tech-security archive
Re: secmodel_register(9) API
hi,
> On Tue, 29 Nov 2011 11:13:01 +0000 (UTC), yamt%mwd.biglobe.ne.jp@localhost
> wrote:
>>> Reviews before merge welcome. If nobody raises his voice, I'll proceed
>>> to commit it at the end of the week.
>>
>> I hesitate to complicate kauth-related locking rules, given that it's
>> already broken. Have you checked if it's safe for these listeners to
>> sleep? (rw_enter can sleep.)
>
> I would say yes; the current patch uses secmodel_eval(9) for "curtain"
> mode, and it's only applicable to kauth(9) listeners for:
> - socket "cansee" KAUTH_REQ_NETWORK_SOCKET_CANSEE
> - process KAUTH_REQ_PROCESS_CANSEE_{ARGS,ENTRY,OPENFILES}.
>
> All these listeners should have process context, so they may sleep.
>
> Perhaps I can put pserialize(9) to good use there. Updates to
> secmodel(9) are not expected to happen that often... You want me to
> have a look? That would make it lock-free even from softints.
If you are interested, please.
See the XXX in kauth_authorize_action_internal.
>
>> I thought the purpose of these secmodels was to localize the knowledge
>> of suser, securelevel, etc. secmodel_eval seems to contradict that.
>
> Exactly, that's the point. See below.
>
>> if anyone outside of the securelevel secmodel really needs to query
>> securelevel, doesn't it mean the variable just ought to be exported
>> in a normal way?
>
> "normal way" is quite difficult to define in the context of modules
> dynamic loading.
>
> Consider user_set_cpu_affinity: if the sysctl cannot be set any more
> when securelevel is above or below a threshold, checking for the
> securelevel variable means that this sysctl has a strong dependency on
> securelevel (or else, it won't be able to get the variable). So if you
> want to still provide this sysctl but without having securelevel loaded,
> you are screwed: it's part of this module.
>
> There are orthogonal requirements there: secmodels define a security
> policy, but there are situations where one would like to allow certain
> operations (different from default policy), but without putting a strong
> requirement on a specific secmodel(9). Having to load securelevel just
> to provide this sysctl is nonsense.
I don't understand the example.
Your diff doesn't seem to do secmodel_eval("securelevel") at all.
>
> Same goes for suser (which controls rights for superuser):
> curtain/usermounts are not really a suser policy, rather an extension
> from it. Hence the secmodel_extensions stuff.
I don't understand what would be a suser policy and what would be an extension.
Can you explain your criteria?
YAMAMOTO Takashi
>
> --
> Jean-Yves Migeon
> jeanyves.migeon%free.fr@localhost
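The decoupling Jean-Yves argues for above (a sysctl handler that can ask "securelevel" a question by name, and keeps working when that secmodel is not loaded) can be sketched in userland C. This is a constructed toy added here for illustration; it is not NetBSD's kauth(9)/secmodel(9) code and not the patch under review. The `toy_` names, the `toy_secmodel_eval` signature, the `"is-above"` query string and the `user_set_cpu_affinity` handler are all assumptions, and the toy deliberately models only the loose-coupling point, not the locking question raised in the thread.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed toy model, not NetBSD code: a by-name secmodel registry so
 * that a caller can ask "securelevel" a question without linking against
 * it, and gets an error instead when that secmodel is not loaded.  The
 * toy_ names, the "is-above" query and the sysctl handler are assumptions.
 */

typedef int (*toy_eval_fn)(const char *what, void *arg, void *ret);

struct toy_secmodel { const char *id; toy_eval_fn eval; };

#define TOY_MAX_SECMODELS 4
static struct toy_secmodel toy_registry[TOY_MAX_SECMODELS];

static struct toy_secmodel *
toy_lookup(const char *id)
{
	for (size_t i = 0; i < TOY_MAX_SECMODELS; i++)
		if (toy_registry[i].id != NULL && strcmp(toy_registry[i].id, id) == 0)
			return &toy_registry[i];
	return NULL;
}

/* Register an evaluator: EEXIST if `id` is taken, ENOMEM if the table is full. */
int
toy_secmodel_register(const char *id, toy_eval_fn eval)
{
	if (toy_lookup(id) != NULL)
		return EEXIST;
	for (size_t i = 0; i < TOY_MAX_SECMODELS; i++) {
		if (toy_registry[i].id == NULL) {
			toy_registry[i].id = id;
			toy_registry[i].eval = eval;
			return 0;
		}
	}
	return ENOMEM;
}

/* Unregister (module unload): ENOENT if `id` was never registered. */
int
toy_secmodel_deregister(const char *id)
{
	struct toy_secmodel *sm = toy_lookup(id);
	if (sm == NULL)
		return ENOENT;
	sm->id = NULL;
	sm->eval = NULL;
	return 0;
}

/* Ask secmodel `id` to evaluate `what`; EINVAL when it is not loaded. */
int
toy_secmodel_eval(const char *id, const char *what, void *arg, void *ret)
{
	struct toy_secmodel *sm = toy_lookup(id);
	return sm == NULL ? EINVAL : sm->eval(what, arg, ret);
}

/* The securelevel secmodel: the variable itself is visible only in here. */
static int toy_securelevel;

void toy_securelevel_set(int level) { toy_securelevel = level; }

static int
toy_securelevel_eval(const char *what, void *arg, void *ret)
{
	if (strcmp(what, "is-above") != 0)
		return ENOENT;		/* unknown query */
	*(bool *)ret = toy_securelevel > *(const int *)arg;
	return 0;
}

int toy_securelevel_load(void) { return toy_secmodel_register("securelevel", toy_securelevel_eval); }
int toy_securelevel_unload(void) { return toy_secmodel_deregister("securelevel"); }

/*
 * A hypothetical user_set_cpu_affinity sysctl handler that does not link
 * against securelevel.  When the secmodel is loaded and reports the level
 * as above 0 the write is refused; when it is not loaded the query fails
 * and the handler falls back to its default policy of allowing the write.
 */
static int toy_user_set_cpu_affinity = 1;

int
toy_sysctl_user_set_cpu_affinity(int newval)
{
	int threshold = 0;
	bool locked = false;

	if (toy_secmodel_eval("securelevel", "is-above", &threshold, &locked) == 0 && locked)
		return EPERM;
	toy_user_set_cpu_affinity = newval;
	return 0;
}

int toy_get_user_set_cpu_affinity(void) { return toy_user_set_cpu_affinity; }
```

The point to notice is the failure path of `toy_secmodel_eval`: with the securelevel secmodel absent the lookup returns EINVAL rather than failing to link, so the handler falls back to its own default policy. Whether such a fallback is the right default is exactly the policy question the thread leaves open; the toy only shows that the dependency becomes a runtime lookup instead of a symbol reference.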