Re: [PATCH] Fix dmesg_restrict build failure withCONFIG_EMBEDDED=y and CONFIG_PRINTK=n

From: Eric Paris
Date: Mon Nov 15 2010 - 17:44:36 EST

Next message: Arnd Bergmann: "Re: [PATCH 1/4] udf: Add missed protection for s_lvid_dirty"
Previous message: Alexey Zaytsev: "Re: A possible flaw in the fsnotify design."
In reply to: James Morris: "Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=yand CONFIG_PRINTK=n"
Next in thread: James Morris: "Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=yand CONFIG_PRINTK=n"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2010-11-16 at 09:13 +1100, James Morris wrote:
> On Mon, 15 Nov 2010, Eric Paris wrote:
>
> > On Mon, Nov 15, 2010 at 12:41 PM, Linus Torvalds
> > <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > If the old rule should have been that you _have_
> > > to call cap_syslog(), then just eviscerating that entirely and putting
> > > it in the generic code is definitely the right thing.
> >
> > That is the rule for ALL of the hooks in commoncap.c. The one time I
> > tried to do something else *cough*mmap_min_addr*cough* I screwed it
> > up. I'll put a note in my todo list about looking into lifting all of
> > commoncap.c into the callers.
>
> If it's a requirement of the API that all of the cap calls are made
> first, then build it into the API, so developers can't make a mistake.
> e.g. have the LSM API do the secondary stacking of caps behind the scenes.

At this point it's a defacto requirement since noone is doing anything
like that. My mmap_min_addr screw up is, to the best of my knowledge,
the only time anyone has intentionally not called the caps code...

And I sorta like the idea of moving the cap_* calls directly into
security_*. Great, another item on the todo list. Lift as many cap
calls into the caller as is reasonable (I don't think there are
many/any) and if not possible lift them directory into security_*. If
someone else really wants to make a system truely without capabilities
lets look at there solution then....

> I had thought that the idea was that some LSM may want to not implement
> capabilities at all, on which case, it should still not be possible for
> the API to weaken the default security with or without caps.

Not sure how that's possible. I mean, I guess it's possible if the
fabled LSM reimplements the cap call, but I'm not sure how you can
remove a restrictive only security check without 'weakening' the system
in some way.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arnd Bergmann: "Re: [PATCH 1/4] udf: Add missed protection for s_lvid_dirty"
Previous message: Alexey Zaytsev: "Re: A possible flaw in the fsnotify design."
In reply to: James Morris: "Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=yand CONFIG_PRINTK=n"
Next in thread: James Morris: "Re: [PATCH] Fix dmesg_restrict build failure with CONFIG_EMBEDDED=yand CONFIG_PRINTK=n"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]