On Thursday 30 January 2003 09:15 am, Russell Coker wrote:
> On Thu, 30 Jan 2003 16:02, Jesse Pollard wrote:
> > cautionary note that if the MAC checks are done second, then it is
> > possible to determine what the DAC values existing on an object without
> > violating MAC, and hence providing a data leak.
>
> What exactly do you mean by this?

I'm looking at it as being able to do a DAC access check - look at permissions for access to a file/directory; if the MAC will deny access, but the DAC grants it, then the DAC test would succeed (or fail for that matter), returning the value used for evaluation. (short circuit evaluation - quit evaluating on first denial)

Now if (as pointed out in Stephens' followup) the MAC returns the same error as DAC, then there is no leak. But a protect check (as in stat) could return the DAC without examining the MAC unless both MAC and DAC are always evaluated.

This would make access to the inode be treated the same as access to the data. Some systems do this, some do not.

--
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollardat_private

Any opinions expressed are solely my own.
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:48:18 PST
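
The check ordering discussed in the message above, as an added example that is not part of the original post or of any LSM code: a toy model comparing a DAC-first, short-circuit check that returns a distinct error per policy with a check that always evaluates both and returns one error. All struct, function and field names, the clearance/label comparison and the sample objects are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model; every name here is an assumption made for illustration. */
struct object  { unsigned mode; int label; };   /* DAC bits (r=4,w=2,x=1), MAC label */
struct subject { int clearance; };              /* MAC clearance */
typedef int (*check_fn)(const struct subject *, const struct object *, unsigned);

static bool dac_ok(const struct object *o, unsigned want) { return (o->mode & want) == want; }
static bool mac_ok(const struct subject *s, const struct object *o) { return s->clearance >= o->label; }

/* DAC first, stop at the first denial, and a distinct error per policy. */
int check_short_circuit(const struct subject *s, const struct object *o, unsigned want)
{
    if (!dac_ok(o, want)) return -EACCES;
    if (!mac_ok(s, o))    return -EPERM;
    return 0;
}

/* Both policies always evaluated; one error code whichever denied. */
int check_uniform(const struct subject *s, const struct object *o, unsigned want)
{
    bool dac = dac_ok(o, want);
    bool mac = mac_ok(s, o);
    return (dac && mac) ? 0 : -EACCES;
}

/* DAC bits a caller can tell apart from the return codes alone. */
unsigned observable_dac_bits(check_fn check, const struct subject *s, const struct object *o)
{
    unsigned seen = 0;
    for (unsigned bit = 1; bit <= 4; bit <<= 1)
        if (check(s, o, bit) != -EACCES)
            seen |= bit;
    return seen;
}

int main(void)
{
    struct subject low = { .clearance = 0 };             /* constructed sample data */
    struct object secret = { .mode = 05, .label = 2 };   /* MAC denies `low` */
    printf("short-circuit: %o\n", observable_dac_bits(check_short_circuit, &low, &secret));
    printf("uniform:       %o\n", observable_dac_bits(check_uniform, &low, &secret));
    return 0;
}
```

In the short-circuit variant the MAC-denied subject recovers the full mode from the error codes; in the uniform variant every probe looks the same, so nothing about the DAC bits is observable.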