Complete coverage in Linux security modules

Posted Oct 6, 2005 20:13 UTC (Thu) by thoffman (subscriber, #3063)
Parent article: Complete coverage in Linux security modules

Why are there not published regression tests which would catch this sort of thing immediately?

Surely the NSA and other SELinux developers have (or should have!) test sets which load a variety of different security modules, and then run multiple sequences of user programs which both verify that what should be allowed IS allowed, and what should not be allowed is not allowed.

It's really an embarrassment that any bug like this could go unnoticed for so long; I can't think of any excuse for it other than lack of motivation to really test the code.

Complete coverage in Linux security modules

Posted Oct 7, 2005 9:01 UTC (Fri) by liljencrantz (subscriber, #28458)

I'd be surprised if a comprehensive test suite doesn't exist. This particular bug wouldn't show up in such a test since before you read or write to a file, you need to open it. If the checks on open work, then the checks on readv/writev will never do anything interesting. The only reason for implementing them, as far as I can see, is to limit the damage done if someone finds a way to break the security checks on open.
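The two comments above raise a test-design question: a suite that only checks denial at open() never reaches a per-read hook, so a missing check on a read-style syscall stays invisible. The following added example (my own model, not kernel code or anything from the LWN article or its commenters) builds a toy kernel with two hook points, counts how often each hook fires during a test run, and shows a second test that hands an already-open descriptor to a subject without rights so that every read-style path is exercised. The hook names, the `readv` variant that skips its check, and the policy rules are all invented for illustration.

```python
"""Toy model of LSM-style hook coverage for permission checks at open()
and at each read-style syscall. Everything here is constructed for the
example; it is not real kernel or SELinux code."""

from dataclasses import dataclass, field


class Denied(PermissionError):
    """Raised when a hook refuses an operation."""


@dataclass
class Policy:
    # Constructed rule table: (subject, path) -> set of allowed operations.
    rules: dict

    def allows(self, subject, path, op):
        return op in self.rules.get((subject, path), set())


@dataclass
class ToyKernel:
    policy: Policy
    # Hook-call counters; a hook still at 0 after a test run was never exercised.
    hook_calls: dict = field(default_factory=lambda: {"open_hook": 0, "read_hook": 0})
    fds: dict = field(default_factory=dict)  # fd -> (path, contents)

    def _hook(self, name, subject, path, op):
        self.hook_calls[name] += 1
        if not self.policy.allows(subject, path, op):
            raise Denied(f"{subject}: {op} on {path} refused by {name}")

    def open(self, subject, path, contents=b""):
        self._hook("open_hook", subject, path, "read")
        fd = 3 + len(self.fds)
        self.fds[fd] = (path, contents)
        return fd

    def read(self, subject, fd):
        path, contents = self.fds[fd]
        self._hook("read_hook", subject, path, "read")  # per-read check present
        return contents

    def readv(self, subject, fd):
        # Assumed defect under test: this syscall path skips the per-read hook.
        path, contents = self.fds[fd]
        return [contents]


def naive_suite():
    """Tests denial at open() only and returns the hook counters.
    The read hooks are never reached, so a missing one cannot be noticed."""
    k = ToyKernel(Policy({}))  # nothing is allowed to anyone
    try:
        k.open("bob", "/etc/shadow", b"secret")
        raise AssertionError("open should have been denied")
    except Denied:
        pass
    return dict(k.hook_calls)


def fd_handoff_suite():
    """Models 'the open check was bypassed': a descriptor exists, but the
    subject using it has no rights. Every read-style syscall must still
    be denied. Returns (per-syscall outcome, hook counters)."""
    k = ToyKernel(Policy({("root", "/etc/shadow"): {"read"}}))
    fd = k.open("root", "/etc/shadow", b"secret")  # opened by an allowed subject
    outcome = {}
    for name, call in (("read", k.read), ("readv", k.readv)):
        try:
            call("bob", fd)
            outcome[name] = "ALLOWED"  # a finding: the check is missing
        except Denied:
            outcome[name] = "denied"
    return outcome, dict(k.hook_calls)


def uncovered_hooks(hook_calls):
    """Hooks a test run never invoked; each one is a blind spot in the suite."""
    return sorted(name for name, count in hook_calls.items() if count == 0)


if __name__ == "__main__":
    print("naive suite uncovered hooks:", uncovered_hooks(naive_suite()))
    outcome, calls = fd_handoff_suite()
    print("fd hand-off suite:", outcome, "uncovered:", uncovered_hooks(calls))
```

The naive suite passes while leaving `read_hook` at zero calls, which is exactly the gap the reply describes. The hand-off suite reaches the per-read hook and flags `readv` as allowed when it should be denied; reporting hooks with a zero count after the whole suite runs is a cheap way to keep such a gap from going unnoticed.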

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds