lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 23 Jul 2008 00:46:00 +0900
From:	hooanon05@...oo.co.jp
To:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC] Add a counter in task_struct for skipping permission check. (Was: Should LSM hooks be called by filesystem's requests?) 


Tetsuo Handa:
> I have a problem with unionfs and LSM.
> The unionfs causes NULL pointer dereference if copyup_dentry()
> failed by LSM's decision, so I'm searching for a solution.
	:::
> I think this patch can disable LSM checks if vfs_*() and
> notify_change() is called by unionfs's internal operations.
> This patch is just an idea, not tested at all.
> 
> Does somebody have a solution?

How about 'delegate' feature in AUFS?

(from the aufs manual)
If you do not want your application to access branches through aufs or
to be traced strictly by task I/O accounting, you can
use the kernel threads in aufs. If you enable CONFIG_AUFS_DLGT and
specify `dlgt' mount option, then
aufs delegates its internal
access to the branches to the kernel threads.

When you define CONFIG_SECURITY and use any type of Linux Security Module
(LSM), for example SUSE AppArmor, you may meet some errors or
warnings from your security module. Because aufs access its branches
internally, your security module may detect, report, or prohibit it.
The behaviour is highly depending upon your security module and its
configuration.
In this case, you can use `dlgt' mount option, too.
Your LSM will see the
aufs kernel threads access to the branch, instead of your
application.


Junjiro Okajima
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ