Re: [PATCH 5/9] Make use of permissions, returned by kobj_lookup

From: Serge E. Hallyn
Date: Mon Mar 10 2008 - 16:35:57 EST


Quoting Greg KH (greg@xxxxxxxxx):
> On Sat, Mar 08, 2008 at 03:47:57PM -0600, Serge E. Hallyn wrote:
> > Quoting Greg KH (greg@xxxxxxxxx):
> > > On Fri, Mar 07, 2008 at 12:50:52PM -0600, Serge E. Hallyn wrote:
> > > > Quoting Greg KH (greg@xxxxxxxxx):
> > > > > On Fri, Mar 07, 2008 at 11:35:42AM -0600, Serge E. Hallyn wrote:
> > > > > > > Do you really want to run other LSMs within a containerd kernel? Is
> > > > > > > that a requirement? It would seem to run counter to the main goal of
> > > > > > > containers to me.
> > > > > >
> > > > > > Until user namespaces are complete, selinux seems the only good solution
> > > > > > to offer isolation.
> > > > >
> > > > > Great, use that instead :)
> > > >
> > > > That can't work as is since you can't specify major:minor in policy.
> > >
> > > Your LSM can not, or the LSM interface does not allow this to happen?
> >
> > No, my LSM in fact does; you just can't do it with selinux policy at the
> > moment. I was still responding to your "just use selinux" :)
>
> I never said "use selinux", do you think I am crazy? :)
>
> Just use your own lsm, that's all I recommended.
>
> > > > So all we could do again is simply refuse all mknod, which we can
> > > > already do with per-process capability bounding sets.
> > >
> > > I thought we passed that info down to the LSM module, can't you do your
> > > selection at that point in time?
> > >
> > > And then, just mediate open() like always, right?
> >
> > Yup, the patch I included inline does that.
>
> Great. But don't put that other file in the core kernel, put it in
> security/ please.
>
> > An LSM can address the problem. It just felt like more of a
> > patch-over-the-real-problem kind of solution.
>
> I disagree, it sounds exactly like what LSM is for.

Ok, I went ahead and recreated the two files I had lost by not
git-adding them. I suspect if we were to use this in place of Pavel's
patch, we'd want to switch the API over to what he was using? I think
Pavel and Paul Menage had fine-tuned his somewhat... If Pavel doesn't
gag, maybe we could just use his cgroup code minus the kobject code
plus the two LSM hooks?

-serge
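The two LSM hooks the thread talks about (mediating mknod and open against a per-container device whitelist keyed by major:minor, which the thread notes selinux policy could not express at the time) can be modelled outside the kernel as a small default-deny policy check. The following is an added example written for this page; it is not Serge's, Pavel's or Paul Menage's code, and the rule syntax (`c 1:3 rwm`, `b 8:* rw`, `a *:* rwm`), the `devpol_*` names and the sample rules are assumptions for illustration.

```c
/* Added example: userspace model of a per-container device whitelist,
 * the decision an inode_mknod / inode_permission LSM hook would make.
 * Rule syntax and function names are assumptions, not kernel API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEV_CHAR  1
#define DEV_BLOCK 2
#define DEV_ALL   (DEV_CHAR | DEV_BLOCK)

#define ACC_READ  1
#define ACC_WRITE 2
#define ACC_MKNOD 4

#define WILDCARD  (-1)        /* '*' in a rule matches any major/minor */
#define MAX_RULES 16

struct dev_rule {
    int type;                 /* DEV_CHAR, DEV_BLOCK or DEV_ALL */
    int major, minor;         /* WILDCARD or a concrete number */
    int access;               /* ACC_* bits the rule grants */
};

struct container_policy {
    struct dev_rule rules[MAX_RULES];
    int nrules;
};

/* Parse one rule such as "c 1:3 rwm", "b 8:* rw" or "a *:* rwm".
 * Returns 0 on success, -1 on malformed input. */
int devpol_parse_rule(const char *line, struct dev_rule *out)
{
    char tchar, majs[16], mins[16], accs[8];
    if (sscanf(line, " %c %15[^:]:%15s %7s", &tchar, majs, mins, accs) != 4)
        return -1;
    switch (tchar) {
    case 'c': out->type = DEV_CHAR;  break;
    case 'b': out->type = DEV_BLOCK; break;
    case 'a': out->type = DEV_ALL;   break;
    default:  return -1;
    }
    out->major = strcmp(majs, "*") == 0 ? WILDCARD : atoi(majs);
    out->minor = strcmp(mins, "*") == 0 ? WILDCARD : atoi(mins);
    out->access = 0;
    for (const char *p = accs; *p; p++) {
        switch (*p) {
        case 'r': out->access |= ACC_READ;  break;
        case 'w': out->access |= ACC_WRITE; break;
        case 'm': out->access |= ACC_MKNOD; break;
        default:  return -1;
        }
    }
    return 0;
}

int devpol_add_rule(struct container_policy *pol, const char *line)
{
    if (pol->nrules >= MAX_RULES)
        return -1;
    if (devpol_parse_rule(line, &pol->rules[pol->nrules]) < 0)
        return -1;
    pol->nrules++;
    return 0;
}

/* Default-deny: allowed (1) only if some rule covers this device type,
 * major and minor and grants every requested access bit; otherwise 0. */
int devpol_check(const struct container_policy *pol,
                 int type, int major, int minor, int access)
{
    for (int i = 0; i < pol->nrules; i++) {
        const struct dev_rule *r = &pol->rules[i];
        if (!(r->type & type))                          continue;
        if (r->major != WILDCARD && r->major != major)  continue;
        if (r->minor != WILDCARD && r->minor != minor)  continue;
        if ((r->access & access) != access)             continue;
        return 1;
    }
    return 0;
}

/* Constructed sample policy (an assumption for this example): the
 * container may open and mknod /dev/null (c 1:3) and read/write any
 * major-8 block device, but may not mknod block devices. */
struct container_policy *devpol_sample(void)
{
    static struct container_policy pol;
    pol.nrules = 0;
    devpol_add_rule(&pol, "c 1:3 rwm");
    devpol_add_rule(&pol, "b 8:* rw");
    return &pol;
}

int main(void)
{
    struct container_policy *pol = devpol_sample();
    printf("open  c 1:3 rw -> %d\n", devpol_check(pol, DEV_CHAR, 1, 3, ACC_READ | ACC_WRITE));
    printf("open  c 1:5 r  -> %d\n", devpol_check(pol, DEV_CHAR, 1, 5, ACC_READ));
    printf("mknod b 8:1 m  -> %d\n", devpol_check(pol, DEV_BLOCK, 8, 1, ACC_MKNOD));
    return 0;
}
```

The check is deliberately a whitelist: a device that no rule mentions is refused, so the fallback of "refuse all mknod via the capability bounding set" is the empty policy, and adding a `c 1:3 rwm` line is what lets a container create its own /dev/null without being able to create anything else.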