Tetsuo Handa
pengu****@I-lov*****
Thu Dec 23 14:17:38 JST 2010
David Howells wrote ( http://marc.info/?l=linux-security-module&m=129303225204910&w=2 ): > > Both kernels did not check other permissions (e.g. create, unlink, rename) > > at all (probably because security_path_*() are not called when cache files > > are manipulated). > > I think the security_path_*() functions postdate the inclusion of CacheFiles > upstream. This needs to be addressed. It's not affected me directly thus far, > so I haven't come across it yet. I proposed inserting security_path_*() functions into only pre VFS helper functions. This was my intention that only pathnames supplied from userspace are checked so that users can enumerate pathnames without being bothered by kernel internal business (e.g. filesystem needs to access pathname which was not supplied from userspace). > Furthermore, as mentioned above, CacheFiles needs updating to make use of > path-based security, and TOMOYO should offer the administrator the option to > nominate a context from which the kernel will manipulate the filesystem. Well, I prefer enabling both inode based MAC (e.g. SELinux/Smack) and name based MAC (e.g. TOMOYO/AppArmor) at the same time. The reason why name based MAC checks filename is that filename has meaning. Filename determines (1) whether application can find the file or not (2) for what purpose the file is used if access to that file is granted . Therefore, name based MAC strictly restricts pathname changes. However, checking filenames like /var/fscache/cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...DB1ry makes little sense because they are merely sequential (or random) names. Our concerns regarding cachefilesd are mostly (3) whether application can access the cached files or not (4) what security label should be assigned to cached files . Definitely inode based MAC can do better. Anyway, we want below patch if we adopt your patch. ERROR: "security_path_rename" [fs/cachefiles/cachefiles.ko] undefined! ERROR: "security_path_unlink" [fs/cachefiles/cachefiles.ko] undefined! ERROR: "security_path_mkdir" [fs/cachefiles/cachefiles.ko] undefined! Regards. -------------------- From 861f928bff6de99e0cfad54fa0cf803d35080a29 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <pengu****@I-lov*****> Date: Thu, 23 Dec 2010 11:33:16 +0900 Subject: [PATCH] Export security_path hooks for cachefiles. cachefiles module calls security_path hooks. Export them. Signed-off-by: Tetsuo Handa <pengu****@I-lov*****> --- security/security.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/security/security.c b/security/security.c index 1b798d3..568b98d 100644 --- a/security/security.c +++ b/security/security.c @@ -360,6 +360,7 @@ int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode) return 0; return security_ops->path_mkdir(dir, dentry, mode); } +EXPORT_SYMBOL(security_path_mkdir); int security_path_rmdir(struct path *dir, struct dentry *dentry) { @@ -374,6 +375,7 @@ int security_path_unlink(struct path *dir, struct dentry *dentry) return 0; return security_ops->path_unlink(dir, dentry); } +EXPORT_SYMBOL(security_path_unlink); int security_path_symlink(struct path *dir, struct dentry *dentry, const char *old_name) @@ -400,6 +402,7 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry, return security_ops->path_rename(old_dir, old_dentry, new_dir, new_dentry); } +EXPORT_SYMBOL(security_path_rename); int security_path_truncate(struct path *path) { -- 1.6.1