Re: intercepting system calls

• Previous message: Stephen Smalley: "Re: intercepting system calls"
• In reply to: talgat_private: "Re: intercepting system calls"
• Next in thread: David Wagner: "Re: intercepting system calls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

talgat_private wrote:

> Crispin Cowan <crispinat_private> wrote:
> > I disagree about "not the unix way".  Precisely because file descriptors
> > are (kind of) capabilities, and they can be passed around in a lot of
> > sloppy ways,
>
> So there is only few ways I know of to pass file descriptors between
> processes.
>
> Through inheritance via. fork/clone.
> Through shared descriptor tables via. clone.
> Through descriptor passing via. sendmsg/recvmsg.

Agreed.


> > it is ineffective to pretend that restricting the right to
> > create such capabilities restricts the right to access the files.
>
> Fair enough, one still has to worry about core dumps for example.
> But there are few of these cases. In general I think that
> controlling access to descriptors provides an extremely effective
> mechanism for this.

And you're free to think that.  I disagree.


> >The
> > capabilities themselves must be mediated via read & write.  Or at least
> > the ability to allow some modules to mediate read & write must be
> > provided.
>
> Why?,

Because not everyone uses the same security model that you do.  Note that I'm
not saying that your module must mediate read and write, just that my module
(and I dare say others) do want to mediate read and write, and therefore the
LSM must provide read and write hooks.

In particular, quite apart from all the sneaky ways one can spread file
descriptors across processes, SubDomain supports confinement
WITHIN processes.  We do not believe that we can control the sharing of file
descriptors within a single process, so we mediate read and write.

As per my usual comment in this forum, I'm trying to confine myself to
discussing what the LSM interface should support, and avoid debating the
merits of one module (or model) over another.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "2001_04_27 patch against 2.4.3"
• Previous message: Stephen Smalley: "Re: intercepting system calls"
• In reply to: talgat_private: "Re: intercepting system calls"
• Next in thread: David Wagner: "Re: intercepting system calls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 12:46:01 PDT