lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200806021524.51597.agruen@suse.de>
Date:	Mon, 2 Jun 2008 15:24:48 +0200
From:	Andreas Gruenbacher <agruen@...e.de>
To:	Matthew Wilcox <matthew@....cx>
Cc:	Miklos Szeredi <miklos@...redi.hu>, hch@...radead.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, jmorris@...ei.org,
	sds@...ho.nsa.gov, eparis@...hat.com, casey@...aufler-ca.com,
	jjohansen@...e.de, penguin-kernel@...ove.sakura.ne.jp,
	viro@...iv.linux.org.uk, linux-kernel@...r.kernel.org
Subject: Re: [patch 01/15] security: pass path to inode_create

On Monday 02 June 2008 14:49:06 Matthew Wilcox wrote:
> On Mon, Jun 02, 2008 at 02:45:10PM +0200, Andreas Gruenbacher wrote:
> > Without the vfsmount, when something is mounted in more than once place,
> > you cannot report which of the name aliases a process is accessing. This
> > is unacceptable; the logs would become unusable. With pathname-based, the
> > AppArmor and TOMOYO folks really mean pathname-based, not a hybrid
> > pathname / mount point model.
>
> audit_getname manages to do this.

You would assume, but no: audit_getname() grabs a reference to the pwd and the 
absolute or relative pathname. The vfs resolves this to a dentry, but there 
is no guarantee that the audit system will end up with the same pathname for 
reporting: the namespace may have changed arbitrarily in the meantime.

(I find it rather interesting that this is consistent enough for audit; in my 
opinion it isn't.)

On the other hand, AppArmor computes the path it uses for checking from the 
dentry/vfsmount atomically with respect to namespace changes, and so the path 
used for checking and reporting is always consistent (and it is guaranteed 
that the object has been reachable via this path at the time the path has 
been generated).

Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ