On Tue, 5 Feb 2002, Antony Edwards wrote:

> I added the hook to mmap page faults to make the checks performed for file
> access via mmap consistent as for via open/read/write. I think that adding
> a hook to sys_read is giving module writers a false sense of security if
> the application can circumvent this check by mmaping the file.

The fact that the file_security_ops permission hook does not address
revalidation of permissions for memory-mapped files is noted in the hook
documentation in security.h. Hence, no one should have a false sense of
security.

> MMAP_SHARED obviously changes this -- but to me the new aspects are shared
> memory
> semantics, and the existing protection is the same as that for normal
> shared memory.

Shared mappings are the point. If you want to revoke access to an already
mapped file, then you also need to deal with any shared mappings, and
hooking filemap_nopage doesn't solve that problem.

> Agreed. But I do think that the permission hooks in sys_read/sys_write are
> useless without an equivalent hook in the page fault.

They are insufficient for fully supporting revocation. However, there are
other ways to implement revocation than revalidating access on each
read/write call or on each page fault. So perhaps you should be arguing for
the removal of the file_security_ops permission hook calls entirely.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private
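The revocation gap discussed in this message can be observed from user space. The following is an added example, not code from the thread or from the LSM patch: it uses ordinary file mode bits as a stand-in for a module's policy, and the function name and temporary file path are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 when a MAP_SHARED mapping stays readable and writable after the
 * file mode is set to 0000, 1 when it does not, -1 on a setup error.
 * *reopen_denied reports whether a fresh open() was refused after the change
 * (it is not refused for root, which bypasses mode bits). */
int mapping_survives_chmod(int *reopen_denied)
{
    char path[] = "/tmp/mmap_revoke_demoXXXXXX";  /* constructed sample file */
    const char v1[] = "secret-v1", v2[] = "secret-v2";
    char readback[sizeof v2] = {0};
    int ok = 0, fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, v1, sizeof v1) != (ssize_t)sizeof v1) { close(fd); unlink(path); return -1; }
    /* Access is checked here, at open/mmap time ... */
    char *map = mmap(NULL, sizeof v1, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (map == MAP_FAILED) { unlink(path); return -1; }
    /* ... then the policy changes: nobody may open the file any more. */
    if (chmod(path, 0) != 0) { munmap(map, sizeof v1); unlink(path); return -1; }
    fd = open(path, O_RDWR);
    *reopen_denied = (fd < 0);
    if (fd >= 0) close(fd);
    /* The existing mapping is not revalidated: read and write still work. */
    ok = memcmp(map, v1, sizeof v1) == 0;
    memcpy(map, v2, sizeof v2);
    msync(map, sizeof v2, MS_SYNC);
    munmap(map, sizeof v2);
    /* Restore access only to confirm the write reached the file itself. */
    chmod(path, 0600);
    fd = open(path, O_RDONLY);
    if (fd < 0 || read(fd, readback, sizeof readback) != (ssize_t)sizeof readback) ok = 0;
    if (fd >= 0) close(fd);
    unlink(path);
    return (ok && memcmp(readback, v2, sizeof v2) == 0) ? 0 : 1;
}

int main(void)
{
    int denied = 0, rc = mapping_survives_chmod(&denied);
    printf("reopen denied: %d, mapping survived: %s\n", denied, rc == 0 ? "yes" : "no");
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Run as an unprivileged user, the reopen is denied while the mapping keeps working, which is the case a check made only at open, read or write time does not cover.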
This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 12:34:33 PST