[PATCH v2 00/30] acl: add vfs posix acl api
Casey Schaufler
casey at schaufler-ca.com
Tue Sep 27 23:37:51 UTC 2022
On 9/27/2022 4:24 PM, Paul Moore wrote:
> On Tue, Sep 27, 2022 at 10:13 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> On 9/27/2022 12:41 AM, Christoph Hellwig wrote:
>>> On Mon, Sep 26, 2022 at 05:22:45PM -0700, Casey Schaufler wrote:
>>>> I suggest that you might focus on the acl/evm interface rather than the entire
>>>> LSM interface. Unless there's a serious plan to make ima/evm into a proper LSM
>>>> I don't see how the breadth of this patch set is appropriate.
>>> Umm. The problem is the historically the Linux xattr interface was
>>> intended for unstructured data, while some of it is very much structured
>>> and requires interpretation by the VFS and associated entities. So
>>> splitting these out and add proper interface is absolutely the right
>>> thing to do and long overdue (also for other thing like capabilities).
>>> It might make things a little more verbose for LSM, but it fixes a very
>>> real problem.
>> Here's the problem I see. All of the LSMs see xattrs, except for their own,
>> as opaque objects. Introducing LSM hooks to address the data interpretation
>> issues between VFS and EVM, which is not an LSM, adds to an already overlarge
>> and interface. And the "real" users of the interface don't need the new hook.
>> I'm not saying that the ACL doesn't have problems. I'm not saying that the
>> solution you've proposed isn't better than what's there now. I am saying that
>> using LSM as a conduit between VFS and EVM at the expense of the rest of the
>> modules is dubious. A lot of change to LSM for no value to LSM.
> Let's take a step back and look not just at the LSM changes, but the
> patchset as a whole. Forgive my paraphrasing, but what Christian is
> trying to do here is introduce a proper ACL API in the kernel to
> remove a lot of kludges, special-cases, etc. in the VFS layer,
> enabling better type checking, code abstractions, and all the nice
> things you get when you have nice APIs. This is admirable work, even
> if it does result in some duplication at the LSM layer (and below).
>
> It is my opinion that the impact to the LSM, both at the LSM layer,
> and in the individual affected LSMs is not significant enough to
> outweigh the other advantages offered by this patchset.
Hey, in the end it's your call. I agree that cleaning up kludgy code
is inherently good. I'm willing to believe that putting further effort
into the patch set to make the LSM aspects cleaner isn't cost effective.
If everyone else thinks this is the right approach, I don't need to
question it further.
More information about the Linux-security-module-archive
mailing list