New version of capabilities patch online, some more status

Jeffrey W. Thompson thompson at argus-systems.com
Thu Apr 27 15:52:46 GMT 2000


> I'm very enthusiastic about the discussions of application-level support
> for mandatory access control interfaces, and with X-Windows which sits
> somewhere in between the system and user space.  I don't have much to
> bring to such a discussion, but think this would be an extremely useful
> direction to turn our attention to.  I guess the first thing that comes to
> mind is deciding in what ways X-Windows would benefit from being aware of
> operating system policies (primarily MAC labels and policy), and what
> implications this has from a user interface and application development
> perspective.

One thing that should be discussed about X is what multi-level functionality
is desired.  Typical CMW implementations are extremely limiting and only cause
frustration for users.   There are a few classes of users of X:

1) Single level - This should be the case with most users.  Most users on a
system will be isolated in a single sensitivity label (SL) and not be running
multi-level applications.  For this case the only thing that needs to be done
is to get X to run properly at a single level but be able to be launched at
more than one.  Typically, this means destroying the X tmp files and pipes
during shutdown so that when X starts up at a new level it will be able to
create new tmp files and pipes to communicate through.

2) Single level with Multi-Level applications - This can cause issues if the
application changes its level while trying to display to the Xserver.  This
will typically result in a dropped connection.  This will occur if the
tranquility principle is applied to streams (MAC checks on all
reads/writes).  I am not a proponent of the tranquility principle as I think
it is more beneficial to not have it.  (This is a good side
discussion/debate).  If the tranquility principle is not in place then as long
as the multi-level application is started at the same level as the X server
and creates all of its X connections at this level then there will be no
issues when the application changes its level.

3) Multi level user - This user is typically an administrative user and will
have privilege (capabilities) that allow him to change his level.  This will
create issues when displaying to the X server and will require a multi-level
capable server.  The question is of course, is this worth the effort of
creating a multi-level X server?  In the end, I believe that the answer is
probably yes but I would focus more on functionality in its design than
dealing with issues of covert channels.

There is of course a third issue to be considered and that is the modification
of window managers to be multi-level aware.  Typically, window managers are
modified to display the label of each X window on each window.  An alternative
approach is to create a screen stripe that displays the label of the currently
in focus window.

Just some thoughts to chew on,

Jeff

Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
Free B1 Trusted OS - www.argusrevolution.com
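
The two stream-check policies contrasted in case 2 of the message above, as an added toy model that is not part of the original post or of any TrustedBSD or Argus code. Assumptions: a sensitivity label is reduced to a single integer, a two-way X connection requires equal labels, and the names `Subject`, `Stream`, `MacDenied` and `run_scenario` are hypothetical.

```python
from dataclasses import dataclass

class MacDenied(Exception):
    """Raised when a label check refuses an operation."""

@dataclass
class Subject:
    name: str
    level: int  # assumption: a sensitivity label modelled as one integer

class Stream:
    """Toy client-to-Xserver connection, label-checked when it is created."""
    def __init__(self, client, server, check_every_io):
        # Two-way traffic needs both read and write access, so labels must match.
        if client.level != server.level:
            raise MacDenied("connect: label mismatch")
        self.client, self.server = client, server
        self.check_every_io = check_every_io
        self.open = True

    def send(self, data):
        if not self.open:
            raise MacDenied("connection already dropped")
        if self.check_every_io and self.client.level != self.server.level:
            self.open = False  # the dropped connection described in case 2
            raise MacDenied("write: label mismatch, connection dropped")
        return len(data)

def run_scenario(check_every_io, start_level=1, new_level=2):
    """App connects at start_level, relabels to new_level, then draws again."""
    xserver = Subject("Xserver", 1)  # constructed: X server runs at level 1
    app = Subject("app", start_level)
    events = []
    try:
        conn = Stream(app, xserver, check_every_io)
        events.append("connected")
        conn.send(b"draw")
        events.append("draw ok")
        app.level = new_level  # the multi-level application changes its level
        conn.send(b"draw")
        events.append("draw ok after relabel")
    except MacDenied as exc:
        events.append(f"denied ({exc})")
    return events

if __name__ == "__main__":
    print("check on every read/write:", run_scenario(True))
    print("check at connect only:    ", run_scenario(False))
```
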
