Message-ID: <20110603022100.GA561@dastard>
Date:	Fri, 3 Jun 2011 12:21:00 +1000
From:	Dave Chinner <david@...morbit.com>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	James Morris <jmorris@...ei.org>,
	David Safford <safford@...son.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Greg KH <greg@...ah.com>,
	Dmitry Kasatkin <dmitry.s.kasatkin@...il.com>,
	Mimi Zohar <zohar@...ibm.com>
Subject: Re: [PATCH v6 08/20] evm: evm_inode_post_init

On Thu, Jun 02, 2011 at 08:23:31AM -0400, Mimi Zohar wrote:
> Initialize 'security.evm' for new files. Reduce number of arguments
> by defining 'struct xattr'.

Why does this need a new security callout from every filesystem?
Once the security xattr is initialised, the name, len and value are
not going to change, so surely the evm xattr can be initialised at
the same time the lsm xattr is initialised.

Then all you need to do in each filesystem is add the evm_xattr
structure to the existing security init call and a:

#ifdef CONFIG_EVM
	/* set evm.xattr */
#endif

to avoid adding code that is never executed when EVM is not
configured into the kernel.

That way you don't create the lsm_xattr at all if the evm_xattr is
not created, and then the file creation should fail in an atomic
manner, right?  i.e. you don't leave files with unverified security
attributes around when interesting failure corner cases occur (e.g.
ENOSPC).

And while you are there, it would probably also be a good idea to add
support for all filesystems that support xattrs, not just a random
subset of them...

Cheers,

Dave.
-- 
Dave Chinner
david@...morbit.com
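The atomicity argument in the message above, as an added illustration that is not code from the EVM patch or from Dave Chinner: a user-space model contrasting two separate LSM/EVM callouts with one all-or-nothing initialisation when the second xattr hits ENOSPC. Only the name/value/len shape of `struct xattr` follows the patch; `inode_model`, `set_xattr()`, the failure injection and both init functions are hypothetical.

```c
/* Added example, not code from the EVM patch or from Dave Chinner: a
 * user-space model contrasting separate LSM/EVM callouts with one
 * all-or-nothing initialisation. struct xattr mirrors the patch's shape;
 * everything else (inode_model, set_xattr, -ENOSPC injection) is hypothetical. */
#include <errno.h>
#include <stddef.h>

struct xattr {                 /* name/value/len, as in the patch */
    const char *name;
    const char *value;
    size_t value_len;
};
#define MAX_XATTRS 4
struct inode_model {           /* hypothetical in-memory inode */
    struct xattr xattrs[MAX_XATTRS];
    int nr_xattrs;
    int fail_after;            /* inject -ENOSPC once this many are stored */
};

/* Store one xattr; returns -ENOSPC when the injected limit is reached. */
static int set_xattr(struct inode_model *ino, const struct xattr *x)
{
    if (ino->nr_xattrs >= ino->fail_after || ino->nr_xattrs >= MAX_XATTRS)
        return -ENOSPC;
    ino->xattrs[ino->nr_xattrs++] = *x;
    return 0;
}

/* Design A: two independent callouts. If the EVM step hits ENOSPC, the
 * LSM xattr already stored stays behind with no security.evm covering it. */
int init_separate(struct inode_model *ino, const struct xattr *lsm,
                  const struct xattr *evm)
{
    int rc = set_xattr(ino, lsm);
    return rc ? rc : set_xattr(ino, evm);
}

/* Design B: one call over the whole array; on any failure, roll back so
 * the inode ends up with either every security xattr or none. */
int init_atomic(struct inode_model *ino, const struct xattr *xs, int n)
{
    int before = ino->nr_xattrs;
    for (int i = 0; i < n; i++) {
        int rc = set_xattr(ino, &xs[i]);
        if (rc) {
            ino->nr_xattrs = before; /* drop what this call appended */
            return rc;
        }
    }
    return 0;
}
```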