David Wagner wrote:
> Crispin Cowan wrote:
> >In SubDomain, we need to know the absolute path name of a file that a
> >process is trying to open.
>
> Would you consider the following strategy? If you want to support
> denying access to all pathnames that match /var/log/*,

To correct an (apparently common today) misconception, SubDomain does not deny access to specified names. SubDomain grants access to specified names, and denies access to everything else. This is a subtle but important consideration with respect to the validity of denying access to a file based on its name, when in fact the file could be aliased under a different name with a hard link.

> then rather than
> trying to reconstruct the pathname to open() and pattern-matching, maybe
> one alternative could be to monitor the directory traversal (is this
> lookup_dentry() or somesuch?) and deny access preemptorily as soon as
> you see an access to the directory "/var/log".

We thought of that. It results in a huge "hematoma of reimplementation" (in the terminology of Gregor Kiczales, http://www.parc.xerox.com/csl/groups/sda/projects/oi/ieee-software/ ) where we end up building a shadow file system name space in kernel data structures. I'm skeptical that such a thing can be done with sufficient correctness that it will be secure.

So how is Janus going to handle this?

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
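The distinction Crispin draws above (granting named paths versus denying named paths, and why a hard link matters for the latter) can be shown with a small user-space experiment. The following is an added example written for this archive page; it is not code from the thread, from SubDomain, or from Janus. It constructs a throwaway directory tree, hard-links a file under a second name, and evaluates both policy styles as pure pathname checks. The policy matcher, the sample paths and the function names are all assumptions made for the illustration; real kernel-side mediation works on dentries, not on strings like these.

```python
"""Name-based access control: deny-list versus allow-list under a hard-link alias.

Added illustration; not part of the mailing-list thread, SubDomain or Janus.
"""
import fnmatch
import glob
import os
import tempfile


def _child_pattern(directory):
    # Pattern matching any direct child name of `directory`.
    # glob.escape keeps bracket or star characters in a real path literal.
    return glob.escape(directory) + os.sep + "*"


def deny_list_permits(path, deny_patterns):
    """Deny-list semantics: access is allowed unless some pattern names the path."""
    return not any(fnmatch.fnmatchcase(path, pat) for pat in deny_patterns)


def allow_list_permits(path, allow_patterns):
    """Allow-list semantics (the SubDomain model described in the mail):
    nothing is allowed unless a pattern names the path."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in allow_patterns)


def hard_link_demo():
    """Create a protected file, alias it via a hard link elsewhere, and report how
    each policy style treats the original name and the alias name.

    Returns a dict of observations (all values constructed for this example).
    """
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "var", "log")   # stands in for /var/log
        tmp_dir = os.path.join(root, "tmp")          # stands in for /tmp
        etc_dir = os.path.join(root, "etc")          # the one place the policy grants
        for d in (log_dir, tmp_dir, etc_dir):
            os.makedirs(d)

        protected = os.path.join(log_dir, "auth.log")
        with open(protected, "w") as fh:
            fh.write("constructed log line\n")

        # A second name for the same inode; the name carries no trace of /var/log.
        alias = os.path.join(tmp_dir, "notes.txt")
        os.link(protected, alias)

        deny_patterns = [_child_pattern(log_dir)]    # "deny /var/log/*"
        allow_patterns = [_child_pattern(etc_dir)]   # "grant /etc/*" and nothing else

        with open(alias) as fh:
            alias_content = fh.read()

        return {
            "same_inode": os.stat(protected).st_ino == os.stat(alias).st_ino,
            # Deny list: the original name is caught, the alias is not.
            "deny_blocks_original": not deny_list_permits(protected, deny_patterns),
            "deny_blocks_alias": not deny_list_permits(alias, deny_patterns),
            # Allow list: neither name was granted, so both are refused.
            "allow_blocks_original": not allow_list_permits(protected, allow_patterns),
            "allow_blocks_alias": not allow_list_permits(alias, allow_patterns),
            "alias_reads_same_data": alias_content == "constructed log line\n",
        }


if __name__ == "__main__":
    for key, value in hard_link_demo().items():
        print(f"{key}: {value}")
```

Running it shows the asymmetry: the deny-list check refuses the `/var/log` name but lets the `/tmp` alias through, while the allow-list check refuses both because neither name was granted. Either way the check only ever sees a name, so an allow-list profile is still only as tight as the directories it grants; an alias created inside a granted directory would be named, and therefore permitted, just like any other file there.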
This archive was generated by hypermail 2b30 : Sat Jul 21 2001 - 00:00:25 PDT