Re: [PATCH v1] security: Add a new hook: inode_touch_atime

From: Christoph Hellwig
Date: Thu Dec 22 2016 - 04:07:08 EST

Next message: Juergen Gross: "Re: [PATCH] xen/evtchn: use rb_entry()"
Previous message: Michal Hocko: "Re: [PATCH V3 1/2] mm/memblock.c: trivial code refine in memblock_is_region_memory()"
In reply to: MickaÃl SalaÃn: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Next in thread: Christoph Hellwig: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Dec 22, 2016 at 09:58:42AM +0100, Mickaël Salaün wrote:
> Of course a read-only mount point can do the trick (except for anonymous
> inodes). However, a security policy (e.g. for SELinux) should not (and
> can't always) rely on mount options. For example, a security policy can
> come from a distro but they may not want to tie mount options with this
> policy. We may also not want a sandbox to being able to change mount
> options (even with user namespaces).
>
> Being able to write (meta-)data, whereas a security policy said that
> it's not allowed, seems like a flaw in this policy. Moreover, modifying
> access time is an easy way to create cover-channels without any LSM
> being able to notice it.

A security policy must not mess with the readonly state of a file system
or mount, period. You're overstepping your boundaries.

Next message: Juergen Gross: "Re: [PATCH] xen/evtchn: use rb_entry()"
Previous message: Michal Hocko: "Re: [PATCH V3 1/2] mm/memblock.c: trivial code refine in memblock_is_region_memory()"
In reply to: MickaÃl SalaÃn: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Next in thread: Christoph Hellwig: "Re: [PATCH v1] security: Add a new hook: inode_touch_atime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]