Re: MAC before DAC vs DAC before MAC

• Previous message: richard offer: "Re: MAC before DAC vs DAC before MAC"
• In reply to: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Reply: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 25 Jul 2001, Crispin Cowan wrote:

> David Wagner wrote:
> 
> > So, let me propose a possible compromise solution.  Has anyone thought
> > about doing something like the following?
> >    int rv = 0;
> >    if (... in-kernel check fails...)
> >      rv = -EPERM;
> >    rv = security_ops->hook(rv, ...);
> >    if (rv < 0)
> >      return rv;
> > This way, the module gets to see both whether the in-kernel checks
> > succeeded or not and whether the in-module checks succeeded or not, and
> > then the module can set the policy on which is to take priority.
> 
> That looks like an authoritative hook to me.  Bad logic in the module could
> result in an override of kernel DAC logic.
>

If the idea was to provide information only to the in-module checks
without allowing it to override the result authoritatively by allowing
permission where there was none, a kludge might be something like: 

   int rv1 = 0, rv2=0;

   if (... in-kernel check fails...)
     rv1 = -EPERM;

   rv2 = security_ops->hook(rv1, ...);

   if (rv2) return rv2;
   if (rv1) return rv1;

* Providing the module with both results.

* Allowing a module to simply not do it's own checks if the kernel 
  has already spoken and that's important to the module design.

* Allowing the module to record for audit either, neither, or both.

* Allowing the module to modify the error code returned, but not to 
  eradicate it... so if there are two different failure reasons: the 
  module decides which passes back (rv2 trips the return first).

Other than allowing the module to override a restriction with a
permission, does this represent a "restrictive_only" compromise that 
might be useful to anybody?  Taking the two example implementations from
Dr. Wagner's suggestion, it would seem, trivially, to allow either
strategy.

> 
> Crispin
> 
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution:       http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html

J. Melvin Jones


|>------------------------------------------------------
||  J. MELVIN JONES            jmjonesat_private 
|>------------------------------------------------------
||  Microcomputer Systems Consultant  
||  Software Developer
||  Web Site Design, Hosting, and Administration
||  Network and Systems Administration
|>------------------------------------------------------
||  http://www.jmjones.com/
|>------------------------------------------------------









_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Previous message: richard offer: "Re: MAC before DAC vs DAC before MAC"
• In reply to: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Reply: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 08:14:32 PDT