From: David Safford <safford@watson.ibm.com>
To: Serge E Hallyn <sergeh@us.ibm.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
kjhall@us.ibm.com, Benjamin LaHaise <bcrl@kvack.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
LSM ML <linux-security-module@vger.kernel.org>,
David Safford <safford@us.ibm.com>, Mimi Zohar <zohar@us.ibm.com>
Subject: Re: [PATCH 3/7] SLIM main patch
Date: Thu, 24 Aug 2006 16:21:14 -0400 [thread overview]
Message-ID: <1156450874.2476.75.camel@localhost.localdomain> (raw)
In-Reply-To: <20060824191611.GB1625@sergelap.austin.ibm.com>
On Thu, 2006-08-24 at 14:16 -0500, Serge E Hallyn wrote:
> Quoting David Safford (safford@watson.ibm.com):
> > On Thu, 2006-08-24 at 18:05 +0100, Alan Cox wrote:
> > > It is a matter of the timing and the device. You need to do revocation
> > > at the device level because your security state change must occur after
> > > the devices have all been dealt with. This is why I said you need the
> > > core of revoke() to do this.
> >
> > In a typical system, most applications are started at the correct level,
> > and we don't have to demote/promote them. In those cases where demotion
> > or promotion are needed, only a small number actually already have
> > access that needs to be revoked. Of those, most involve shmem, which
> > I believe we are revoking safely, as we don't have the same problems
> > with drivers and incomplete I/O. In the remaining cases, where we really
> > can't revoke safely, we could simply not allow the requested access, and
> > not demote/promote the process.
> >
> > I think this would give us a useful balance of allowing "safe" demotion
> > or promotions, while not requiring general revocation. Does this sound
> > like a reasonable approach?
>
> It sounds like you're saying "This should not be a problem unless the
> system is being abused/exploited so let's not worry about it."
>
> Assuming that wasn't your intent :), could you please rephrase?
Sorry about that - my explanation was unclear.
What I was trying to say was that I agreed that revocation was not
safe, and that we should block any access request that would cause
demotion/promotion if it would also cause revocation. This would
close the revocation hole for malicious code/data.
We could still safely demote/promote processes in the other cases
which would not trigger revocation, and the security model would
be not only safer from the removal of revocation, but would still be
useful, as in practice we found that many/most demotions/promotions do
not have anything to revoke.
dave
next prev parent reply other threads:[~2006-08-24 20:21 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-23 19:05 [PATCH 3/7] SLIM main patch Kylene Jo Hall
2006-08-23 19:27 ` Benjamin LaHaise
2006-08-23 20:35 ` Kylene Jo Hall
2006-08-23 20:41 ` Benjamin LaHaise
2006-08-23 22:20 ` Kylene Jo Hall
2006-08-24 8:31 ` Arjan van de Ven
2006-08-24 11:26 ` Alan Cox
2006-08-24 13:32 ` Serge E. Hallyn
2006-08-24 13:37 ` Benjamin LaHaise
2006-08-24 13:58 ` Serge E. Hallyn
2006-08-24 14:00 ` Benjamin LaHaise
2006-08-24 14:16 ` Serge E. Hallyn
2006-08-24 14:15 ` Alan Cox
2006-08-24 15:23 ` Serge E. Hallyn
2006-08-24 17:05 ` Alan Cox
2006-08-24 17:34 ` David Safford
2006-08-24 19:16 ` Serge E. Hallyn
2006-08-24 20:21 ` David Safford [this message]
2006-08-24 20:41 ` Mimi Zohar
2006-08-24 22:13 ` Alan Cox
-- strict thread matches above, loose matches on Subject: below --
2006-09-12 17:57 Kylene Jo Hall
2006-09-14 23:52 ` Andrew Morton
2006-09-15 16:57 ` Kylene Jo Hall
2006-09-26 18:44 ` Stephen Smalley
2006-10-19 20:48 ` Kylene Jo Hall
2006-10-20 15:32 ` Stephen Smalley
2006-10-20 17:58 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1156450874.2476.75.camel@localhost.localdomain \
--to=safford@watson.ibm.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bcrl@kvack.org \
--cc=kjhall@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=safford@us.ibm.com \
--cc=sergeh@us.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox