[RFC][PATCH 00/10] Mount, FS, Block and Keyrings notifications [ver #3]
Andy Lutomirski
luto at amacapital.net
Thu Jun 6 18:51:01 UTC 2019
> On Jun 6, 2019, at 11:33 AM, Casey Schaufler <casey at schaufler-ca.com> wrote:
>
>> On 6/6/2019 10:11 AM, Andy Lutomirski wrote:
>>> On Thu, Jun 6, 2019 at 9:43 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
>>> ...
>>> I don't agree. That is, I don't believe it is sufficient.
>>> There is no guarantee that being able to set a watch on an
>>> object implies that every process that can trigger the event
>>> can send it to you.
>>>
>>> Watcher has Smack label W
>>> Triggerer has Smack label T
>>> Watched object has Smack label O
>>>
>>> Relevant Smack rules are
>>>
>>> W O rw
>>> T O rw
>>>
>>> The watcher will be able to set the watch,
>>> the triggerer will be able to trigger the event,
>>> but there is nothing that would allow the watcher
>>> to receive the event. This is not a case of watcher
>>> reading the watched object, as the event is delivered
>>> without any action by watcher.
>> I think this is an example of a bogus policy that should not be
>> supported by the kernel.
>
> At this point it's pretty hard for me to care much what
> you think. You don't seem to have any insight into the
> implications of the features you're advocating, or their
> potential consequences.
>
>
Can you try to spell it out, then? A mostly or fully worked out example might help.
As Stephen said, it looks like you are considering cases where there is already a full communication channel between two processes, and you’re concerned that this new mechanism might add a side channel too. If this is wrong, can you explain how?
More information about the Linux-security-module-archive
mailing list