--- Stephen Smalley <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-07-17 at 15:28 -0400, Stephen Smalley wrote:
> > On Mon, 2007-07-16 at 21:18 -0700, Casey Schaufler wrote:
> > > Thank you for the valuable comments. I have incorporated a good number
> > > in the updated patch:
> > >
> > > http://www.schaufler-ca.com/data/smack-0716A-patch.tar
> >
> > - Duplication of interfaces between /smack/self
> > and /proc/self/attr/current?
Removed /smack/self
> > - Lack of CAP_MAC_OVERRIDE check in smack_setprocattr?
Fixed
> > - Lack of CAP_MAC_OVERRIDE checks on setxattr or removexattr for the
> > SMACK attribute? cap_inode_*xattr will check CAP_SYS_ADMIN, but is that
> > what you want?
Fixed
> > - Speaking of which, are you ok with your MAC model being overridden by
> > all uid 0 processes? Or do you plan to change securebits and use file
> > caps?
I've been tracking the file caps closely. I like file capabilities,
but I have had success with uid 0 MAC systems as well. Long term, yes
I want file caps, but the uid 0 world is important, too.
> > - I suspect use of _IOC_DIR() or IOC_IN/OUT/INOUT would suit you better
> > for file_ioctl. Just map each cmd to read/write/readwrite that way and
> > avoid having to encode specific knowledge there. SELinux should likely
> > do the same although compat may be a pain.
Done.
> > - Consistency nit: if not rechecking on read/write (file_permission),
> > why recheck on mmap? Likewise possibly for some if not all of the other
> > file_ hooks.
Consistency applied.
> Other question there is if you aren't going to recheck on use, then what
> story do you tell wrt relabeling of files and/or tasks changing labels,
> given that you permit both to happen?
It requires privilege. Really, that's the answer that's been used
on every B1/LSPP evaluation up until yours (Congratulations, BTW)
and an important aspect of the system is that labels don't change
very often, and only under controlled circumstances.
> > - On mmap, why always check readwrite, as prot may only be PROT_READ and
> > even a PROT_WRITE mapping won't actually write back to the file unless
> > the mapping is MAP_SHARED. See the selinux hook for comparison.
Dealt with mmap above.
Also, per Paul Moore's suggestions, converted to use the cipso
default domain rather than defining an otherwise uninteresting
domain. Made the CIPSO DOI and Direct-level configurable.
Updated patch:
http://www.schaufler-ca.com/data/smack-0717A-patch.tar
The change to drop /smack/self in favor of /proc/self/attr/current
requires an updated sshd.
http://www.schaufler-ca.com/data/smack-0717A-all.tar
is the whole smack ball of wax.
http://www.schaufler-ca.com/data/smack-base-0717A.tar
has the application space source.
Still lots to do! Thank you.
Casey Schaufler
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
