On 6/6/2019 10:16 AM, Stephen Smalley wrote: > On 6/6/19 12:43 PM, Casey Schaufler wrote: >> ... >> I don't agree. That is, I don't believe it is sufficient. >> There is no guarantee that being able to set a watch on an >> object implies that every process that can trigger the event >> can send it to you. >> >> Watcher has Smack label W >> Triggerer has Smack label T >> Watched object has Smack label O >> >> Relevant Smack rules are >> >> W O rw >> T O rw >> >> The watcher will be able to set the watch, >> the triggerer will be able to trigger the event, >> but there is nothing that would allow the watcher >> to receive the event. This is not a case of watcher >> reading the watched object, as the event is delivered >> without any action by watcher. > > You are allowing arbitrary information flow between T and W above. Who cares about notifications? I do. If Watched object is /dev/null no data flow is possible. There are many objects on a modern Linux system for which this is true. Even if it's "just a file" the existence of one path for data to flow does not justify ignoring the rules for other data paths. > > How is it different from W and T mapping the same file as a shared mapping and communicating by reading and writing the shared memory? You aren't performing a permission check directly between W and T there. In this case there is one object O, two subjects, W and T and two accesses. W open O T open O They fiddle about with the data in O. In the event case, there are two objects, O and W, two subjects W and T, and three accesses. W watch O T trigger O T write-event W You can't wave away the flow of data. Different objects are involved. An analogy is that two processes with different UIDs can open a file, but still can't signal each other. Different mechanisms have different policies. I'm not saying that's good, but it's the context we're in.
