Message-Id: <1250536052.3629.154.camel@moss-pluto.epoch.ncsc.mil>
Date:	Mon, 17 Aug 2009 15:07:32 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
Cc:	Amerigo Wang <amwang@...hat.com>, linux-kernel@...r.kernel.org,
	esandeen@...hat.com, eteo@...hat.com, eparis@...hat.com,
	linux-fsdevel@...r.kernel.org, akpm@...ux-foundation.org,
	viro@...iv.linux.org.uk
Subject: Re: [Patch 1/2] selinux: ajust rules for ATTR_FORCE

On Tue, 2009-08-18 at 03:46 +0900, OGAWA Hirofumi wrote:
> Stephen Smalley <sds@...ho.nsa.gov> writes:
> 
> > On Mon, 2009-08-17 at 03:07 -0400, Amerigo Wang wrote:
> >> As suggested by OGAWA Hirofumi in thread: http://lkml.org/lkml/2009/8/7/132,
> >> we should let selinux_inode_setattr() match our ATTR_* rules.
> >> ATTR_FORCE should not force things like ATTR_SIZE.
> 
> [...]
> 
> >
> > This will only apply the setattr check if ATTR_FORCE was specified,
> > which is not the current behavior nor what we want.
> >
> > NAK.
> 
> How about this? I tweaked Amerigo's patch, and it is based on what the
> original code is doing. This is only compile-tested though.
> 
> [I'm still not sure what selinux wants to do. Normally inode_permission()
> should check truncate() permission, and this FILE__SIZE checks something
> again...? And we want to check FILE__WRITE for ATTR_[AMC]TIME?]

Explicit setting of mode, owner, group, or timestamps is to be checked
by the setattr permission, while implicit setting of timestamps or size
is mediated by the write permission.  Permission needs to be revalidated
on use to address potential file relabeling or policy change.
ATTR_FORCE is supposed to suppress permission checking altogether, and
shouldn't be mixed with multiple attribute changes if some should be
subject to permission checks while others should not.

-- 
Stephen Smalley
National Security Agency
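
The rule described in the message above, modelled as a small userspace C program. This is an added example, not part of the original message and not kernel code: the flag values, the `perm` enum and the function names are assumptions made for the model, and `force_needs_review()` simplifies the mixed case to any forced request that changes more than one attribute.

```c
#include <stdio.h>

/* Model flag bits: values are local to this example, not copied from kernel headers. */
enum {
    ATTR_MODE = 1 << 0, ATTR_UID = 1 << 1, ATTR_GID = 1 << 2,
    ATTR_SIZE = 1 << 3, ATTR_ATIME = 1 << 4, ATTR_MTIME = 1 << 5,
    ATTR_CTIME = 1 << 6, ATTR_ATIME_SET = 1 << 7, ATTR_MTIME_SET = 1 << 8,
    ATTR_FORCE = 1 << 9
};

/* Hypothetical result type: which permission the request has to pass. */
enum perm { PERM_NONE, PERM_SETATTR, PERM_WRITE };

#define EXPLICIT_ATTRS (ATTR_MODE | ATTR_UID | ATTR_GID | \
                        ATTR_ATIME_SET | ATTR_MTIME_SET)

/* Permission required for a setattr request, following the rule in the message. */
enum perm required_perm(unsigned int ia_valid)
{
    if (ia_valid & ATTR_FORCE)
        return PERM_NONE;       /* forced: permission checking suppressed */
    if (ia_valid & EXPLICIT_ATTRS)
        return PERM_SETATTR;    /* explicit mode, owner, group or timestamps */
    return PERM_WRITE;          /* implicit timestamps or size */
}

/* Number of attribute bits in the request, not counting ATTR_FORCE itself. */
static int attr_count(unsigned int ia_valid)
{
    int n = 0;
    for (ia_valid &= ~(unsigned int)ATTR_FORCE; ia_valid; ia_valid &= ia_valid - 1)
        n++;
    return n;
}

/* Simplification (assumption): a forced request changing several attributes needs review. */
int force_needs_review(unsigned int ia_valid)
{
    return (ia_valid & ATTR_FORCE) && attr_count(ia_valid) > 1;
}

int main(void)
{
    unsigned int req = ATTR_FORCE | ATTR_MODE | ATTR_SIZE; /* constructed sample request */
    printf("perm=%d review=%d\n", required_perm(req), force_needs_review(req));
    return 0;
}
```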
