Re: A Comment from User Space

From: David Wagner (dawat_private)
Date: Mon Apr 23 2001 - 17:01:46 PDT

    richard offer wrote:
    >If that's what you want, do it, but ~20% of the programs I have data on use
    >access() broken or not.
    
    I don't mean to be rude, but: So what?  The above fact doesn't seem
    to harm the usability of Janus, in my experience.  If other policy
    modules want to make their extended security policy visible through
    access(), fine, but I have yet to hear a compelling argument why all
    module-writers should be required to do so whether they want to or not.
    This is a policy matter; leave it up to the policy modules to decide
    what policy is best.
    
    >"some applications (sendmail,id) because of their very nature, will need to
    >make policy decisions or display policy specific information. We should bear
    >this in mind when designing the LSM so that we do not stop this happening (we
    >don't need to do it in this project, we just need to make sure we don't stop
    >someone else from doing it).
    
    Give me an example of an important, security-critical app that makes
    security decisions based on the result of access().  I bet just about
    every app that uses access() in this way is already broken, and I've
    already explained why several times (TOCTOU holes,...).  access() is
    a fundamentally insecure interface, and if you're relying on it for
    security, you probably have a security hole.  Whether I want to support
    apps with a security hole or not is a policy decision, and I want
    policy module writers to be free to choose which policy they prefer.
    
    If you believe it is important to make these policies visible to apps,
    you may well be right, but (1) I'd argue that access() is probably not
    the right interface for doing so; and (2) this is a matter of policy.
    There's nothing preventing you from experimenting with ways of making
    policies visible to apps in your module.  If you want to, feel free.
    All I ask is that you not impose requirements on module-writers who
    have a different policy in mind than yours.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
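
The access()-then-open() pattern that the message calls fundamentally insecure, next to one common replacement, as an added example that is not part of the original message or of any Janus or LSM code. The `between` hook, the file names and the temporary directory are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: access() and open() each resolve the name on their own.
 * `between` (hypothetical hook) stands in for another process acting
 * on the path in the gap between the two calls. */
int open_after_access(const char *path, void (*between)(void)) {
    if (access(path, R_OK) != 0) return -1;
    if (between) between();
    return open(path, O_RDONLY);
}

/* Safer: one open() under the caller's real uid, so the kernel's
 * permission check and the open are the same operation. A setgid
 * program would switch the effective gid the same way. */
int open_as_real_user(const char *path) {
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int err = errno;
    if (seteuid(saved) != 0) abort();   /* never continue half-switched */
    errno = err;
    return fd;
}

/* Constructed scenario: the name is re-pointed between check and use. */
static char dir[] = "/tmp/toctouXXXXXX", a[64], b[64], name[64];
static void repoint(void) { unlink(name); if (symlink(b, name)) abort(); }

/* Returns 1 if the racy path handed back a file other than the one checked. */
int racy_opens_unchecked_file(void) {
    struct stat checked, opened;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/a", dir); snprintf(b, sizeof b, "%s/b", dir);
    snprintf(name, sizeof name, "%s/name", dir);
    close(open(a, O_CREAT | O_WRONLY, 0600)); close(open(b, O_CREAT | O_WRONLY, 0600));
    if (symlink(a, name) || stat(name, &checked)) return -1;
    int fd = open_after_access(name, repoint);
    int differs = (fd < 0 || fstat(fd, &opened)) ? -1 : checked.st_ino != opened.st_ino;
    if (fd >= 0) close(fd);
    unlink(name); unlink(a); unlink(b); rmdir(dir);
    return differs;
}
```
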
    