| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Oct 2023 09:35:24 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>,
viro@...iv.linux.org.uk, brauner@...nel.org,
chuck.lever@...cle.com, jlayton@...nel.org, neilb@...e.de,
kolga@...app.com, Dai.Ngo@...cle.com, tom@...pey.com,
dmitry.kasatkin@...il.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, dhowells@...hat.com, jarkko@...nel.org,
stephen.smalley.work@...il.com, eparis@...isplace.org,
casey@...aufler-ca.com
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
selinux@...r.kernel.org, Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [PATCH v3 14/25] security: Introduce file_post_open hook
On Thu, 2023-10-12 at 14:45 +0200, Roberto Sassu wrote:
> On Thu, 2023-10-12 at 08:36 -0400, Mimi Zohar wrote:
> > On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@...wei.com>
> > >
> > > In preparation to move IMA and EVM to the LSM infrastructure, introduce the
> > > file_post_open hook. Also, export security_file_post_open() for NFS.
> > >
> > > It is useful for IMA to calculate the dhigest of the file content, and to
> > > decide based on that digest whether the file should be made accessible to
> > > the requesting process.
> >
> > Please remove "It is usefile for". Perhaps something along the lines:
> >
> >
> > Based on policy, IMA calculates the digest of the file content and
> > decides ...
>
> Ok.
>
> > >
> > > LSMs should use this hook instead of file_open, if they need to make their
> > > decision based on an opened file (for example by inspecting the file
> > > content). The file is not open yet in the file_open hook.
Needing to inspect the file contents is a good example.
>
> > The security hooks were originally defined for enforcing access
> > control. As a result the hooks were placed before the action. The
> > usage of the LSM hooks is not limited to just enforcing access control
> > these days. For IMA/EVM to become full LSMs additional hooks are
> > needed post action. Other LSMs, probably non-access control ones,
> > could similarly take some action post action, in this case successful
> > file open.
>
> I don't know, I would not exclude LSMs to enforce access control. The
> post action can be used to update the state, which can be used to check
> next accesses (exactly what happens for EVM).
>
> > Having to justify the new LSM post hooks in terms of the existing LSMs,
> > which enforce access control, is really annoying and makes no sense.
> > Please don't.
>
> Well, there is a relationship between the pre and post. But if you
> prefer, I remove this comparison.
My comments, above, were a result of the wording of the hook
definition, below.
> > > +/**
> > > + * security_file_post_open() - Recheck access to a file after it has been opened
> >
> > The LSM post hooks aren't needed to enforce access control. Probably
> > better to say something along the lines of "take some action after
> > successful file open".
> >
> > > + * @file: the file
> > > + * @mask: access mask
> > > + *
> > > + * Recheck access with mask after the file has been opened. The hook is useful
> > > + * for LSMs that require the file content to be available in order to make
> > > + * decisions.
> >
> > And reword the above accordingly.
> >
> > > + *
> > > + * Return: Returns 0 if permission is granted.
> > > + */
> > > +int security_file_post_open(struct file *file, int mask)
> > > +{
> > > + return call_int_hook(file_post_open, 0, file, mask);
> > > +}
> > > +EXPORT_SYMBOL_GPL(security_file_post_open);
> > > +
> > > /**
> > > * security_file_truncate() - Check if truncating a file is allowed
> > > * @file: file
> >
>
Powered by blists - more mailing lists