lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Oct 2019 17:53:41 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     Joel Fernandes <joel@...lfernandes.org>
Cc:     James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
        Peter Zijlstra <peterz@...radead.org>, rostedt@...dmis.org,
        primiano@...gle.com, rsavitski@...gle.com, jeffv@...gle.com,
        kernel-team@...roid.com, Alexei Starovoitov <ast@...nel.org>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        bpf@...r.kernel.org, Daniel Borkmann <daniel@...earbox.net>,
        Ingo Molnar <mingo@...hat.com>, Jiri Olsa <jolsa@...hat.com>,
        Kees Cook <keescook@...omium.org>,
        linux-security-module@...r.kernel.org,
        Matthew Garrett <matthewgarrett@...gle.com>,
        Namhyung Kim <namhyung@...nel.org>, selinux@...r.kernel.org,
        Song Liu <songliubraving@...com>,
        "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
        Yonghong Song <yhs@...com>, casey@...aufler-ca.com
Subject: Re: [PATCH RFC] perf_event: Add support for LSM and SELinux checks

On 10/9/2019 5:40 PM, Joel Fernandes wrote:
> On Wed, Oct 09, 2019 at 03:41:56PM -0700, Casey Schaufler wrote:
>> On 10/9/2019 3:14 PM, James Morris wrote:
>>> On Wed, 9 Oct 2019, Casey Schaufler wrote:
>>>
>>>> Please consider making the perf_alloc security blob maintained
>>>> by the infrastructure rather than the individual modules. This
>>>> will save it having to be changed later.
>>> Is anyone planning on using this with full stacking?
>>>
>>> If not, we don't need the extra code & complexity. Stacking should only 
>>> cover what's concretely required by in-tree users.
>> I don't believe it's any simpler for SELinux to do the allocation
>> than for the infrastructure to do it. I don't see anyone's head
>> exploding over the existing infrastructure allocation of blobs.
>> We're likely to want it at some point, so why not avoid the hassle
>> and delay by doing it the "new" way up front?
>>
> I don't see how it can be maintained by the users (assuming you meant
> infrastructure as perf_event subsystem).

No, I meant allocated in security.c. Look at how file blobs are allocated.

>  The blob contains a SID which as far
> as I know, is specific to SELinux. Do you have an in-tree example of this?
>
> Further, this is also exactly it is done for BPF objects which I used as a
> reference.

There's no real harm in doing it that way, just that it is a change that
I'll have to make at some point in the future* and it would be really nice
if I didn't have to.

> thanks,
>
>  - Joel

-----
* When? After I get the current AppArmor/SELinux stacking enabling in
  and can get to the Smack backlong, which includes BPF and perf_events.
 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ