Re: 2001_05_09 patch against 2.4.4

From: Chris Evans (chrisat_private)
Date: Wed May 16 2001 - 14:30:56 PDT


On Wed, 16 May 2001, Stephen Smalley wrote:

> 1) Least privilege.  Some processes may legitimately be able to hold
> and transfer a descriptor but have no legitimate reason to use it.  Think
> of capability-based name servers.  Likewise, some processes may
> legitimately be able to hold and use a descriptor but should not be
> able to transfer it to others.  Finally, there is a mismatch between

Fair enough. Better regularly audit all the system calls which deal with
file descriptors, though :-/

> 2) Revocation.  A change in the label of a process or a file or
> a change in the security policy may require that existing open
> file descriptors be revoked.  You could implement revocation

[...]

> Of course, memory-mapped files are more difficult to address.
> Since we can't really revalidate permission on use in that case,
> SELinux must explicitly invalidate the page cache entries of
> any files affected by a change in a file label or policy
> and then revalidate permission on the subsequent page faults.

Sounds like there is some re-usable code between this and a (much needed)
revoke(2) syscall implementation. I'm not sure about revalidation on page
faults - sounds expensive. Why not just unmap the pages from the process'
virtual address space?

Cheers
Chris
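Added example, not code from either poster: a small C program showing the problem the revocation discussion above is about. Linux checks DAC permission at open() time only, so a descriptor and a mapping acquired before a chmod(0000) keep working, while a fresh open() is refused for an unprivileged user; the /tmp path and the file contents are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct stale_result {
    int old_fd_readable;  /* read() on the pre-chmod fd still works */
    int mapping_readable; /* the pre-chmod mmap() still serves the data */
    int reopen_failed;    /* a new open() after chmod(0000) is refused */
};

/* Creates a constructed temp file, opens and maps it, strips every permission
 * bit, then probes each access path. Nothing revokes the first two. */
struct stale_result probe_stale_access(void)
{
    struct stale_result r = {0, 0, 0};
    char path[] = "/tmp/revoke-demo-XXXXXX";  /* constructed sample file */
    const char msg[] = "secret";
    char buf[sizeof msg];
    char *map = MAP_FAILED;
    int fd = mkstemp(path);
    if (fd < 0) return r;
    if (write(fd, msg, sizeof msg) != (ssize_t)sizeof msg) goto out;
    map = mmap(NULL, sizeof msg, PROT_READ, MAP_SHARED, fd, 0);
    /* Policy change after the fact: nobody may touch the file any more. */
    if (chmod(path, 0) != 0) goto out;
    r.old_fd_readable = pread(fd, buf, sizeof buf, 0) == (ssize_t)sizeof buf
                        && memcmp(buf, msg, sizeof msg) == 0;
    r.mapping_readable = map != MAP_FAILED && memcmp(map, msg, sizeof msg) == 0;
    int again = open(path, O_RDONLY);  /* EACCES unless running as root */
    r.reopen_failed = again < 0;
    if (again >= 0) close(again);
out:
    if (map != MAP_FAILED) munmap(map, sizeof msg);
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    struct stale_result r = probe_stale_access();
    printf("old fd readable: %d  mapping readable: %d  reopen refused: %d\n",
           r.old_fd_readable, r.mapping_readable, r.reopen_failed);
    return 0;
}
```

The mapping case is the one Stephen calls out as hard: the page is served from the page cache on the fault with no permission check, so only an explicit invalidation or unmap can take it away.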
    
    
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
    