Message-ID: <4A8E169E.70009@schaufler-ca.com>
Date:	Thu, 20 Aug 2009 20:38:06 -0700
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	"David P. Quigley" <dpquigl@...ho.nsa.gov>
CC:	jmorris@...ei.org, sds@...ho.nsa.gov, gregkh@...e.de,
	ebiederm@...ssion.com, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
	Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [PATCH] Security/sysfs: Enable security xattrs to be set on sysfs
 files, directories, and symlinks.

David P. Quigley wrote:
> Since Casey has withdrawn his NAK for the patch I guess the only other
> concern was about the generality of the solution from Eric. Did Steve's
> response adequately address this or are there any other questions that
> people need answered before Greg can take the patch?
>   

Well, I've withdrawn the NAK, but I would still like to see:

Use the xattr, not a secid. Really. An LSM that has multiple attributes
is going to get bitten by that one. Also, any LSM that does neither
networking nor audit has no need for secids, so I would be happier if
the use of secids didn't expand into the file system space. Plus,
if it is going to be rare for an xattr to be set in sysfs (Stephen's
claim, which is consistent with my experience) saving a real xattr
should be no big deal.

Replace the security_xattr_to_secid hook in any case. All this is doing
is exposing what should be a strictly LSM internal function. You can
do it with a combination of existing hooks, if you have the time to code
up the error conditions.

You can ignore these objections if you feel you must. I'll still buy
a round in Portland.
