lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 07 May 2024 16:27:33 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>, dmitry.kasatkin@...il.com,
        eric.snowberg@...cle.com, paul@...l-moore.com, jmorris@...ei.org,
        serge@...lyn.com, john.johansen@...onical.com,
        stephen.smalley.work@...il.com, casey@...aufler-ca.com,
        eparis@...hat.com
Cc: linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, guozihua@...wei.com, omosnace@...hat.com,
        audit@...r.kernel.org, apparmor@...ts.ubuntu.com,
        selinux@...r.kernel.org, Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [RFC][PATCH] ima: Use sequence number to wait for policy updates

Hi Roberto,

On Tue, 2024-05-07 at 11:32 +0200, Roberto Sassu wrote:
> On Tue, 2024-05-07 at 11:28 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@...wei.com>
> > 
> > Maintain a global sequence number, and set it to individual policy rules,
> > when they are created.
> 
> Just did an attempt, to see if this path is viable.
> 
> This patch would be an alternative to:
> 
> [PATCH v3] ima: Avoid blocking in RCU read-side critical section

Stephen had said,
   "Sidebar: the refactoring of the SELinux policy loading logic may have
   made it possible to revisit the approaches here to permit holding a
   reference to the policy from which the rule was derived so that we
   don't have to return -ESTALE in this scenario."

Removing -ESTALE would be the best solution.  We could then remove the -ESTALE
detection.

I assume the change would be in selinux_policy_commit(). Instead of freeing the
old policy, define and increment a per policy reference count for each
registered notifier callback.

        /* Free the old policy */
        synchronize_rcu();
        selinux_policy_free(oldpolicy);
        kfree(load_state->convert_data);

        /* Notify others of the policy change */
        selinux_notify_policy_change(seqno);

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ