| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 Oct 2014 15:21:39 +0100 From: Karol Lewandowski <k.lewandowsk@...sung.com> To: Paul Moore <pmoore@...hat.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: Jiri Kosina <jkosina@...e.cz>, Linux API <linux-api@...r.kernel.org>, linux-kernel@...r.kernel.org, John Stultz <john.stultz@...aro.org>, Arnd Bergmann <arnd@...db.de>, Tejun Heo <tj@...nel.org>, Ryan Lortie <desrt@...rt.ca>, Simon McVittie <simon.mcvittie@...labora.co.uk>, daniel@...que.org, David Herrmann <dh.herrmann@...il.com>, "casey.schaufler@...el.com" <casey.schaufler@...el.com>, marcel@...tmann.org, tixxdz@...ndz.org, javier.martinez@...labora.co.uk, alban.crequy@...labora.co.uk, linux-security-module@...r.kernel.org, Karol Lewandowski <lmctlx@...il.com> Subject: Re: [PATCH 00/12] Add kdbus implementation On 2014-10-31 00:39, Paul Moore wrote: > On Thursday, October 30, 2014 08:55:56 PM Karol Lewandowski wrote: >> On 2014-10-30 15:47, Greg Kroah-Hartman wrote: >>> Other than that, I don't know exactly what your patches do, or why they >>> are needed, care to go into details? >> >> Patches in question were supposed to add few hooks for kdbus-specific >> operations that doesn't seem to have compatible semantics with hooks >> currently available in LSM. >> >> kdbus' bus introduces quite a few new concepts that we wanted to be able >> to limit based on MAC label/context, eg. >> >> - check flags at HELO stage (say disallow fd passing), >> >> - restrict ability to acquire name to certain subjects (for system bus), >> >> - disallow creation of new buses, >> >> - limit scope of broadcasts, >> >> - etc. >> >> Please take a look at hook list - I think most of names are >> self-explanatory: >> >> >> https://github.com/lmctl/linux/blob/a9fe4c33b6e5ab25a243e0590df406aabb6add1 >> 2/include/linux/security.h#L1874 >> >> kdbus modifications were pretty light - with most visible change being >> addition of opaque security pointer to kdbus_bus and similar structs. > > [NOTE: we really should add the LSM list to this discussion and future > patchset postings.] > > Also, to be completely honest, I don't think we ever really arrived at any > final conclusion about those LSM/kdbus hooks either. At least I don't think I > ever really satisfied myself that what we had was the "right" solution. Agreed, "hooks" are far from being complete. I think that patches were and still are - a starting point for discussion, not "a solution" itself. Timing wasn't good either - since our last discussion (Apr/May 2014) kdbus policy engine has been completely rewritten and few core concepts changed too. > We both got busy and kinda drifted away from this effort. Karol, did you do > any further work on the hooks? I didn't. I was waiting for the peace of change in kdbus to slow down a bit and, honestly, wasn't expecting submission in few next months... I'll do my best to post RFC patchset today or tomorrow. Thanks -- Karol Lewandowski, Samsung R&D Institute Poland -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists