Re: c2 (or c2-like) auditing for Linux

From: Stephen D. Smalley (sdsat_private)
Date: Thu Jan 30 2003 - 07:34:36 PST


> The practical choice of order would likely depend on the frequency of failure.
> It is faster to abort an operation as early as possible, with the cautionary
> note that if the MAC checks are done second, then it is possible to determine
> what DAC values exist on an object without violating MAC, and hence
> providing a data leak.

Only if a MAC failure returns a different error than the DAC failure.
If both kinds of access denials return -EACCES (or -EPERM), then there
is no leak.  This issue was previously discussed on the list a long time ago.

If you perform your MAC check first, you'll get a lot of denials logged
that would have been denied anyway by the DAC logic.  This is fairly
common in a Unix environment, where programs and libraries will
commonly probe their environment.  Consider the functions for accessing
utmp, which _always_ try to open read-write and fall back to read-only
if that fails, even when the application only uses functions for
reading from utmp.

Stephen Smalley, NSA
linux-security-module mailing list
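The two points above, check order and error codes, as an added illustration that is not part of the thread: a constructed toy model in C (not kernel or LSM code) with a DAC mode-bit check and a simple no-read-up/no-write-down MAC check. It shows that with DAC first and distinct errnos the error a subject gets back reveals the DAC bits of an object it may not write, that collapsing every denial to -EACCES removes that leak, and that checking MAC first logs a denial for a utmp-style read-write probe that DAC would have rejected anyway. All struct names, levels and mode bits are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model (constructed, not kernel code): objects carry DAC mode bits
 * (4 = read, 2 = write) and a MAC level; subjects carry a level. */
struct obj  { unsigned mode; int level; };
struct subj { int level; };
static int mac_denials;   /* MAC denials that would have been logged */

/* DAC: plain mode bits. */
static int dac_check(const struct obj *o, unsigned want) { return (o->mode & want) == want ? 0 : -EACCES; }

/* MAC: no read up, no write down. Each denial counts as "logged" and returns
 * an errno deliberately distinct from DAC's, so a caller can tell them apart. */
static int mac_check(const struct subj *s, const struct obj *o, unsigned want)
{
	bool ok = !(((want & 4) && o->level > s->level) ||
		    ((want & 2) && o->level < s->level));
	if (!ok) mac_denials++;
	return ok ? 0 : -EPERM;
}

/* mac_first picks the check order; unify_errno collapses all denials to -EACCES. */
int access_check(const struct subj *s, const struct obj *o, unsigned want,
		 bool mac_first, bool unify_errno)
{
	int rc = mac_first ? mac_check(s, o, want) : dac_check(o, want);
	if (rc == 0)
		rc = mac_first ? dac_check(o, want) : mac_check(s, o, want);
	return (rc && unify_errno) ? -EACCES : rc;
}

/* utmp-style probe: try read-write, fall back to read-only; returns how many
 * MAC denials the probe caused to be logged. */
int utmp_probe_mac_denials(const struct subj *s, const struct obj *o, bool mac_first)
{
	mac_denials = 0;
	if (access_check(s, o, 6, mac_first, true) != 0)
		(void)access_check(s, o, 4, mac_first, true);
	return mac_denials;
}

/* Constructed sample: subject at level 1; level-0 objects, read-only and read-write. */
const struct subj low_subj = { 1 };
const struct obj  ro_obj = { 4, 0 }, rw_obj = { 6, 0 };

int main(void)
{
	printf("DAC-first write, distinct errnos: ro=%d rw=%d; utmp probe MAC denials: DAC first=%d, MAC first=%d\n",
	       access_check(&low_subj, &ro_obj, 2, false, false),
	       access_check(&low_subj, &rw_obj, 2, false, false),
	       utmp_probe_mac_denials(&low_subj, &ro_obj, false),
	       utmp_probe_mac_denials(&low_subj, &ro_obj, true));
	return 0;
}
```

With DAC first and distinct errnos the write attempt returns -EACCES for the read-only object and -EPERM for the writable one, so the errno alone tells the subject which object it could have written; with unify_errno both come back -EACCES.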

This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:27:55 PST