LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

How much checking do you need to do?

How much checking do you need to do?

Posted Oct 5, 2009 10:43 UTC (Mon) by alex (subscriber, #1355)
In reply to: The causes of bloat? by nevets
Parent article: LinuxCon: Kernel roundtable covers more than just bloat

I'm all for increasing the security of the kernel. However I feel the ideal* case the kernel should be striving for is a compare/branch for the check. Does SELinux do any caching of it's authentication results?

For example once you have validated a process can read a given file descriptor do you need to re-run the whole capability checking logic for every sys_read()?

Of course any such caching probably introduces another attack vector so care would have to be taken with the implementation?

*ideal being a target even if you may never actually reach that goal.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds