Re: [PATCH] selinux: Inode label revalidation performance fix

2016-01-06 Thread Stephen Smalley
and that inode_security_revalidate can be removed entirely, which brings us back to roughly the original performance. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- security/selinux/hooks.c | 10 ++ 1 file changed, 2 insertions(+), 8 deleti

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 11:06 AM, Casey Schaufler wrote: On 12/15/2015 7:00 AM, Stephen Smalley wrote: On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow Had the context or a token to a context during

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 12:19 PM, Joe Nall wrote: On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote: ... I have long wondered why SELinux generates the context string of the secid more than once. Audit performance alone would justify keeping it around. The variable length

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow Had the context or a token to a context during the ipc transaction to userspace, we could just use that In computing the access decision. If

Re: Exposing secid to secctx mapping to user-space

2015-12-14 Thread Stephen Smalley
On 12/14/2015 12:03 PM, Mike Palmiotto wrote: On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore <p...@paul-moore.com> wrote: On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote: Perhaps we could provide a new fixed-size tokenized version of the security context string for

Re: Exposing secid to secctx mapping to user-space

2015-12-11 Thread Stephen Smalley
On 12/11/2015 02:55 PM, Paul Moore wrote: On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote: Hello, I would like to write a patch that would expose, via selinuxfs, the mapping between secids in the kernel and security contexts to user-space, but before doing so

Re: [PATCH v5 6/7] selinux: Revalidate invalid inode security labels

2015-11-02 Thread Stephen Smalley
, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> Ge

Re: [PATCH v4 3/7] security: Make inode argument of inode_getsecid non-const

2015-10-29 Thread Stephen Smalley
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote: Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> -

Re: [PATCH v4 4/7] selinux: Add accessor functions for inode->i_security

2015-10-29 Thread Stephen Smalley
;agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- security/selinux/hooks.c | 97 1 file changed, 56 insertions(+), 41 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a8f09af.

Re: [PATCH v4 6/7] selinux: Revalidate invalid inode security labels

2015-10-29 Thread Stephen Smalley
happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Could probably use inode_security_novalidate() for all of the SOCK_INODE() cases, right? Otherwise, Acked-by

Re: [PATCH v4 5/7] security: Add hook to invalidate inode security labels

2015-10-29 Thread Stephen Smalley
viewed-by: James Morris <james.l.mor...@oracle.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- include/linux/lsm_hooks.h | 6 ++ include/linux/security.h | 5 + security/security.c | 8 security/selinux/hoo

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: > On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: >>> >>> Use path_has_perm directly instead.

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 01:31 PM, Stephen Smalley wrote: On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts:

Re: [PATCH v2] selinux: export validatetrans decisions

2015-10-28 Thread Stephen Smalley
On 10/27/2015 04:48 PM, Andrew Perepechko wrote: Make validatetrans decisions available through selinuxfs. "/validatetrans" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing

Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Here is another version of the patch queue to make gfs2 and similar file systems work with SELinux. As suggested by Stephen Smalley [*], the relevant uses of inode->security are wrapped in function calls that try to revalidate invalid lab

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts: commit 13f8e9810bff12d01807b6f92329111f45218235 Author: David Howells Date: Thu Jun 13 23:37:55 2013 +0100 SELinux: Institute file_path_has_perm() Create a

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Stephen Smalley
On 10/27/2015 02:27 PM, Andrew Perepechko wrote: + if (rc) + goto out; + + rc = -ENOMEM; + if (count >= PAGE_SIZE - 1) + goto out; Why PAGE_SIZE-1? This is to avoid allocation of more than a single page. Yes, but you don't need PAGE_SIZE - 1

Re: [PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-20 Thread Stephen Smalley
On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore <pmo...@redhat.com> wrote: > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote: >> On 10/07/2015 07:08 PM, Paul Moore wrote: >> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c >> > index ef63d

Re: [RFC PATCH v3 1/5] kdbus: add creator credentials to the endpoints

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: In order to effectively enforce LSM based access controls we need to have more information about the kdbus endpoint creator than the uid/gid currently stored in the kdbus_node_type struct. This patch replaces the uid/gid values with a reference to the

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-09 Thread Stephen Smalley
the security label on a kdbusfs inode Signed-off-by: Paul Moore <pmo...@redhat.com> --- ChangeLog: - v3 * Ported to the 4.3-rc4 based kdbus tree - v2 * Implemented suggestions by Stephen Smalley * call security_kdbus_conn_new() sooner * reworked hook inside kdbus_conn_policy_ow

Re: [RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: The kdbus service names will be recorded using 'service', similar to the existing dbus audit records. Signed-off-by: Paul Moore --- ChangeLog: - v3 * Ported to the 4.3-rc4 based kdbus tree - v2 * Initial draft ---

Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: Add the SELinux access control implementation for the new kdbus LSM hooks using the new kdbus object class and the following permissions: [NOTE: permissions below are based on kdbus code from Aug 2015] * kdbus:impersonate Send a different

Re: [PATCH] security: selinux: Use a kmem_cache for allocation struct file_security_struct

2015-10-07 Thread Stephen Smalley
e | Slack Size | Allocation Count > --- > 770048 |192512| 577536 | 12032 > > At the result, this change reduce memory usage 42bytes per each > file_security_struct > > Signed-off-by: Sangwoo <sangwoo2.p...

Re: [PATCH 0/5] Security: Provide unioned file support

2015-09-30 Thread Stephen Smalley
On 09/29/2015 05:03 PM, Stephen Smalley wrote: On 09/28/2015 04:00 PM, David Howells wrote: The attached patches provide security support for unioned files where the security involves an object-label-based LSM (such as SELinux) rather than a path-based LSM. [Note that a number of the bits

Re: NFS/LSM: allow NFS to control all of its own mount options

2008-02-20 Thread Stephen Smalley
= selinux_mount, .sb_umount =selinux_umount, - To unsubscribe from this list: send the line unsubscribe linux-security-module in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html -- Stephen

Re: [PATCH] [RFC] Smack update for file capabilities

2008-02-19 Thread Stephen Smalley
, int sig, u32 secid) { + int rc; + + rc = cap_task_kill(p, info, sig, secid); + if (rc != 0) + return rc; /* * Special cases where signals really ought to go through * in spite of policy. Stephen Smalley suggests it may @@ -1778,6 +1810,27
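
Review bot: in the first hunk the cap_task_kill() result is returned before the block commented "Special cases where signals really ought to go through in spite of policy", so a non-zero return from the capability check now takes precedence over those special cases. If that ordering is intended, extend the comment to say the special cases bypass only the Smack policy check and not the capability check; otherwise move the call below the special-case test.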

Re: [PATCH 07/37] Security: De-embed task security record from task and use refcounting

2008-02-11 Thread Stephen Smalley
for its existence? Looks unused now. Similarly for some of the other security structs. Only inode, superblock, and sock back pointers still seem to be in use. -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2008-01-15 Thread Stephen Smalley
submits a policy patch to register these classes and permissions in the policy when the kernel patch is queued for merge. -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2008-01-15 Thread Stephen Smalley
On Tue, 2008-01-15 at 16:03 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: (3) Check that the kernel may create files as a particular secid (this could be specified indirectly by specifying an inode, which would hide the secid inside the LSM). I

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2008-01-15 Thread Stephen Smalley
On Tue, 2008-01-15 at 10:10 -0800, Casey Schaufler wrote: --- David Howells [EMAIL PROTECTED] wrote: Stephen Smalley [EMAIL PROTECTED] wrote: (3) Check that the kernel may create files as a particular secid (this could be specified indirectly by specifying an inode, which

Re: [RFC PATCH] Adding prctl override support for LSMs

2008-01-11 Thread Stephen Smalley
(e.g. the capability bitmaps weren't pushed into LSM's security blobs). Or add a node to /proc/pid/attr for it. -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2008-01-09 Thread Stephen Smalley
, ala: svn co http://oss.tresys.com/repos/refpolicy/trunk refpolicy cd refpolicy/policy/flask vi security_classes access_vectors add new class to end make make LINUX_D=/path/to/linux-2.6 tokern Dan knows how to do that. -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2008-01-09 Thread Stephen Smalley
On Wed, 2008-01-09 at 18:56 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: Right, the latter is reasonable. Requires adding the class and permission definition to policy/flask/security_classes and policy/flask/access_vectors and then regenerating the kernel

Re: [RFC PATCH v9 12/18] SELinux: Add a new peer class and permissions to the Flask definitions

2007-12-21 Thread Stephen Smalley
-- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-19 Thread Stephen Smalley
On Tue, 2007-12-18 at 19:28 -0800, Crispin Cowan wrote: Stephen Smalley wrote: It is if I have to maintain a special pieces of code for each possible LSM. One piece for SELinux, one piece for AppArmour, one piece for Smack, one piece for Casey's security system. That sounds like a pain

Re: [RFC PATCH v8 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-18 Thread Stephen Smalley
On Mon, 2007-12-17 at 15:56 -0500, Paul Moore wrote: On Monday 17 December 2007 3:35:28 pm Stephen Smalley wrote: On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote: This patch adds a SELinux IP address/node SID caching mechanism similar to the sel_netif_*() functions. The node SID

Re: [RFC PATCH v8 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-18 Thread Stephen Smalley
On Tue, 2007-12-18 at 08:59 -0500, Paul Moore wrote: On Monday 17 December 2007 3:05:37 pm Stephen Smalley wrote: On Sun, 2007-12-16 at 11:47 -0500, Paul Moore wrote: We should probably have different permissions for the interface and node cases. Take the example of an admin who is only

Re: [RFC PATCH v8 06/18] LSM: Add inet_sys_snd_skb() LSM hook

2007-12-17 Thread Stephen Smalley
mailing list. If you no longer wish to subscribe, send mail to [EMAIL PROTECTED] with the words unsubscribe selinux without quotes as the message. -- Stephen Smalley National Security Agency

Re: [RFC PATCH v8 05/18] LSM: Add secctx_to_secid() LSM hook

2007-12-17 Thread Stephen Smalley
On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote: Add a secctx_to_secid() LSM hook to go along with the existing secid_to_secctx() LSM hook. This patch also includes the SELinux implementation for this hook. Acked-by: Stephen Smalley [EMAIL PROTECTED] This one can go up anytime, as we

Re: [RFC PATCH v8 09/18] SELinux: Only store the network interface's ifindex

2007-12-17 Thread Stephen Smalley
-- Stephen Smalley National Security Agency

Re: [RFC PATCH v8 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-17 Thread Stephen Smalley
. -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-13 Thread Stephen Smalley
On Wed, 2007-12-12 at 22:49 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: Have you example code for the security hook you mention? I'm not sure I understand why security_secctx_to_secid() is not sufficient. security_secctx_to_secid() would just validate

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-13 Thread Stephen Smalley
On Wed, 2007-12-12 at 22:55 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: More likely, run it at build time in your .spec file to generate cachefiles.conf, I don't think sticking it in cachefiles.conf is a good idea necessarily. That has to be an administrator

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-13 Thread Stephen Smalley
On Thu, 2007-12-13 at 17:01 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: They would correspond with the operations provided by the /dev/cachefiles interface, at the granularity you want to support distinctions to be made. Can this be made simpler by the fact

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-12 Thread Stephen Smalley
On Wed, 2007-12-12 at 08:51 -0800, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Tue, 2007-12-11 at 15:04 -0800, Casey Schaufler wrote: --- David Howells [EMAIL PROTECTED] wrote: Stephen Smalley [EMAIL PROTECTED] wrote: All your code has to do

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-12 Thread Stephen Smalley
On Wed, 2007-12-12 at 18:29 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: That sounds workable, although I think he will want a more specific hook than security_secctx_to_secid(), or possibly a second hook call, that would not only validate the context but authorize

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-12 Thread Stephen Smalley
] -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-12 Thread Stephen Smalley
/cachefiles.conf. Have cachefilesd read it and pass it downward. More likely, run it at build time in your .spec file to generate cachefiles.conf, then run it again maybe upon a policy update or if the user selects a different policy. -- Stephen Smalley National Security Agency

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Mon, 2007-12-10 at 14:26 -0800, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Mon, 2007-12-10 at 21:08 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: Otherwise, only other issue I have with this interface is it won't generalize

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Mon, 2007-12-10 at 23:36 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: From a config file whose pathname would be provided by libselinux (ala the way in which dbusd imports contexts), or directly as a context returned by a libselinux function. That sounds too

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-10 Thread Stephen Smalley
, .task_setgid = selinux_task_setgid, -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to [EMAIL PROTECTED] with the words unsubscribe selinux without quotes as the message. -- Stephen Smalley

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-10 Thread Stephen Smalley
On Mon, 2007-12-10 at 17:07 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: + tsec-create_sid = SECINITSID_UNLABELED; + tsec-keycreate_sid = SECINITSID_UNLABELED; + tsec-sockcreate_sid = SECINITSID_UNLABELED; Cleared means what? Setting to 0? Or is there some

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-10 Thread Stephen Smalley
On Mon, 2007-12-10 at 21:08 +, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: Otherwise, only other issue I have with this interface is it won't generalize to dealing with nfsd, where we want to set the acting context to a context we obtain from or determine based upon

Re: [PATCH 4/7] KEYS: Add keyctl function to get a security label

2007-12-05 Thread Stephen Smalley
-- Stephen Smalley National Security Agency

Re: [PATCH 1/2] namespaces: introduce sys_hijack (v10)

2007-11-28 Thread Stephen Smalley
On Tue, 2007-11-27 at 16:38 -0600, Serge E. Hallyn wrote: Quoting Stephen Smalley ([EMAIL PROTECTED]): On Tue, 2007-11-27 at 10:11 -0600, Serge E. Hallyn wrote: Quoting Crispin Cowan ([EMAIL PROTECTED]): Just the name sys_hijack makes me concerned. This post describes a bunch

Re: Path of task via LSM

2007-11-27 Thread Stephen Smalley
and vfsmnt from the current task_struct via the d_path() lookup function. audit_log_task_info() is an example. It isn't a perfect technique, but usually yields the expected answer. But I wouldn't recommend doing that on every LSM hook call. -- Stephen Smalley National Security Agency

Re: [PATCH 1/2] namespaces: introduce sys_hijack (v10)

2007-11-27 Thread Stephen Smalley
sure alarm bells went off :) bc it's definitely still worrisome. But at this point I believe it is the safest solution suggested so far. -- Stephen Smalley National Security Agency

Re: Missing security_file_permission() check from sys_splice()

2007-11-09 Thread Stephen Smalley
in sock_sendpage(). -- Stephen Smalley National Security Agency

Re: [PATCH] file capabilities: allow sigcont within session (v2)

2007-11-01 Thread Stephen Smalley
is permitted within same session */ + if (sig == SIGCONT (task_session_nr(current)==task_session_nr(p))) + return 0; + if (secid) /* * Signal sent as a particular user. -- Stephen Smalley National Security Agency - To unsubscribe from

Re: [PATCH RFC 1/2] capabilities: fix compilation with strict type checking (v2)

2007-10-26 Thread Stephen Smalley
is, if we open up to 64, how quickly will we hit 65. Perhaps a generic bitmask is better, and then we need a stricter type mode anyway. -- Stephen Smalley National Security Agency

Re: [PATCH 1/2] VFS/Security: Rework inode_getsecurity and callers to return resulting buffer

2007-10-26 Thread Stephen Smalley
. Of course they could get around that by sending in a 'reasonably large' buffer for a first try. That's what current userland does. libselinux always tries with an initial buffer first (and usually succeeds), thereby avoiding the second call to getxattr in the common case. -- Stephen Smalley

Re: [RFC] [PATCH 2/2] capabilities: implement 64-bit capabilities

2007-10-16 Thread Stephen Smalley
) rc = inode-i_op-getxattr(dentry, XATTR_NAME_CAPS, incaps, XATTR_CAPS_SZ); else -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line unsubscribe linux-security-module in the body of a message

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-05 Thread Stephen Smalley
for userland so that you don't need separate versions of ls, ps, sshd, etc for Smack vs SELinux vs. whatever. -- Stephen Smalley National Security Agency

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Stephen Smalley
than a strict subset of SELinux (MAC, label-based, should be easily emulated on top of SELinux or via fairly simple extension to it to make such emulation simpler or more optimal), then what isn't mergeable as a separate security module? -- Stephen Smalley National Security Agency

Re: [PATCH 2/3] CRED: Split the task security data and move part of it into struct cred

2007-09-26 Thread Stephen Smalley
On Wed, 2007-09-26 at 14:30 +0100, David Howells wrote: Stephen Smalley [EMAIL PROTECTED] wrote: Precisely when to use one identity vs. the other though isn't always clear, and the potential for accidental divergence is also a concern. What should auditing use in audit_filter_rules

Re: [RFC]selinux: Improving SELinux read/write performance

2007-09-13 Thread Stephen Smalley
On Wed, 2007-09-12 at 17:51 +0900, Yuichi Nakamura wrote: Hi. Stephen Smalley pointed out possibility of race condition in off-list discussion. Stephen Smalley said: One other observation about the patch: it presently leaves open a (small) race window in which the file could get

Re: [RFC]selinux: Improving SELinux read/write performance

2007-09-10 Thread Stephen Smalley
(unsigned long clone_flags) { return 0; Regards, -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line unsubscribe linux-security-module in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [RFC]selinux: Improving SELinux read/write performance

2007-09-06 Thread Stephen Smalley
an overhead in selinux_file_permission function. This is a function that is called in read/write calls, and does SELinux permission check. SELinux checks permission both in open and read/write time. Stephen Smalley suggested that we can usually skip permission check in selinux_file_permission

Re: [PATCH 00/16] Permit filesystem local caching [try #3]

2007-08-14 Thread Stephen Smalley
there). So even that would have to be encapsulated within a hook. -- Stephen Smalley National Security Agency

Re: [PATCH 00/16] Permit filesystem local caching [try #3]

2007-08-13 Thread Stephen Smalley
that the task's security context would have to be able to store acting security IDs for everything, but I don't think that's too much of a stretch resourcewise. -- Stephen Smalley National Security Agency

Re: [PATCH 00/16] Permit filesystem local caching [try #3]

2007-08-13 Thread Stephen Smalley
level of context. What was the objection again to the original interface, aside from replacing u32 secids with void* security blobs? -- Stephen Smalley National Security Agency

Re: LSM: memory and user-space interaction

2007-08-07 Thread Stephen Smalley
. -- Stephen Smalley National Security Agency

Re: [PATCH][RFC] V2 Remove SELinux dependencies from linux-audit via LSM

2007-08-07 Thread Stephen Smalley
On Sun, 2007-08-05 at 17:03 -0700, Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] This patch interposes LSM interfaces between the audit system and SELinux. This helps make SELinux a cleaner LSM and clarifies the interfaces provided by the audit system. The audit system no

Re: [PATCH][RFC] V1 Remove SELinux dependencies from linux-audit via LSM

2007-08-03 Thread Stephen Smalley
the selinux_enabled check from them, as the hook function will only be registered if SELinux is enabled. -- Stephen Smalley National Security Agency

Re: [PATCH][RFC] V1 Remove SELinux dependencies from linux-audit via LSM

2007-08-03 Thread Stephen Smalley
specific. Any problem with making the security_audit_rule interfaces use a void * ? The audit code appears to be accommodating. The struct is already opaque outside of the security module, so you can just rename it and implement your own version of the struct in your module. -- Stephen Smalley

Re: [PATCH RFC] file capabilities: clear fcaps on inode change

2007-07-30 Thread Stephen Smalley
entities from writing to the labels of trusted programs in the first place in one's policy. -- Stephen Smalley National Security Agency

Re: [xfs-masters] [RFC: 2.6 patch] make the *FS_SECURITY options no longer user visible

2007-07-30 Thread Stephen Smalley
) just to test the security xattr namespace is a bit of a pain. You can enable SECURITY_SELINUX in the kernel config but still have it boot disabled by default via SECURITY_SELINUX_BOOTPARAM_VALUE=0. -- Stephen Smalley National Security Agency

Re: [RFC][PATCH] Version5 - Simplified mandatory access control kernel implementation

2007-07-23 Thread Stephen Smalley
the responsibility to the filesystems, e.g. define some new flags for file_system_type struct that indicate the right behavior for labeling inodes, and have the security module only use those flags rather than needing to know about individual filesystem types. -- Stephen Smalley National Security

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-19 Thread Stephen Smalley
for login/sshd and newrole. -- Stephen Smalley National Security Agency

Re: [RFC][PATCH] Version3 - Simplified mandatory access control kernel implementation

2007-07-19 Thread Stephen Smalley
On Wed, 2007-07-18 at 20:46 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Tue, 2007-07-17 at 19:59 -0700, Casey Schaufler wrote: - Speaking of which, are you ok with your MAC model being overridden by all uid 0 processes? Or do you plan

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-19 Thread Stephen Smalley
On Thu, 2007-07-19 at 08:26 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Wed, 2007-07-18 at 18:15 -0700, Casey Schaufler wrote: --- Joshua Brindle [EMAIL PROTECTED] wrote: Casey Schaufler wrote: ... I do have a hackish newsmack

Re: [RFC][PATCH] Version3 - Simplified mandatory access control kernel implementation

2007-07-18 Thread Stephen Smalley
an existing one. Obviously those key hooks need to be filled in (or dropped). -- Stephen Smalley National Security Agency

Re: [RFC] [PATCH 2/2] file capabilities: change fE to a bool

2007-07-18 Thread Stephen Smalley
succeeded? Could you do an ls -i on /bin/ping and ~/ping before and after the copy to make sure? Or just echo $? after the cp? -- Stephen Smalley National Security Agency

Re: [RFC] [PATCH 2/2] file capabilities: change fE to a bool

2007-07-18 Thread Stephen Smalley
On Wed, 2007-07-18 at 14:03 -0400, Stephen Smalley wrote: On Wed, 2007-07-18 at 12:53 -0500, Serge E. Hallyn wrote: Quoting Andrew Morgan ([EMAIL PROTECTED]): Serge, I spent the evening getting my local build of libcap (building

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-16 Thread Stephen Smalley
= current-security; + return 0; +} And if the socket outlives the task? -- Stephen Smalley National Security Agency

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-16 Thread Stephen Smalley
On Mon, 2007-07-16 at 07:41 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Sat, 2007-07-14 at 14:47 -0700, Casey Schaufler wrote: The patch exceeds the 40k size rule, coming in at about 100k. I would be happy to send the patch to anyone who has trouble

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-16 Thread Stephen Smalley
On Mon, 2007-07-16 at 08:32 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Mon, 2007-07-16 at 07:41 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Sat, 2007-07-14 at 14:47 -0700, Casey Schaufler wrote: The patch

Re: What kind of feature does New LSM security model need?

2007-07-11 Thread Stephen Smalley
security module back in 2004, Andrew Morton indicated that acceptance of any new code into mainline requires that it have a real user base: http://marc.info/?l=linux-kernel&m=109717928411882&w=2 -- Stephen Smalley National Security Agency

Re: What kind of feature does New LSM security model need?

2007-07-11 Thread Stephen Smalley
On Wed, 2007-07-11 at 10:30 -0700, Casey Schaufler wrote: --- Stephen Smalley [EMAIL PROTECTED] wrote: On Wed, 2007-07-11 at 08:54 +0900, Kazuki Omo(Company) wrote: Dear, Sir, Sorry for my poorly English. I've just wanted to make sure the process how can we put other security

Re: [AppArmor 32/44] Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames

2007-07-03 Thread Stephen Smalley
not be authorized to access the file anymore, even via an already opened descriptor. -- Stephen Smalley National Security Agency

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-22 Thread Stephen Smalley
On Thu, 2007-06-21 at 23:17 +0200, Lars Marowsky-Bree wrote: On 2007-06-21T16:59:54, Stephen Smalley [EMAIL PROTECTED] wrote: Or can access the data under a different path to which their profile does give them access, whether in its final destination or in some temporary file processed

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-22 Thread Stephen Smalley
authorizations to access multiple kinds of information with differing security requirements without compromising those security requirements. -- Stephen Smalley National Security Agency

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-22 Thread Stephen Smalley
On Fri, 2007-06-22 at 01:06 -0700, John Johansen wrote: On Thu, Jun 21, 2007 at 04:59:54PM -0400, Stephen Smalley wrote: On Thu, 2007-06-21 at 21:54 +0200, Lars Marowsky-Bree wrote: On 2007-06-21T15:42:28, James Morris [EMAIL PROTECTED] wrote: And now, yes, I know AA doesn't

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-22 Thread Stephen Smalley
On Fri, 2007-06-22 at 13:37 +0200, Lars Marowsky-Bree wrote: On 2007-06-22T07:19:39, Stephen Smalley [EMAIL PROTECTED] wrote: Or can access the data under a different path to which their profile does give them access, whether in its final destination or in some temporary file

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-22 Thread Stephen Smalley
On Fri, 2007-06-22 at 14:42 +0200, Lars Marowsky-Bree wrote: On 2007-06-22T07:53:47, Stephen Smalley [EMAIL PROTECTED] wrote: No the incomplete mediation does not flow from the design. We have deliberately focused on doing the necessary modifications for pathname based mediation

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-21 Thread Stephen Smalley
files via that path, but showing that it can never read or write your mail is a rather different matter. -- Stephen Smalley National Security Agency

Re: [RFC] TOMOYO Linux

2007-06-14 Thread Stephen Smalley
and fair-minded comparison. -- Stephen Smalley National Security Agency

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-06 Thread Stephen Smalley
real requirement but merely because they are tied to their implementation specifics. -- Stephen Smalley National Security Agency

Re: New to LSM list. A few questions.

2007-04-26 Thread Stephen Smalley
kernel code at all. The configuration language for SELinux is quite flexible. -- Stephen Smalley National Security Agency
