Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management

From: James Morris
Date: Thu Oct 06 2005 - 03:04:44 EST

Next message: Steven Rostedt: "Re: 2.6.14-rc3-rt2"
Previous message: subbie subbie: "Re: 3Ware 9500S-12 RAID controller -- poor performance"
In reply to: Chris Wright: "Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management"
Next in thread: David Howells: "Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 5 Oct 2005, Chris Wright wrote:

> What case causes context != current?

Indeed, this is critical: we always need to know which task initiated the
current action. If it's not current, then we need the calling task struct
passed into the security hook.

> > + /* do a final security check before publishing the key */
> > + ret = security_key_alloc(key);
>
> This may simply be allocating space for the label (and possibly labelling)
> not necessarily a security check.

Agree, in fact, I think we should always aim to keep housekeeping hooks
separate from access control hooks.

Access checks seem to be usually done before this point via
lookup_user_key(), which is ideal.

> > - error:
> > + /* let the security module know the key has been published */
> > + security_key_post_alloc(key);
>
> This is odd, esp since nothing could have failed between alloc and
> publish. Only state change is serial number. Would you expect the
> security module to update a label based on serial number?

I don't think SELinux would care about this yet. If so, the hook can be
added later.

> > + /* if we're not the sysadmin, we can only change a key that we own */
> > + if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid)
> > + ret = security_key_set_security(key, name, data, dlen);
>
> Are you sure this is right? Normally I'd expect users can _not_ set the
> security labels of their own keys. But perhaps I've missed the point
> of this one, could you give a use case?

I think this is like xattrs on files, where the user can set and view
security attributes.

In any case, I don't see why you'd use a DAC check here at all, as this is
a complete passthrough to the security module.

key_get_security() has no DAC check.

> This would be a whole lot easier if keys were available in keyfs ;-)

Yes, then standard setxattr() getxattr() syscalls could be used, and we
can avoid two new multiplexed syscalls.

David, admit it, this key stuff is all really a filesystem :-)

- James
--
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "Re: 2.6.14-rc3-rt2"
Previous message: subbie subbie: "Re: 3Ware 9500S-12 RAID controller -- poor performance"
In reply to: Chris Wright: "Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management"
Next in thread: David Howells: "Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]