Re: [PATCH] permission hook in filemap_nopage

From: Crispin Cowan (crispinat_private)
Date: Tue Feb 05 2002 - 16:23:27 PST


    Antony Edwards wrote:
    
    >>>Yes you're right -- the hook would have to be in handle_pte_fault or
    >>>establish_pte.
    >>>
    >>Have you run any benchmarks with such a hook in either place?  I think
    >>the overhead involved in doing this would be very noticeable.
    >>
    >Not yet -- got sidetracked -- getting around to it now. Though, I
    >assume that having the hook in handle_pte_fault will be very (probably
    >prohibitively) expensive.
    >
    I agree with that, but now that you've done the implementation, I'm 
    eager to see the evidence either way.
    
    >If that turns out to be true I think
    >removing sys_read/sys_write hooks isn't such a bad idea -- is anyone
    >using them? And if so, how are you dealing with memory mapped files?
    >
    Yes, we are using them. Here's my post on the subject the last time this 
    came up 
    http://mail.wirex.com/pipermail/linux-security-module/2001-April/000435.html 
    
    
    We believe that mediating read/write is effective in the context of 
    sub-process confinement.  Consider:
    
        * Some parts of my process get access to stuff, while other parts do
          not.
        * I mediate open, so that only the privileged parts of my process
          can open the sensitive files.
        * I do *not* believe that I can control the spread of file
          descriptors within a process, so I need to mediate access by
          mediating read/write.
        * I can also prevent the non-privileged parts of the process from
          mmap'ing by mediating mmap.
    
    Yes, we really do do this. For all the gory details, see our SubDomain 
    paper in USENIX LISA 2000 http://immunix.org/subdomain.pdf
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
            The Olympic Games: A Century of Corruption and Graft
    	     The FIS: Crushing the soul of snowboarding
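
The sub-process confinement argument in the message above, as an added example that is not part of the original post and is not LSM or SubDomain code: a small user-space C model of which operations a leaked descriptor still permits under three hook sets (open only, open plus read/write, and all four including mmap). The domain names, hook masks and the sample path are hypothetical.

```c
/* Constructed user-space model; not LSM or SubDomain code. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum domain { DOM_PRIV, DOM_UNPRIV };            /* two parts of one process */
enum op { OP_OPEN, OP_READ, OP_WRITE, OP_MMAP };

struct file_obj { const char *path; bool sensitive; };

#define HOOK(o)        (1u << (o))
#define HOOKS_OPEN     HOOK(OP_OPEN)
#define HOOKS_OPEN_RW  (HOOKS_OPEN | HOOK(OP_READ) | HOOK(OP_WRITE))
#define HOOKS_ALL      (HOOKS_OPEN_RW | HOOK(OP_MMAP))

/* Policy: only the privileged part may touch a sensitive file. */
static bool policy_allows(enum domain d, const struct file_obj *f)
{
    return !f->sensitive || d == DOM_PRIV;
}

/* An operation without a hook is never checked, so it always succeeds. */
bool access_ok(unsigned hooks, enum domain d, enum op o, const struct file_obj *f)
{
    if (!(hooks & HOOK(o)))
        return true;
    return policy_allows(d, f);
}

/* The privileged part opens a sensitive file; the descriptor then reaches the
 * unprivileged part of the same process, which attempts operation `o` on it. */
bool leaked_fd_usable(unsigned hooks, enum op o)
{
    const struct file_obj secret = { "/constructed/secret.key", true };
    if (!access_ok(hooks, DOM_PRIV, OP_OPEN, &secret))
        return false;
    return access_ok(hooks, DOM_UNPRIV, o, &secret);
}

int main(void)
{
    static const char *names[] = { "open", "read", "write", "mmap" };
    const unsigned sets[] = { HOOKS_OPEN, HOOKS_OPEN_RW, HOOKS_ALL };
    for (int s = 0; s < 3; s++)
        for (int o = OP_READ; o <= OP_MMAP; o++)
            printf("hooks=0x%x leaked fd %s: %s\n", sets[s], names[o],
                   leaked_fd_usable(sets[s], (enum op)o) ? "allowed" : "denied");
    return 0;
}
```

The middle hook set is the case the thread is worried about: read and write are denied on the leaked descriptor, but mmap of the same file is not checked unless it has its own hook.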
    
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 16:24:48 PST