On Thursday 30 January 2003 12:55 am, Crispin Cowan wrote:
[snip]
>
> Question for Casey & other Orange Book folk: the above proposal
> *assumes* that it is C2 compliant to do checks in this order:
>
> 1. error checks (no audit records if they fail)
> 2. DAC checks (audit records)
> 3. MAC checks (audit records)
>
> Does this assumption hold?

I thought it would switch 2 and 3:

1. error checks (no audit records if they fail)
   This refers to the request error (improper buffer, request out of range, ...)
2. MAC checks (audit records)
   Because some MAC checks can immediately deny access
3. DAC checks (audit records)
   The usual stuff.

Note: there is still the problem of capabilities overriding evaluations of 2 and 3 results.

The practical choice of order would likely depend on the frequency of failure. It is faster to abort an operation as early as possible, with the cautionary note that if the MAC checks are done second, then it is possible to determine what DAC values exist on an object without violating MAC, hence providing a data leak.

--
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollardat_private

Any opinions expressed are solely my own.
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:04:51 PST
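The ordering concern raised in the message above, as an added example that is not part of the original post or of any LSM code. It is a toy model: the struct and function names, the numeric levels, and the assumption that a caller can tell which check denied it (for instance through distinct error codes) are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical toy model, not LSM code: all names here are illustrative. */
enum verdict { ALLOWED, ERR_REQUEST, DENIED_MAC, DENIED_DAC };

struct subject { int level; int uid; };
struct object  { int level; int owner; bool other_read; };

static int audit_records;   /* count of audit records written */

/* MAC: simple "no read up" on a numeric sensitivity level. */
static bool mac_ok(const struct subject *s, const struct object *o) { return s->level >= o->level; }
/* DAC: owner or world-readable bit. */
static bool dac_ok(const struct subject *s, const struct object *o) { return s->uid == o->owner || o->other_read; }

/* Step 1 is always the request sanity check; mac_first picks the order of steps 2 and 3. */
static enum verdict check_read(const struct subject *s, const struct object *o, long len, bool mac_first)
{
    if (len <= 0)
        return ERR_REQUEST;                 /* bad request: fail before any audit record */
    for (int step = 0; step < 2; step++) {
        bool mac_step = (step == 0) == mac_first;
        if (!(mac_step ? mac_ok(s, o) : dac_ok(s, o))) {
            audit_records++;                /* policy denial: audited */
            return mac_step ? DENIED_MAC : DENIED_DAC;
        }
    }
    return ALLOWED;
}

/* A low-level subject probes two high-level objects that differ only in their DAC bits.
 * If the verdicts differ, the subject has learned DAC state that MAC should have hidden. */
static bool probe_reveals_dac(bool mac_first)
{
    struct subject low = { .level = 0, .uid = 1000 };
    struct object secret_private = { .level = 2, .owner = 0, .other_read = false };
    struct object secret_world   = { .level = 2, .owner = 0, .other_read = true };
    return check_read(&low, &secret_private, 16, mac_first)
        != check_read(&low, &secret_world, 16, mac_first);
}

int main(void)
{
    printf("DAC before MAC leaks DAC state: %d\n", probe_reveals_dac(false));
    printf("MAC before DAC leaks DAC state: %d\n", probe_reveals_dac(true));
    return 0;
}
```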