Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110620154429.GA12879@albatros>
Date: Mon, 20 Jun 2011 19:44:29 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Serge Hallyn <serge.hallyn@...onical.com>
Cc: Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, apparmor@...ts.ubuntu.com,
	"selinux@...ho.nsa.gov Stephen Smalley" <sds@...ho.nsa.gov>,
	James Morris <jmorris@...ei.org>,
	Eric Paris <eparis@...isplace.org>,
	John Johansen <john.johansen@...onical.com>,
	kernel-hardening@...ts.openwall.com, serge@...lyn.com
Subject: Re: [RFC v2] security: intoduce ptrace_task_may_access_current

On Mon, Jun 20, 2011 at 10:00 -0500, Serge Hallyn wrote:
> > >diff --git a/kernel/capability.c b/kernel/capability.c
> > >index 283c529..bc9b07f 100644
> > >--- a/kernel/capability.c
> > >+++ b/kernel/capability.c
> > >@@ -356,6 +356,30 @@ bool capable(int cap)
> > >  }
> > >  EXPORT_SYMBOL(capable);
> > >
> > >+bool task_capable(struct task_struct *task, int cap)
> > >+{
> > >+	return ns_task_capable(task,&init_user_ns, cap);
> > >+}
> > >+EXPORT_SYMBOL(task_capable);
> > 
> > Why do we keep adding things like task_capable?  Can't we just stop
> > adding non-lsm functions and just call the right LSM functions from
> > now on?  This is my original comments mostly directed at Serge.  I'm
> > to the point where I want to NAK anything new in kernel/capability.c
> > (and yes, I know i'm guilty in the paste)
> > 
> > >+bool ns_task_capable(struct task_struct *task, struct user_namespace *ns, int cap)
> 
> Can you just use has_ns_capability() at the places where you wanted to
> use your new ns_task_capable()?  It won't set PF_SUPERPRIV, but you
> can't set that on another task anyway IIRC.

has_ns_capability() doesn't touch LSMs, but ns_task_capable() uses
security_task_capable() which uses LSMs.

Actually, I'm a bit confused in sense of what capable functions should
be used in specific cases.  Where we need to inform LSM and where not.
I don't want to bypass LSMs where it should not do it otherwise.  In the
patch I've copied alredy existing behaviour leaving LSM iteraction
as-is.


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.