Re: [PATCH 3/7] SLIM main patch

On Thu, 2006-08-24 at 14:16 -0500, Serge E Hallyn wrote:
> Quoting David Safford ([email protected]):
> > On Thu, 2006-08-24 at 18:05 +0100, Alan Cox wrote:
> > > It is a matter of the timing and the device. You need to do revocation
> > > at the device level because your security state change must occur after
> > > the devices have all been dealt with. This is why I said you need the
> > > core of revoke() to do this.
> > 
> > In a typical system, most applications are started at the correct level,
> > and we don't have to demote/promote them. In those cases where demotion
> > or promotion are needed, only a small number actually already have
> > access that needs to be revoked. Of those, most involve shmem, which
> > I believe we are revoking safely, as we don't have the same problems
> > with drivers and incomplete I/O. In the remaining cases, where we really
> > can't revoke safely, we could simply not allow the requested access, and
> > not demote/promote the process.
> > 
> > I think this would give us a useful balance of allowing "safe" demotion
> > or promotions, while not requiring general revocation. Does this sound
> > like a reasonable approach?
> 
> It sounds like you're saying "This should not be a problem unless the
> system is being abused/exploited so let's not worry about it."
> 
> Assuming that wasn't your intent :), could you please rephrase?

Sorry about that - my explanation was unclear.

What I was trying to say was that I agreed that revocation was not 
safe, and that we should block any access request that would cause
demotion/promotion if it would also cause revocation. This would
close the revocation hole for malicious code/data.

We could still safely demote/promote processes in the other cases
which would not trigger revocation, and the security model would
be not only safer from the removal of revocation, but would still be
useful, as in practice we found that many/most demotions/promotions do
not have anything to revoke.

dave






-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • [PATCH 3/7] SLIM main patch
    • From: Kylene Jo Hall <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: Benjamin LaHaise <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: Kylene Jo Hall <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: Alan Cox <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: "Serge E. Hallyn" <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: Alan Cox <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: "Serge E. Hallyn" <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: Alan Cox <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: David Safford <[email protected]>
  • Re: [PATCH 3/7] SLIM main patch
    • From: "Serge E. Hallyn" <[email protected]>

• Prev by Date: fs cache patch breaks sparc build in 2.6.18-rc4-mm2
• Next by Date: 2.6.18-rc4 panic in fs/buffer.c: 2791
• Previous by thread: Re: [PATCH 3/7] SLIM main patch
• Next by thread: Re: [PATCH 3/7] SLIM main patch
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]