Re: [PATCH 3/7] SLIM main patch

From: Stephen Smalley
Date: Fri Oct 20 2006 - 13:59:07 EST


On Thu, 2006-10-19 at 13:48 -0700, Kylene Jo Hall wrote:
> --- linux-2.6.19-rc2/security/slim/slm_main.c 2006-10-19 12:05:58.000000000 -0700
> +++ linux-2.6.19-rc2/security/slim/slm_main.c 2006-10-19 12:11:37.000000000 -0700
> @@ -1130,6 +1103,34 @@ static int slm_socket_post_create(struct
> return 0;
> }
>
> +static int slm_file_receive(struct file *file)
> +{
> + struct slm_isec_data *isec = file->f_dentry->d_inode->i_security;
> + struct slm_tsec_data *tsec = current->security;
> + struct slm_file_xattr level;
> + int rc = 0;
> +
> + spin_lock(&isec->lock);
> + memcpy(&level, &isec->level, sizeof(struct slm_file_xattr));
> + spin_unlock(&isec->lock);
> +
> + spin_lock(&tsec->lock);
> + if (file->f_mode & FMODE_READ) { /* IRAC(process) <= IAC(object) */
> + if (!is_iac_less_than_or_exempt(&level, tsec->iac_r))
> + rc = -EPERM;
> + }
> + if (file->f_mode & FMODE_WRITE) { /* IWXAC(process) >= IAC(object) */
> + if (!is_iac_greater_than_or_exempt(&level, tsec->iac_wx))
> + rc = -EPERM;
> + }
> + if (file->f_mode & FMODE_EXEC) { /* IWXAC(process) <= IAC(object) */
> + if (!is_iac_less_than_or_exempt(&level, tsec->iac_wx))
> + rc = -EPERM;
> + }
> + spin_unlock(&tsec->lock);
> + return rc;
> +}

Also, given your security model, why do you always have this hook deny
access rather than attempting to demote the task?

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/