Message-Id: <20081009042814.398846861@nttdata.co.jp>
Date:	Thu, 09 Oct 2008 13:28:14 +0900
From:	Kentaro Takeda <takedakn@...data.co.jp>
To:	Stephen Smalley <sds@...ho.nsa.gov>,
	James Morris <jmorris@...ei.org>,
	Chris Wright <chrisw@...s-sol.org>
Cc:	"Serge E. Hallyn" <serue@...ibm.com>,
	David Howells <dhowells@...hat.com>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Toshiharu Harada <haradats@...data.co.jp>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: [TOMOYO #10 (linux-next) 0/8] TOMOYO Linux

TOMOYO Linux is a pathname-based MAC extension (LSM module) for the 
Linux kernel.

Since the latest mmotm (2008-10-02-16-17) lacks CRED patchset by 
David Howells, we used linux-next (-next-20080919) which includes 
CRED patchset.

Differences from the previous version are as follows.

*about LSM interfaces:
 -added a new LSM hook security_path_clear() for clearing hash 
  table after VFS helper functions. It is needed to perform DAC 
  before MAC.
 -added a new config option CONFIG_SECURITY_PATH for new LSM hooks.

*about task_struct:
 -added in_execve flag to allow LSM modules to determine whether 
  current process is in an execve operation or not so that they can 
  behave differently while an execve operation is in progress.

*about TOMOYO body:
 -made security_inode_*() return result of security_path_*() and 
  removed code clone of DAC.
 -modified to check permission of interpreter using 
  bprm->cred->security and current->in_execve flag.
 -modified to use get_task_cred() for reading objective LSM context 
  of a task.
 -modified to use bprm->cred->security to know the first call of 
  security_bprm_check().
 -modified to pass current->cred->security or bprm->cred->security as 
  parameter.

Thanks to Serge for suggesting DAC-before-MAC workaround.
Thanks to David for patiently reviewing in_execve patch.

Stephen, James, Chris, please review and respond (hopefully Ack).

Regards,
--
