Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7]implementation of LSM hooks)

From: Arjan van de Ven
Date: Mon Apr 24 2006 - 10:07:27 EST


On Mon, 2006-04-24 at 08:54 -0500, Serge E. Hallyn wrote:
> Quoting Arjan van de Ven (arjan@xxxxxxxxxxxxx):
> > On Mon, 2006-04-24 at 08:29 -0500, Serge E. Hallyn wrote:
> > > Quoting Arjan van de Ven (arjan@xxxxxxxxxxxxx):
> > > > On Mon, 2006-04-24 at 08:09 -0500, Serge E. Hallyn wrote:
> > > > > Quoting Arjan van de Ven (arjan@xxxxxxxxxxxxx):
> > > > > > for all such things in the first place. In fact, we already know that to
> > > > > > do auditing, LSM is the wrong thing to do (and that's why audit doesn't
> > > > > > use LSM). It's one of those fundamental linux truths: Trying to be
> > > > >
> > > > > As I recall it was simply decided that LSM must be "access control
> > > > > only", and that was why it wasn't used for audit.
> > > >
> > > > no you recall incorrectly.
> > > > Audit needs to audit things that didn't work out, like filenames that
> > > > don't exist. Audit needs to know what is going to happen before the
> > > > entire "is this allowed" chain is going to be followed. SELInux and
> > > > other LSM parts are just one part of that chain, and there's zero
> > > > guarantee that you get to the LSM part in the chain..... Now of course
> > >
> > > Ah yes. It needed to be authoritative. I did recall incorrectly.
> > >
> > > I suspect some would argue that you are right that LSM is broken, but
> > > only because it wasn't allowed to be authoritative.
> >
> > authoritative isn't enough; think about it. The VFS isn't ever going to
> > ask "can I open this file" if the file doesn't exist in the first place;
>
> Current audit doesn't do that either, does it?

As far as I know, it actually does. (assuming you configure it do audit
such events obviously)

> It labels the parent
> inode, so if /var/spool/mail doesn't exist, and you look up
> /var/spool/mail/hallyn, you won't get an audit record.


> You'd have to do
> that by auditing all open syscalls at the syscall level.

That's a wrong assumption. There is one level below the syscall level as
well in Linux, and that is where you need to audit for this, and afaik
audit actually does that.



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/