Selectively monitoring of 'information flow' events??

[Robert Watson]

On Tue, 22 Nov 2005, Robert Watson wrote:

> You could also do what you suggest regarding using the MAC Framework to 
> create a policy module that performs tracking as part of its operation. 
> One of the "tricky" things about tracking information flow is that IPC 
> is typically asynchronous: writes to one IPC object, such as a pipe, 
> file, socket, etc, occur asynchronously with respect to a later read by 
> another process.  You can either label and control conservatively (based 
> on expressed intent when attaching to the object), or you can track the 
> message itself for message-oriented communications methods, and then 
> generate the event when the receive occurs, using labeling of source 
> information.

One other thing to be aware of here, though -- the MAC Framework is 
intended to allow modules to influence access control decisions.  As such, 
what your policy could do is monitor requests for access, as opposed to 
accesses.  Another running policy, or for that matter DAC or a 
syntax/semantic check, might deny the request after it is seen by your 
module.  In the Perforce branch, we have some new entry points that allow 
you to hook the system call return path, so using that you could see the 
final result of a request, and these will be merged in the relatively near 
future to the FreeBSD CVS tree.

Robert N M Watson
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message