On Fri, Jan 13, 2012 at 11:45 AM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > On Fri, Jan 13, 2012 at 11:39 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: >> >> Is the current exec_no_trans check enough for you? With my patch, >> selinux can already block the execve if it wants. > > If this feature has "selinux can do xyz if it wants", it is broken. > > The *whole* point is to get the f*^%ing crazy "security managers can > do xyz" things away from it. > > The flag - when set - should give a 100% guarantee that security > context doesn't change, and an operation that would change it would > error out. > > Not a "selinux can block it if it wants". None of that "wants" crap. > None of the "you can configure security rules to do xyz" crap. > > One simple rule: no security changes from the context that set the flag. > > Any other rule will inevitably cause random gray areas where some > random security manager does something stupid. We have enough of those > already. No more. I'm confused. The patch does "no security context changes on execve". My interpretation of the flag is "LSMs, file caps, and suid/sgid, stay away". It does that. Users are welcome to shoot themselves in the foot with this behavior (e.g. by setting the flag, running something that selinux would otherwise have restricted, and getting it without the restrictions). If you are *already* in a selinux context that is forbidden from executing something without changing security context, then you can't execute the program. If no_new_privs is set or if you ask (via selinuxfs) for no transition, then execve fails when selinux refuses exec_no_trans. The exec_no_trans callback cannot *change* context -- it just asks whether *not* changing context is okay. I think this is exactly the desired behavior. And I misunderstanding you? (I can't speak for the AppArmor part of the patch -- I haven't looked closely enough. But I think we want the equivalent behavior on AppArmor.) If this behavior is *not* okay, then I would rather just have the flag disable execve entirely and consider execve_nosecurity instead. I don't want a situation where fancy seccomp/chroot/whatever apps don't even run on Fedora because of the mere existence of selinux policy. If we go that route, I'd rather they didn't run anywhere so the sandbox authors work around the problem appropriately. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html