inode_security_revalidate can be
removed entirely, which brings us back to roughly the original
performance.
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
security/selinux/hooks.c | 10 ++
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/security/selinux/hooks.c b
On 12/15/2015 12:19 PM, Joe Nall wrote:
On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote:
...
I have long wondered why SELinux generates the context string
of the secid more than once. Audit performance alone would
justify keeping it around. The variable length issue isn't
so difficult as
On 12/15/2015 11:06 AM, Casey Schaufler wrote:
On 12/15/2015 7:00 AM, Stephen Smalley wrote:
On 12/14/2015 05:57 PM, Roberts, William C wrote:
If I understand correctly, the goal here is to avoid the lookup from
pid to context. If we somehow had the context or a token to a context
during
On 12/14/2015 05:57 PM, Roberts, William C wrote:
If I understand correctly, the goal here is to avoid the lookup from
pid to context. If we somehow had the context or a token to a context
during the ipc transaction to userspace, we could just use that in
computing the access decision. If that
On 12/14/2015 04:29 PM, Roberts, William C wrote:
Subject: Re: Exposing secid to secctx mapping to user-space
On 12/13/2015 2:06 PM, Paul Moore wrote:
On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
Perhaps we could provide a new fixed-size tokenized version of the
security
On 12/14/2015 12:03 PM, Mike Palmiotto wrote:
On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore wrote:
On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
Perhaps we could provide a new fixed-size tokenized version of the
security context string for export to userspace that could be
On 12/11/2015 02:55 PM, Paul Moore wrote:
On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote:
Hello,
I would like to write a patch that would expose, via selinuxfs, the
mapping between secids in the kernel and security contexts to
user-space, but before doing so wanted to get some feedback
eeping, or when we can't find a dentry for
the inode. (Reloading happens via iop->getxattr which takes a dentry
parameter.) When reloading fails, continue using the old, invalid
label.
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
Generally I would say that you made enou
de. (Reloading happens via iop->getxattr which takes a dentry
parameter.) When reloading fails, continue using the old, invalid
label.
Signed-off-by: Andreas Gruenbacher
Could probably use inode_security_novalidate() for all of the
SOCK_INODE() cases, right? Otherwise,
Acked-by: Stephen Smalley
orris
Acked-by: Stephen Smalley
---
include/linux/lsm_hooks.h | 6 ++
include/linux/security.h | 5 +
security/security.c | 8
security/selinux/hooks.c | 30 --
security/selinux/include/objsec.h | 6 +
enbacher
Acked-by: Stephen Smalley
---
security/selinux/hooks.c | 97
1 file changed, 56 insertions(+), 41 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a8f09af..48d1908 100644
--- a/security/selinux/hooks
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
Make the inode argument of the inode_getsecid hook non-const so that we
can use it to revalidate invalid security labels.
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
include/linux/audit.h | 8
include
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
Make the inode argument of the inode_getsecurity hook non-const so that
we can use it to revalidate invalid security labels.
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
include/linux/lsm_hooks.h | 2 +-
include
.
Writing "$oldcontext $newcontext $tclass $taskcontext"
to /validatetrans is expected to return 0 if the transition
is allowed and -EPERM otherwise.
Signed-off-by: Andrew Perepechko
Acked-by: Stephen Smalley
CC: andrew.perepec...@seagate.com
---
security/selinux/include/classmap.
On 10/27/2015 04:48 PM, Andrew Perepechko wrote:
Make validatetrans decisions available through selinuxfs.
"/validatetrans" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.
Writing "$oldcont
On 10/28/2015 01:31 PM, Stephen Smalley wrote:
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote:
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Use path_has_perm directly instead.
This reverts:
commit
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote:
>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>
>>> Use path_has_perm directly instead.
>>
>>
>> This reverts:
>>
>>
On 10/27/2015 02:27 PM, Andrew Perepechko wrote:
+ if (rc)
+ goto out;
+
+ rc = -ENOMEM;
+ if (count >= PAGE_SIZE - 1)
+ goto out;
Why PAGE_SIZE-1?
This is to avoid allocation of more than a single page.
Yes, but you don't need PAGE_SIZE - 1 fo
On 10/27/2015 01:07 PM, Andrew Perepechko wrote:
Make validatetrans decisions available through selinuxfs.
"/transition" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.
Writing "$oldcontext
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Add functions dentry_security and inode_security for accessing
inode->i_security. These functions initially don't do much, but they
will later be used to revalidate the security labels when necessary.
Signed-off-by: Andreas Gruenbacher
---
s
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Use path_has_perm directly instead.
This reverts:
commit 13f8e9810bff12d01807b6f92329111f45218235
Author: David Howells
Date: Thu Jun 13 23:37:55 2013 +0100
SELinux: Institute file_path_has_perm()
Create a file_path_has_perm() fun
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
security/selinux/hooks.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e4369d8..fc8f626 100644
--- a
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Here is another version of the patch queue to make gfs2 and similar file
systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
uses of inode->security are wrapped in function calls that try to revalidate
invalid lab
On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore wrote:
> On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
>> On 10/07/2015 07:08 PM, Paul Moore wrote:
>> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
>> > index ef63d65..1cb87b3 100644
>
task
context into a form suitable for file objects, but also allow the
policy writer to specify a different label through policy
transition rules.
Pieced together from code snippets provided by Stephen Smalley.
Signed-off-by: Seth Forshee
Acked-by: Stephen Smalley
---
security/selinux
On 10/09/2015 11:39 AM, Paul Moore wrote:
On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
On 10/07/2015 07:08 PM, Paul Moore wrote:
+static int selinux_kdbus_init_inode(struct inode *inode,
+ const struct cred *creds)
+{
+ struct
On 10/09/2015 12:25 PM, Steve Grubb wrote:
On Friday, October 09, 2015 10:57:44 AM Stephen Smalley wrote:
On 10/07/2015 07:08 PM, Paul Moore wrote:
The kdbus service names will be recorded using 'service', similar to
the existing dbus audit records.
Signed-off-by: Paul Moore
---
On 10/07/2015 07:08 PM, Paul Moore wrote:
SELinux treats kdbus service names as objects and therefore needs a
mechanism to map service names to security labels. This patch adds
support for loading kdbus name/label matches with the security policy.
The patch supports service name prefix matching
On 10/07/2015 07:08 PM, Paul Moore wrote:
Add the SELinux access control implementation for the new kdbus LSM
hooks using the new kdbus object class and the following permissions:
[NOTE: permissions below are based on kdbus code from Aug 2015]
* kdbus:impersonate
Send a different securi
On 10/07/2015 07:08 PM, Paul Moore wrote:
The kdbus service names will be recorded using 'service', similar to
the existing dbus audit records.
Signed-off-by: Paul Moore
---
ChangeLog:
- v3
* Ported to the 4.3-rc4 based kdbus tree
- v2
* Initial draft
---
include/linux/lsm_audit.h |2
Set the security label on a kdbusfs inode
Signed-off-by: Paul Moore
---
ChangeLog:
- v3
* Ported to the 4.3-rc4 based kdbus tree
- v2
* Implemented suggestions by Stephen Smalley
* call security_kdbus_conn_new() sooner
* reworked hook inside kdbus_conn_policy_own_name()
* fix
On 10/07/2015 07:08 PM, Paul Moore wrote:
In order to effectively enforce LSM based access controls we need to
have more information about the kdbus endpoint creator than the
uid/gid currently stored in the kdbus_node_type struct. This patch
replaces the uid/gid values with a reference to the no
e | Slack Size | Allocation Count
> ---
> 770048 |192512| 577536 | 12032
>
> As a result, this change reduces memory usage by 42 bytes per
> file_security_struct
>
> Signed-off-by: Sangwoo
Acked-by: Stephen Smalley
On 09/29/2015 05:03 PM, Stephen Smalley wrote:
On 09/28/2015 04:00 PM, David Howells wrote:
The attached patches provide security support for unioned files where the
security involves an object-label-based LSM (such as SELinux) rather
than a
path-based LSM.
[Note that a number of the bits
_copy_data = selinux_sb_copy_data,
> .sb_kern_mount =selinux_sb_kern_mount,
> + .sb_show_options = selinux_sb_show_options,
> .sb_statfs =selinux_sb_statfs,
> .sb_mount = selinux_m
e original approach to context
mounts was introduced and approved by nfs folks long ago. So regardless
of what happens wrt the text mount options, this patch needs to get
merged.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe
linux-sec
093,6 +1120,11 @@ static int smack_task_movememory(struct
> static int smack_task_kill(struct task_struct *p, struct siginfo *info,
> int sig, u32 secid)
> {
> + int rc;
> +
> + rc = cap_task_kill(p, info, sig, secid);
> + if (rc != 0
outlive the task it points
> back to.
>
> It seems that the backpointer can be dispensed with. Nothing particularly
> seems to use it. Do you know the reason for its existence?
Looks unused now.
Similarly for some of the other security structs.
Only inode, superblock, and sock ba
sufficiently big. This is included in the returned count. If no LSM is
> in force then an empty string will be returned.
>
> A process must have view permission on the key for this function to be
> successful.
>
> Signed-off-by: David Howells <[EMAIL
On Tue, 2008-01-15 at 10:10 -0800, Casey Schaufler wrote:
> --- David Howells <[EMAIL PROTECTED]> wrote:
>
> > Stephen Smalley <[EMAIL PROTECTED]> wrote:
> >
> > > > (3) Check that the kernel may create files as a particular secid (this
> > >
On Tue, 2008-01-15 at 16:03 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > > (3) Check that the kernel may create files as a particular secid (this
> > > could be specified indirectly by specifying an inode, which would
>
NULL);
>
> Rather than specifically dedicating them to the cache, I made them general.
Make sure that you or Dan submits a policy patch to register these
classes and permissions in the policy when the kernel patch is queued
for merge.
--
Stephen Smalley
National Security Agen
On Mon, 2008-01-14 at 14:01 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > > avc_has_perm(daemon_tsec->sid, nominated_sid,
> > >SECCLASS_CACHE, CACHE__USE_AS_OVERRIDE, NULL);
> > >
> > > And I
l's syscall interface.
I think you are better off directly implementing what you want in
prctl() without worrying about LSM, as capabilities are still deeply
intertwined with the core kernel (e.g. the capability bitmaps weren't
pushed into LSM's security blobs). Or add a node to /pro
On Wed, 2008-01-09 at 18:56 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > Right, the latter is reasonable.
> > Requires adding the class and permission definition to
> > policy/flask/security_classes and policy/flask/access_vectors
s and permission definition to
policy/flask/security_classes and policy/flask/access_vectors and then
regenerating the kernel headers from those files, ala:
svn co http://oss.tresys.com/repos/refpolicy/trunk refpolicy
cd refpolicy/policy/flask
vi security_classes access_vectors
make
.h
> index a9c2b20..09e9dd2 100644
> --- a/security/selinux/include/flask.h
> +++ b/security/selinux/include/flask.h
> @@ -50,6 +50,7 @@
> #define SECCLASS_KEY 58
> #define SECCLASS_DCCP_SOCKET 60
> #define SECCLA
On Tue, 2007-12-18 at 19:28 -0800, Crispin Cowan wrote:
> Stephen Smalley wrote:
> >> It is if I have to maintain special pieces of code for each possible LSM.
> >> One piece for SELinux, one piece for AppArmour, one piece for Smack, one
> >> piece
> >> fo
On Tue, 2007-12-18 at 08:59 -0500, Paul Moore wrote:
> On Monday 17 December 2007 3:05:37 pm Stephen Smalley wrote:
> > On Sun, 2007-12-16 at 11:47 -0500, Paul Moore wrote:
> > > We should probably have different permissions for the interface and node
> > > cases. Take
On Mon, 2007-12-17 at 15:56 -0500, Paul Moore wrote:
> On Monday 17 December 2007 3:35:28 pm Stephen Smalley wrote:
> > On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote:
> > > This patch adds a SELinux IP address/node SID caching mechanism similar
> > > to the sel_net
I'm thinking we should split the permissions
> like this:
>
> allow netif_t peer_t:peer if_egress;
> allow netnode_t peer_t: peer node_egress;
>
> ... and do something similar for the ingress side. Thoughts?
That starts to sound a lot like using netif and node classes instead of
the peer class.
allow peer_t netif_t:netif egress;
allow peer_t netnode_t:node egress;
>
> > + }
> > +
> > + return err;
> > +}
>
d)
> +{
> + struct sel_netnode *node;
> +
> + rcu_read_lock();
> + node = sel_netnode_find(addr, family);
> + if (node != NULL) {
> + *sid = node->nsec.sid;
> + rcu_read_unlock();
> + return 0;
> + }
> + rcu_read_unlock();
> +
> + return sel_netnode_sid_slow(addr, family, sid);
> +}
> +
> +/**
> + * sel_netnode_flush - Flush the entire network address table
> + *
> + * Description:
> + * Remove all entries from the network address table.
> + *
> + */
> +static void sel_netnode_flush(void)
> +{
> + u32 idx;
> + struct sel_netnode *node;
> +
> + spin_lock_bh(&sel_netnode_lock);
> + for (idx = 0; idx < SEL_NETNODE_HASH_SIZE; idx++)
> + list_for_each_entry(node, &sel_netnode_hash[idx], list)
> + sel_netnode_destroy(node);
> + spin_unlock_bh(&sel_netnode_lock);
> +}
> +
> +static int sel_netnode_avc_callback(u32 event, u32 ssid, u32 tsid,
> + u16 class, u32 perms, u32 *retained)
> +{
> + if (event == AVC_CALLBACK_RESET) {
> + sel_netnode_flush();
> + synchronize_net();
> + }
> + return 0;
> +}
> +
> +static __init int sel_netnode_init(void)
> +{
> + int iter;
> + int ret;
> +
> + if (!selinux_enabled)
> + return 0;
> +
> + for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++)
> + INIT_LIST_HEAD(&sel_netnode_hash[iter]);
> +
> + ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET,
> +SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
> + if (ret != 0)
> + panic("avc_add_callback() failed, error %d\n", ret);
> +
> + return ret;
> +}
> +
> +__initcall(sel_netnode_init);
>
>
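Review bot: sel_netnode_flush() walks each bucket with list_for_each_entry() while calling sel_netnode_destroy() on the current entry; if destroy unlinks or frees the node, the iterator reads its next pointer from an entry that has already been removed, so list_for_each_entry_safe() with a temporary is the safer form for this loop. A smaller point in sel_netnode_init(): after `panic("avc_add_callback() failed, ...")` the `return ret;` can only ever return 0, so `return 0;` states the intent more plainly.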
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to [EMAIL PROTECTED] with
> the words "unsubscribe selinux" without quotes as the message.
t; \
> + if ((_d)->type == AVC_AUDIT_DATA_NET) \
> + (_d)->u.net.netif = -1; }
As a minor nit, at the same time you do this, turn this into a static
inline function please.
>
> /*
> * AVC statistics
>
>
On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote:
> Add a secctx_to_secid() LSM hook to go along with the existing
> secid_to_secctx() LSM hook. This patch also includes the SELinux
> implementation for this hook.
Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
This one can go
et_sys_snd_skb(struct sk_buff *skb, int family)
> +{
> + return security_ops->inet_sys_snd_skb(skb, family);
> +}
> +EXPORT_SYMBOL(security_inet_sys_snd_skb);
> +
> void security_sock_graft(struct sock *sk, struct socket *parent)
> {
> security_ops->sock_graft(sk, parent);
>
>
On Thu, 2007-12-13 at 17:01 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > They would correspond with the operations provided by the /dev/cachefiles
> > interface, at the granularity you want to support distinctions to be made.
>
> C
On Thu, 2007-12-13 at 15:36 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > It is just a way of carving up the permission space, typically based on
> > object type, but it can essentially be arbitrary. The check in this
> > case seem
On Wed, 2007-12-12 at 22:55 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > More likely, run it at build time in your .spec file to generate
> > cachefiles.conf,
>
> I don't think sticking it in cachefiles.conf is a good id
On Wed, 2007-12-12 at 22:49 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > > Have you example code for the security hook you mention? I'm not sure I
> > > understand why security_secctx_to_secid() is not sufficient.
> >
s the
> > particular cache context that a particular instance of a running daemon is
> > using.
>
> Yes, but forgive me being slow, I don't see the problem.
>
>
> Casey Schaufler
> [EMAIL PROTECTED]
? Spat out to
> > where?
>
> Put it in /etc/init.d/cachefiles and run it at boot time. Put the
> result into /etc/cachefiles.conf. Have cachefilesd read it and pass
> it downward.
More likely, run it at build time in your .spec file to generate
cachefiles.conf, then run it again
On Wed, 2007-12-12 at 18:29 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > That sounds workable, although I think he will want a more specific hook
> > than security_secctx_to_secid(), or possibly a second hook call, that
> > would not
On Wed, 2007-12-12 at 08:51 -0800, Casey Schaufler wrote:
> --- Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > On Tue, 2007-12-11 at 15:04 -0800, Casey Schaufler wrote:
> > > --- David Howells <[EMAIL PROTECTED]> wrote:
> > >
>
On Tue, 2007-12-11 at 15:04 -0800, Casey Schaufler wrote:
> --- David Howells <[EMAIL PROTECTED]> wrote:
>
> > Stephen Smalley <[EMAIL PROTECTED]> wrote:
> >
> > > All your code has to do is invoke a function provided by libselinux.
> >
> >
On Tue, 2007-12-11 at 20:42 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > > That sounds too SELinux specific. How do I do it so that it works for any
> > > LSM?
> >
> > You can't. There is no LSM for users
On Tue, 2007-12-11 at 11:26 -0800, Casey Schaufler wrote:
> --- Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > On Mon, 2007-12-10 at 14:26 -0800, Casey Schaufler wrote:
> > > --- Stephen Smalley <[EMAIL PROTECTED]> wrote:
> > >
> > > >
On Mon, 2007-12-10 at 15:46 -0800, Casey Schaufler wrote:
> --- David Howells <[EMAIL PROTECTED]> wrote:
>
> > Stephen Smalley <[EMAIL PROTECTED]> wrote:
> >
> > > From a config file whose pathname would be provided by libselinux (ala
> > > the w
On Mon, 2007-12-10 at 23:36 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > From a config file whose pathname would be provided by libselinux (ala
> > the way in which dbusd imports contexts), or directly as a context
> > returned by a
On Mon, 2007-12-10 at 14:26 -0800, Casey Schaufler wrote:
> --- Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > On Mon, 2007-12-10 at 21:08 +, David Howells wrote:
> > > Stephen Smalley <[EMAIL PROTECTED]> wrote:
> > >
> > > > Otherw
On Mon, 2007-12-10 at 21:08 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > Otherwise, only other issue I have with this interface is it won't
> > generalize to dealing with nfsd, where we want to set the acting context
> > to a
On Mon, 2007-12-10 at 17:07 +, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > > + tsec->create_sid = SECINITSID_UNLABELED;
> > > + tsec->keycreate_sid = SECINITSID_UNLABELED;
> > > + tsec->sockcreate_sid = SECINITSID_U
*inode)
> +{
> + struct task_security_struct *tsec = sec->security;
> + struct inode_security_struct *isec = inode->i_security;
> +
> + tsec->create_sid = isec->sid;
> + return 0;
> +}
> +
> static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
> {
> /* Since setuid only affects the current process, and
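Review bot: the create_files_as hook body copies isec->sid into tsec->create_sid with no avc_has_perm() check that the acting task is allowed to create files with that label; unless the caller performs that check before invoking the hook, a permission check (for example against the inode's SID under the file-creation permissions) belongs here, otherwise any caller of the hook can select an arbitrary creation label.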
> @@ -4884,6 +4927,8 @@ static struct security_operations selinux_ops = {
> .task_alloc_security = selinux_task_alloc_security,
> .task_free_security = selinux_task_free_security,
> .task_dup_security =selinux_task_dup_security,
> + .task_kernel_act_as = selinux_task_kernel_act_as,
> + .task_create_files_as = selinux_task_create_files_as,
> .task_setuid = selinux_task_setuid,
> .task_post_setuid = selinux_task_post_setuid,
> .task_setgid = selinux_task_setgid,
>
>
security/security.c b/security/security.c
> > index 0e1f1f1..16213e3 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -1079,4 +1079,9 @@ int security_key_permission(key_ref_t key_ref,
> > return security_ops->key_permission(key_ref, context, perm);
On Tue, 2007-11-27 at 16:38 -0600, Serge E. Hallyn wrote:
> Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > On Tue, 2007-11-27 at 10:11 -0600, Serge E. Hallyn wrote:
> > > Quoting Crispin Cowan ([EMAIL PROTECTED]):
> > > > Just the name "sys_hijack" makes
olling a process
already within the container (hence in theory already limited to its
container), and it continues to execute within that container. What's
the issue there?
> That's where the hijack idea came from. Yes, I called it hijack to make
> sure alarm bells went off :) b
e been unsuccessful in using dentry and vfsmnt from the current
> task_struct via the d_path() lookup function.
audit_log_task_info() is an example.
It isn't a perfect technique, but usually yields the expected answer.
But I wouldn't recommend doing that on every LSM hook call.
rm(current, current, PROCESS__FORK);
> > }
> >
> > -static int selinux_task_alloc_security(struct task_struct *tsk)
> > +static int selinux_task_alloc_security(struct task_struct *tsk,
> > + struct task_struct *hijack_src)
>
On Wed, 2007-11-21 at 09:21 -0800, Casey Schaufler wrote:
> --- Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > On Wed, 2007-11-21 at 09:48 -0600, Serge E. Hallyn wrote:
> > > Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> > > > +/*
> > > >
pen when the protocol implementation implements its own
sendpage operations, of course. So possibly there should be a socket
security hook call in sock_sendpage().
illing a
process with more capabilities, even if they have the same uid, so that
when you have a program marked with file capabilities instead of a
setuid-0 program, that program can't be sent arbitrary signals by the
caller.
> +
> + /* sigcont is permitted within same session */
> +
se
> + strncpy(smack, smack_net_ambient, SMK_MAXLEN);
> + netlbl_secattr_destroy(&secattr);
> + /*
> + * Receiving a packet requires that the other end
> + * be able to write here. Read access is not required.
> + * This is the simplest poss
> userspace does two getxattrs, one to get the length, then another to get
> the value, selinux will be kmallocing twice.
>
> For a file manager doing a listing on a huge directory and wanting to
> list the selinux type, i could see that being a performance issue. Of
> course th
EC, NULL);
> if (error)
> return error;
> @@ -1509,6 +1513,8 @@ static inline int may_create(struct inod
> return -EEXIST;
> if (IS_DEADDIR(dir))
> return -ENOENT;
> + if (nd)
> + nd->flags |= LOOKUP_CONTIN
> > and refer anyone whose need isn't pretty obvious there.
> > This means that the folks who want to divide CAP_SYSADMIN
> > are going to be disappointed with what they get, but some
> > level of restraint is important.
>
> Sure, I guess my point is, if we ope
On Wed, 2007-10-24 at 20:46 -0700, Casey Schaufler wrote:
> From: Casey Schaufler <[EMAIL PROTECTED]>
>
> Smack is the Simplified Mandatory Access Control Kernel.
>
> Smack implements mandatory access control (MAC) using labels
> attached to tasks and data containers, including files, SVIPC,
> an
return 0;
> default:
> return -EINVAL;
> @@ -220,7 +241,7 @@ static int get_file_caps(struct linux_binprm *bprm)
> {
> struct dentry *dentry;
> int rc = 0;
> - struct vfs_cap_data incaps;
> + union vfs_cap_union incaps;
> s
ermission system.
A LSM implements a security model, where that model may encompass all
processes and objects. SELinux (and Smack) in particular implement
mandatory access control and thus need to enforce consistent policy over
all processes and objects based on their security labels.
to do it.
Note that Serge said "SELinux re-written on top of Smack", not "rewrite
Smack to be more like SELinux". I don't believe the former is even
possible, given that Smack is strictly less expressive and granular by
design. Rewriting Smack to be more like SELinux shou
esent in the system, and gives
you the option of controlling it. Your choice as to at what granularity
to apply it.
> SELinux is designed to increase in complexity as it evolves. Making
> it simpler would conflict with the design goal of finer granularity.
>
> > >> Probabl
ense to merge no security modules at all than to
have LSM and many different security modules.
If Smack is mergeable despite likely being nothing more than a strict
subset of SELinux (MAC, label-based, should be easily emulated on top of
SELinux or via fairly simple extension to it to make such emula
On Wed, 2007-09-26 at 14:30 +0100, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > Precisely when to use one identity vs. the other though isn't always
> > clear, and the potential for accidental divergence is also a concern.
>
changed since the open-time check. A new LSM
> hook, security_dentry_open, is added to capture the necessary state at
> open time to allow this optimization.
>
> Signed-off-by: Yuichi Nakamura<[EMAIL PROTECTED]>
Thanks, looks good.
Acked-by: Stephen Smalley <[EMAIL
On Wed, 2007-09-12 at 17:51 +0900, Yuichi Nakamura wrote:
> Hi.
>
> Stephen Smalley pointed out possibility of race condition
> in off-list discussion.
> Stephen Smalley said:
> > One other observation about the patch: it presently leaves open a
> > (small) race win
rity_file_receive
> return security_ops->file_receive (file);
> }
>
> +static inline int security_dentry_open (struct file *file, int flags)
> +{
> + return security_ops->dentry_open (file, flags);
> +}
> +
> static inline int security_task_create (unsigned long clone_flags)
> {
> return security_ops->task_create (clone_flags);
> @@ -2529,6 +2540,11 @@ static inline int security_file_receive
> return 0;
> }
>
> +static inline int security_dentry_open (struct file *file, int flags)
> +{
> + return 0;
> +}
> +
> static inline int security_task_create (unsigned long clone_flags)
> {
> return 0;
>
> Regards,
I changed some kernel configs.
>
> Overhead more than 100%
> I also found about 70-90% overhead in ARM.
>
> 2. About patch
> I found an overhead in selinux_file_permission function.
> This is a function that is called in read/write calls,
> and does SELinux permission check
On Fri, 2007-08-31 at 15:32 +0100, David Howells wrote:
> Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
> > That's how mandatory access control is supposed to work; otherwise, a
> > flaw in A can leak the descriptor to B at will in violation of security
> >
changed since
open-time check).
> At least, that's how I interpret the code.
>
>
> If I'm right, and this is incorrect behaviour, then I have most of a patch
> that I'm working on to pass the appropriate credentials around.
daemon into a process label that the kernel, and only the kernel, can use.
> >
> > The kernel's label gives it, amongst other things, the additional rights to
> > do
> > mkdir, creat, open, read, write, setxattr, getxattr, rename - things the
> > daemon isn'
set the file label using the xattr interfaces.
xattr interfaces don't help with the initial labeling of the file when
it is created.
1 - 100 of 173 matches