On 2007-06-25T17:14:11, Pavel Machek [EMAIL PROTECTED] wrote:
Actually, I surprised Lars a lot by telling him ln /etc/shadow /tmp/
allows any user to make AA ineffective on large part of systems -- in
internal discussion. (It is not actually a _bug_, but it is certainly
unexpected).
Pavel,
Quoting Kyle Moffett ([EMAIL PROTECTED]):
On Jun 25, 2007, at 16:37:58, Andreas Gruenbacher wrote:
On Monday 25 June 2007 06:33, James Morris wrote:
Convert LSM into a static interface, as the ability to unload a
security module is not required by in-tree users and potentially
complicates
Quoting Adrian Bunk ([EMAIL PROTECTED]):
On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
Quoting James Morris ([EMAIL PROTECTED]):
On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
It's useful for some LSMs to be modular, and LSMs which are y/n options
won't
On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
Quoting Adrian Bunk ([EMAIL PROTECTED]):
On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
Quoting James Morris ([EMAIL PROTECTED]):
On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
It's useful for
--- Kazuki Omo(Company) [EMAIL PROTECTED] wrote:
Folks,
May I ask some foolish questions?
So long as you're not afraid of foolish answers.
I just want to make sure what do we need
if we want to put new security module(which is using LSM) in mainline.
1. Does it have to provide
On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
Quoting Adrian Bunk ([EMAIL PROTECTED]):
On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
Quoting James Morris ([EMAIL PROTECTED]):
On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
It's useful for
Quoting Greg KH ([EMAIL PROTECTED]):
On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
Quoting Adrian Bunk ([EMAIL PROTECTED]):
On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
Quoting James Morris ([EMAIL PROTECTED]):
On Mon, 25 Jun 2007, Andreas
Chris Wright wrote:
* Chris Mason ([EMAIL PROTECTED]) wrote:
I'm sure people there will have a different versions of events. The
one part that was discussed was if pathname based security was
useful, and a number of the people in the room (outside of
novell) said it was. Now, it could be
This post contains patches to include the AppArmor application security
framework, with request for inclusion into -mm for wider testing.
These patches are currently against lkml but we will gladly rebase them
against -mm so that they will apply cleanly.
Any comments and feedback to improve
The vfsmount parameter must be set appropriately for files visibile
outside the kernel. Files that are only used in a filesystem (e.g.,
reiserfs xattr files) will have a NULL vfsmount.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by:
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |9 ++---
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |8 ++--
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |5 -
fs/namei.c | 10
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |9 ++---
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/stat.c|2 +-
include/linux/security.h | 11 +++
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |3 ++-
include/linux/security.h | 18 +-
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |4 +++-
fs/namei.c|
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h | 12
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |3 ++-
fs/namei.c|4
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h | 12
If we unhash the dentry before calling the security_inode_rmdir hook,
we cannot compute the file's pathname in the hook anymore. AppArmor
needs to know the filename in order to decide whether a file may be
deleted, though.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/nfs4xdr.c |2 +-
fs/nfsd/vfs.c
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/vfs.c | 16 +++-
fs/xattr.c
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 12 +++-
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |9 +++--
fs/namei.c |
First, when __d_path() hits a lazily unmounted mount point, it tries to prepend
the name of the lazily unmounted dentry to the path name. It gets this wrong,
and also overwrites the slash that separates the name from the following
pathname component. This patch fixes that; if a process was in
This allows LSMs to also distinguish between file descriptor and path
access for the xattr operations. (The other relevant operations are
covered by the setattr hook.)
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c
Update kenel audit range comments to show AppArmor's registered range of
1500-1599. This range used to be reserved for LSPP but LSPP uses the
SE Linux range and the range was given to AppArmor.
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally
The underlying functions by which the AppArmor LSM hooks are implemented.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/main.c | 1255 +++
1 file changed, 1255 insertions(+)
Module parameters, LSM hooks, initialization and teardown.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/lsm.c | 817
1 file changed, 817 insertions(+)
--- /dev/null
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/attr.c|4 ++--
include/linux/security.h |8 ++--
--
This post is a request for discussion on creating a second smaller
nameidata struct to eliminate conditionally passing of vfsmounts
to the LSM.
It contains a series of patches that apply on top of the AppArmor
patch series. These patches were previously post on May 14,
but received no
Create a nameidata2 struct in nfsd and mqueue so that vfs_create does
need to conditionally pass the vfsmnt.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c|2 +-
fs/nfsd/vfs.c | 42
Construct a nameidata object and pass it down to permission(), so
that we can do the proper mount flag checks there.
Note that confining nfsd with AppArmor makes no sense, and so this
patch is not necessary for AppArmor alone.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by:
On Tue, 26 Jun 2007 16:07:56 -0700
[EMAIL PROTECTED] wrote:
This post contains patches to include the AppArmor application security
framework, with request for inclusion into -mm for wider testing.
Patches 24 and 31 didn't come through.
Rolled-up diffstat (excluding 2431):
fs/attr.c
On Jun 26, 2007, at 09:47:12, Serge E. Hallyn wrote:
Quoting Kyle Moffett ([EMAIL PROTECTED]):
On Jun 25, 2007, at 16:37:58, Andreas Gruenbacher wrote:
It's useful for some LSMs to be modular, and LSMs which are y/n
options won't have any security architecture issues with
unloading at all.
In message [EMAIL PROTECTED], [EMAIL PROTECTED] writes:
The create, lookup, and permission inode operations are all passed a
full nameidata. This is unfortunate because in nfsd and the mqueue
filesystem, we must instantiate a struct nameidata but cannot provide
all of the same information
Kyle Moffett wrote:
Let's go over the differences between my fs and my LSM, and the
similarities between my VM and my LSM: Filesystems don't get
hooked from virtually every userspace-initiated operation, whereas
both VMs and LSMs do. VMs and LSMs attach anonymous state data to a
large
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 13 -
On Jun 26, 2007, at 20:57:53, Crispin Cowan wrote:
Kyle Moffett wrote:
Let's go over the differences between my fs and my LSM, and
the similarities between my VM and my LSM: Filesystems don't
get hooked from virtually every userspace-initiated operation,
whereas both VMs and LSMs do. VMs
On Tue, 26 Jun 2007 19:24:03 -0700 John Johansen [EMAIL PROTECTED] wrote:
so... where do we stand with this? Fundamental, irreconcilable
differences over the use of pathname-based security?
There certainly seems to be some differences of opinion over the use
of
* Crispin Cowan ([EMAIL PROTECTED]) wrote:
and simple LSMs that can be
unloaded safely can permit it.
there are none, and making the above possible is prohibitively
expensive.
-
To unsubscribe from this list: send the line unsubscribe
linux-security-module in
the body of a message to [EMAIL
42 matches
Mail list logo