Re: State of Audit Proposal ?

From: Chris Wright (chrisat_private)
Date: Mon Jul 23 2001 - 18:46:19 PDT

  • Next message: Crispin Cowan: "Re: linux-security-module digest, Vol 1 #175 - 9 msgs"

    * KRAMER,STEVEN (HP-USA,ex1) (steven_kramerat_private) wrote:
    > 
    > 
    > > -----Original Message-----
    > > From: Seth Arnold [mailto:sarnoldat_private] 
    > > 
    > > On Mon, Jul 23, 2001 at 06:17:55AM -0700, KRAMER,STEVEN 
    > > (HP-USA,ex1) wrote:
    > > > Why is it that MAC and DAC both must return the same error messages?
    > > > I can easily envision a MAC policy that returns more errno values
    > > > than the access errors.  Given that it is a possibility to have
    > > > different MAC and DAC return codes, it becomes an issue of storage 
    > > > channels, not only timing channels.
    > > 
    > > Simply that many syscalls are expected to return one of -EPERM or
    > > -EACCES if a process doesn't have the required credentials to access a
    > > file. Pity the poor application programmer who assumes creat(2) will
    > > never return -EPERM, only -EACCES.
    > 
    > Are we to use the Linux man pages as a functional spec for the interfaces
    > that LSM must continue to respect?  Has anyone taken the LSM
    > changes, looked at the current state of the hooks, and made sure you're not
    > creating situations where an incorrect errno will be returned?
    > As an example, I'm looking at the sys_read call.  In the man page, there
    > is no EACCES failure, nor do I see it in the sys_read kernel code.
    > So, what kind of error value will the permission(file, MAY_READ) hook
    > return?  Usually you'd think of EACCES failure with such a hook, but
    > you said that it's your understanding that LSM hooks won't return
    > EACCES there because an application wouldn't know how to use such a
    > failure with read(2).
    > 
    > Furthermore, will the meanings for the errnos (such as EACCES) still
    > have the same meaning in the man pages with MAC as they do w/o MAC?
    
    earlier lsm code did watch the POSIX allowed return codes and honored
    them.  when the permissive/restrictive inconsistency was highlighted
    this started to change.  the permissive hooks were collapsed into
    the capable call, and the kernel code that called capable() was not
    changed to capture a module providied return code.  so these hooks
    preserve error codes as they are (pre lsm).  the restrictive hooks
    used to return the appropriate POSIX error code, but now they return
    whatever the module wants to return.  hence, it is up to the module
    writer to think about what they return.
    
    -chris
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 18:50:39 PDT