Re: gnome-keyring Question about ACL per storage item

[Stef Walter <stefw collabora co uk>]

On 2011-10-24 10:58, Elena Reshetova wrote:
> Thank you for the reply and explanations!
>  I fully agree that making ACL for applications without a reliable way
> to identify an application
>  (that maybe a collection of binaries, libraries and etc.) is pointless.
> However, I think current
> Linux already have mechanisms in place for doing this. Mainstream LSMs
> allow you to group
> applications to separate security contexts and therefore being able to
> distinguish between
>  them in a secure and reliable way. We are using Smack as our AC module
> and group applications
> in certain AC domains. In a run-time the smack label of a process
> defines the security context of this
> process. This is smth you can reply upon. Even if all applications are
> ruining with user session uid/gids,
> smack labels can be different and allow you to separate between
> applications. Also, update case is
> handled: updated application will get to run in the same domain, and
> therefore can access to the
> same set of security credentials/keys and etc.

Interesting, I'll do more reading about that. But I'm not looking
forward to the selinux - apparmor - smack debates.

> Handing shared libraries and plug-ins is smth really interesting, but
> can be solved for example
> via additional checks on mmap (LD_PRELOAD and similar mechanism are
> still going through
> the same mmap hook). There are other alternatives to solve a problem of
> loading untrusted code
>  to trusted applications, too.
> 
> Now about the X session. This maybe the only one actual current problem.
> However, if you run
> gnome-keyring-daemon with a separate smack label, things may become easier.
> I know that Casey has recently looked inside X server and he might have
> better suggestions on
> solving this problem.

Right, not an unsolveable problem, but one that needs a lot of work :)

Cheers,

Stef