Re: quotactl hook

From: Casey Schaufler (caseyat_private)
Date: Wed Sep 05 2001 - 15:57:18 PDT

    David Wagner wrote:
    > 
    > Casey Schaufler  wrote:
    > > Semantics require an authoritative hook. [...]
    > > The capable() function
    > > does not have enough information (it lacks the file attributes
    > > and the type of access) to intercede.
    > 
    > I think maybe Smalley's point about how to use capable() deserves to
    > be repeated.  The idea is that you implement a capable() hook that
    > returns "ALLOWED" on everything (thus this hook doesn't need access to
    > file attributes), which will override the kernel's mode bit checks.
    > Then, you implement a restrictive hook that uses the information it
    > has about file attributes and type of access to make the authoritative
    > decision on whether the file access should be allowed.  This approach
    > allows you to simulate everything you'd get from authoritative hooks,
    > with no changes to the existing LSM (restrictive hook) code.  Thus, I
    > think what you want can already be achieved without any changes to LSM.
    > Am I missing something?
    
    The capable()+restrictive scheme fails if the existing kernel
    code short circuits out on failure, and there's no reason it
    shouldn't if hooks are documented as restrictive. Any performance
    optimizer (and the Linux community is full of 'em) will look
    at code which calls a restrictive hook after a failure case and
    "fix" it, in what for our nefarious purposes would be the
    veterinary sense.
    
    If the hooks are restrictive we have to allow that developers
    will code according to the design rules, which say the hooks
    don't need to be called once a failure is detected. When that's
    done, the scheme won't work, and it won't be the non-LSM developer's
    fault, because she will have played by the rules.
    
    Unless, of course, it's clear that the hooks are never optional,
    because in some cases they have to be called anyway, even though
    they are supposed to be restrictive. That's the rule for
    authoritative hooks, which seems to be the bone of contention.
    
    -- 
    
    Casey Schaufler				Manager, Trust Technology, SGI
    caseyat_private				voice: 650.933.1634
    casey_pat_private			Pager: 888.220.0607
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
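A constructed C model of the two hook orderings the thread argues over (an added example, not code from the thread, the kernel or any LSM module; the hook names, the immutable flag and the uid-1000 policy are assumptions). Path A is what the capable()+restrictive scheme relies on; path B is what the restrictive-hook design rule lets a kernel developer write.

```c
/* Constructed model of the hook-ordering argument in this thread; not kernel
 * code. A module implements capable() to answer "allowed" so the kernel's own
 * checks never fail, and keeps its real policy in a restrictive hook. */
#include <stdbool.h>
#define MAY_READ  4u
#define MAY_WRITE 2u
#define EACCES 13
#define EPERM   1
struct inode { unsigned mode; unsigned uid; bool immutable; };

/* Module side: capable() grants everything (hypothetical module). */
static bool mod_capable(void) { return true; }

/* Module side: restrictive hook holding the real policy (assumed): only
 * uid 1000 gets access, mode bits are ignored. */
static int mod_inode_permission(const struct inode *ino, unsigned uid, unsigned mask)
{
    (void)ino; (void)mask;
    return uid == 1000 ? 0 : -EACCES;
}

/* Kernel's mode-bit test: owner bits for the owner, "other" bits otherwise. */
static bool dac_allows(const struct inode *ino, unsigned uid, unsigned mask)
{
    unsigned bits = (uid == ino->uid) ? (ino->mode >> 6) : (ino->mode & 7);
    return (bits & mask) == mask;
}

/* Path A, what the capable()+restrictive scheme assumes: every failure the
 * kernel detects is overridable through capable(), so the hook is always
 * reached and the module's answer is final. */
int permission_hook_always_reached(const struct inode *ino, unsigned uid, unsigned mask)
{
    if ((mask & MAY_WRITE) && ino->immutable && !mod_capable())
        return -EPERM;
    if (!dac_allows(ino, uid, mask) && !mod_capable())
        return -EACCES;
    return mod_inode_permission(ino, uid, mask);
}

/* Path B, what the restrictive-hook rules permit: a detected failure returns
 * at once, with neither capable() nor the hook consulted, so the module
 * cannot grant the access no matter what its policy says. */
int permission_short_circuits(const struct inode *ino, unsigned uid, unsigned mask)
{
    if ((mask & MAY_WRITE) && ino->immutable)
        return -EPERM;                    /* hook never sees this request */
    if (!dac_allows(ino, uid, mask) && !mod_capable())
        return -EACCES;
    return mod_inode_permission(ino, uid, mask);
}
```

With a mode-0000 file, path A lets the module grant reads to uid 1000 and deny everyone else, as the scheme promises; path B returns -EPERM for a write to an immutable file before the module is ever asked.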
    
    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 15:58:34 PDT