Re: State of Audit Proposal ?

• Previous message: Chris Wright: "Re: State of Audit Proposal ?"
• In reply to: KRAMER,STEVEN (HP-USA,ex1): "RE: State of Audit Proposal ?"
• Next in thread: KRAMER,STEVEN (HP-USA,ex1): "RE: State of Audit Proposal ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* KRAMER,STEVEN (HP-USA,ex1) (steven_kramerat_private) wrote:
> 
> 
> > -----Original Message-----
> > From: Seth Arnold [mailto:sarnoldat_private] 
> > 
> > On Mon, Jul 23, 2001 at 06:17:55AM -0700, KRAMER,STEVEN 
> > (HP-USA,ex1) wrote:
> > > Why is it that MAC and DAC both must return the same error messages?
> > > I can easily envision a MAC policy that returns more errno values
> > > than the access errors.  Given that it is a possibility to have
> > > different MAC and DAC return codes, it becomes an issue of storage 
> > > channels, not only timing channels.
> > 
> > Simply that many syscalls are expected to return one of -EPERM or
> > -EACCES if a process doesn't have the required credentials to access a
> > file. Pity the poor application programmer who assumes creat(2) will
> > never return -EPERM, only -EACCES.
> 
> Are we to use the Linux man pages as a functional spec for the interfaces
> that LSM must continue to respect?  Has anyone taken the LSM
> changes, looked at the current state of the hooks, and made sure you're not
> creating situations where an incorrect errno will be returned?
> As an example, I'm looking at the sys_read call.  In the man page, there
> is no EACCES failure, nor do I see it in the sys_read kernel code.
> So, what kind of error value will the permission(file, MAY_READ) hook
> return?  Usually you'd think of EACCES failure with such a hook, but
> you said that it's your understanding that LSM hooks won't return
> EACCES there because an application wouldn't know how to use such a
> failure with read(2).
> 
> Furthermore, will the meanings for the errnos (such as EACCES) still
> have the same meaning in the man pages with MAC as they do w/o MAC?

earlier lsm code did watch the POSIX allowed return codes and honored
them.  when the permissive/restrictive inconsistency was highlighted
this started to change.  the permissive hooks were collapsed into
the capable call, and the kernel code that called capable() was not
changed to capture a module providied return code.  so these hooks
preserve error codes as they are (pre lsm).  the restrictive hooks
used to return the appropriate POSIX error code, but now they return
whatever the module wants to return.  hence, it is up to the module
writer to think about what they return.

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Crispin Cowan: "Re: linux-security-module digest, Vol 1 #175 - 9 msgs"
• Previous message: Chris Wright: "Re: State of Audit Proposal ?"
• In reply to: KRAMER,STEVEN (HP-USA,ex1): "RE: State of Audit Proposal ?"
• Next in thread: KRAMER,STEVEN (HP-USA,ex1): "RE: State of Audit Proposal ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 18:50:39 PDT