> The practical choice of order would likely depend on the frequency of failure.
> It is faster to abort an operation as early as possible, with the cautionary
> note that if the MAC checks are done second, then it is possible to determine
> what the DAC values existing on an object without violating MAC, and hence
> providing a data leak.

Only if a MAC failure returns a different error than the DAC failure. If both kinds of access denials return -EACCES (or -EPERM), then there is no leak. This issue was previously discussed on the list a long time ago.

If you perform your MAC check first, you'll get a lot of denials logged that would have been denied anyway by the DAC logic. This is fairly common in a Unix environment, where programs and libraries will commonly probe their environment. Consider the functions for accessing utmp, which _always_ try to open read-write and fall back to read-only if that fails, even when the application only uses functions for reading from utmp.

--
Stephen Smalley, NSA
sdsat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
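The two points in the reply, as an added toy model (not kernel code and not from the list thread): a permission hook that runs the DAC and MAC checks in a chosen order, with either distinct or collapsed error codes, plus two probes showing when a MAC-denied caller can tell the object's DAC state apart and how many MAC denials get audited. The struct, enum and function names are assumptions for the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an object: one DAC decision and one MAC decision. */
struct object { bool dac_allows; bool mac_allows; };
enum order { DAC_FIRST, MAC_FIRST };

/* Permission check in the style of a kernel hook: 0 on success, else -errno.
 * mac_audits counts MAC denials, i.e. what would reach the audit log. */
int check_access(const struct object *o, enum order ord, bool distinct_errors,
                 int *mac_audits)
{
    const int mac_err = distinct_errors ? -EPERM : -EACCES;
    if (ord == DAC_FIRST && !o->dac_allows)
        return -EACCES;                 /* DAC denied before MAC was consulted */
    if (!o->mac_allows) {
        (*mac_audits)++;                /* MAC denial is logged */
        return mac_err;
    }
    if (!o->dac_allows)
        return -EACCES;                 /* MAC_FIRST: DAC checked second */
    return 0;
}

/* True if a caller denied by MAC can distinguish the object's DAC bit from
 * the returned error alone, i.e. DAC state leaks without passing MAC. */
bool dac_state_leaks(enum order ord, bool distinct_errors)
{
    int unused = 0;
    struct object a = { .dac_allows = true,  .mac_allows = false };
    struct object b = { .dac_allows = false, .mac_allows = false };
    return check_access(&a, ord, distinct_errors, &unused)
        != check_access(&b, ord, distinct_errors, &unused);
}

/* MAC denials audited when every DAC/MAC combination is probed once. */
int mac_audits_for_all_objects(enum order ord)
{
    int audits = 0;
    for (int d = 0; d < 2; d++)
        for (int m = 0; m < 2; m++) {
            struct object o = { .dac_allows = d, .mac_allows = m };
            check_access(&o, ord, true, &audits);
        }
    return audits;
}

int main(void)
{
    printf("DAC first, distinct errors: leak=%d audits=%d\n",
           dac_state_leaks(DAC_FIRST, true), mac_audits_for_all_objects(DAC_FIRST));
    printf("MAC first, distinct errors: leak=%d audits=%d\n",
           dac_state_leaks(MAC_FIRST, true), mac_audits_for_all_objects(MAC_FIRST));
    return 0;
}
```

Only the DAC-first order with distinguishable error codes leaks the DAC bit; collapsing both denials to one errno removes the leak in either order, while MAC-first doubles the audited denials over the same probes.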
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:27:55 PST