Pavel Machek <[EMAIL PROTECTED]> wrote on 01/11/2007 09:35:37 AM: > Hi! > > > SLIM implements dynamic process labels, so when a process > > is demoted, we must be able to revoke write access to some > > resources to which it has previously valid handles. > > For example, if a shell reads an untrusted file, the > > shell is demoted, and write access to more trusted files > > revoked. Based on previous comments on lkml, we understand > > that this is not really possible in general, so SLIM only > > attempts to revoke access in certain simple cases. > > Are you saying that SLIM is useless by design because interested > parties can work around it? > Pavel
Sorry that we were unclear about what happens in the case revocation is not possible. In those cases, the unsafe requested read or exec that would normally trigger the demotion/revocation is denied, so there is no way around the integrity model. The goal of the low water mark integrity model is to be as transparent as possible to the user. If the user asks for something to be done, we allow it as much as possible, demoting the process as needed for security. If there is something that would need to be revoked, which can't safely be revoked, then we deny the read/exec request, which is secure, but possibly visible/annoying to the user. Fortunately in our testing, there are only a few cases where this happens, and the overall result is a model which is still much more transparent than other models which don't allow demotion at all. Mimi Zohar - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/