Downgrading labels
Robert Watson
rwatson at FreeBSD.org
Tue Mar 29 13:42:28 GMT 2005
On Tue, 29 Mar 2005, Ilmar S. Habibulin wrote:
> On Sun, 27 Mar 2005, Robert Watson wrote:
>
> > If you set a subject label with high, effective, and low labels identical,
> > then there is no useful ability to relabel. However, you can use this
> > mechanism to create daemons with limited privilege -- the ability to
> > relabel solely between a limited set of compartments or levels, for
> > example. This is a bit more granular than a single "is privileged" bit,
> > and I think offers some useful benefits.
>
> Robert, I know how your code works. I've just realized that there is
> some covert channel, if user can develop own apps and downgrade (for
> ex.) mls label. He/she reads confidential data in the apps internal
> buffer, then downgrade its mls label and store data in some file. Now
> we have the same confidential information, but its label is downgraded.
>
> My question was -- is it normal situation and this is automated system
> developers/administrators/managers responsibility to bar such behaviour?
I think we need to make sure we carefully distinguish two different
concepts: a notion of scoped privilege, and a notion of user roles. In
our model:
- Scoped privilege is assigned to processes (although it is available to
users via our configuration model), and is intended to be used for
semi-trusted processes that can participate in
upgrade/downgrade/cross-grade protocols. Our scope mechanism in
Biba/MLS might be described as "continuous", in that we define two
endpoints as the scope, and the process can choose arbitrary points in
the space defined by the endpoints.
- Roles are selected by users during login or other role selection points,
and provide for a set of "discrete" label selections associated with
authorized activities for the user, which are selected by the
administrator(s). A user may select one of the roles to execute the
session (etc) as, but not choose arbitrary points "between" the
available roles. I.e., unless one of the roles is assigned a privileged
scope, no downgrade (etc) is permitted using the basic system calls/etc.
Right now, the FreeBSD version of our implementation doesn't have a role
mechanism as described here for MLS/Biba. In our SEBSD code base, we do
have role selection as used with Type Enforcement (et al), but that has
not been genericized to be MAC Framework policy agnostic. In some of the
Darwin work, we've developed login-related pieces to allow roles at the
MLS/Biba level, and my hope is that we can bring this to FreeBSD in the
near future (as well as take it from "early prototype" to "something
useful").
Robert N M Watson
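A constructed model of the scoped-privilege idea in this thread (subject label with low, effective and high components; unprivileged relabel only to points between low and high), replaying the read-then-downgrade scenario from the quoted message. This is added illustration, not FreeBSD's mac_mls code; the Label/Subject classes and the simplified dominance rule are assumptions, and range-to-range relabels are not modelled.

```python
# Constructed model of MLS subject-label scoping; not FreeBSD's mac_mls code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """MLS dominance: level >= other's level and superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Subject:
    """A process credential: effective label plus a [low, high] scope."""
    low: Label
    effective: Label
    high: Label

    def can_relabel(self, new_effective):
        """Unprivileged relabel only to a point inside the scope; if
        low == effective == high there is no point other than the current one."""
        return self.high.dominates(new_effective) and new_effective.dominates(self.low)

    def relabel(self, new_effective):
        if not self.can_relabel(new_effective):
            raise PermissionError("relabel outside scope")
        self.effective = new_effective

    def can_read(self, obj_label):   # no read-up
        return self.effective.dominates(obj_label)

    def can_write(self, obj_label):  # no write-down
        return obj_label.dominates(self.effective)


def downgrade_channel(subject, secret_label, public_label):
    """Replay the quoted scenario: read confidential data into a buffer,
    downgrade the effective label, then write the buffer to a lower-labelled
    file. Returns True only if every step is permitted for this subject."""
    if not subject.can_read(secret_label):
        return False
    try:
        subject.relabel(public_label)
    except PermissionError:
        return False
    return subject.can_write(public_label)


LOW, HIGH = Label(0), Label(2, frozenset({"proj"}))  # constructed sample labels
# Semi-trusted daemon with a scope: can legitimately carry data across levels.
SCOPED = Subject(low=LOW, effective=HIGH, high=HIGH)
# Ordinary session whose three components are identical: no downgrade possible.
FIXED = Subject(low=HIGH, effective=HIGH, high=HIGH)
```

With the scoped subject the sequence succeeds, which is exactly why such scopes belong only on trusted relabel daemons; with identical low/effective/high the relabel step is refused and the channel is closed.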