Re: MAC before DAC vs DAC before MAC

• Previous message: Chris Wright: "Re: Mail Outage"
• In reply to: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Reply: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler  wrote:
>Assume a file with both a POSIX ACL and a MAC label.
>The MAC label is small enough to fit in a XFS inode,
>the ACL is not. The file hasn't been accessed in so
>long its not only not cached, it's been archived
>by the HMS. The inode remains on disk, but the extended
>information, in this case the ACL, is off line.

Am I confused?  Doesn't this example actually argue that in-kernel checks
("DAC") should precede module-based checks ("MAC", if we must use that
terminology)?  The kernel's inode check (which uses the "DAC" mode bits
stored in the inode) will execute quickly, but the module's ACL check
will take a long time, so if we're really talking about optimizing any
way possible, then we want the kernel's check to come first.  Right?

Anyway, we could probably discuss at length about whether the right fix
for this type of example is a modification of the caching strategy,
a tweak to the security architecture, or education of customers and
management of their expectations.  Nevertheless, the most compelling
point for me is that this scenario is an event that I believe we can
expect to be rare.  My objection is the following: I'm not convinced
that such a pervasive change to the security subsystem is justified
by optimizing for such a rare event (invoke Amdahl's law here as to the
questionable utility of optimizing for rare cases...).  Such optimizations
seem particularly troublesome when they might negatively impact other
properties we care about.

If we're going to allow performance arguments based on rare cases to
have such a large say in the architecture debate, what prevents some
other module writer from coming up with an argument that in-kernel checks
should come first because he has some scenario where the module ("MAC")
takes forever but the kernel ("DAC") is fast?

For the record, I'm not convinced that SubDomain's application would
justify a sweeping change to the architecture, either, as SubDomain's
use of the current ordering might be viewed by some as a special case of
'audit'.  From this point of view, you might be able to make a case that
there is no strong argument either way.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "Re: MAC before DAC vs DAC before MAC"
• Previous message: Chris Wright: "Re: Mail Outage"
• In reply to: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Reply: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 27 2001 - 17:22:50 PDT