> class kernel_service
> {
> use_as_override
> create_files_as
> }
>
> The first allows:
>
> avc_has_perm(daemon_tsec->sid, nominated_sid,
> SECCLASS_KERNEL_SERVICE,
> KERNEL_SERVICE__USE_AS_OVERRIDE,
> NULL);
>
> And the second something like:
>
> avc_has_perm(tsec->sid, inode->sid,
> SECCLASS_KERNEL_SERVICE,
> KERNEL_SERVICE__CREATE_FILES_AS,
> NULL);
>
> Rather than specifically dedicating them to the cache, I made them general.
Make sure that you or Dan submits a policy patch to register these
classes and permissions in the policy when the kernel patch is queued
for merge.
--
Stephen Smalley
National Security Agency
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists