Re: Security issues with local filesystem caching

From: Stephen Smalley
Date: Fri Oct 27 2006 - 12:10:42 EST

Next message: Evgeniy Polyakov: "[take21 2/4] kevent: poll/select() notifications."
Previous message: Andi Kleen: "Re: [PATCH] x86_64 add missing enter_idle() calls"
In reply to: David Howells: "Re: Security issues with local filesystem caching"
Next in thread: David Howells: "Re: Security issues with local filesystem caching"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2006-10-27 at 16:42 +0100, David Howells wrote:
> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > We might want more information passed into the hook, like the cache
> > directory itself,
>
> I can do that. I have the cache directory path and the cache tag name both
> available as strings.
>
> > int security_cache_set_context(struct vfsmount *mnt, struct dentry *dentry, u32 secid)
> > {
>
> Where are you envisioning this going? In SELinux, in the LSM core or in
> cachefiles?

Sorry, that should have been named selinux_cache_set_context(), a
SELinux-specific implementation of a security_cache_set_context() LSM
hook. The hook would be called after the cache directory pathname has
been looked up by your module, yielding a (mnt, dentry) pair and after
the security context string has been mapped to a secid.

> I was also wondering if I could generalise it to handle all cache
> types, but the permissions checks are probably going to be quite different for
> each type. For instance, CacheFiles uses files on a mounted fs, whilst CacheFS
> uses a block device.

So in the latter case, the daemon supplies the path of a block device
node? I suppose the hook could internally check the type of inode to
decide what checks to apply, using the checks I previously sketched when
it is a directory and using a different set of checks for the block
device (substituting a write check against the block device for the
directory-specific checks). The hook interface itself would look the
same IIUC, i.e. providing the (mnt, dentry) pair to which the path
resolved and the secid to which the context resolved.

> Also, with your multiple cache example, how would I bring each cachefilesd
> daemon up in a different context so that it could handle a different cache with
> a different context?

runcon will run a program in a specified context, so if you defined
cachesfilesd_internal_t and aachesfilesd_external_t domains in policy,
you could then do:
runcon -t cachefilesd_internal_t -- /path/to/cachefilesd args...

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Evgeniy Polyakov: "[take21 2/4] kevent: poll/select() notifications."
Previous message: Andi Kleen: "Re: [PATCH] x86_64 add missing enter_idle() calls"
In reply to: David Howells: "Re: Security issues with local filesystem caching"
Next in thread: David Howells: "Re: Security issues with local filesystem caching"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]