lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080307181431.GA4915@kroah.com>
Date:	Fri, 7 Mar 2008 10:14:31 -0800
From:	Greg KH <greg@...ah.com>
To:	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	Pavel Emelyanov <xemul@...nvz.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, menage@...gle.com, sukadev@...ibm.com
Subject: Re: [PATCH 5/9] Make use of permissions, returned by kobj_lookup

On Fri, Mar 07, 2008 at 11:35:42AM -0600, Serge E. Hallyn wrote:
> > Do you really want to run other LSMs within a containerd kernel?  Is
> > that a requirement?  It would seem to run counter to the main goal of
> > containers to me.
> 
> Until user namespaces are complete, selinux seems the only good solution
> to offer isolation.

Great, use that instead :)

> > > 2. Turning CONFIG_SECURITY on immediately causes all the other hooks
> > >    to get called. This affects performance on critical paths, like
> > >    process creation/destruction, network flow and so on. This impact
> > >    is small, but noticeable;
> > 
> > The last time this was brought up, it was not noticable, except for some
> > network paths.  And even then, the number was lost in the noise from
> > what I saw.  I think with a containered machine, you have bigger things
> > to be worried about :)
> > 
> > > 3. With LSM turned on we'll have to "virtualize" it, i.e. make its
> > >    work safe in a container. I don't presume to judge how much work
> > >    will have to be done in this area, so the result patch would be
> > >    even larger and maybe will duplicate functionality, which is currently
> > >    in cgroups. OTOH, cgroups already provide the ways to correctly 
> > >    delegate proper rights to containers.
> > 
> > No, your lsm would be your "virtualize" policy.  I don't think you would
> > have to do any additional work here, but could be wrong.  Would like to
> > see the code to prove it.
> > 
> > > > Opening a dev node is not on any "fast path" that you need to be
> > > > concerned about a few extra calls within the kernel.
> > > > 
> > > > And, I think in the end your patch would be much smaller and easier to
> > > > understand and review and maintain overall.
> > > 
> > > Hardly - the largest part of my patch is cgroup manipulations. The part
> > > that makes the char and block layers switch to new map ac check the 
> > > permissions is 10-20 lines of new code.
> > > 
> > > But with LSM I will still need this API.
> > 
> > Yes, but your LSM hooks will be smaller than the code modifications to
> > the map logic :)
> > 
> > Again, I object to this as you are driving a new security policy
> > infrastructure into the device node logic where it does not belong as we
> > already have this functionality in the LSM interface today.  Please use
> > that one instead and don't clutter up the kernel with "one-off" security
> > changes like this one.
> > 
> > Please try the LSM interface and see what happens.  If, after you have
> 
> https://lists.linux-foundation.org/pipermail/containers/2007-November/008589.html
> 
> This was just a proof of concept for discussion.

I don't see the LSM patch in that posting, only a Makefile change that
adds it to the build.

> Our conclusion (including my own) was that it would be nicer to have the
> controls not be shoed in using lsm but rather at the level Pavel was
> doing.

Why?  What is the difference?  I don't see that discussion anywhere in
that post.

Why add add-hock security stuff to the kernel all over the place and not
use the LSM interface that we already have?  If LSM doesn't provide the
exact right hooks needed, we can always change it (and no, we should not
be adding kobj_maps hooks to LSM).

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ