Re: Authoritative Hooks

• Previous message: Casey Schaufler: "Re: OpenWall SECURE_LINK as a LSM"
• In reply to: Casey Schaufler: "Re: Authoritative Hooks"
• Next in thread: David Wagner: "Re: Authoritative Hooks"
• Next in thread: Crispin Cowan: "Re: Authoritative Hooks"
• Reply: David Wagner: "Re: Authoritative Hooks"
• Reply: Casey Schaufler: "Re: Authoritative Hooks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To my mind the difference between C+R and Auth is based on
the impact it has on someone who is reading the code for some
reason other than adding security features. In the Auth case,
the reader would see something like ...

	if (!(uid-checks-out-okay) && !capable(CAP_XYZ))
		err = -EACCESS;
	err = hook(x,y,z,err);

All the logic is evident.

In the C+R case the code is very similar,

	if (!(uid-checks-out-okay) && !capable(CAP_XYZ))
		err = -EACCESS;
	else
		err = hook(x,y,z);

but the differences are important. If I'm tracking down
a behavior I don't understand in a process I know has no
capabilities, and I'm not a security guy who knows about
C+R, how will I ever be expected to consider that something
might be going on in hook()? I'm not just talking about
errors in the secuirty logic, it could be a locking issue,
an SMP "behavior", or someone curious about performance.
The change to the behavior of capable() is, in my mind,
a violation of the principle of least astonishment.

That's how I see it. Maybe I'm splitting hares, but I'd
rather sacrifice rabbits than unsuspecting kernel developers.

And hey, I've been wrong before, and I may be wrong again
some day. It's conceivable I'm wrong here, but I still
think Auth makes a clearer and more forthright interface
(not to mention better for Casey's Evil Plan for World
Domination) than C+R.

BTW: Are there any cases where there's a policy check
without a capable() call? I can imagine a policy that
is not SUperuser overridden. For example, root owns all
the objects, so the check for matching uids makes a call
to capable() unnecessary in today's scheme.

Thanks for your global patience. Sorry for taking so long
to come to grips with what y'all seem to agree on.



Casey Schaufler				Manager, Trust Technology, SGI
caseyat_private				voice: 650.933.1634
casey_pat_private			Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Nick Bellinger: "OpenWall SECURE_FIFO as a LSM"
• Previous message: Casey Schaufler: "Re: OpenWall SECURE_LINK as a LSM"
• In reply to: Casey Schaufler: "Re: Authoritative Hooks"
• Next in thread: David Wagner: "Re: Authoritative Hooks"
• Next in thread: Crispin Cowan: "Re: Authoritative Hooks"
• Reply: David Wagner: "Re: Authoritative Hooks"
• Reply: Casey Schaufler: "Re: Authoritative Hooks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Nov 10 2001 - 11:03:47 PST