On 21 Apr 2001, David Wagner wrote:

> Crispin Cowan wrote:
> >Applications that do want to learn this kind of thing normally use the
> >access() system call, and that call should continue to function.
>
> It may be relevant to also mention that applications that want to
> call access() or equivalent are also often broken, so any policy
> module that supports such apps might also be referred to as "broken"
> from another viewpoint. :-)

"What we have here, is a failure to communicate..."

It seems to me that we're at the end of a resolution of two schools of thought with regard to application design: security-aware-politeness and security-confident-directness.

Some of us have stated we'd like our applications to be able to query the module about their permissions/capabilities and code the applications to make decisions about how to proceed and provide meaningful information to the user over and above "permission denied.", others (mostly on the kernel hacking / security side) don't think it's desirable to provide this information because "information is power" and you don't want to hand off that sort of power to userspace.

I've jumped the fence, personally, after careful consideration. I don't see any persuasive reason WHY an application NEEDS to have the ability to map out policies in such a manner unless it's actually looking for holes. Just go ahead and open or bind or fork/exec ... and if it comes back failure tell the user/admin ... who would *theoretically* know about the policies and can make a decision about if it's appropriate for the program to do what it tried to do.

I don't think security-aware-polite programs are "broken" if they want to use access() to "size up the situation", but, it would seem to me, an advantage of an LSM in the first place is to harden the underbelly enough that applications DON'T REALLY NEED to provide too much of their own security checking on an application by application basis.

Good programs will never see the policy restrictions (once the poor bedraggled admin has them set up properly to support the program), and a cracked program... well, hopefully it'll run into a brick wall.

(Sorry, I tend to think in English before I think in C, but I'm setting up a system today stand alone and will apply the patches as they come along, and hopefully get some insight as to the "strategy" in a reverse sort of way... and generate less "noise" here. :))

Sincerely,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES            jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------
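
The two approaches discussed in this message, side by side, as an added example that is not part of the original post or of any LSM code: asking with access() before acting, versus attempting the open() and reporting the failure. The function names, messages and sample paths are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* "Ask first": access() then open(). The answer can be stale by the time
 * open() runs, and access() checks the real UID/GID rather than the
 * effective credentials open() uses, so the two calls can disagree. */
int open_after_access(const char *path, int flags)
{
    if (access(path, R_OK) != 0)
        return -errno;
    int fd = open(path, flags);
    return fd >= 0 ? fd : -errno;
}

/* "Just try": one call, and the kernel's answer is authoritative. On
 * failure, turn errno into a message the user or admin can act on.
 * Returns an fd >= 0, or -errno. Flags must not include O_CREAT. */
int open_and_report(const char *path, int flags, char *msg, size_t len)
{
    int fd = open(path, flags);
    if (fd >= 0) { snprintf(msg, len, "%s: opened", path); return fd; }
    int err = errno;
    switch (err) {
    case EACCES: case EPERM:
        snprintf(msg, len, "%s: denied by file permissions or security "
                 "policy; ask the administrator", path);
        break;
    case ENOENT:
        snprintf(msg, len, "%s: does not exist", path);
        break;
    default:
        snprintf(msg, len, "%s: %s", path, strerror(err));
    }
    return -err;
}

int main(void)
{
    char msg[256];
    /* Constructed sample paths; results depend on the local system. */
    const char *paths[] = { "/", "/nonexistent-lsm-demo/file", "/etc/shadow" };
    for (size_t i = 0; i < 3; i++) {
        int fd = open_and_report(paths[i], O_RDONLY, msg, sizeof msg);
        printf("%s\n", msg);
        if (fd >= 0) close(fd);
    }
}
```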
This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 06:26:03 PDT