On Mon, 23 Apr 2001 20:07:30 PDT, Seth Arnold <sarnoldat_private> said:

> Between t_0 and t_1, program Q could change the floor out from
> underneath P. When t_1 finally rolls around, the security domain D
> *would prevent* the execution. But at t_0, the security domain D said it
> *would allow* the execution.

On a related issue: from http://www.nsa.gov/selinux/doc/slinux-200104121417/node13.html

"One additional access vector is returned if notification support is enabled in the kernel configuration. The notify access vector contains the set of permissions for which the security_notify_perm function should be called when the operation associated with the permission has successfully completed. This vector permits the security server to request that the AVC component notify the security server of the successful completion of operations so that the security server may base its decisions on the history of operations in the system. This differs from merely basing decisions on the history of granted permissions, since an operation may still fail due to other conditions even if permission is granted for that operation. ....."

We may need another few hooks here and there - their logic is correct.

An LSM might get called on a hook for a socket()/connect() call to an external host, give an OK - but the connect() fails for *other* reasons (host unreachable, etc). The LSM may want to know that, as additional information - if the process then does another connect() to another host, after a failure on the first, that indicates a process working its way down multiple A records for a host. If the first connect() *worked*, and the process is opening another connection *anyhow*, that might be a scanner or other bad things in progress..

An open() might be authorized but then fail because a file system is out of inodes - the LSM may want to know that, because it may indicate a DOS attack in progress..

And so on...
/Valdis

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
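A user-space sketch of the history-based decision described in the message above, added here as an example; it is not code from the LSM or SELinux projects. The names `notify_completion`, `proc_hist` and the verdict values are hypothetical, and the callback is assumed to fire only after an operation that was already permitted has completed, with its result code.

```c
#include <errno.h>

/* Hypothetical verdicts a history-aware module could derive. */
enum verdict { V_NORMAL, V_FALLBACK, V_SUSPECT_SCAN, V_RESOURCE_EXHAUSTION };
enum op { OP_CONNECT, OP_OPEN };

#define MAX_PROCS 64

/* Per-process history: outcome of the most recent permitted connect(). */
struct proc_hist {
    int pid;
    int have_connect;      /* a previous connect() completion was seen */
    int last_connect_err;  /* 0 on success, otherwise the errno value */
    unsigned last_host;    /* IPv4 address of that connect() */
};

static struct proc_hist table[MAX_PROCS];  /* zero-initialised */
static int nprocs;

static struct proc_hist *lookup(int pid)
{
    for (int i = 0; i < nprocs; i++)
        if (table[i].pid == pid)
            return &table[i];
    if (nprocs == MAX_PROCS)
        return 0;
    table[nprocs].pid = pid;
    return &table[nprocs++];
}

/* Called after a *permitted* operation completes; err is 0 or an errno. */
enum verdict notify_completion(int pid, enum op op, unsigned host, int err)
{
    struct proc_hist *h;
    enum verdict v = V_NORMAL;

    if (op == OP_OPEN)  /* granted open() that failed for lack of inodes/space */
        return err == ENOSPC ? V_RESOURCE_EXHAUSTION : V_NORMAL;
    h = lookup(pid);
    if (!h)
        return V_NORMAL;  /* table full: no history, no judgement */
    if (h->have_connect && h->last_host != host)  /* a different host this time */
        v = h->last_connect_err ? V_FALLBACK : V_SUSPECT_SCAN;
    h->have_connect = 1;
    h->last_connect_err = err;
    h->last_host = host;
    return v;
}
```

The verdict depends on the result of the previous connect(), which a hook that only sees the permission check cannot observe.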