Ok, so what I described was actually secure. Good.
30 minutes during installation does not seem "silly" to me.
And that race does not make it insecure, because of the open file
descriptors. Good.
You seem to imply it is security related; it is not. I can have open
files for hours or days.
And you do that exactly how, without the race? I do not think we have
a three_way_rename(name1, name2, name3) system call.
Notice that
1) mv can take minutes already if you move cross filesystem.
2) this is easily avoided by mv-ing somewhere with "same" permissions,
then doing quick moves when the daemon is done.
So you run inotify everywhere. IIRC beagle does it already.
Talking about dead ends... "just put path-based security module into
kernel" recently got pretty strong "NACK" from Christoph Hellwig (see
TOMOYO Linux thread), and I believe there was similar comment from Al
Viro in past. That seems to me as dead-endy as it gets. "mv takes 30
minutes" is road slightly covered with bushes... compared to that.
So we can either forget about AA completely, or take a way Christoph
did not "NACK". restorecond is such a way, and with inotify it should
be acceptable. find does _not_ take that long, not even for git trees.
pavel@amd:/data/l/linux$ time find . > /dev/null
0.04user 0.37system 11.50 (0m11.504s) elapsed 3.56%CPU
(If you wanted to be super-nice, you could introduce a rename() helper
into glibc that would do re-labeling synchronously, and only return
when it is done. All the nice applications call glibc anyway, and all
the exploits can't take advantage of it, because it is secure
already.)
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html