[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200901070634.n076YCxF061022@www262.sakura.ne.jp>
Date: Wed, 07 Jan 2009 15:34:12 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: sds@...ho.nsa.gov, serue@...ibm.com, spotter@...columbia.edu
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Add in_execve flag into task_struct.
Stephen Smalley wrote:
> As I understand it, they want to apply the exec check against the
> caller's credential as usual but not apply a read check against the
> caller's credential.
Right.
> Note btw that in the DAC case the dumpable flag gets cleared if the
> caller lacks read access to the program, so TOMOYO should do likewise if
> they are going to support this "execute-without-read" mode.
That's this "in_execve" flag.
Shaya Potter wrote:
> I assume this has been asked and answered by whats the advantage of this
> in_exec flag over a single function that set the security domain, oncee
> at the beginning of exec to set the new domain (B) and once in the
> fail/exit path to reset it back (to A) in case of failure.
Old implementation (where security_bprm_alloc() and security_bprm_free()
were available) used that approach.
But new implementation (where security_bprm_alloc() and security_bprm_free()
are no longer available) uses an approach which won't rollback.
> it just seems weird to say that we are technically in security domain A,
> but are going to treat the process as if its in security domain B when
> you can just as easily put it in security domain B and put it back in
> security domain A if the operation fails.
A LSM hook for doing rollback operation no longer exists.
If we can introduce security_start_execve()/security_finish_execve() hooks
in place of security_bprm_alloc() and security_bprm_free(),
TOMOYO can use that approach.
But by utilizing existing LSM hooks, TOMOYO finally came to the point
where TOMOYO can live without more LSM hooks if current process can
remember "whether I'm doing an execve() operation or not".
David Howells prefers this 'in_execve' approach over introducing
security_start_execve()/security_finish_execve() hooks.
Serge E. Hallyn wrote:
> I still don't like it. Now I gather the reason for this is that you
> want to allow a less trusted domain to execute a file (in a new domain)
> without giving it the right to read it? I'd be interested in hearing
> whether others think that's a worthy goal.
I see you don't like 'in_execve' flag.
But, this approach is the result of negotiation with David Howells
and was authorized by him.
Serge, will you please accept this 'in_execve' flag?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists