On Wed, 16 May 2001, Stephen Smalley wrote:

> 1) Least privilege. Some processes may legitimately be able to hold
> and transfer a descriptor but have no legitimate reason to use it. Think
> of capability-based name servers. Likewise, some processes may
> legitimately be able to hold and use a descriptor but should not be
> able to transfer it to others. Finally, there is a mismatch between

Fair enough. Better regularly audit all the system calls which deal with
file descriptors, though :-/

> 2) Revocation. A change in the label of a process or a file or
> a change in the security policy may require that existing open
> file descriptors be revoked. You could implement revocation [...]
> Of course, memory-mapped files are more difficult to address.
> Since we can't really revalidate permission on use in that case,
> SELinux must explicitly invalidate the page cache entries of
> any files affected by a change in a file label or policy
> and then revalidate permission on the subsequent page faults.

Sounds like there is some re-usable code between this and a (much needed)
revoke(2) syscall implementation.

I'm not sure about revalidation on page faults - sounds expensive. Why not
just unmap the pages from the process' virtual address space?

Cheers
Chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
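An added illustration (not part of the thread, and not SELinux code) of the revocation problem the quoted text describes: ordinary Unix checks permission at open(2) and mmap(2) time only, so withdrawing every permission bit afterwards revokes neither an already-open descriptor nor an existing mapping. The temp-file path and its contents are constructed for the demo; the two functions return 1 when the stale access still succeeds.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

static const char SECRET[] = "secret";   /* constructed file contents */

/* Create a private temp file holding SECRET; returns fd or -1. */
static int make_demo_file(char *path)
{
    strcpy(path, "/tmp/revoke-demo-XXXXXX");   /* constructed path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, SECRET, sizeof SECRET) != (ssize_t)sizeof SECRET) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* 1 if a descriptor opened before fchmod(fd, 0) still reads the file:
 * the kernel checked permission at open(2) and never rechecks on read. */
int stale_fd_still_readable(void)
{
    char path[32], buf[16] = {0};
    int fd = make_demo_file(path);
    if (fd < 0) return -1;
    if (fchmod(fd, 0) != 0) { close(fd); unlink(path); return -1; }
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    int ok = n == (ssize_t)sizeof SECRET && strcmp(buf, SECRET) == 0;
    close(fd); unlink(path);
    return ok;
}

/* 1 if pages mapped before fchmod(fd, 0) stay readable: nothing short of
 * unmapping or invalidating the page cache revokes an existing mapping. */
int stale_mapping_still_readable(void)
{
    char path[32];
    int fd = make_demo_file(path);
    if (fd < 0) return -1;
    void *p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); unlink(path); return -1; }
    if (fchmod(fd, 0) != 0) { munmap(p, 4096); close(fd); unlink(path); return -1; }
    int ok = memcmp(p, SECRET, sizeof SECRET) == 0;
    munmap(p, 4096); close(fd); unlink(path);
    return ok;
}
```

Run as an unprivileged user, a fresh open(2) of the same path fails after the fchmod while both functions still return 1, which is the gap a revoke(2) or SELinux's page-cache invalidation is meant to close.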
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 14:32:28 PDT