David Wheeler wrote:

> Out of curiosity, what would be the implications of having _both_ "pre" and
> "post" hooks? Obviously, this would add more hooks (maintenance pain) and
> potentially impact performance (slightly?). How many hooks? Would that be a
> solution?

Every time we propose duplicate hooks as a solution to conflicts of interest within the LSM community, we make it harder for the kernel group to accept the LSM patch at all. It is worth the effort to find some compromise that solves all of our needs without duplicating hooks. Hence all the yacking :-)

> I'd like to see this "third approach" considered. One advantage of having "pre"
> and "post" hooks is that the "default" behavior is still in the kernel (not
> requiring separate libraries or anything else, for which there's always the
> danger of not calling them correctly).

The third approach (which I think of as "punt") is a last resort. It is reserved for cases where conflicting interests cannot be reconciled, and both (all) parties absolutely need what they need, and can't work around.

> [Wagner] >A better model: Just don't give that untrusted code access to the
> >confidential data in the first place, and voila!, no more worries about
> >covert channels.
>
> Great idea. Please write the program that can tell if arbitrary code will send
> confidential information where it shouldn't go.

Simple: don't run arbitrary code in trusted domains :-)

Making that flippant remark LSM-relevant: if you care about the DAC/MAC covert channel, make sure that your MAC module returns the same error code as the DAC module. Otherwise, you are leaking information, and no sequence change will help you.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 22:38:30 PDT
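
Added example (not part of the original message and not LSM code): a toy C model of the remark about error codes, showing that a caller can tell a DAC denial from a MAC denial under either check order unless both layers return the same code. All names (`dac_check`, `mac_check`, `access_check`, `denial_source_visible`) and the use of `EPERM` as the differing MAC errno are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed toy model, not kernel or LSM code; every name is hypothetical. */
struct subject { int uid; int clearance; };
struct object  { int owner_uid; bool other_read; int label; };
enum order { DAC_FIRST, MAC_FIRST };

/* DAC: owner or world-readable, else -EACCES. */
static int dac_check(const struct subject *s, const struct object *o)
{
    return (s->uid == o->owner_uid || o->other_read) ? 0 : -EACCES;
}

/* MAC: clearance must dominate the label; the denial errno is a parameter
 * so a module with its own code can be compared with one that mirrors DAC. */
static int mac_check(const struct subject *s, const struct object *o, int deny)
{
    return (s->clearance >= o->label) ? 0 : -deny;
}

/* Run both checks in the given order; the first failure is what the caller sees. */
int access_check(const struct subject *s, const struct object *o,
                 enum order ord, int mac_errno)
{
    int dac = dac_check(s, o), mac = mac_check(s, o, mac_errno);
    int first = (ord == DAC_FIRST) ? dac : mac;
    int second = (ord == DAC_FIRST) ? mac : dac;
    return first ? first : second;
}

/* 1 if an unprivileged caller can tell a DAC-only denial from a MAC-only one. */
int denial_source_visible(enum order ord, int mac_errno)
{
    struct subject s = { .uid = 1000, .clearance = 1 };  /* constructed sample */
    struct object dac_only = { .owner_uid = 0, .other_read = false, .label = 0 };
    struct object mac_only = { .owner_uid = 0, .other_read = true,  .label = 2 };
    return access_check(&s, &dac_only, ord, mac_errno)
        != access_check(&s, &mac_only, ord, mac_errno);
}

int main(void)
{
    printf("MAC=EPERM,  DAC first: %d\n", denial_source_visible(DAC_FIRST, EPERM));
    printf("MAC=EPERM,  MAC first: %d\n", denial_source_visible(MAC_FIRST, EPERM));
    printf("MAC=EACCES, DAC first: %d\n", denial_source_visible(DAC_FIRST, EACCES));
    printf("MAC=EACCES, MAC first: %d\n", denial_source_visible(MAC_FIRST, EACCES));
    return 0;
}
```

Reordering the checks only changes which code is returned when both layers would deny; the two single-layer denials stay distinguishable until the MAC errno matches the DAC one.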