| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1228513998.21715.75.camel@localhost.localdomain> Date: Fri, 05 Dec 2008 16:53:18 -0500 From: Stephen Smalley <sds@...ho.nsa.gov> To: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> Cc: serue@...ibm.com, jmorris@...ei.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, akpm@...ux-foundation.org, linux-kernel@...r.kernel.org, takedakn@...data.co.jp, haradats@...data.co.jp Subject: Re: [PATCH (mmotm-2008-12-02-17-08)] Introduce security_path_set/clear() hooks. On Thu, 2008-12-04 at 21:00 +0900, Tetsuo Handa wrote: > Hello. > > Stephen Smalley wrote: > > On Wed, 2008-12-03 at 17:56 +0900, Kentaro Takeda wrote: > > > Stephen, Serge, > > > Here is the patch for introducing new security_path_set()/clear() hooks. > > > > > > This patch enables LSM module to remember vfsmount's pathname so that it can > > > calculate absolute pathname in security_inode_*(). Since actual MAC can be > > > performed after DAC, there will not be any noise in auditing and learning > > > features. This patch currently assumes that the vfsmount's pathname is stored in > > > hash table in LSM module. (Should I use stack memory?) > > > > > > Since security_inode_*() are not always called after security_path_set(), > > > security_path_clear() hook is needed to free the remembered pathname. > > > > Your security_path_set()/security_path_clear() pairs look rather similar > > to mnt_want_write()/mnt_drop_write() pairs. What if you were to call > > your hooks from those functions, and then you would only need to add > > further hook calls in the case of read-only and execute/search checks? > > Right. Locations of inserting security_path_set()/security_path_clear() pairs > are subset of mnt_want_write()/mnt_drop_write() pairs. Thus, we can insert > security_path_set()/security_path_clear() pairs into > mnt_want_write()/mnt_drop_write() pairs, if we can tolerate performance > regression. According to our rough measurement, there is about 8 - 22% of > performance regression. But this approach needs minimum modification to the > existing kernel (only two hooks to be inserted). I assume you also need separate hooks to cover the read-only open case? As for your performance, your implementation of mp_* is clearly non-optimal, so I'd expect there is plenty of room for improvement there. <snip> > --- linux-2.6.28-rc7-mm1.orig/fs/namespace.c > +++ linux-2.6.28-rc7-mm1/fs/namespace.c > @@ -254,6 +254,10 @@ int mnt_want_write(struct vfsmount *mnt) > int ret = 0; > struct mnt_writer *cpu_writer; > > +#ifdef CONFIG_SECURITY_PATH > + if (security_path_set(mnt) < 0) > + return -ENOMEM; > +#endif No #ifdef's within the functions, of course. That gets handled by security.h. -- Stephen Smalley National Security Agency -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists