Re: The Demise of Simple Assurance?

• Previous message: Crispin Cowan: "Re: The Demise of Simple Assurance?"
• In reply to: Crispin Cowan: "Re: The Demise of Simple Assurance?"
• Next in thread: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Next in thread: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Next in thread: richard offer: "Re: The Demise of Simple Assurance?"
• Reply: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Reply: Seth Arnold: "Re: The Demise of Simple Assurance?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* frm crispinat_private "07/31/01 17:18:27 -0700" | sed '1,$s/^/* /'
*
* Valdis.Kletnieksat_private wrote:
* 
* 
*> OK... riddle me this:  Do any of the various contingents have security
*> models/plans that would *not* be recast in terms of authoritative hooks
*> (possibly in conjunction with internal programming style guides such as
*> "always set EPERM first, and clear it if it SHOULD be allowed")?  Are
*> all flavors of permissive/restrictive doable via authoritative, or is
*> there some subtle issue regarding hook placement/etc?
* 
* Here's some hook placement issues that do come up, following a discussion
* with Chris Wright:
* 
*    * MAC/DAC sequence:  making the hooks authoritative means universally
* doing the      DAC checks first.  To be authoritative, the hook must be
* the very last thing      checked before access proceeds.  SGI may not
* like this.
*    * Being fully authoritative:  there are code paths where an early DAC
* check that      fails short circuits out of the kernel.  With our current
* hook placement, we      won't catch all of those short circuits out of
* the kernel.  Therefore, the hooks      won't really be universally
* authoritative, unless we go place a lot more hooks.      Chris is unsure
* of how many additional hooks would need to be placed.

I thought we agreed to not call it MAC/DAC sequence, but module/in-kernel
sequence :-)

I thought that being fully authoritative using a single hook implied moving
current kernel logic out into a module. There would be no issues with
module/in-kernel sequence since there would be no in-kernel.

Of course I'm probably wrong.

* 
* Crispin

richard.

-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Previous message: Crispin Cowan: "Re: The Demise of Simple Assurance?"
• In reply to: Crispin Cowan: "Re: The Demise of Simple Assurance?"
• Next in thread: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Next in thread: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Next in thread: richard offer: "Re: The Demise of Simple Assurance?"
• Reply: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• Reply: Seth Arnold: "Re: The Demise of Simple Assurance?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 17:30:22 PDT