Append vs. write distinctions

From: Stephen Smalley (sdsat_private)
Date: Fri May 18 2001 - 12:57:35 PDT


    The (non-LSM) SELinux prototype allows append vs. write distinctions for 
    files and directories.  For files, you can grant a process with
    a particular security label append access to a file
    with a particular security label without giving the
    process general write access to the file.  Likewise, for
    directories, you can allow a process to add links to
    a directory without granting it the ability to remove
    links from the directory.

    For directories, I was able to implement our 
    finer-grained permissions in the corresponding
    inode security operations (e.g. create, mkdir, link,
    etc), while checking a general-purpose write permission 
    in the inode permission hook.  So the SELinux
    LSM module requires both the general-purpose write
    permission and the appropriate finer-grained 
    permission to modify a directory.  The general-purpose
    write permission check is merely to ensure mediation in all
    cases, but shouldn't really be necessary.

    For files, I'm not sure how to provide the same distinction
    during the open checks with LSM, since LSM merely calls
    the permission function with the read/write access mode,
    so the module has no way of knowing if O_APPEND was
    specified.  I could implement some support for setting
    the S_APPEND flag on inodes based on their security
    label in accordance with the security policy, but
    that would yield different semantics - append-only
    access for all processes, not just processes with
    particular labels.  Suggestions?

    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list
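
The distinction raised in the message above, as an added example that is not part of the original post and is not SELinux or LSM code: a small user-space C model comparing a hook that sees only the access mode, a hook that also sees the open flags, and a label-independent append-only inode flag. The labels, permission bits, policy table and function names are all hypothetical; only `O_APPEND` and `O_WRONLY` are real identifiers.

```c
#include <fcntl.h>   /* O_APPEND, O_WRONLY (the only real identifiers used) */
#include <stdio.h>

/* Model only: every other name here is hypothetical, not a kernel or SELinux symbol. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_APPEND = 4 }; /* policy permissions */
enum { MASK_READ = 4, MASK_WRITE = 2 };   /* access mode handed to the hook */
enum { LOGGER, ADMIN };                   /* subject labels */

/* Constructed policy for one object label (a log file), indexed by subject label. */
static const int policy[] = {
    [LOGGER] = PERM_APPEND,
    [ADMIN]  = PERM_READ | PERM_WRITE | PERM_APPEND,
};

/* Case 1: the hook receives only the access mode. Every write must be treated
 * as a general write, so an append-only subject is denied even for O_APPEND. */
int check_mask_only(int subj, int mask)
{
    int need = 0;
    if (mask & MASK_READ)  need |= PERM_READ;
    if (mask & MASK_WRITE) need |= PERM_WRITE;
    return (policy[subj] & need) == need;
}

/* Case 2: the hook also sees the open flags, so an O_APPEND open needs only
 * PERM_APPEND while any other write still needs PERM_WRITE. */
int check_with_flags(int subj, int mask, int oflags)
{
    int need = 0;
    if (mask & MASK_READ)  need |= PERM_READ;
    if (mask & MASK_WRITE) need |= (oflags & O_APPEND) ? PERM_APPEND : PERM_WRITE;
    return (policy[subj] & need) == need;
}

/* Case 3: an append-only flag on the inode. The result does not depend on the
 * subject label at all: every process must open with O_APPEND to write. */
int check_inode_append_flag(int mask, int oflags)
{
    return !((mask & MASK_WRITE) && !(oflags & O_APPEND));
}

int main(void)
{
    printf("mask-only  logger append: %d\n", check_mask_only(LOGGER, MASK_WRITE));
    printf("with-flags logger append: %d\n", check_with_flags(LOGGER, MASK_WRITE, O_WRONLY | O_APPEND));
    printf("with-flags admin  write:  %d\n", check_with_flags(ADMIN, MASK_WRITE, O_WRONLY));
    printf("inode-flag any    write:  %d\n", check_inode_append_flag(MASK_WRITE, O_WRONLY));
    return 0;
}
```

In the model, only the flag-aware check lets the logger label append while the admin label keeps general write access; the inode flag denies the non-append write for every label.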