Downgrading labels

Robert Watson rwatson at FreeBSD.org
Sun Mar 27 15:12:25 GMT 2005


On Fri, 25 Mar 2005, Ilmar S. Habibulin wrote:

> Lately I've made a detailed look at MAC mls/biba relabel functions and
> found out, that user can downgrade MAC label. Is it correct behaviour? I
> feel comfortable with label upgrading for everybody and downgrading only
> for privileged users? Maybe I'm missing something? 
> 
> Any thoughts, comments, direction? 

Currently, subject labels in MLS and Biba consist of two parts:

- An "effective" label, which is used for the majority of access control
  decisions.

- A "range" label, which defines the privileges of the subject with
  respect to the policy.

So access to a file, etc, will be authorized by comparing the effective
subject label and the object label.  However, relabel operations are
authorized using the "range", which provides a scope for what relabel
operations are permitted for the subject, both in terms of the original
object label and new object label.  The logic for a pipe relabel operation
looks like this:

(1) Check validity of the new label

(2) Check that the existing object label is in the "range" of the subject

(3) Check that the new object label is in the "range" of the subject

(4) If the new object label is the 'equal' label, we do a subject
    privilege label (label of or equivalent to 'equal').

A range is defined in terms of two endpoint labels, and we define a
label as being "in" a range using the normal dominance operator:

    range_high >= effective >= range_low

If you set a subject label with high, effective, and low labels identical,
then there is no useful ability to relabel.  However, you can use this
mechanism to create daemons with limited privilege -- the ability to
relabel solely between a limited set of compartments or levels, for
example.  This is a bit more granular than a single "is privileged" bit,
and I think offers some useful benefits.

Robert N M Watson
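
Steps (1) to (3) and the range definition from the message above, as an added example that is not part of the original message and is not TrustedBSD code. It shows a subject downgrading an object label inside its range and being refused outside it. The types, the `MAX_LEVEL` bound, the compartment bitmask and all label values are assumptions made for illustration, and step (4), the 'equal' label case, is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LEVEL 15                 /* assumed bound for the validity check */

/* Simplified label: sensitivity level plus compartment bitmask (hypothetical type). */
struct label { int level; uint32_t comps; };
/* A subject carries an effective label and a range with two endpoints. */
struct subject { struct label effective, range_low, range_high; };

static struct label mk(int level, uint32_t comps)
{
    struct label l = { level, comps };
    return l;
}

/* a >= b: a's level is at least b's and a holds every compartment of b. */
static bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (a.comps & b.comps) == b.comps;
}

/* range_high >= l >= range_low */
static bool in_range(const struct subject *s, struct label l)
{
    return dominates(s->range_high, l) && dominates(l, s->range_low);
}

/* Steps (1)-(3); returns 0 if the relabel is permitted, -1 if denied. */
static int relabel_check(const struct subject *s, struct label oldl, struct label newl)
{
    if (newl.level < 0 || newl.level > MAX_LEVEL)
        return -1;                   /* (1) new label is not valid */
    if (!in_range(s, oldl))
        return -1;                   /* (2) existing label outside the range */
    if (!in_range(s, newl))
        return -1;                   /* (3) new label outside the range */
    return 0;
}

/* Constructed subjects: one ranged over levels 2..4, one with high, effective
 * and low identical. */
static const struct subject ranged = { {3, 0x1}, {2, 0x1}, {4, 0x3} };
static const struct subject pinned = { {3, 0x1}, {3, 0x1}, {3, 0x1} };

int main(void)
{
    printf("ranged 4->2: %d\n", relabel_check(&ranged, mk(4, 0x1), mk(2, 0x1)));
    printf("ranged 4->1: %d\n", relabel_check(&ranged, mk(4, 0x1), mk(1, 0x1)));
    printf("pinned 3->2: %d\n", relabel_check(&pinned, mk(3, 0x1), mk(2, 0x1)));
    return 0;
}
```

The `ranged` subject may move an object from level 4 down to level 2 because both labels sit inside its range, while `pinned` can only "relabel" an object to the label it already has.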
