Re: [PATCH 00/16] Permit filesystem local caching [try #3]
From: Stephen Smalley
Date: Mon Aug 13 2007 - 11:19:21 EST
On Sat, 2007-08-11 at 08:56 -0700, Casey Schaufler wrote:
> --- David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> >
> > > How would you expect an LSM that is not SELinux to interface with
> > > CacheFiles?
> >
> > You have to understand that I didn't know that much about the LSM interface,
> > so I asked advice of the Red Hat security people, who, naturally, pointed me
> > at the SELinux mailing list. I knew my stuff would have to work with SELinux
> > to be used with RH stuff.
>
> Sigh. So it's not only SELinux specific, but RedHat specific as well.
>
> > Furthermore, as you pointed out, there aren't any other LSM modules upstream
> > yet for me to work against. I would like CacheFiles to work with all LSM
> > modules in general, but I don't know how to do that yet.
>
> While neither is upstream you can certainly look at AppArmor and Smack,
> both of which have nefarious plans for getting upstream.
>
> > I'm open to suggestion as to how to modify things to support any LSM.
>
> It's been a long time since I dealt with file system cacheing, and
> that was under Unix, and I don't claim to have a working understanding
> of the internals of CacheFiles, but ...
>
> > Btw, do you understand the problems that CacheFiles has to deal with? If I
> > set this down clearly, this may help you or someone else suggest a better way
> > to do things.
> >
> > (1) Some random process tries to access a file on a network filesystem
> > (NFS example).
> >
> > (2) NFS goes to the cache to attempt to read the data from there prior to
> > going to the network.
> >
> > (3) The cache driver wants to access the files in the cache, but it's
> > running in the security context of either the aforementioned random
> > process, or one of FS-Cache's thread pool.
>
> I think that this is the point you should attack. Control the security
> characteristics of the cache driver properly and you shouldn't need the
> complexity that you're asking to introduce.
>
> > This security context, however, doesn't necessarily give it the rights
> > to access what's in the cache, so the driver has to be permitted to act
> > as a context appropriate to accessing the cache, without changing the
> > overall security context of the random process (which would impact
> > things trying to act on that process - kill() for example).
>
> Can you run the cache as an independent thread and send it messages
> rather than trying to do things in the context of the calling process?
> I know that that involves extra bookkeeppingg, but it's lots safer.
>
> > (4) Assuming the data is found in the cache, all well and good, but if it
> > isn't, the cache driver will have to create some files in the cache.
> >
> > Now, if the cache driver just went ahead and created the files, they
> > could end up with their own security contexts being derived from the
> > random process's security context, thus potentially making it
> > impossible
> > for other processes to access the cache.
>
> Yes, and the SELinux semantics for what label to give a file don't
> help much, either. The problem with the "act_as" interfaces is that
> I wouldn't expect them to be any more reliable than the old access()
> system call, which never really gave you a helpful answer.
>
> > So the file-creation part of the security context must also be
> > overridden temporarily, assuming that whatever LSM is in force has such
> > a concept.
>
> Ideally you want to be running in the right context to create the
> new file so that no one can use it and then label it "correctly"
> and make it available.
>
> > Part of the problem is that the VFS does not pass around the security context
> > as which the VFS routines act, but rather gets them from the task_struct.
>
> That's by design.
>
> > For
> > the most part, this is entirely sufficient, but in the cache driver case,
> > it's
> > a problem.
>
> The cache driver is a unique case with an unusual function. It's pretty
> obvious that the kernel architecture, the VFS architecture, LSM, SELinux,
> NFS and pretty much everyone else has given no thought whatever to the
> implications of their designs on file system cacheing. For all concerned,
> I'll say "sorry 'bout that".
Parts of it are unique, but some of the same issues crop up in nfs - we
will need a way there as well for nfsd to assume the client process'
label for permission checking and new file labeling purposes, and the
act_as hook is not fundamentally different than what nfsd does today
with the fsuid/fsguid, just applied to the security label.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/