Re: Changes to LSM phase 1 for audit.

From: Jesse Pollard (pollardat_private)
Date: Tue Jul 17 2001 - 10:00:13 PDT

  • Next message: Stephen Smalley: "Re: Changes to LSM phase 1 for audit."

    Greg KH <gregat_private>:
    > On Tue, Jul 17, 2001 at 07:09:58AM -0700, richard offer wrote:
    [snip]
    > > The placement of some hooks has been modified to make it more consistant,
    > > so for example, we always call the post hook, rather than only if there was
    > > an error. Some hooks have been moved ahead of DAC checks (or capable()
    > > calls) in light of Stephen's comments on July 9th.
    > 
    > About moving the hooks before the DAC checks, I don't really mind this,
    > but I know some people will have a real problem with this.  Anyone else
    > want to comment on this?  Speak up now, or have to change your security
    > module greatly later :)
    
    All of the systems I've used have MAC evaluated before DAC. This is partly
    to catch invalid attempts. Even if the DAC says it is permissible, that
    doesn't mean it isn't an insider attempting to go around some barriers.
    It can also be used as a flag for possible intrusions.
    
    It's also a bit more efficient for denial - there is no need to traverse
    directory trees if the MAC is going to deny access anyway. In the other
    mode, the directory tree is scanned looking for a deny (which may not
    be there) before the MAC does deny. This could effect the cache entries
    with significant amounts of overhead wasted if the access is denied, where
    checking the MAC entries usually have a lower overhead.
    
    -------------------------------------------------------------------------
    Jesse I Pollard, II
    Email: pollardat_private
    
    Any opinions expressed are solely my own.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:01:29 PDT