Date: Wed, 27 Jun 2007 17:17:54 -0700 (PDT)
From: Davide Libenzi
To: Nicholas Miell
cc: Hugh Dickins, Ulrich Drepper, blaisorblade@yahoo.it, Linux Kernel Mailing List
Subject: Re: [patch 2/3] MAP_NOZERO - implement sys_brk2()
In-Reply-To: <1182982309.2737.9.camel@entropy>

On Wed, 27 Jun 2007, Nicholas Miell wrote:

> 1) euid is not sufficient, you need to store away arbitrary LSM
> information and call LSM hooks to decide security equivalence. The same
> applies to VServer or whatever other container system you use.

The EUID that is used now can easily be any cookie. It can be an LSM cookie (if LSM is active in the system). We don't do complex checks, like group permission & Co. We assume that if a UID-cookie had such data available (or it generated it), it can have it back uncleared.

> 2) Two processes, A and B, are in separate VFS namespaces but have
> equivalent security identity according to LSM. Process A reads data from
> file F which is not visible in process B's namespace. You have to
> prevent process B from ever getting a page that once contained data from
> file F.

They have the *same* security identity. It means that at any time such security identity can access resources on both VFS (if it is allowed to access such resources - according to security rules in place, LSM or not). Data is either generated by the security identity, or it is faulted in (and it means that the security identity had the GO from the security provisioning to access such resource).

> 3) mlock() is often used by programs like GPG to prevent decrypted
> secret keys from ever getting swapped out. You need to zero all
> once-mlocked pages before they get reused to prevent that page from
> getting swapped to disk or application bugs from leaking the key.

GPG and other security software also memclear on top of mlock, to prevent such memory from staying alive at all. Just for example, you don't want, in any case, that after an munlock your app cores and your data goes down.

- Davide
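The reply's point on item 3 is that programs handling key material do not rely on the kernel zeroing pages for them: they wipe the buffer themselves before it is unlocked or freed, so the order of operations is what protects the secret regardless of whether a scheme like MAP_NOZERO hands the page to another process uncleared. The following C program is an added example written for this page; it is not code from the e-mail, from GPG, or from the kernel patch under discussion. The `secret_buf` type, the function names and the sample key bytes are all constructed for illustration. It uses the volatile-function-pointer idiom so the compiler cannot drop the wipe as a dead store, and it reports (rather than silently ignores) an `mlock()` failure such as hitting RLIMIT_MEMLOCK.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A memset reached through a volatile pointer: the compiler must assume
   the callee may change, so it cannot elide the "dead" store before free(). */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_wipe(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Hypothetical holder for pinned secret memory (constructed for this example). */
typedef struct {
    unsigned char *data;
    size_t len;     /* page-rounded allocation size */
    int locked;     /* 1 if mlock() succeeded, 0 if it was refused */
} secret_buf;

/* Allocate whole pages and pin them. Returns 0 on success, -1 on allocation
   failure. A refused mlock() is recorded in b->locked so the caller can decide
   whether unpinned memory is acceptable for this secret. */
int secret_alloc(secret_buf *b, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        page = 4096;
    size_t alloc = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = NULL;
    if (posix_memalign(&p, (size_t)page, alloc) != 0)
        return -1;
    b->data = p;
    b->len = alloc;
    b->locked = (mlock(p, alloc) == 0);
    return 0;
}

/* Release order matters: wipe first, because after munlock() the pages may be
   swapped out, and after free() they may be reused by another allocation
   (or, under a no-zero scheme, handed to another process) still holding the key. */
void secret_free(secret_buf *b)
{
    if (b->data == NULL)
        return;
    secure_wipe(b->data, b->len);
    if (b->locked)
        munlock(b->data, b->len);
    free(b->data);
    b->data = NULL;
    b->len = 0;
    b->locked = 0;
}

/* Returns 1 if every byte of the region is zero, else 0. */
int is_wiped(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Worked scenario: load a constructed 32-byte "key", confirm it is present,
   wipe it, and confirm nothing is left before the pages are released.
   Returns 1 when the wipe verifiably happened before release, 0 otherwise,
   -1 if the buffer could not be allocated. */
int demo_wipe_before_release(void)
{
    secret_buf b;
    if (secret_alloc(&b, 32) != 0)
        return -1;
    for (size_t i = 0; i < 32; i++)
        b.data[i] = (unsigned char)(0xA5 ^ i);   /* constructed key bytes */
    int before = is_wiped(b.data, b.len);        /* expect 0: key is present */
    secure_wipe(b.data, b.len);
    int after = is_wiped(b.data, b.len);         /* expect 1: nothing left */
    int locked = b.locked;
    secret_free(&b);
    printf("mlock %s; key present before wipe: %d; clean after wipe: %d\n",
           locked ? "succeeded" : "refused (RLIMIT_MEMLOCK?)", !before, after);
    return (before == 0 && after == 1) ? 1 : 0;
}

int main(void)
{
    return demo_wipe_before_release() == 1 ? 0 : 1;
}
```

Run as-is to see whether `mlock()` succeeded in your environment; the wipe-before-release check passes either way, which is the point: the zeroing does not depend on the kernel's page-recycling policy.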