Re: MAC before DAC vs DAC before MAC

From: jmjonesat_private
Date: Thu Jul 26 2001 - 16:28:25 PDT


    On Thu, 26 Jul 2001, Crispin Cowan wrote:
    
    > jmjonesat_private wrote:
    > 
    > > If the idea was to provide information only to the in-module checks
    > > without allowing it to override the result authoritatively by allowing
    > > permission where there was none, a kludge might be something like:
    > >
    > >    int rv1 = 0, rv2=0;
    > >
    > >    if (... in-kernel check fails...)
    > >      rv1 = -EPERM;
    > >
    > >    rv2 = security_ops->hook(rv1, ...);
    > >
    > >    if (rv2) return rv2;
    > >    if (rv1) return rv1;
    > > ...
    > > Other than allowing the module to override a restriction with a
    > > permission, does this represent a "restrictive_only" compromise that
    > > might be useful to anybody?
    > 
    > Allowing the module to override a restriction with a permission is precisely
    > what makes it an authoritative hook.  Your proposal has no advantages over
    > Wagner's that I can see (it appears to be semantically equivalent) and is more
    > complex.
    
    Yep.  This suggestion does NOT allow the module to override a restriction
    with a permission that will return to the kernel.  Look again...  that's
    the ONLY advantage of my suggestion over Dr. Wagner's.  I admit some
    disadvantages... like more lines of code in the kernel side of the patch.
    It gives the module information, but leaves logic in the kernel that does
    NOT allow permissive override. 
    
    If you can point to how it does become authoritative or permissive, I
    accept your rebuke.
    
    It DOES allow the module to return a DIFFERENT failure/error... switch the
    last two lines if this is "too authoritative".  FAILURE vs. FAILURE is not
    something I've seen defined thereas before.
    
    Is the concern over -0?
    
    > 
    > Crispin
    > 
    > --
    > Crispin Cowan, Ph.D.
    > Chief Scientist, WireX Communications, Inc. http://wirex.com
    > Security Hardened Linux Distribution:       http://immunix.org
    > Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    J. Melvin Jones
    
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
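The return-value composition argued over in this message, as an added example that is not part of the original post or of the LSM patch. The function names, the sample modules and the simplified "authoritative" model (the module's answer is final) are assumptions made for illustration:

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for security_ops->hook(rv1, ...): the module is
 * told the in-kernel verdict rv1 and returns its own verdict. */
typedef int (*module_hook_t)(int rv1);

/* Ordering as posted: a module error is returned first, then the kernel's. */
static int restrictive_only(int rv1, module_hook_t hook)
{
    int rv2 = hook(rv1);
    if (rv2) return rv2;
    if (rv1) return rv1;
    return 0;
}

/* The "switch the last two lines" variant: the kernel's error code wins. */
static int restrictive_kernel_first(int rv1, module_hook_t hook)
{
    int rv2 = hook(rv1);
    if (rv1) return rv1;
    if (rv2) return rv2;
    return 0;
}

/* Assumed model of an authoritative hook, for contrast: the module's
 * return value is the final answer, so it can turn a denial into 0. */
static int authoritative(int rv1, module_hook_t hook)
{
    return hook(rv1);
}

/* Constructed sample modules. */
static int mod_allow(int rv1) { (void)rv1; return 0; }
static int mod_deny(int rv1)  { (void)rv1; return -EACCES; }

int main(void)
{
    int kernel[] = { 0, -EPERM };
    module_hook_t mods[] = { mod_allow, mod_deny };
    for (int k = 0; k < 2; k++)
        for (int m = 0; m < 2; m++)
            printf("rv1=%d rv2=%d posted=%d switched=%d authoritative=%d\n",
                   kernel[k], mods[m](kernel[k]),
                   restrictive_only(kernel[k], mods[m]),
                   restrictive_kernel_first(kernel[k], mods[m]),
                   authoritative(kernel[k], mods[m]));
    return 0;
}
```

With an in-kernel denial and a module that returns 0, both restrictive orderings still return -EPERM; the two orderings differ only in which error code is reported when both checks fail.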
    


