tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: secmodel_register(9) API
(removing Elad from CC)
On Tue, 6 Dec 2011 01:27:22 +0100, Christoph Badura wrote:
secmodel_suser doesn't know about securelevel. secmodel_securelevel
doesn't know about root. Complete decoupling between models.
Yep. What about secmodel_extensions?
Okay, let's put that differently: enabling/disabling a security
feature like curtain has nothing to do with secmodel_suser(9)
itself. Curtain is a feature that says: "only owners of an object
can query information about it." So securelevel, suser, or bsd44...
do not intervene in this process, _except_ when you are root
(pragmatism always add exceptions). That's it.
That ("_except_ when you are root") works only by strongly coupling
curtain with secmodel_suser. The coupling is actually so strong that
you
cannot bring yourself to consider that asking "is-root" is not the
only
possible approach.
OK. Assuming that is the only possible way for the moment...
What you really want to do amounts to calling suser_isroot. You
could just
as well make that call directly and let the linker resolve the
symbol.
And when the suser() module is not loaded, it will get attached
automagically to kauth and register listeners. So you are overriding the
current kauth(9) ACLs because you called suser_isroot() from curtain,
without giving a chance to curtain to handle the module's absence
gracefully.
That way you would satisfy the requirement that secmodel_suser is
loaded
in a simple way.
You are asking for trouble by loading secmodel(9) automagically.
Instead you create a baroque interface that doesn't scale
and ends up doing the same thing just more complex and costly.
Fine; please point me to the part of the code where you can make calls
to functions (or fetch a symbol) found in a module(7), while still
permitting it to fail in a graceful manner. Automagically loading
security models is bad(tm).
So far in my books that is more bloat for no discernable gain.
Maybe there is some additional gain that I have missed in your
descriptions.
If so, please provide concrete examples.
You have two in secmodel_extensions, heh:
http://nxr.netbsd.org/xref/src/sys/secmodel/extensions/secmodel_extensions.c#228
http://nxr.netbsd.org/xref/src/sys/secmodel/extensions/secmodel_extensions.c#390
I think calling the introduction of a variadic function as interface
in
the kernel certainly warrants describing it as baroque.
Huh? The prototype is by no means variadic:
int secmodel_eval(const char *id, const char *what, void *arg, void
*ret);
All I see there: 4 arguments.
But the "am I root?" evaluation is more an exception than the rule
(a weak dependency). Turning curtain into a full fledged suser
extension because there is one slight divergence is problematic.
How is it "more an exception than the rule"? AFAICT if you need to
make
an exception for root on all decisions made by curtain then "am I
root"
needs to be evaluated for every call for a decision by curtain.
I'm not clear what you mean by "there is one slight divergence" and
how it
is problematic. Can you explain that with a concrete example?
It's a slight divergence because you have to let curtain handle the
exceptional condition ("caller is privileged and has the right to see
all objects").
It's problematic because the kauth abstraction makes this leaky. Just
provide me a patch with a solution that implements the current bsd44
logic, which means:
- suser
- securelevel
- curtain (at least), which:
- hides objects from people not owning them except root,
- can be enabled whenever you want (regardless of securelevel), but
cannot be disabled when securelevel is above 0.
Of course, try keeping the secmodel(9) separate. The point of
abstraction is to provide interfaces, not blend everything together.
It isn't difficult to imagine that curtain and usermount be
implemented
as separate, full-fledged secmodels with no knowledge about the
internals
of other secmodels. Of course, we would need an API enhancement to
ask
through the kauth system if the credential at hand is considered
privileged. Using that API would mean asking all active secmodels
whether
they consider the credential as privileged.
See above.
FWIW, by "planting" I meant "implementing".
Now that would be an interesting addition. And it would let you do
things
that weren't possible before.
Please stop with that one; me and Elad agreed right from the start
(I can send the private mails if you want them) that
secmodel_eval(9) _is_ _not_ meant as an alternative for
authorization call, and should never be used as such. It allows a
secmodel to expose internal code evaluation logic to the outside
world at his own discretion.
I have difficulty following you. What possible weight could you and
Elad
agreeing on something beforehand have on the outcome of a technical
discussion? Please explain.
Let's put more pragmatism to this discussion. Propose a correct
alternative to this, so we can compare both implementations. The patch
shouldn't be that hard to pull out, now that
curtain/usermount/user_set_cpu_affinity do not pollute
suser/securelebel/bsd44 any more.
I prefer reading code with actual solutions than thoughts and words.
Nothing is perfect right from the beginning, I know that.
You saw our solution; let's see yours.
--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
Home |
Main Index |
Thread Index |
Old Index