Re: c2 (or c2-like) auditing for Linux

From: Chris Wright (chrisat_private)
Date: Fri Jan 31 2003 - 11:47:12 PST


    Russell Coker (russellat_private) wrote:
    > On Fri, 31 Jan 2003 01:10, Casey Schaufler wrote:
    > > And in a DAC only world that's understandable because you're
    > > allowed to look at the attributes even if the file mode is 000.
    > > In a MAC world, however, you won't be permitted to look at
    > > the attributes that tell you it's a directory if you're not
    > > cleared to read the file. This is the way that all LSPP systems
    > > work today.
    > 
    > With the way that SE Linux works you can't stop readdir() from showing the 
    > name of a file or directory if the parent directory is readable.  Does this 
    > come from SE Linux or LSM?
    
    LSM only checks on read for a dir during readdir/getdents.  Of course,
    if you later try and open, stat, or otherwise use the name to access the
    inode, you will have to pass more checks.
    
    > Isn't the name of a directory entry more important than the type of object it 
    > is?
    
    Could be, just depends.  If the name is well-known, probing
    techniques that let you know can be problematic.  But if it's called
    joes_pink_slip.txt, just knowing the filename could be an information
    leak ;-)  LSM does not try to close covert channels.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    
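The split Chris describes (readdir() only needs read on the parent directory; stat() and open() are checked again once the name is used) can be observed on a plain DAC system with the following C program, an added example that is not from this thread or the LSM project. It builds a constructed fixture under /tmp (the entry names joes_pink_slip.txt, taken from Chris's message, and secret_dir, made up here) and records what readdir(), stat() and open() return for each entry: run as an unprivileged user, the name and the "is a directory" attribute are visible even for mode 000 while open() fails with EACCES, which is the attribute exposure Casey says LSPP systems close.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Results for one entry: seen by readdir(), stat() succeeded, attributes say
 * directory, open(O_RDONLY) succeeded, errno from a failed open() (else 0). */
struct probe { int listed, stat_ok, is_dir, open_ok, open_errno; };
/* Constructed fixture: a readable directory holding a mode-000 file
 * and a mode-000 subdirectory. Returns 0 on success. */
int make_fixture(char *dir, size_t len) {
    char path[512];
    snprintf(dir, len, "/tmp/readdir_demo_%ld", (long)getpid());
    if (mkdir(dir, 0755) != 0) return -1;
    snprintf(path, sizeof path, "%s/joes_pink_slip.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0000);
    if (fd < 0) return -1;
    close(fd);
    snprintf(path, sizeof path, "%s/secret_dir", dir);
    return mkdir(path, 0000);
}

/* readdir() needs only read on the parent; stat() needs only search on
 * the parent (DAC); open() is checked against the entry's own mode bits. */
struct probe probe_entry(const char *dir, const char *name) {
    struct probe p = {0, 0, 0, 0, 0};
    char path[512];
    struct stat st;
    struct dirent *e;
    DIR *d = opendir(dir);
    if (!d) return p;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, name) == 0) p.listed = 1;
    closedir(d);
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (stat(path, &st) == 0) { p.stat_ok = 1; p.is_dir = S_ISDIR(st.st_mode); }
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { p.open_ok = 1; close(fd); } else p.open_errno = errno;
    return p;
}

/* Remove the fixture; the owner needs only write+search on the parent. */
void remove_fixture(const char *dir) {
    char path[512];
    snprintf(path, sizeof path, "%s/joes_pink_slip.txt", dir); unlink(path);
    snprintf(path, sizeof path, "%s/secret_dir", dir); rmdir(path);
    rmdir(dir);
}
```

Running as root short-circuits the open() step (CAP_DAC_OVERRIDE ignores mode bits), so the unprivileged run is the one that shows the asymmetry.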
    This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 11:49:40 PST