Selectively monitoring of 'information flow' events??
Robert Watson
rwatson at FreeBSD.org
Tue Nov 22 18:49:38 GMT 2005
On Tue, 22 Nov 2005, Robert Watson wrote:
> You could also do what you suggest regarding using the MAC Framework to
> create a policy module that performs tracking as part of its operation.
> One of the "tricky" things about tracking information flow is that IPC
> is typically asynchronous: writes to one IPC object, such as a pipe,
> file, socket, etc, occur asynchronously with respect to a later read by
> another process. You can either label and control conservatively (based
> on expressed intent when attaching to the object), or you can track the
> message itself for message-oriented communications methods, and then
> generate the event when the receive occurs, using labeling of source
> information.
One other thing to be aware of here, though -- the MAC Framework is
intended to allow modules to influence access control decisions. As such,
what your policy could do is monitor requests for access, as opposed to
accesses. Another running policy, or for that matter DAC or a
syntax/semantic check, might deny the request after it is seen by your
module. In the Perforce branch, we have some new entry points that allow
you to hook the system call return path, so using that you could see the
final result of a request, and these will be merged in the relatively near
future to the FreeBSD CVS tree.
Robert N M Watson
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message
More information about the trustedbsd-audit
mailing list