Downgrading labels

Robert Watson rwatson at FreeBSD.org
Tue Mar 29 13:42:28 GMT 2005


On Tue, 29 Mar 2005, Ilmar S. Habibulin wrote:

> On Sun, 27 Mar 2005, Robert Watson wrote:
> 
> > If you set a subject label with high, effective, and low labels identical,
> > then there is no useful ability to relabel.  However, you can use this
> > mechanism to create daemons with limited privilege -- the ability to
> > relabel solely between a limited set of compartments or levels, for
> > example.  This is a bit more granular than a single "is privileged" bit,
> > and I think offers some useful benefits.
> 
> Robert, I know how your code works. I've just realized that there is
> some covert channel if a user can develop their own apps and downgrade (for
> ex.) the MLS label. He/she reads confidential data in the app's internal
> buffer, then downgrades its MLS label and stores the data in some file. Now
> we have the same confidential information, but its label is downgraded.
> 
> My question was -- is it a normal situation, and is it the automated system
> developers'/administrators'/managers' responsibility to bar such behaviour?

I think we need to make sure we carefully distinguish two different
concepts: a notion of scoped privilege, and a notion of user roles.  In
our model:

- Scoped privilege is assigned to processes (although it is available to
  users via our configuration model), and is intended to be used for
  semi-trusted processes that can participate in
  upgrade/downgrade/cross-grade protocols.  Our scope mechanism in
  Biba/MLS might be described as "continuous", in that we define two
  endpoints as the scope, and the process can choose arbitrary points in
  the space defined by the endpoints.

- Roles are selected by users during login or other role selection points,
  and provide for a set of "discrete" label selections associated with
  authorized activities for the user, which are selected by the
  administrator(s).  A user may select one of the roles to execute the
  session (etc) as, but not choose arbitrary points "between" the
  available roles.  I.e., unless one of the roles is assigned a privileged
  scope, no downgrade (etc) is permitted using the basic system calls/etc.

Right now, the FreeBSD version of our implementation doesn't have a role
mechanism as described here for MLS/Biba.  In our SEBSD code base, we do
have role selection as used with Type Enforcement (et al), but that has
not been genericized to be MAC Framework policy agnostic.  In some of the
Darwin work, we've developed login-related pieces to allow roles at the
MLS/Biba level, and my hope is that we can bring this to FreeBSD in the
near future (as well as take it from "early prototype" to "something
useful").

Robert N M Watson
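The distinction drawn above between a continuous scope and a discrete role set, together with the read-then-downgrade sequence Ilmar raises, can be made concrete with a small model. The following C is an added example, not code from the message or from the FreeBSD mac_mls(4) implementation; the label shape (a sensitivity level plus a compartment bitmask), the dominance rule, the read-down/write-up object rules and all function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only (not the kernel's mac_mls code). An MLS element
 * is assumed to be a sensitivity level plus a compartment bitmask. */
typedef struct {
    unsigned level;          /* higher = more sensitive */
    uint64_t compartments;   /* bitmask of compartments */
} mls_elem;

/* Subject label with a "continuous" scope: low <= effective <= high. */
typedef struct {
    mls_elem low, effective, high;
} mls_subject;

/* a dominates b iff a's level is at least b's and a holds every
 * compartment b holds. */
static bool mls_dominate(mls_elem a, mls_elem b)
{
    return a.level >= b.level && (b.compartments & ~a.compartments) == 0;
}

static bool mls_equal(mls_elem a, mls_elem b)
{
    return a.level == b.level && a.compartments == b.compartments;
}

/* Scoped privilege: any point of the lattice between the subject's low and
 * high endpoints is an acceptable new effective label, no further
 * privilege required. */
static bool scope_relabel_allowed(const mls_subject *s, mls_elem want)
{
    return mls_dominate(s->high, want) && mls_dominate(want, s->low);
}

/* Role model: the administrator enumerates the discrete labels a user may
 * run as; points "between" them are not selectable. */
static bool role_select_allowed(const mls_elem *roles, size_t nroles, mls_elem want)
{
    for (size_t i = 0; i < nroles; i++)
        if (mls_equal(roles[i], want))
            return true;
    return false;
}

/* Selecting a role yields a degenerate scope: low == effective == high,
 * so scope_relabel_allowed() admits nothing but the current label. */
static mls_subject subject_from_role(mls_elem role)
{
    mls_subject s = { role, role, role };
    return s;
}

/* Classic MLS object rules (assumed here): a subject may read an object it
 * dominates and write an object that dominates it. */
static bool mls_can_read(mls_elem subj, mls_elem obj)  { return mls_dominate(subj, obj); }
static bool mls_can_write(mls_elem subj, mls_elem obj) { return mls_dominate(obj, subj); }

/* The sequence from the quoted question: read a confidential object at the
 * current effective label, relabel the subject down to the target object's
 * label, then write. True iff every individual step is permitted. */
static bool downgrade_leak_possible(const mls_subject *s, mls_elem secret, mls_elem target)
{
    if (!mls_can_read(s->effective, secret))
        return false;
    if (!scope_relabel_allowed(s, target))   /* new effective = target */
        return false;
    return mls_can_write(target, target);    /* write at the new label */
}

int main(void)
{
    mls_elem pub    = { 1, 0x0 };
    mls_elem secret = { 3, 0x3 };

    /* Semi-trusted daemon with a scope spanning the whole range. */
    mls_subject daemon = { pub, secret, secret };
    printf("daemon may settle at an intermediate point: %d\n",
           scope_relabel_allowed(&daemon, (mls_elem){ 2, 0x1 }));
    printf("daemon can read-then-downgrade-then-write: %d\n",
           downgrade_leak_possible(&daemon, secret, pub));

    /* Ordinary user who selected the "secret" role at login. */
    mls_elem roles[] = { pub, secret };
    mls_subject user = subject_from_role(secret);
    printf("user may pick an unlisted label: %d\n",
           role_select_allowed(roles, 2, (mls_elem){ 2, 0x1 }));
    printf("user can read-then-downgrade-then-write: %d\n",
           downgrade_leak_possible(&user, secret, pub));
    return 0;
}
```

The model shows why the two concepts are kept separate: a subject that has been handed a scope can move its effective label to any point in that range, so each step of the read/downgrade/write sequence passes on its own, which is exactly why scope is meant for semi-trusted daemons taking part in a regrade protocol rather than for arbitrary user code. A subject derived from a role has identical low, effective and high labels, so the relabel step fails and the sequence is blocked without any further check.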
