First, one quibble: This is not about the order of MAC and DAC,
but rather about in-module checks vs. in-kernel checks. Although
in your favorite policy, the in-kernel code is DAC and your module
does only MAC, these concepts are orthogonal, and there's nothing
that says they will always line up like this. Other people's modules
might do DAC, or indeed the distinction between DAC and MAC might
not even be meaningful in some cases.
That said, the main technical reason I heard you say about why you
prefer in-module checks before the in-kernel checks is for audit:
It is a higher priority to record failures of in-module policy
than to record failures of base-kernel-enforced policy. Meanwhile,
in SubDomain, those priorities are reversed.
So, let me propose a possible compromise solution. Has anyone
thought about doing something like the following?
int rv = 0;
if (... in-kernel check fails...)
rv = -EPERM;
rv = security_ops->hook(rv, ...);
if (rv < 0)
return rv;
This way, the module gets to see both whether the in-kernel checks
succeeded or not and whether the in-module checks succeeded or not,
and then the module can set the policy on which is to take priority.
For instance, SubDomain might instantiate its LSM hooks using a
wrapper function written like this:
int hook(int kernel_rv, ...) {
int our_rv;
if (kernel_rv < 0)
return kernel_rv;
our_rv = hook0(...); /* call the real in-module checks */
if (our_rv < 0)
audit();
return our_rv;
}
In comparison, SGI's B1 hooks might look like the following:
int hook(int dac_rv, ...) {
int mac_rv;
mac_rv = hook0(...); /* do the MAC checks (the real module code) */
if (mac_rv < 0) {
audit();
return mac_rv;
}
return dac_rv;
}
Does this work?
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 14:39:46 PDT