[PATCH v6 5/5] kernfs: initialize security of newly created nodes

Casey Schaufler casey at schaufler-ca.com
Thu Feb 21 16:52:33 UTC 2019

On 2/21/2019 1:13 AM, Ondrej Mosnacek wrote:
> On Tue, Feb 19, 2019 at 5:43 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> .....
>> The state you're maintaining is kernfs state, not LSM
>> infrastructure state. The state should be maintained in
>> kernfs, not in the LSM infrastructure.
> But I'm not maintaining any state. I'm merely trying to answer the
> query "Is there anything that will handle this hook? Do I need to
> prepare stuff for it?", which is obviously a query about the LSM
> state. Granted, ideally we wouldn't need to do any preparatory work at
> all, but that would require exposing more of the kernfs internals
> (which brings its own issues, but maybe I'll need to look into that
> approach more...).

It sounds like you're bumping up against the limitations
of the finely honed optimized implementation of kernfs. :(
If it were still the pre-Android era, when using an LSM
was rare, the check for an LSM might have made sense. Today,
with the vast majority of systems using LSMs*, optimizing for
the no LSM case is nonsensical.

* Android, Tizen, Fedora/RHEL, Ubuntu

> ...
>> Kernfs is an important component of the kernel. So is
>> the security infrastructure. I would hope you don't want
>> to turn this into a contest to see which maintainer has
>> the biggest clout.
> Oh, no, you misunderstood my intention. I just got a feeling that this
> thread was turning into a discussion about perceived code ugliness
> (and about which subsystem that ugliness ends up in), which is
> naturally a very subjective topic, so I wanted to know what is the
> opinion of the people that have the final decision about whether the
> code should get in or not. Anyway, I'll try to find a more elegant
> variant of the solution once again, hopefully I manage to get to
> something less controversial.

Thank you. I believe (which, of course, doesn't make it true)
that when a component goes outside the general system architecture
the way that kernfs does *even for performance reasons* that it is
responsible for the edge cases it encounters. I know that I've had
to do a good bit of that in Smack.

More information about the Linux-security-module-archive mailing list