[Top] [All Lists]

Re: [PATCH] fs/vfs/security: pass last path component to LSM on inode cr

To: John Stoffel <john@xxxxxxxxxxx>
Subject: Re: [PATCH] fs/vfs/security: pass last path component to LSM on inode creation
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Thu, 09 Dec 2010 10:52:21 -0500
Cc: xfs-masters@xxxxxxxxxxx, linux-btrfs@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-ext4@xxxxxxxxxxxxxxx, cluster-devel@xxxxxxxxxx, linux-mtd@xxxxxxxxxxxxxxxxxxx, jfs-discussion@xxxxxxxxxxxxxxxxxxxxx, ocfs2-devel@xxxxxxxxxxxxxx, reiserfs-devel@xxxxxxxxxxxxxxx, xfs@xxxxxxxxxxx, linux-mm@xxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, chris.mason@xxxxxxxxxx, jack@xxxxxxx, akpm@xxxxxxxxxxxxxxxxxxxx, adilger.kernel@xxxxxxxxx, tytso@xxxxxxx, swhiteho@xxxxxxxxxx, dwmw2@xxxxxxxxxxxxx, shaggy@xxxxxxxxxxxxxxxxxx, mfasheh@xxxxxxxx, joel.becker@xxxxxxxxxx, aelder@xxxxxxx, hughd@xxxxxxxxxx, jmorris@xxxxxxxxx, sds@xxxxxxxxxxxxx, eparis@xxxxxxxxxxxxxx, hch@xxxxxx, dchinner@xxxxxxxxxx, viro@xxxxxxxxxxxxxxxxxx, tao.ma@xxxxxxxxxx, shemminger@xxxxxxxxxx, jeffm@xxxxxxxx, paul.moore@xxxxxx, penguin-kernel@xxxxxxxxxxxxxxxxxxx, casey@xxxxxxxxxxxxxxxx, kees.cook@xxxxxxxxxxxxx, dhowells@xxxxxxxxxx
In-reply-to: <19712.61515.201226.938553@xxxxxxxxxxxxxxxxx>
References: <20101208194527.13537.77202.stgit@xxxxxxxxxxxxxxxxxxxx> <19712.61515.201226.938553@xxxxxxxxxxxxxxxxx>
On Thu, 2010-12-09 at 10:05 -0500, John Stoffel wrote:
> >>>>> "Eric" == Eric Paris <eparis@xxxxxxxxxx> writes:

> So what happens when I create a file /home/john/shadow, does selinux
> (or LSM in general) then run extra checks because the filename is
> 'shadow' in your model?  

It's entirely a question of labeling and one that was discussed on the
LSM list in some detail:


The basic synopsis is that when a new inode is created SELinux must
apply some label.  It makes the decision for what label to apply based
on 3 pieces of information.

The label of the parent inode.
The label of the process creating the new inode.
The 'class' of the inode, S_ISREG, S_ISDIR, S_ISLNK, etc

This patch adds a 4th piece of information, the name of the object being
created.  An obvious situation where this will be useful is devtmpfs
(although you'll find other examples in the above thread).  devtmpfs
when it creates char/block devices is unable to distinguish between kmem
and console and so they are created with a generic label.  hotplug/udev
is then called which does some pathname like matching and relabels them
to something more specific.  We've found that many people are able to
race against this particular updating and get spurious denials in /dev.
With this patch devtmpfs will be able to get the labels correct to begin

I'm certainly willing to discuss the security implications of this
patch, but that would probably be best done with a significantly
shortened cc-list.  You'll see in the above mentioned thread that a
number of 'security' people (even those who are staunchly anti-SELinux)
recognize there is value in this and that it is certainly much better
than we have today.

> I *think* the overhead shouldn't be there if SELINUX is disabled, but
> have you confirmed this?  How you run performance tests before/after
> this change when doing lots of creations of inodes to see what sort of
> performance changes might be there?

I've actually recently done some perf testing on creating large numbers
of inodes using bonnie++, since SELinux was a noticeable overhead in
that operation.  Doing that same test with SELinux disabled (or enabled)
I do not see a noticeable difference when this patch is applied or not.
It's just an extra argument to a function that goes unused.


<Prev in Thread] Current Thread [Next in Thread>