| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Dec 2023 12:21:18 -0500 From: Stephen Smalley <stephen.smalley.work@...il.com> To: Maxime Coquelin <maxime.coquelin@...hat.com> Cc: mst@...hat.com, jasowang@...hat.com, xuanzhuo@...ux.alibaba.com, paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com, eparis@...isplace.org, xieyongji@...edance.com, virtualization@...ts.linux-foundation.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, selinux@...r.kernel.org, david.marchand@...hat.com, lulu@...hat.com, casey@...aufler-ca.com Subject: Re: [PATCH v5 4/4] vduse: Add LSM hook to check Virtio device type On Tue, Dec 12, 2023 at 8:17 AM Maxime Coquelin <maxime.coquelin@...hat.com> wrote: > > This patch introduces a LSM hook for devices creation, > destruction (ioctl()) and opening (open()) operations, > checking the application is allowed to perform these > operations for the Virtio device type. Can you explain why the existing LSM hooks and SELinux implementation are not sufficient? We already control the ability to open device nodes via selinux_inode_permission() and selinux_file_open(), and can support fine-grained per-cmd ioctl checking via selinux_file_ioctl(). And it should already be possible to label these nodes distinctly through existing mechanisms (file_contexts if udev-created/labeled, genfs_contexts if kernel-created). What exactly can't you do today that this hook enables?
Powered by blists - more mailing lists