[apparmor] [RFC][PATCH 0/7] File descriptor labeling

Casey Schaufler casey at schaufler-ca.com
Wed May 4 17:34:51 UTC 2011


On 5/4/2011 1:47 AM, Roberto Sassu wrote:
> On Wednesday, May 04, 2011 01:58:00 AM John Johansen wrote:
>> ....
>> I have to agree with Casey. Generally, looping back through the vfs should
>> be using the user's credentials.  This doesn't even stop you opening the
>> lower file with a different set of permissions (e.g. rw while the upper
>> is opened with r).
> Hi Casey and John
>
> my patch set does not modify this behavior:  VFS calls on upper inodes
> made by user processes and VFS calls (read/write) made by eCryptfs
> on lower inodes still use the user's credentials.
>
> In addition, SELinux provides a model for file descriptors. They may be
> opened by another subject (which provided its own credentials) and
> other processes need the 'use' permission for those file descriptors
> other than permissions for related inodes.
>
> This means that, even if eCryptfs opens lower inodes with its own
> credentials, user processes still need permissions to read/write both
> upper and lower inodes.
>
> One benefit of allowing eCryptfs to provide its own credentials is that
> user processes must be granted only strictly required permissions.
>
> Roberto Sassu

My point is that you should be able to achieve all of what you
say you want to do without introducing the LSM changes you are
proposing.



