Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757185AbXFMTiP (ORCPT ); Wed, 13 Jun 2007 15:38:15 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752642AbXFMTh7 (ORCPT ); Wed, 13 Jun 2007 15:37:59 -0400 Received: from zombie.ncsc.mil ([144.51.88.131]:63094 "EHLO jazzdrum.ncsc.mil" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752594AbXFMTh6 (ORCPT ); Wed, 13 Jun 2007 15:37:58 -0400 Subject: Re: [RFC] TOMOYO Linux From: Stephen Smalley To: Toshiharu Harada Cc: Toshiharu Harada , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org In-Reply-To: <9d732d950706130722g12a22604p223381a8e281a4a1@mail.gmail.com> References: <466FA71C.1020309@nttdata.co.jp> <1181743635.17547.350.camel@moss-spartans.epoch.ncsc.mil> <9d732d950706130722g12a22604p223381a8e281a4a1@mail.gmail.com> Content-Type: text/plain Organization: National Security Agency Date: Wed, 13 Jun 2007 15:37:46 -0400 Message-Id: <1181763466.17547.502.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 X-Mailer: Evolution 2.8.3 (2.8.3-2.fc6) Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2754 Lines: 54 On Wed, 2007-06-13 at 23:22 +0900, Toshiharu Harada wrote: > 2007/6/13, Stephen Smalley : > > On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote: > > > Here are examples: > > > /bin/bash process invoked from mingetty: /sbin/mingetty /bin/bash > > > /bin/bash process invoked from sshd: /usr/sbin/sshd /bin/bash > > > /bin/bash process invoked from /bin/bash which was invoked from sshd: /usr/sbin/sshd /bin/bash /bin/bash > > > > Why can't you do this via SELinux domain transitions? That lets you do > > it by equivalence class rather than per-binary, and let's you just > > encode the security-relevant parts of the "invocation history" aka call > > chain. For example, the above could be expressed in SELinux policy > > already as: > > domain_auto_trans(getty_t, shell_exec_t, local_shell_t) > > domain_auto_trans(sshd_t, shell_exec_t, remote_shell_t) > > domain_auto_trans(remote_shell_t, shell_exec_t, remote_subshell_t) > > or whatever you like. But you don't have to keep extending it > > indefinitely when you don't need to distinguish in policy, so you might > > choose to entirely omit the last one, and just have it stay in > > remote_shell_t. > > The above SELinux policy looks similar to the one I wrote, but > that is not very true. Because in my example, path name corresponds to a file > while local_shell_t are bound to multiple. > I understand the advantages of label, but it needs to be > translated to human understandable form of path name. > So I think pathname based call chains are advantages for > at least auditing and profiling. Well, not to get into a debate, but think about whether "/usr/sbin/sshd /bin/bash" and "/sbin/mingetty /bin/bash" is more understandable to an administrator than "remote shell" vs. "local shell" - the label-based approach lets you map the low-level detail of individual programs/pathnames to abstract equivalence classes that are more understandable, not less. Further, think about the advantages of being able to encode only the security-relevant invocations, not all of them. On a different note, from a quick look, it looks like TOMOYO is AppArmor + invocation history from a user perspective. Plus a wider range of controls in your original implementation, but your LSM implementation seems to be just getting started and only deals with files. So what's the case for having a whole separate security module vs. a small extension to AppArmor? -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/