Re: [PATCH] split security_key_alloc into two functions
From: Stephen Smalley
Date: Tue Mar 28 2006 - 09:11:23 EST
On Tue, 2006-03-28 at 07:53 -0600, Serge E. Hallyn wrote:
> Quoting Stephen Smalley (sds@xxxxxxxxxxxxx):
> > Are you sure that the key cannot be accessed (looked up) by another
> > process as soon as it is assigned a serial number? If it can be, then
> > you risk having it accessed before its security structure is set up.
>
> Ah, that makes sense, and even rings a bell.
>
> So if we were to add a post_alloc() hook, it should likely go into
> key_alloc_serial() under the key_serial_lock?
>
> Still assuming that storing the serial number is desirable...
I'm not sure how/why SELinux would want that information, as we would
just be labeling the key based on its creator (possibly via a transition
computation to allow derived types), and then later possibly support
explicit labeling by security-aware applications as permitted by policy.
Serial number wouldn't be used for access control, and audit is being
handled separately these days (e.g. one might introduce audit hooks to
collect the serial number at the right points for later inclusion in
audit records emitted at syscall exit).
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/