Re: stacking get/setprocattr support patches

From: Stephen Smalley (sds@private)
Date: Tue May 31 2005 - 12:07:31 PDT


On Tue, 2005-05-31 at 12:56 -0500, serue@private wrote:
> Attached are two patches to make procattr shareable by >1
> LSM.  The first patch applies on top of the current set of
> stacker patches from sf.net/projects/lsm-stacker, and
> modifies stacker.c.  The second patch is to the sf.net
> libselinux sources.
> 
> Since I took Mimi's idea of switching from
> 	selinux: user:role:type
> to
> 	user:role:type (selinux)
> 
> for both get and setprocattr, no patch is needed for
> ps so long as it's ok to output the data from only the
> first LSM to output data.

Clever.  

> These patches have been tested
> 
> 	with stacker and an unpatched libselinux
> 	with stacker and a patched libselinux
> 	without stacker and a patched libselinux
> 
> and all worked as expected.
> 
> Any comments are much appreciated.

I think preserving -EACCES and -EPERM on getprocattr from the modules is
important.  More generally, if any of them return anything other than -
EINVAL, you should likely return immediately with the returned error, so
that e.g. if SELinux denies access, then no other module will end up
returning its attribute value.  Otherwise, you have an information flow
in violation of the MAC policy.

Doesn't look like you break out of your loop when the value buffer is
completely depleted by a module, although I suppose subsequent modules
would see a zero length and immediately return.  o_len unused?

-- 
Stephen Smalley
National Security Agency



This archive was generated by hypermail 2.1.3 : Tue May 31 2005 - 12:17:13 PDT