Re: c2 (or c2-like) auditing for Linux

From: Stephen D. Smalley (sdsat_private)
Date: Thu Jan 30 2003 - 07:34:36 PST


    > The practical choice of order would likely depend on the frequency of failure.
    > It is faster to abort an operation as early as possible, with the cautionary
    > note that if the MAC checks are done second, then it is possible to determine
    > what DAC values exist on an object without violating MAC, and hence
    > providing a data leak.
    
    Only if a MAC failure returns a different error than the DAC failure.
    If both kinds of access denials return -EACCES (or -EPERM), then there
    is no leak.  This issue was previously discussed on the list a long time ago.
    
    If you perform your MAC check first, you'll get a lot of denials logged
    that would have been denied anyway by the DAC logic.  This is fairly
    common in a Unix environment, where programs and libraries will
    commonly probe their environment.  Consider the functions for accessing
    utmp, which _always_ try to open read-write and fall back to read-only
    if that fails, even when the application only uses functions for
    reading from utmp.
    
    
    --
    Stephen Smalley, NSA
    sdsat_private
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
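The two points in the message above (same errno closes the DAC-bits leak; MAC-first audits denials that DAC would have rejected anyway) can be shown with a small model. This is an added example, not code from the list thread or from any LSM; the subjects, labels, the toy MAC policy and the "utmp" object are all constructed, and the functions are simplified stand-ins for the kernel's permission path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of ordering DAC and MAC permission checks. Toy policy,
 * not kernel or LSM code; subjects, objects and labels are made up. */

#define MAY_WRITE 0x2
#define MAY_READ  0x4

/* Constructed labels: 0 = "user", 1 = "system", 2 = "secret". */
struct subject { unsigned uid; unsigned label; };
struct object  { unsigned owner_uid; unsigned owner_mode; unsigned other_mode; unsigned label; };

enum order { DAC_FIRST, MAC_FIRST };

/* Every MAC denial produces one audit record; counted here. */
static int audit_denials = 0;

/* DAC: owner bits if the caller owns the object, otherwise "other" bits (no groups). */
static int dac_check(const struct subject *s, const struct object *o, unsigned mask)
{
    unsigned mode = (s->uid == o->owner_uid) ? o->owner_mode : o->other_mode;
    return ((mode & mask) == mask) ? 0 : -EACCES;
}

/* Toy MAC policy: same label -> read/write; user -> system: read only; anything else: nothing. */
static unsigned mac_allowed(unsigned slabel, unsigned olabel)
{
    if (slabel == olabel) return MAY_READ | MAY_WRITE;
    if (slabel == 0 && olabel == 1) return MAY_READ;
    return 0;
}

/* mac_errno is the value returned on denial, so the leak can be shown both ways. */
static int mac_check(const struct subject *s, const struct object *o, unsigned mask, int mac_errno)
{
    if ((mac_allowed(s->label, o->label) & mask) == mask) return 0;
    audit_denials++;
    return mac_errno;
}

/* Combined check in the requested order; the first failure short-circuits. */
int permission(const struct subject *s, const struct object *o, unsigned mask,
               enum order ord, int mac_errno)
{
    int rc;
    if (ord == DAC_FIRST) {
        rc = dac_check(s, o, mask);
        return rc ? rc : mac_check(s, o, mask, mac_errno);
    }
    rc = mac_check(s, o, mask, mac_errno);
    return rc ? rc : dac_check(s, o, mask);
}

/* utmp-style probe: open read-write, fall back to read-only. Returns the number of
 * audit records the probe generated. Constructed utmp: root-owned, mode 0644, label "system". */
int probe_utmp_audit_records(enum order ord)
{
    const struct subject user = { 1000, 0 };
    const struct object utmp = { 0, MAY_READ | MAY_WRITE, MAY_READ, 1 };
    int before = audit_denials;
    if (permission(&user, &utmp, MAY_READ | MAY_WRITE, ord, -EACCES) != 0)
        (void)permission(&user, &utmp, MAY_READ, ord, -EACCES);
    return audit_denials - before;
}

/* Can a caller with no MAC access tell two objects apart by their DAC bits alone?
 * Both objects carry the "secret" label; they differ only in "other" mode bits. */
bool leaks_dac_bits(enum order ord, int mac_errno)
{
    const struct subject user = { 1000, 0 };
    const struct object closed = { 0, MAY_READ | MAY_WRITE, 0, 2 };
    const struct object open_  = { 0, MAY_READ | MAY_WRITE, MAY_READ, 2 };
    int a = permission(&user, &closed, MAY_READ, ord, mac_errno);
    int b = permission(&user, &open_,  MAY_READ, ord, mac_errno);
    return a != b;
}

int main(void)
{
    printf("audit records from utmp probe, MAC first: %d\n", probe_utmp_audit_records(MAC_FIRST));
    printf("audit records from utmp probe, DAC first: %d\n", probe_utmp_audit_records(DAC_FIRST));
    printf("DAC first, MAC returns -EPERM:  leak=%d\n", leaks_dac_bits(DAC_FIRST, -EPERM));
    printf("DAC first, MAC returns -EACCES: leak=%d\n", leaks_dac_bits(DAC_FIRST, -EACCES));
    printf("MAC first, MAC returns -EPERM:  leak=%d\n", leaks_dac_bits(MAC_FIRST, -EPERM));
    return 0;
}
```

With DAC first the read-write probe is rejected before the MAC hook runs, so the audit log stays clean, and the DAC bits of a MAC-protected object are only distinguishable when the MAC denial carries a different errno than -EACCES.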
    
    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:27:55 PST