Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

[Kyle Moffett]

On Apr 18, 2006, at 21:48:56, Casey Schaufler wrote:
> --- James Morris <jmorris@xxxxxxxxx> wrote:
> > With pathnames, there is an unbounded and unknown number of  
> > effective security policies on the system, as there are an
> > unbounded and unknown number of ways of viewing the files via  
> > pathnames.
>
> I agree that for traditional DAC and MAC (including the flavors  
> supported by SELinux) inodes is the only way to go. SELinux is a  
> traditional Trusted OS architecture and addresses the traditional  
> Trusted OS issues.

Perhaps the SELinux model should be extended to handle (dir-inode,  
path-entry) pairs.  For example, if I want to protect the /etc/shadow  
file regardless of what tool is used to safely modify it, I would set  
up security as follows:

o  Protect the "/" and "/etc" directory inodes as usual under SELinux  
(with attributes on directory inodes).
o  Create pairs with (etc_inode,"shadow") and (etc_inode,"gshadow")  
and apply security attributes to those potentially nonexistent pairs.

I'm not terribly familiar with the exact internal semantics of  
SELinux, but that should provide a 90% solution (it fixes bind mounts  
and namespaces).  The remaining 2 issues are hardlinks and fd- 
passing.  For hardlinks you don't care about other links to that  
data, you're concerned with protecting a particular filesystem  
location, not particular contents, so you just need to prevent _new_  
hardlinks to a protected (dir_inode, path_elem) pair, which doesn't  
seem very hard.  For fd-passing, I don't know what to do.  Perhaps  
nothing.

Anyways, just a few ideas for consideration

Cheers,
Kyle Moffett

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/