Re: intercepting system calls

From: Crispin Cowan (crispinat_private)
Date: Fri Apr 27 2001 - 12:43:56 PDT


    talgat_private wrote:
    
    > Crispin Cowan <crispinat_private> wrote:
    > > I disagree about "not the unix way".  Precisely because file descriptors
    > > are (kind of) capabilities, and they can be passed around in a lot of
    > > sloppy ways,
    >
    > So there are only a few ways I know of to pass file descriptors between
    > processes.
    >
    > Through inheritance via fork/clone.
    > Through shared descriptor tables via clone.
    > Through descriptor passing via sendmsg/recvmsg.
    
    Agreed.
    
    
    > > it is ineffective to pretend that restricting the right to
    > > create such capabilities restricts the right to access the files.
    >
    > Fair enough, one still has to worry about core dumps for example.
    > But there are few of these cases. In general I think that
    > controlling access to descriptors provides an extremely effective
    > mechanism for this.
    
    And you're free to think that.  I disagree.
    
    
    > > The
    > > capabilities themselves must be mediated via read & write.  Or at least
    > > the ability to allow some modules to mediate read & write must be
    > > provided.
    >
    > Why?
    
    Because not everyone uses the same security model that you do.  Note that I'm
    not saying that your module must mediate read and write, just that my module
    (and I dare say others) do want to mediate read and write, and therefore the
    LSM must provide read and write hooks.
    
    In particular, quite apart from all the sneaky ways one can spread file
    descriptors across processes, SubDomain supports confinement
    WITHIN processes.  We do not believe that we can control the sharing of file
    descriptors within a single process, so we mediate read and write.
    
    As per my usual comment in this forum, I'm trying to confine myself to
    discussing what the LSM interface should support, and avoid debating the
    merits of one module (or model) over another.
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
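The sendmsg/recvmsg path listed in the quoted reply, as an added example that is not part of the thread: a child that never calls open() reads a file through a descriptor it received with SCM_RIGHTS, which is the case a module mediating only open() cannot see and the reason the post asks for read and write hooks. The temp file path and its content are constructed, and xfer_fd and demo_fd_passing are hypothetical helper names.

```c
/* Added example (not from the thread): SCM_RIGHTS fd passing; the receiver never calls open(). */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Send (fd >= 0) or receive (fd < 0) one descriptor over a Unix socket.
 * Returns the sent fd, the newly received fd, or -1 on failure. */
static int xfer_fd(int sock, int fd) {
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (fd >= 0) {                           /* sender: attach fd as SCM_RIGHTS */
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
        return sendmsg(sock, &msg, 0) == 1 ? fd : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1) return -1;  /* receiver: unpack the fd */
    cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Parent creates and unlinks a constructed temp file, then ships its fd; the
 * child drops every inherited copy and still reads it. Returns 1 on success. */
int demo_fd_passing(void) {
    const char *secret = "constructed sample content";
    char path[] = "/tmp/lsm_fdpass_XXXXXX", buf[64] = {0};
    int sv[2], file = mkstemp(path);
    if (file < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    unlink(path);                            /* nothing left to open() by name */
    if (write(file, secret, strlen(secret)) < 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[0]); close(file);           /* child: only the passed fd may remain */
        int fd = xfer_fd(sv[1], -1);
        if (fd >= 0) pread(fd, buf, sizeof buf - 1, 0);
        _exit(strcmp(buf, secret) == 0 ? 0 : 1);
    }
    close(sv[1]); xfer_fd(sv[0], file); close(sv[0]);   /* parent: send it */
    int status = 0; waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

An LSM read hook would still see the child's pread() on the received descriptor; an open hook alone sees nothing after the parent's original open().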
    


