"Stephen D. Smalley" wrote:
>
> > In order to get any of those messages you will have had to access
> > the object to determine that it's a directory. The access check
> > will have been done (it had better!) before you go looking around
> > in the object.
>
> Sorry, no. Type checking often occurs before any kind of permission
> check to the object, whether we are talking about DAC or the LSM hook call.

And in a DAC only world that's understandable because you're allowed to look at the attributes even if the file mode is 000. In a MAC world, however, you won't be permitted to look at the attributes that tell you it's a directory if you're not cleared to read the file. This is the way that all LSPP systems work today.

From the model standpoint there are two policies involved when dealing with a file. The LSPP DAC policy regarding access to the file's attributes is to allow access, and for MAC to allow access only to processes with dominating labels. For data the DAC policy depends on the mode bits and the MAC policy is the same as for attributes. This reflects read access; write access is more restrictive.

Thus, in a system with MAC the user must never be told the type of a file (e.g. no EISDIR) she does not dominate, as that's an implicit read of the attributes. The obvious way to avoid such a problem is to do the MAC check first. This makes everybody happy. Sure, you could do the type check and then do a MAC check to see if you should obscure the error return (ESECPROBLEM - first battle I ever won with Olin Sibert) but Golly Gumpers, that's a lot of work to go through to avoid doing the right thing from the get go.

--
Casey Schaufler
Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 877.557.3184

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
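The ordering argument above (do the MAC dominance check before any type check, so that an uncleared subject never learns whether an object is a directory from an EISDIR) can be shown in a few lines of user-space C. This is an added illustration, not code from the message, from SGI's LSPP work, or from the LSM tree: the `label`, `inode`, `task` structures, the dominance rule (level comparison plus category subset, in the Bell-LaPadula style) and the two `open_write_*` orderings are all constructed here for the example, and DAC mode bits are left out so that only the MAC point is in view.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy label: a sensitivity level plus a category bitmask. */
struct label { int level; uint32_t cats; };

enum ftype { FT_REG, FT_DIR };

struct inode { enum ftype type; struct label lbl; };   /* the object  */
struct task  { struct label lbl; };                    /* the subject */

/* Subject dominates object when its level is at least the object's and
 * it holds every category the object carries (simple-security rule). */
static bool dominates(const struct label *subj, const struct label *obj)
{
    return subj->level >= obj->level && (obj->cats & ~subj->cats) == 0;
}

/* MAC read check on the object: -EACCES unless the subject dominates it. */
static int mac_read_check(const struct task *t, const struct inode *i)
{
    return dominates(&t->lbl, &i->lbl) ? 0 : -EACCES;
}

/* Type check for an open-for-write: directories cannot be opened that way. */
static int type_check_write(const struct inode *i)
{
    return i->type == FT_DIR ? -EISDIR : 0;
}

/* The ordering the message objects to: type check first, MAC second.
 * An uncleared subject gets EISDIR for directories and EACCES for files,
 * which is an implicit read of the object's attributes. */
int open_write_type_first(const struct task *t, const struct inode *i)
{
    int rc = type_check_write(i);
    if (rc)
        return rc;
    return mac_read_check(t, i);
}

/* The ordering the message recommends: MAC first, then the type check.
 * An uncleared subject gets EACCES no matter what the object is. */
int open_write_mac_first(const struct task *t, const struct inode *i)
{
    int rc = mac_read_check(t, i);
    if (rc)
        return rc;
    return type_check_write(i);
}

/* Run one attempt through the chosen ordering.  The object is constructed
 * at level 3 / category 1; `cleared` selects a subject that dominates it
 * (level 3 / category 1) or one that does not (level 1, no categories). */
int attempt(bool mac_first, bool is_dir, bool cleared)
{
    struct inode obj = { is_dir ? FT_DIR : FT_REG, { 3, 0x1 } };
    struct task subj;

    subj.lbl.level = cleared ? 3 : 1;
    subj.lbl.cats  = cleared ? 0x1 : 0;
    return mac_first ? open_write_mac_first(&subj, &obj)
                     : open_write_type_first(&subj, &obj);
}

/* True when an uncleared subject can tell a directory from a regular file
 * by comparing the two error returns, i.e. the ordering leaks the type. */
bool ordering_leaks_type(bool mac_first)
{
    return attempt(mac_first, true, false) != attempt(mac_first, false, false);
}

int main(void)
{
    printf("type-first, uncleared: dir=%d reg=%d leaks=%d\n",
           attempt(false, true, false), attempt(false, false, false),
           ordering_leaks_type(false));
    printf("mac-first,  uncleared: dir=%d reg=%d leaks=%d\n",
           attempt(true, true, false), attempt(true, false, false),
           ordering_leaks_type(true));
    printf("mac-first,  cleared:   dir=%d reg=%d\n",
           attempt(true, true, true), attempt(true, false, true));
    return 0;
}
```

Run as is, the first line shows the distinguishable `-21`/`-13` pair (EISDIR versus EACCES) that the type-first ordering hands to a subject who is not cleared for the object; the second shows the MAC-first ordering returning EACCES for both, so the error carries no attribute information, while a cleared subject still receives the ordinary EISDIR in the third line.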
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 16:11:24 PST