A thread titled "[RFC PATCH 0/3] System call to switch user credentials" has started at https://lkml.org/lkml/2013/10/16/820 , and a switch_cred() syscall was proposed which will never be acceptable for TOMOYO. TOMOYO's security context must not be switched by anything but a successful do_execve() and a successful write to the securityfs interface.

Let me explain again. TOMOYO's security context represents the history of programs the current thread has successfully execve()d. That is, TOMOYO's security context is by definition per task_struct. TOMOYO's security context is always subjective == objective. TOMOYO's security context must not be switched, even temporarily, by any means other than a successful do_execve() and a successful write to the securityfs interface.

This patchset is a repost of https://lkml.org/lkml/2013/6/11/258 for fixing two of TOMOYO's long-standing bugs, which have existed since Linux 2.6.30, and it also protects TOMOYO from the subjective != objective problem described above.

Bug 1: TOMOYO has been unable to check the binary loader's permission upon execve(), because TOMOYO uses different permissions for the program passed to the execve() request and for the binary loader requested by that program, but TOMOYO was not able to distinguish them due to the lack of an ability to pass the proposed credential argument. An attempt to pass the proposed credential was made but was not successful because it broke DAC's behavior.

Bug 2: TOMOYO has been unable to remember that the current thread was once granted permission for managing policy, for there is no mechanism for cleanly allocating per-task_struct variables. As a result, TOMOYO needlessly has to check permission for updating policy whenever a line of policy is written. Also, if userspace once deleted a line that is needed for updating policy, the current thread (which should be able to update policy) fails to write the rest of the lines.
Variables associated with the copy-on-write credential do not help for fixing this bug, because TOMOYO may not be allowed to modify it when TOMOYO wants to modify it.

This patchset has four patches. Patches 1 and 2 are essentially a revival of LSM hooks which existed until Linux 2.6.28.

[PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.
[PATCH 2/4] LSM: Revive security_task_alloc() hook.
[PATCH 3/4] TOMOYO: Remember the proposed domain while in execve() request.
[PATCH 4/4] TOMOYO: Allow caching policy manager's state until execve() request.

 b/fs/exec.c                 |   1
 b/include/linux/security.h  |  11 +++
 b/kernel/fork.c             |   7 +
 b/security/capability.c     |   5 +
 b/security/security.c       |   5 +
 b/security/tomoyo/common.c  |  22 +++++-
 b/security/tomoyo/common.h  |  34 +++++++++
 b/security/tomoyo/tomoyo.c  | 163 +++++++++++++++++++++++++++++++++++++++++++--
 include/linux/security.h    |  10 ++
 security/capability.c       |   6 +
 security/security.c         |   5 +
 security/tomoyo/common.h    |   6 +
 security/tomoyo/tomoyo.c    |  32 ++++++++
 13 files changed, 298 insertions(+), 9 deletions(-)