[PATCH] fs/vfs/security: pass last path component to LSM on inode creation
Serge Hallyn
serge.hallyn at canonical.com
Thu Dec 9 11:05:49 EST 2010
Quoting John Stoffel (john at stoffel.org):
> >>>>> "Eric" == Eric Paris <eparis at redhat.com> writes:
>
> Eric> SELinux would like to implement a new labeling behavior of newly
> Eric> created inodes. We currently label new inodes based on the
> Eric> parent and the creating process. This new behavior would also
> Eric> take into account the name of the new object when deciding the
> Eric> new label. This is not the (supposed) full path, just the last
> Eric> component of the path.
>
> Eric> This is very useful because creating /etc/shadow is different
> Eric> than creating /etc/passwd but the kernel hooks are unable to
> Eric> differentiate these operations. We currently require that
> Eric> userspace realize it is doing some difficult operation like that
> Eric> and than userspace jumps through SELinux hoops to get things set
> Eric> up correctly. This patch does not implement new behavior, that
> Eric> is obviously contained in a seperate SELinux patch, but it does
> Eric> pass the needed name down to the correct LSM hook. If no such
> Eric> name exists it is fine to pass NULL.
>
> I've looked this patch over, and maybe I'm missing something, but how
> does knowing the name of the file really tell you anything, esp when
> you only get the filename, not the path? What threat are you
> addressing with this change?
Like you, I keep thinking back to this patch and going back and forth.
But to answer your question: in some cases, the name of the file
(plus the context of the directory in which it is created) can tell
you what assumptions userspace will make about it. And userspace most
definately is a part of the TCB, i.e. /bin/passwd and /bin/login.
-serge
More information about the linux-mtd
mailing list