Re: [PATCH 3/7] SLIM main patch

From: David Safford
Date: Thu Aug 24 2006 - 16:18:46 EST

Next message: Badari Pulavarty: "2.6.18-rc4 panic in fs/buffer.c: 2791"
Previous message: Paul Jackson: "fs cache patch breaks sparc build in 2.6.18-rc4-mm2"
In reply to: Serge E. Hallyn: "Re: [PATCH 3/7] SLIM main patch"
Next in thread: Mimi Zohar: "Re: [PATCH 3/7] SLIM main patch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2006-08-24 at 14:16 -0500, Serge E Hallyn wrote:
> Quoting David Safford (safford@xxxxxxxxxxxxxx):
> > On Thu, 2006-08-24 at 18:05 +0100, Alan Cox wrote:
> > > It is a matter of the timing and the device. You need to do revocation
> > > at the device level because your security state change must occur after
> > > the devices have all been dealt with. This is why I said you need the
> > > core of revoke() to do this.
> >
> > In a typical system, most applications are started at the correct level,
> > and we don't have to demote/promote them. In those cases where demotion
> > or promotion are needed, only a small number actually already have
> > access that needs to be revoked. Of those, most involve shmem, which
> > I believe we are revoking safely, as we don't have the same problems
> > with drivers and incomplete I/O. In the remaining cases, where we really
> > can't revoke safely, we could simply not allow the requested access, and
> > not demote/promote the process.
> >
> > I think this would give us a useful balance of allowing "safe" demotion
> > or promotions, while not requiring general revocation. Does this sound
> > like a reasonable approach?
>
> It sounds like you're saying "This should not be a problem unless the
> system is being abused/exploited so let's not worry about it."
>
> Assuming that wasn't your intent :), could you please rephrase?

Sorry about that - my explanation was unclear.

What I was trying to say was that I agreed that revocation was not
safe, and that we should block any access request that would cause
demotion/promotion if it would also cause revocation. This would
close the revocation hole for malicious code/data.

We could still safely demote/promote processes in the other cases
which would not trigger revocation, and the security model would
be not only safer from the removal of revocation, but would still be
useful, as in practice we found that many/most demotions/promotions do
not have anything to revoke.

dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Badari Pulavarty: "2.6.18-rc4 panic in fs/buffer.c: 2791"
Previous message: Paul Jackson: "fs cache patch breaks sparc build in 2.6.18-rc4-mm2"
In reply to: Serge E. Hallyn: "Re: [PATCH 3/7] SLIM main patch"
Next in thread: Mimi Zohar: "Re: [PATCH 3/7] SLIM main patch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]