Thread: 44 messages, 10 authors, 2019-06-12

Re: [PATCH 01/10] security: Override creds in __fput() with last fputter's creds [ver #3]

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2019-06-06 19:09:25
Also in: keyrings, linux-block, linux-fsdevel, linux-security-module, lkml

On 6/6/2019 10:18 AM, Andy Lutomirski wrote:
> On Thu, Jun 6, 2019 at 8:06 AM David Howells [off-list ref] wrote:
>> Andy Lutomirski [off-list ref] wrote:
>>
>>>> So that the LSM can see the credentials of the last process to do an fput()
>>>> on a file object when the file object is being dismantled, do the following
>>>> steps:
>>> I still maintain that this is a giant design error.
>> Yes, I know.  This was primarily a post so that Greg could play with the USB
>> notifications stuff I added.  The LSM support isn't resolved and is unchanged.
>>
>>> Can someone at least come up with a single valid use case that isn't
>>> entirely full of bugs?
>> "Entirely full of bugs"?
> I can say "hey, I have this policy that the person who triggered an
> event needs such-and-such permission, otherwise the event gets
> suppressed".  But this isn't a full use case, and it's buggy.  It's
> not a full use case because I haven't specified what my actual goal is
> and why this particular policy achieves my goals.  And it's entirely
> full of bugs because, as this patch so nicely illustrates, it's not
> well defined who triggered the event.  For example, if I exec a setuid
> process, who triggers the close?  What if I send the fd to systemd
> over a socket and immediately close my copy before systemd gets (and
> ignores) the message?  Or if I send it to Wayland, or to any other
> process?
>
> A file is closed when everyone is done with it.  Trying to figure out
> who the last intentional user of the file was seems little better than
> random guessing.  Defining a security policy based on it seems like a
> poor idea.
>
>> How would you propose I deal with Casey's requirement?  I'm getting the
>> feeling you're going to nak it if I try to fulfil that and he's going to nak
>> it if I don't.
> Casey, I think you need to state your requirement in a way that's well
> defined, and I think you need to make a compelling case that your
> requirement is indeed worth dictating the design of parts of the
> kernel outside LSM.

Err, no, I don't believe so. There's a whole lot more
going on in this discussion than just what's going on
within the LSMs. Using examples from the LSMs makes it
easier, because their policies are better defined than
the "legacy" policies are. The most important part of the
discussion is about ensuring that the event mechanism
doesn't circumvent the legacy policies. Yes, I understand
that you don't know what that means, or has to do with
anything.