Re: c2 (or c2-like) auditing for Linux

From: Jesse Pollard (pollardat_private)
Date: Thu Jan 30 2003 - 09:46:22 PST

  • Next message: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"

    On Thursday 30 January 2003 09:15 am, Russell Coker wrote:
    > On Thu, 30 Jan 2003 16:02, Jesse Pollard wrote:
    > > cautionary note that if the MAC checks are done second, then it is
    > > possible to determine what the DAC values existing on an object without
    > > violating MAC, and hence providing a data leak.
    > What exactly do you mean by this?
    I'm looking at it as being able to to a DAC access check - look at permissions
    for access to a file/directory; if the MAC will deny access, but the DAC grant
    it then the DAC test would succeed (or fail for that matter), returning the 
    value used for evaluation. (short circuit evaluation - quit evaluating on 
    first denial)
    Now if (as pointed out in  Stephens' followup) the MAC returns the
    same error as DAC, then there is no leak. But a protect check (as in stat)
    could return the DAC without examining the MAC unless both MAC and
    DAC are always evaluated. This would make access to the inode be treated the 
    same as access to the data. Some systems do this, some do not.
    Jesse I Pollard, II
    Email: pollardat_private
    Any opinions expressed are solely my own.
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:48:18 PST