Re: [PATCH 3/7] SLIM main patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2006-08-24 at 14:16 -0500, Serge E Hallyn wrote:
> Quoting David Safford ([email protected]):
> > On Thu, 2006-08-24 at 18:05 +0100, Alan Cox wrote:
> > > It is a matter of the timing and the device. You need to do revocation
> > > at the device level because your security state change must occur after
> > > the devices have all been dealt with. This is why I said you need the
> > > core of revoke() to do this.
> > 
> > In a typical system, most applications are started at the correct level,
> > and we don't have to demote/promote them. In those cases where demotion
> > or promotion are needed, only a small number actually already have
> > access that needs to be revoked. Of those, most involve shmem, which
> > I believe we are revoking safely, as we don't have the same problems
> > with drivers and incomplete I/O. In the remaining cases, where we really
> > can't revoke safely, we could simply not allow the requested access, and
> > not demote/promote the process.
> > 
> > I think this would give us a useful balance of allowing "safe" demotion
> > or promotions, while not requiring general revocation. Does this sound
> > like a reasonable approach?
> 
> It sounds like you're saying "This should not be a problem unless the
> system is being abused/exploited so let's not worry about it."
> 
> Assuming that wasn't your intent :), could you please rephrase?

Sorry about that - my explanation was unclear.

What I was trying to say was that I agreed that revocation was not 
safe, and that we should block any access request that would cause
demotion/promotion if it would also cause revocation. This would
close the revocation hole for malicious code/data.

We could still safely demote/promote processes in the other cases
which would not trigger revocation, and the security model would
be not only safer from the removal of revocation, but would still be
useful, as in practice we found that many/most demotions/promotions do
not have anything to revoke.

dave






-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux