> -----Original Message-----
> From: linux-security-module-adminat_private
> [mailto:linux-security-module-adminat_private]On Behalf Of
> richard offer
> Sent: Tuesday, August 28, 2001 2:14 AM
> To: linux-security-moduleat_private
> Subject: Re: [patch] IPC/Message Queues
>
>
> * frm cvanceat_private "08/27/01 11:44:09 -0400" | sed '1,$s/^/* /'
> *
> *
>
> [snip]
>
> *
> * Due to the surrounding kernel logic, we lose the security module's return
> * code, but I don't think this is a problem.
>
> On the whole I don't like losing return values, but in this case it seems
> it wasn't useful due to the existing kernel code. Maybe we should document
> that this hook really is a boolean type despite it having a return type of
> "int".

If the current process does not have permission to access any messages
in the queue then it will either wait for a message that it can receive
or the system call will return -ENOMSG, instead of -EPERM or -EACCES,
which should be okay.

> *
> * Opinions? If there are no objections, I can have Stephen commit this
> * patch tomorrow.
>
> I don't think I have any objections, but Lachlan knows this code much
> better than I do.
>
> Off the top of my head, by making ipcperms() authoritative we should be
> okay in leaving this one restrictive.

ipcperms() checks permission to access the queue but testmsg() and the
msgrcv() hook check permission to access individual messages within the
queue. So if we can expect a scenario that has messages with different
security attributes but in the same queue then we would be better off
with the msgrcv() hook being authoritative.

> *
> * chris.
>
> richard.
>
> -----------------------------------------------------------------------
> Richard Offer                     Technical Lead, Trust Technology, SGI
> "Specialization is for insects"
> _______________________________________________________________________
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module
>

---
Lachlan McIlroy                 Phone: +61 3 9596 4155
Trusted Linux                   Fax:   +61 3 9596 2960
Adacel Technologies Ltd         www.adacel.com
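
The behaviour discussed in this message, as an added example (a simplified user-space C model, not kernel code and not part of the patch under discussion): the per-message hook's return value is used only as allow/deny, so a denial surfaces as -ENOMSG or a wait, while -EACCES comes only from the queue-level check. The `model_*` names, the integer label policy and the sample queue are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_IPC_NOWAIT 1  /* stand-in for IPC_NOWAIT */
#define MODEL_WOULD_WAIT 1  /* stand-in for "caller sleeps until a message arrives" */

/* label: hypothetical per-message security attribute */
struct model_msg { long type; int label; };

/* Constructed sample queue: two type-1 messages and one type-2 message. */
static const struct model_msg sample_queue[] = { {1, 5}, {1, 0}, {2, 9} };

/* Hypothetical module policy: receiver may take messages at or below its label. */
static int model_msgrcv_hook(const struct model_msg *m, int receiver_label)
{
    return m->label <= receiver_label ? 0 : -EACCES;
}

/* Type match only (msgtyp 0 means "any type"). */
static int model_testmsg(const struct model_msg *m, long msgtyp)
{
    return msgtyp == 0 || m->type == msgtyp;
}

static int model_msgrcv(const struct model_msg *q, size_t n, int queue_read_ok,
                        long msgtyp, int flags, int receiver_label, size_t *idx)
{
    if (!queue_read_ok)
        return -EACCES;  /* queue-level check, the role ipcperms() plays */
    for (size_t i = 0; i < n; i++) {
        /* The hook's errno is discarded here: only zero/non-zero matters. */
        if (model_testmsg(&q[i], msgtyp) &&
            model_msgrcv_hook(&q[i], receiver_label) == 0) {
            *idx = i;
            return 0;
        }
    }
    return (flags & MODEL_IPC_NOWAIT) ? -ENOMSG : MODEL_WOULD_WAIT;
}

int main(void)
{
    size_t idx = 0;
    /* Receiver label 0 skips the label-5 message and takes the next one. */
    int rc = model_msgrcv(sample_queue, 3, 1, 1, MODEL_IPC_NOWAIT, 0, &idx);
    printf("type 1: rc=%d idx=%zu\n", rc, idx);
    /* Type 2 exists only at label 9, so the denial is reported as -ENOMSG. */
    rc = model_msgrcv(sample_queue, 3, 1, 2, MODEL_IPC_NOWAIT, 0, &idx);
    printf("type 2: rc=%d (-ENOMSG=%d)\n", rc, -ENOMSG);
    return 0;
}
```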
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 20:30:51 PDT