| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Nov 2010 17:43:07 -0500 From: Eric Paris <eparis@...hat.com> To: James Morris <jmorris@...ei.org> Cc: Eric Paris <eparis@...isplace.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Joe Perches <joe@...ches.com>, Dan Rosenberg <drosenberg@...curity.com>, LKML <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...e.hu>, Eugene Teo <eugeneteo@...nel.org>, Kees Cook <kees.cook@...onical.com>, Andrew Morton <akpm@...ux-foundation.org>, LSM List <linux-security-module@...r.kernel.org> Subject: Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=y and CONFIG_PRINTK=n On Tue, 2010-11-16 at 09:13 +1100, James Morris wrote: > On Mon, 15 Nov 2010, Eric Paris wrote: > > > On Mon, Nov 15, 2010 at 12:41 PM, Linus Torvalds > > <torvalds@...ux-foundation.org> wrote: > > > If the old rule should have been that you _have_ > > > to call cap_syslog(), then just eviscerating that entirely and putting > > > it in the generic code is definitely the right thing. > > > > That is the rule for ALL of the hooks in commoncap.c. The one time I > > tried to do something else *cough*mmap_min_addr*cough* I screwed it > > up. I'll put a note in my todo list about looking into lifting all of > > commoncap.c into the callers. > > If it's a requirement of the API that all of the cap calls are made > first, then build it into the API, so developers can't make a mistake. > e.g. have the LSM API do the secondary stacking of caps behind the scenes. At this point it's a defacto requirement since noone is doing anything like that. My mmap_min_addr screw up is, to the best of my knowledge, the only time anyone has intentionally not called the caps code... And I sorta like the idea of moving the cap_* calls directly into security_*. Great, another item on the todo list. Lift as many cap calls into the caller as is reasonable (I don't think there are many/any) and if not possible lift them directory into security_*. If someone else really wants to make a system truely without capabilities lets look at there solution then.... > I had thought that the idea was that some LSM may want to not implement > capabilities at all, on which case, it should still not be possible for > the API to weaken the default security with or without caps. Not sure how that's possible. I mean, I guess it's possible if the fabled LSM reimplements the cap call, but I'm not sure how you can remove a restrictive only security check without 'weakening' the system in some way. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists