Re: Security issues with local filesystem caching

From: David Howells
Date: Thu Oct 26 2006 - 18:56:30 EST


Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> When the daemon writes the context value (a string) to the cachefiles
> module interface for a given cache, the cachefiles module would do
> something like the following:

This looks reasonable.

> SELinux would then provide selinux_secctx_to_secid() and
> selinux_cache_set_context() implementations; the former would just be call to
> selinux_string_to_sid(),

That sounds fairly easy.

> while the latter would require some new permission check to be defined
> unless we can treat this as equivalent to some existing operation.

So what does this actually check? I assume it checks that the process's
current context permits the use of the specified secid in this snippet:

/* Check permission of current to set this context. */
rc = security_cache_set_context(secid);

> You'll find that there is already a security_secid_to_secctx() hook defined
> for LSM, so the first hook just adds the other direction.

Okay.

> cache->secid = secid;

I was wondering if the cache struct should have a "void *security" that the LSM
modules can set, free and assert temporarily, but this sounds like it will do.

> Later, when going to create a file in that cache, the cachefiles module
> would do something like:
> /* Save and switch the fs secid for creation. */
> fssecid = security_getfssecid();
> security_setfssecid(cache->secid);
> <create file>
> /* Restore the original fs secid. */
> security_setfssecid(fssecid);
> SELinux would then provide selinux_getfsecid() and selinux_setfssecid()
> implementations that are just:
> u32 selinux_getfssecid(void)
> {
> struct task_security_struct *tsec = current->security;
> return tsec->create_sid;
> }
> void selinux_setfssecid(u32 secid)
> {
> struct task_security_struct *tsec = current->security;
> tsec->create_sid = secid;
> }

That sounds doable. I presume I should attend to fsuid/fsgid myself, much as
I'm doing now?

David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/