programming interface for mandatory access controls

n0g0013 fergus at cobbled.net
Mon Aug 25 21:58:48 GMT 2003


On 25.08-15:28, Evan S. wrote:
> That sounds interesting. Can you explain what you
> mean? I'm not sure I quite understand.

i'll try -- it's fairly simple really.

assume we have an MLS policy with 3 distinct labels,
made from 2 classifications and two compartments.

SEC: [ a     b ]
PUB: [ a ] [ b ]

and that [ a b ] can read [ a ] and [ b ] BUT
[ a ] cannot read [ b ] and vice-versa (i.e.
standard Bell-LaPadula model).

if i have a login process (e.g. sshd) with label
[ a b ] that forks when a user logs in - then i
want the ability to also move that user's process
into compartment [ a ].

i suspect we could install an mpo_syscall handler
that will match the relevant fork call and alter
the resulting shell's label.  thus the user/s in
[ a ] can not read from [ b ] (i.e. distinct
compartments).

there would most likely also be privileges
associated with change that could also be dropped.

the result is that, not only can we apply MAC to
normal processes/programs, but also manage MAC
policy behaviour based on known, associated program
behaviour.

i realise that my knowledge of the internals is
lacking here but hope that is clear.  perhaps i
may even get the time to implement it someday
(don't hold your breath).

-- 
: fergus cameron                :   [ .]        cobbled    :
: ^^^^^^@cobbled.net            : [ ~][ ]             .net :
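
The label relationships described in the message above, as an added example (not part of the original post and not TrustedBSD MAC framework code): a user-space C model of the three labels, the Bell-LaPadula read check, and a relabel of the forked login child. All type and function names are hypothetical, and the rule that a child may only be moved to a label its parent dominates is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: hypothetical names, not TrustedBSD MAC framework APIs. */
enum level { PUB = 0, SEC = 1 };
enum { COMP_A = 1u << 0, COMP_B = 1u << 1 };

struct mls_label {
    enum level level;
    unsigned compartments;   /* bitmask of COMP_* */
};

/* x dominates y: level at least as high AND compartment set is a superset. */
static bool mls_dominates(struct mls_label x, struct mls_label y)
{
    return x.level >= y.level && (y.compartments & ~x.compartments) == 0;
}

/* Bell-LaPadula simple security property: a subject reads only what it dominates. */
static bool mls_can_read(struct mls_label subj, struct mls_label obj)
{
    return mls_dominates(subj, obj);
}

/*
 * Relabel a freshly forked child (e.g. the login shell). Assumption: the
 * transition is only allowed downward, to a label the parent dominates,
 * so a login daemon can never hand out more access than it holds.
 */
static bool mls_relabel_child(struct mls_label parent, struct mls_label want,
                              struct mls_label *child)
{
    if (!mls_dominates(parent, want))
        return false;         /* child label left untouched; caller must abort */
    *child = want;
    return true;
}

int main(void)
{
    struct mls_label sshd = { SEC, COMP_A | COMP_B };
    struct mls_label pub_a = { PUB, COMP_A }, pub_b = { PUB, COMP_B }, shell;

    if (!mls_relabel_child(sshd, pub_a, &shell))
        return 1;
    printf("shell reads [a]: %d, shell reads [b]: %d\n",
           mls_can_read(shell, pub_a), mls_can_read(shell, pub_b));
    return 0;
}
```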
