--- Stephen Smalley <[EMAIL PROTECTED]> wrote:

> On Fri, 2007-08-31 at 15:32 +0100, David Howells wrote:
> > Stephen Smalley <[EMAIL PROTECTED]> wrote:
> >
> > > That's how mandatory access control is supposed to work; otherwise, a
> > > flaw in A can leak the descriptor to B at will in violation of security
> > > policy.
> >
> > Yeah, but by making it impossible to have the flaw, you've also made it
> > impossible for A to validly pass to B a file descriptor B wouldn't otherwise
> > be able to access directly, but should be able to access on behalf of A.
>
> Let me say it again: that's how mandatory access control is supposed to
> work. A program (or user) isn't supposed to be able to delegate access
> under a mandatory policy.
Stephen is correct. Some of the Unix MLS systems went so far as to prohibit passing file descriptors altogether. The ability to pass file descriptors is one of those things that make one wonder what could possibly have been going through the mind (or bloodstream) of the original author. Yes, I understand that it is useful. It is also one of those fringe cases that makes it really hard to protect a system against clever programmers. SELinux currently treats the mechanism with more respect than it needs to. I expect that in the grand scheme of things we'd all be better off if the mechanism were abandoned before the exploits get too thick and someone adds a half dozen layers of complexity to address the issues one by one. But, that's just me.

Casey Schaufler
[EMAIL PROTECTED]

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html