Re: c2 (or c2-like) auditing for Linux

From: Casey Schaufler (caseyat_private)
Date: Thu Jan 30 2003 - 16:10:15 PST

  • Next message: James Morris: "Re: [PATCH] LSM networking: tcp hooks for 2.5.59 (8/8)"

    "Stephen D. Smalley" wrote:
    > 
    > > In order to get any of those messages you will have had to access
    > > the object to determine that it's a directory. The access check
    > > will have been done (it had better!) before you go looking around
    > > in the object.
    > 
    > Sorry, no.  Type checking often occurs before any kind of permission
    > check to the object, whether we are talking about DAC or the LSM hook call.
    
    And in a DAC only world that's understandable because you're
    allowed to look at the attributes even if the file mode is 000.
    In a MAC world, however, you won't be permitted to look at
    the attributes that tell you its a directory if you're not
    cleared to read the file. This is the way that all LSPP systems
    work today.
    
    From the model standpoint there are two policies involved
    when dealing with a file. The LSPP DAC policy regarding
    access to the file's attributes is to allow access
    and for MAC to allow access only to processes with
    dominating labels. For data the DAC policy depends on
    the mode bits and the MAC policy is the same as for
    attributes. This reflects read access, write access
    is more restrictive.
    
    Thus, in a system with MAC the user must never be told
    the type of a file (e.g. no EISDIR) she does not dominate,
    as that's an implicit read of the attributes. The obvious
    way to avoid such a problem is to do the MAC check first.
    This makes everybody happy. Sure, you could do the type
    check and then do a MAC check to see if you should obscure
    the error return (ESECPROBLEM - First battle I ever won
    with Olin Sibert) but Golly Gumpers, that's a lot a work
    to go through to avoid doing the right thing from the get go.
    
    -- 
    
    Casey Schaufler				Manager, Trust Technology, SGI
    caseyat_private				voice: 650.933.1634
    casey_pat_private			Pager: 877.557.3184
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 16:11:24 PST