Re: [PATCH] Exporting capability code/name pairs

2008-01-02 Thread Andrew Morgan 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There is also the issue of compiled code which explicitly raises and
lowers capabilities around critical code sections (ie., as they were
intended to be used) is also not well served by this change.

That is, unless the code was compiled with things like CAP_MAC_ADMIN
being #define'd then it won't be able to do things like cap_set_flag()
appropriately.

Cheers

Andrew

KaiGai Kohei wrote:
> Andrew Morgan wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> KaiGai Kohei wrote:
>>> Remaining issues:
>>> - We have to mount securityfs explicitly, or use /etc/fstab.
>>>   It can cause a matter when we want to use this feature on
>>>   very early phase on boot. (like /sbin/init)
>> I'm not altogether clear how you intend this to work.
>>
>> Are you saying that some future version of libcap will require that
>> securityfs be mounted before it (libcap) will work?
> 
> Yes, but implementing this feature on securityfs might be not good
> idea as as James said. If this feature is on procfs or sysfs, it is
> not necessary to mount securityfs explicitly.
> 
> Thanks,
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHfD7n+bHCR3gb8jsRAsgcAKDY6qXBR3JV2addHUg5sxyZHJEkDQCfdLOL
zJlf3T4SQsUNENr3kwR5pr8=
=v8C5
-END PGP SIGNATURE-
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2008-01-02 Thread Willy Tarreau 
On Wed, Jan 02, 2008 at 06:26:07PM +0100, Jan Engelhardt wrote:
> 
> On Jan 2 2008 12:09, Eric Paris wrote:
> >
> >So in the end we are all happy with the original patch I sent?
> >
> No objections at least :)

I agree too. BTW, I've intentionally not merged it into 2.4, I
prefer that admins deliberately set the sysctl on their servers
than using a kernel in which they forgot it was enabled. But I
agree that for wider use, the kernel option will help a lot.

Regards,
Willy

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2008-01-02 Thread Jan Engelhardt 

On Jan 2 2008 12:09, Eric Paris wrote:
>
>So in the end we are all happy with the original patch I sent?
>
No objections at least :)
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2008-01-02 Thread Eric Paris 

On Fri, 2007-12-21 at 23:59 +0100, Jan Engelhardt wrote:
> On Dec 21 2007 14:35, Greg KH wrote:
> >> >> >I guess it could be, but the input for /proc/sys/vm/mmap_min_addr is
> >> >> >base 10 as well
> >> >> 
> >> >> sysfs is autobase, i.e. echo "0xb000" >/sys/foo will Do The Right Thing.
> >> >
> >> >yes but if you cat  /proc/sys/vm/mmap_min_addr, it returns in base 10.
> >> 
> >> sysfs should probably be tuned to output it in a preferred base.
> >
> >Again, this is sysctl, not sysfs.  two very different things...
> >
> Argh... :)  Just shows that /proc is the wrong place for system variables.
> 
> Well, module_params(integer) are autobase, and that's all I needed so 
> far :-D

So in the end we are all happy with the original patch I sent?

-Eric

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 10/28] FS-Cache: Recruit a couple of page flags for cache management [try #2]

2008-01-02 Thread David Howells 
Nick Piggin <[EMAIL PROTECTED]> wrote:

> Then make a PG_private2 bit and use that.

To what end?  Are you suggesting I should have:

PG_private2 = PG_private | PG_fscache

That's redundant information and doesn't help anything really.

My suggestion (PG_private and PG_fscache separate and independent) is pretty
efficient to actually render into machine instructions, especially if the two
bits are placed in the lower part of the word.  On x86, the test for both bits
can be done with a single TEST instruction, and on most RISC archs, a MOVE and
a single AND will usually suffice.

David
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [patch, rfc] mm.h, security.h, key.h and preventing namespace poisoning

2008-01-02 Thread David Howells 
James Morris <[EMAIL PROTECTED]> wrote:

> I suspect it may be useful ensure all global identifiers for the key 
> subsystem are prefixed with key_, as 'copy_keys' does seem a little 
> generic.

Many of the fork helpers are called copy_xxx().

David
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Exporting capability code/name pairs

2008-01-02 Thread James Morris 
On Wed, 2 Jan 2008, KaiGai Kohei wrote:

> > Another issue is that securityfs depends on CONFIG_SECURITY, which might be
> > undesirable, given that capabilities are a standard feature.
> 
> We can implement this feature on another pseudo filesystems.
> Do you think what filesystem is the best candidate?
> I prefer procfs or sysfs instead.

Sysfs makes more sense, as this information is system-wide and does not 
relate to specific processes.


-- 
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Exporting capability code/name pairs

2008-01-02 Thread KaiGai Kohei 
Andrew Morgan wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> KaiGai Kohei wrote:
>> Remaining issues:
>> - We have to mount securityfs explicitly, or use /etc/fstab.
>>   It can cause a matter when we want to use this feature on
>>   very early phase on boot. (like /sbin/init)
> 
> I'm not altogether clear how you intend this to work.
> 
> Are you saying that some future version of libcap will require that
> securityfs be mounted before it (libcap) will work?

Yes, but implementing this feature on securityfs might be not good
idea as as James said. If this feature is on procfs or sysfs, it is
not necessary to mount securityfs explicitly.

Thanks,
-- 
KaiGai Kohei <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Exporting capability code/name pairs

2008-01-02 Thread KaiGai Kohei 

James Morris wrote:

On Fri, 28 Dec 2007, KaiGai Kohei wrote:


Remaining issues:
- We have to mount securityfs explicitly, or use /etc/fstab.
  It can cause a matter when we want to use this feature on
  very early phase on boot. (like /sbin/init)


Why can't early userspace itself mount securityfs?


Hmm,,,
It might be possible as load_policy() doing, if necessary.
Please forget the previous my opinion.

I'm not even sure this is a good idea at all.  Existing capabilities will 
never disappear, and, as with syscalls, it's probably up to userland to 
handle new ones not existing.


When we use libcap built on older kernel for newer kernel, libcap cannot
handle newly added capabilities, because it is not exist on the build 
environment.
Therefore, any available capabilities should be exported dynamically by the 
kernel.


In any case, some more technical issues:


kernel/cap_names.sh generates the body of cap_entries[] array,


This needs to be in the scripts directory.


OK, it will be moved.

The generated header should be made idempotent (#ifdef wrapping), and also 
include a warning that it is automatically generated (identifying the 
script which does so), and that is should not be edited.



+   d_caps = securityfs_create_dir("capability", NULL);
+   if (!d_caps)


Wrong way to check for error -- the function returns an ERR_PTR().


+   f_caps[i] = securityfs_create_file(cap_entries[i].name, 0444,
+  d_caps, &cap_entries[i],
+  &cap_entry_fops);
+   if (!f_caps[i])


Ditto.


OK,

Another issue is that securityfs depends on CONFIG_SECURITY, which might 
be undesirable, given that capabilities are a standard feature.


We can implement this feature on another pseudo filesystems.
Do you think what filesystem is the best candidate?
I prefer procfs or sysfs instead.

Thanks,
--
KaiGai Kohei <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html