Re: Security issues with local filesystem caching
From: David Howells
Date: Thu Oct 26 2006 - 18:56:30 EST
Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> When the daemon writes the context value (a string) to the cachefiles
> module interface for a given cache, the cachefiles module would do
> something like the following:
This looks reasonable.
> SELinux would then provide selinux_secctx_to_secid() and
> selinux_cache_set_context() implementations; the former would just be call to
> selinux_string_to_sid(),
That sounds fairly easy.
> while the latter would require some new permission check to be defined
> unless we can treat this as equivalent to some existing operation.
So what does this actually check? I assume it checks that the process's
current context permits the use of the specified secid in this snippet:
/* Check permission of current to set this context. */
rc = security_cache_set_context(secid);
> You'll find that there is already a security_secid_to_secctx() hook defined
> for LSM, so the first hook just adds the other direction.
Okay.
> cache->secid = secid;
I was wondering if the cache struct should have a "void *security" that the LSM
modules can set, free and assert temporarily, but this sounds like it will do.
> Later, when going to create a file in that cache, the cachefiles module
> would do something like:
> /* Save and switch the fs secid for creation. */
> fssecid = security_getfssecid();
> security_setfssecid(cache->secid);
> <create file>
> /* Restore the original fs secid. */
> security_setfssecid(fssecid);
> SELinux would then provide selinux_getfsecid() and selinux_setfssecid()
> implementations that are just:
> u32 selinux_getfssecid(void)
> {
> struct task_security_struct *tsec = current->security;
> return tsec->create_sid;
> }
> void selinux_setfssecid(u32 secid)
> {
> struct task_security_struct *tsec = current->security;
> tsec->create_sid = secid;
> }
That sounds doable. I presume I should attend to fsuid/fsgid myself, much as
I'm doing now?
David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/