"Stephen D. Smalley" wrote:
>
> Casey wrote:
> > LSM is a Good Thing (tm) because it is explicitly present, and
> > everyone has to deal with that, and not screw it up.
>
> You might have missed it, but LSM is now a configuration option, turned
> off by default. Kernel developers are quite free to ignore it,
> although that is obviously not what we would prefer.

Well, it's getting closer at any rate.

> ... Also, note that
> some error checks that precede permission checks can convey information
> about the file and do return other error codes (e.g. ENOTDIR, EISDIR,
> ENOTEMPTY). Hence, your above statement about error checking always
> occurring first isn't consistent with your stated goal for MAC.

In order to get any of those messages you will have had to access the
object to determine that it's a directory. The access check will have
been done (it had better!) before you go looking around in the object.

> Unclassified process trying to read top secret data is certainly more
> interesting than Steve trying to read Casey's data (well, maybe Casey's
> data is more interesting...). But there is also plenty of noise
> generated by harmless probing/access testing that occurs as part of
> normal operation of existing applications. /etc/shadow is the worst.
> In any event, if the DAC logic is moved into the security module, this
> all becomes a module issue and preferably a policy configuration issue.
> You can then combine your DAC and MAC access control logic and auditing
> however you wish.

Which is exactly why we wanted authoritative modules from the beginning.

--
Casey Schaufler
Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 877.557.3184

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
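The ordering question argued in the exchange above, as an added illustration that is not kernel code and not code from either poster: a constructed in-memory namespace where each object has a type and a MAC level, with one open routine that returns EISDIR before the MAC check (the ordering Stephen points to) and one that performs the MAC check before looking at the object (Casey's position). The object names, the levels and the mac_read_ok rule are all assumptions made for the model.

```c
#include <errno.h>
#include <string.h>

/* Constructed model: every object has a type and a MAC sensitivity level. */
enum { T_FILE, T_DIR };
enum { L_UNCLASS = 0, L_SECRET = 1, L_TOPSECRET = 2 };

struct object { const char *name; int type; int level; };

/* Constructed sample namespace (names and levels are assumptions). */
static const struct object ns[] = {
    { "/etc/shadow", T_FILE, L_SECRET },
    { "/srv/plans",  T_DIR,  L_TOPSECRET },
    { "/tmp/notes",  T_FILE, L_UNCLASS },
};

static const struct object *lookup(const char *name) {
    for (size_t i = 0; i < sizeof ns / sizeof ns[0]; i++)
        if (strcmp(ns[i].name, name) == 0) return &ns[i];
    return NULL;
}

/* Assumed MAC rule: a subject may read objects at or below its own level. */
static int mac_read_ok(int subj_level, const struct object *o) {
    return subj_level >= o->level;
}

/* Variant 1: the type check runs before the permission check. An unclassified
 * caller probing a top-secret directory gets EISDIR, so the denial itself
 * reveals that the object is a directory. */
int open_type_check_first(int subj_level, const char *name) {
    const struct object *o = lookup(name);
    if (!o) return -ENOENT;
    if (o->type == T_DIR) return -EISDIR;             /* leaks object type */
    if (!mac_read_ok(subj_level, o)) return -EACCES;
    return 0;
}

/* Variant 2: the access check runs before anything is learned about the
 * object, so a denied caller sees only EACCES. (Existence is still revealed
 * by ENOENT vs. EACCES; hiding that would need a further policy decision.) */
int open_mac_check_first(int subj_level, const char *name) {
    const struct object *o = lookup(name);
    if (!o) return -ENOENT;
    if (!mac_read_ok(subj_level, o)) return -EACCES;  /* decided first */
    if (o->type == T_DIR) return -EISDIR;
    return 0;
}
```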
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 11:27:20 PST