On Tue, 2007-07-17 at 15:28 -0400, Stephen Smalley wrote: > On Mon, 2007-07-16 at 21:18 -0700, Casey Schaufler wrote: > > Thank you for the valuable comments. I have incorporated a good number > > in the updated patch: > > > > http://www.schaufler-ca.com/data/smack-0716A-patch.tar > > - Duplication of interfaces between /smack/self > and /proc/self/attr/current? > > - Lack of CAP_MAC_OVERRIDE check in smack_setprocattr? > > - Lack of CAP_MAC_OVERRIDE checks on setxattr or removexattr for the > SMACK attribute? cap_inode_*xattr will check CAP_SYS_ADMIN, but is that > what you want? > > - Speaking of which, are you ok with your MAC model being overridden by > all uid 0 processes? Or do you plan to change securebits and use file > caps? > > - I suspect use of _IOC_DIR() or IOC_IN/OUT/INOUT would suit you better > for file_ioctl. Just map each cmd to read/write/readwrite that way and > avoid having to encode specific knowledge there. SELinux should likely > do the same although compat may be a pain. > > - Consistency nit: if not rechecking on read/write (file_permission), > why recheck on mmap? Likewise possibly for some if not all of the other > file_ hooks.
Other question there is if you aren't going to recheck on use, then what story do you tell wrt relabeling of files and/or tasks changing labels, given that you permit both to happen? > - On mmap, why always check readwrite, as prot may only be PROT_READ and > even a PROT_WRITE mapping won't actually write back to the file unless > the mapping is MAP_SHARED. See the selinux hook for comparison. > -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
