In-Reply-To: <155966609977.17449.5624614375035334363.stgit@warthog.procyon.org.uk>
From: Andy Lutomirski
Date: Tue, 4 Jun 2019 10:43:32 -0700
Subject: Re: [RFC][PATCH 0/8] Mount, FS, Block and Keyrings notifications [ver #2]
To: David Howells
Cc: Al Viro, Casey Schaufler, raven@themaw.net, Linux FS Devel, Linux API, linux-block@vger.kernel.org, keyrings@vger.kernel.org, LSM List, LKML

On Tue, Jun 4, 2019 at 9:35 AM David Howells wrote:
>
>
> Hi Al,
>
> Here's a set of patches to add a general variable-length notification queue
> concept and to add sources of events for:

I asked before and didn't see a response, so I'll ask again. Why are
you paying any attention at all to the creds that generate an event?
It seems like the resulting security model will be very hard to
understand and probably buggy. Can't you define a sensible model in
which only the listener creds matter?

> LSM support is included:
>
>  (1) The creds of the process that did the fput() that reduced the refcount
>      to zero are cached in the file struct.
>
>  (2) __fput() overrides the current creds with the creds from (1) whilst
>      doing the cleanup, thereby making sure that the creds seen by the
>      destruction notification generated by mntput() appears to come from
>      the last fputter.

That looks like duct tape that is, at best, likely to be very buggy.

>
>  (3) security_post_notification() is called for each queue that we might
>      want to post a notification into, thereby allowing the LSM to prevent
>      covert communications.

This seems like the wrong approach. If an LSM wants to prevent covert
communication from, say, mount actions, then it shouldn't allow the
watch to be set up in the first place.