Greg KH <gregat_private>: > On Tue, Jul 17, 2001 at 07:09:58AM -0700, richard offer wrote: [snip] > > The placement of some hooks has been modified to make it more consistant, > > so for example, we always call the post hook, rather than only if there was > > an error. Some hooks have been moved ahead of DAC checks (or capable() > > calls) in light of Stephen's comments on July 9th. > > About moving the hooks before the DAC checks, I don't really mind this, > but I know some people will have a real problem with this. Anyone else > want to comment on this? Speak up now, or have to change your security > module greatly later :) All of the systems I've used have MAC evaluated before DAC. This is partly to catch invalid attempts. Even if the DAC says it is permissible, that doesn't mean it isn't an insider attempting to go around some barriers. It can also be used as a flag for possible intrusions. It's also a bit more efficient for denial - there is no need to traverse directory trees if the MAC is going to deny access anyway. In the other mode, the directory tree is scanned looking for a deny (which may not be there) before the MAC does deny. This could effect the cache entries with significant amounts of overhead wasted if the access is denied, where checking the MAC entries usually have a lower overhead. ------------------------------------------------------------------------- Jesse I Pollard, II Email: pollardat_private Any opinions expressed are solely my own. _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:01:29 PDT