[RFC PATCH 0/2] Landlock network PoC implementation

Paul Moore paul at paul-moore.com
Fri Dec 10 23:01:19 UTC 2021


On Fri, Dec 10, 2021 at 11:57 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
> As I think you've realized, *sockets are not objects*. There
> isn't a way to justify them as objects without introducing
> ethereal or magical subjects that don't exist. Sockets are
> part of a process. OK, it's not that simple, and it would be
> foolish to deny that a socket may have security relevant
> properties. But they aren't objects.
>
> I strongly recommend that you follow Smack's example and
> use the sending task and receiving task attributes to make
> the decision. You may find that storing that information
> in the socket security blob is convenient.
>
> BTW - not everyone agrees with me on this topic. I'll leave
> the misguided to make their own arguments. ;)

I'm running low on my lets-argue-on-the-internet motivation today, but
I feel like I'm being goaded into some sort of comment so I will
simply offer SELinux as a rebuttal to Casey's comments.  I think that
either approach can be acceptable, it depends on how your security
model works and your comfort level with the various tradeoffs
associated with each approach.  I personally prefer the approach
SELinux has taken (minus some of the compat cruft we are saddled with,
not to mention the restrictions handed to us from netdev), but I'll
admit a certain level of bias in this.

--
paul moore
www.paul-moore.com


