Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751761AbbEQDya (ORCPT <rfc822;w@1wt.eu>);
	Sat, 16 May 2015 23:54:30 -0400
Received: from www262.sakura.ne.jp ([202.181.97.72]:51574 "EHLO
	www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750849AbbEQDyX (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sat, 16 May 2015 23:54:23 -0400
To: casey@schaufler-ca.com
Cc: jmorris@namei.org, james.l.morris@oracle.com,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org,
        pmoore@redhat.com, john.johansen@canonical.com, sds@tycho.nsa.gov,
        eparis@redhat.com, keescook@chromium.org
Subject: Re: LSM: Basic module stacking infrastructure for security-next-Acked
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
References: <554D6BCD.7090009@schaufler-ca.com>
	<alpine.LRH.2.11.1505121501350.30679@namei.org>
	<5552D0ED.703@schaufler-ca.com>
	<201505152156.ICG18254.HFMOVJOOFLFStQ@I-love.SAKURA.ne.jp>
	<555780C3.7040303@schaufler-ca.com>
In-Reply-To: <555780C3.7040303@schaufler-ca.com>
Message-Id: <201505171253.DAJ51090.SOVOQOFJFtFHLM@I-love.SAKURA.ne.jp>
X-Mailer: Winbiff [Version 2.51 PL2]
X-Accept-Language: ja,en,zh
Date: Sun, 17 May 2015 12:53:55 +0900
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4239
Lines: 73

Casey Schaufler wrote:
> > I would like to propose revival of security_task_alloc()/security_task_free()
> > hooks. I have several single function modules which want to use these hooks.
> >
> > 4 years ago, I wrote
> > http://osdn.jp/projects/akari/scm/svn/blobs/head/branches/uuid4.c
> > which is targeted for restricting qemu processes managed via libvirtd process
> > with operations in case bugs like VENOM: QEMU vulnerability (CVE-2015-3456)
> > are discovered, without making system administrators' heads explode by
> > enforcing SELinux. When isolating processes, use of per "struct task_struct"
> > blob saves a lot of unnecessary duplication of per "struct cred" blob.
> >
> > Another module which want to use security_task_alloc()/security_task_free()
> > is kportreserve, which does not need to distinguish users but wants to cache
> > current thread's executable path. In general, my LSM modules try to distinguish
> > not users but processes. Therefore, per "struct task_struct" blob is convenient
> > for me.
> >
> > I could not afford proposing this kind of single function modules for mainline
> > at that time. But now, if we wish to accept this kind of modules, I can update
> > them and propose for mainline. (If we wish to keep this kind of modules away in
> > order to avoid getting security/ directory bloated, I'm OK with only exporting
> > security_hook_heads; I'll continue managing as out-of-tree LSM kernel modules.)
> >
> > If security_task_alloc()/security_task_free() come back (and optionally
> > "void *security" in "struct task_struct" also comes back), we can run
> > {SELinux,Smack,AppArmor}+TOMOYO now, for what TOMOYO is designed to use as
> > security blob is "struct task_struct"->security than "struct cred"->security.
> >
> > Can I again propose security_task_alloc()/security_task_free() hooks for
> > these single function modules and TOMOYO?
> 
> Although I agree with you that it makes more sense to hang task data
> off of the task structure than off of the cred structure I don't like
> the notion of having both. I wasn't heavily involved in the cred split
> (and was not then and not now a fan of it) and missed the discussion
> about why the security blob is included in the cred. But, that's where
> it ended up. I would have no objection to moving the blob from the cred
> to the task, although I expect there are reasons for it to remain
> where it is.

My understanding is that "struct cred" was introduced in order to allow
switching all user-related attributes atomically, and "struct cred"->security
was introduced because it was one of user-related attributes which should be
switched among with other user-related attributes. Also, subjective / objective
creds distinction was introduced in order to allow overriding these
user-related attributes without affecting inter-process operations.

> 
> For now at least, I propose that we leave the security blob in the cred.

We can't move "struct cred"->security back to "struct task_struct"->security
because SELinux wants to switch all user-related attributes atomically. But
TOMOYO can't utilize "struct cred"->security well because it is not allowed
to modify "struct cred"->security when TOMOYO wants to use it as per
"struct task_struct" attributes.

Yama uses security_task_free() but does not need security_task_alloc()
because Yama does not need to inherit per "struct task_struct" entry to
fork()ed process. But TOMOYO needs security_task_alloc() to inherit it.
Even without reviving "struct task_struct"->security , TOMOYO can manage like
Yama's "struct ptrace_relation" if security_task_alloc() is available.

> I will be proposing mechanisms for dealing with that pesky "void *security"
> shortly. During the time I've been working on stacking I've identified
> a veritable plethora of ways to address the issue. I am putting together
> a menu of options and a set of arguments to help guide an open debate on
> which suits the current state and direction of the kernel best.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/