Re: [Keyrings] [PATCH] Keys: Add LSM hooks for key management

From: James Morris
Date: Thu Oct 06 2005 - 10:05:13 EST


On Thu, 6 Oct 2005, David Howells wrote:

> > Agree, in fact, I think we should always aim to keep housekeeping hooks
> > separate from access control hooks.
>
> What do you mean by separate? And this provides a chance for the LSM to deny
> the creation of a key before it's published.

Separate in terms of providing clear semantics in the API, so that you
know a hook is either used for housekeeping (allocation, deallocation etc)
or for access control. But this is only an aim, an if it makes sense to
combine housekeeping and access control functions in some specific
instance, then so be it.


> > Access checks seem to be usually done before this point via
> > lookup_user_key(), which is ideal.
>
> Eh? lookup_user_key()? That's not necessarily called before, not if you're
> creating a key.

I thought this was generally called before key operations.

For example, sys_add_key() calls it with KEY_WRITE against the destination
keyring.

> > > This is odd, esp since nothing could have failed between alloc and
> > > publish. Only state change is serial number. Would you expect the
> > > security module to update a label based on serial number?
> >
> > I don't think SELinux would care about this yet. If so, the hook can be
> > added later.
>
> Auditing?

SELinux does not audit object creation, it will sometimes use a _post hook
to update its internal state or perform the access control check for
creating the object.


- James
--
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/