Re: Authoritative Hooks

From: Casey Schaufler (caseyat_private)
Date: Sat Nov 10 2001 - 11:08:50 PST

  • Next message: Nick Bellinger: "OpenWall SECURE_FIFO as a LSM"

    To my mind the difference between C+R and Auth is based on
    the impact it has on someone who is reading the code for some
    reason other than adding security features. In the Auth case,
    the reader would see something like ...
    	if (!(uid-checks-out-okay) && !capable(CAP_XYZ))
    		err = -EACCESS;
    	err = hook(x,y,z,err);
    All the logic is evident.
    In the C+R case the code is very similar,
    	if (!(uid-checks-out-okay) && !capable(CAP_XYZ))
    		err = -EACCESS;
    		err = hook(x,y,z);
    but the differences are important. If I'm tracking down
    a behavior I don't understand in a process I know has no
    capabilities, and I'm not a security guy who knows about
    C+R, how will I ever be expected to consider that something
    might be going on in hook()? I'm not just talking about
    errors in the secuirty logic, it could be a locking issue,
    an SMP "behavior", or someone curious about performance.
    The change to the behavior of capable() is, in my mind,
    a violation of the principle of least astonishment.
    That's how I see it. Maybe I'm splitting hares, but I'd
    rather sacrifice rabbits than unsuspecting kernel developers.
    And hey, I've been wrong before, and I may be wrong again
    some day. It's conceivable I'm wrong here, but I still
    think Auth makes a clearer and more forthright interface
    (not to mention better for Casey's Evil Plan for World
    Domination) than C+R.
    BTW: Are there any cases where there's a policy check
    without a capable() call? I can imagine a policy that
    is not SUperuser overridden. For example, root owns all
    the objects, so the check for matching uids makes a call
    to capable() unnecessary in today's scheme.
    Thanks for your global patience. Sorry for taking so long
    to come to grips with what y'all seem to agree on.
    Casey Schaufler				Manager, Trust Technology, SGI
    caseyat_private				voice: 650.933.1634
    casey_pat_private			Pager: 888.220.0607
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Sat Nov 10 2001 - 11:03:47 PST