On 6/5/19 1:47 PM, Andy Lutomirski wrote:

quoted

On Jun 5, 2019, at 10:01 AM, Casey Schaufler [off-list ref] wrote:

quoted

On 6/5/2019 9:04 AM, Andy Lutomirski wrote:

quoted

On Wed, Jun 5, 2019 at 7:51 AM Casey Schaufler [off-list ref] wrote:

quoted

On 6/5/2019 1:41 AM, David Howells wrote:
Casey Schaufler [off-list ref] wrote:

quoted

I will try to explain the problem once again. If process A
sends a signal (writes information) to process B the kernel
checks that either process A has the same UID as process B
or that process A has privilege to override that policy.
Process B is passive in this access control decision, while
process A is active. In the event delivery case, process A
does something (e.g. modifies a keyring) that generates an
event, which is then sent to process B's event buffer.

I think this might be the core sticking point here.  It looks like two
different situations:

(1) A explicitly sends event to B (eg. signalling, sendmsg, etc.)

(2) A implicitly and unknowingly sends event to B as a side effect of some
     other action (eg. B has a watch for the event A did).

The LSM treats them as the same: that is B must have MAC authorisation to send
a message to A.

YES!

Threat is about what you can do, not what you intend to do.

And it would be really great if you put some thought into what
a rational model would be for UID based controls, too.

quoted

But there are problems with not sending the event:

(1) B's internal state is then corrupt (or, at least, unknowingly invalid).

Then B is a badly written program.

Either I'm misunderstanding you or I strongly disagree.

A program needs to be aware of the conditions under
which it gets event, *including the possibility that
it may not get an event that it's not allowed*. Do you
regularly write programs that go into corrupt states
if an open() fails? Or where read() returns less than
the amount of data you ask for?

I do not regularly write programs that handle read() omitting data in the middle of a TCP stream.  I also don’t write programs that wait for processes to die and need to handle the case where a child is dead, waitid() can see it, but SIGCHLD wasn’t sent because “security”.

quoted

quoted

  If B has
authority to detect a certain action, and A has authority to perform
that action, then refusing to notify B because B is somehow missing
some special authorization to be notified by A is nuts.

You are hand-waving the notion of authority. You are assuming
that if A can read X and B can read X that A can write B.

No, read it again please. I’m assuming that if A can *write* X and B can read X then A can send information to B.

I guess the questions here are:

1) How do we handle recursive notification support, since we can't check 
that B can read everything below a given directory easily?  Perhaps we 
can argue that if I have watch permission to / then that implies 
visibility to everything below it but that is rather broad.

2) Is there always a corresponding labeled object in view for each of 
these notifications to which we can check access when the watch is set?

3) Are notifications only generated for write events or can they be 
generated by processes that only have read access to the object?