Re: [PATCH 3/7] SLIM main patch

[Kylene Jo Hall <kjhall@us.ibm.com>]

On Wed, 2006-08-23 at 15:27 -0400, Benjamin LaHaise wrote:
> On Wed, Aug 23, 2006 at 12:05:37PM -0700, Kylene Jo Hall wrote:
> > +/* 
> > + * Called with current->files->file_lock. There is not a great lock to grab
> > + * for demotion of this type.  The only place f_mode is changed after install
> > + * is in mark_files_ro in the filesystem code.  That function is also changing
> > + * taking away write rights so even if we race the outcome is the same.
> > + */
> > +static inline void do_revoke_file_wperm(struct file *file,
> > +					struct slm_file_xattr *cur_level)
> > +{
> > +	struct inode *inode;
> > +	struct slm_isec_data *isec;
> > +
> > +	inode = file->f_dentry->d_inode;
> > +	if (!S_ISREG(inode->i_mode) || !(file->f_mode && FMODE_WRITE))
> > +		return;
> > +
> > +	isec = inode->i_security;
> > +	spin_lock(&isec->lock);
> > +	if (is_lower_integrity(cur_level, &isec->level))
> > +		file->f_mode &= ~FMODE_WRITE;
> > +	spin_unlock(&isec->lock);
> > +}
> 
> This function does not do what you claim or hope it is supposed to do.  
> Looking at the races (you do nothing to shoot down writes that are in 
> progress) present, this does not instill confidence in the rest of the 
> code (as always seems to be the case with new security frameworks or 
> patches).  Cheers,
> 
This function is called in the process of authorizing the current
process to do something which would remove its right to write to the
given file. So it hasn't done anything at the lower integrity level yet
and therefore if a write gets through it can't possibly be of low
integrity data.

Example: The current process is running at the USER level and writing to
a USER file in /home/user/.  The process then attempts to read an
UNTRUSTED file.  The current process will become UNTRUSTED and the read
allowed to proceed but first write access to all USER files is revoked
including the ones it has open.

Thanks,
Kylie 

> 		-ben