some questions (Re: mac-0.5.diff)
Robert Watson
rwatson at FreeBSD.org
Thu Oct 4 15:08:31 GMT 2001
On Fri, 28 Sep 2001, Ilmar S. Habibulin wrote:
> > Right now enforcement of MAC policies on files is done inside the UFS
> > implementation, and within procfs, so isn't implemented for devfs, or NFS
> > (or others). I have some initial patches that provide generic
> > single-level labeling support for file systems that don't support MAC, and
> > hope to get that into the next patch. It involves expanding the use of
> > vaccess() a bit so that the vfs mount is passed in for the vnode when a
> > decision is made, so that the mount label is available. We probably also
> > need a VFS call to change the mount label (right now the default is to
> > copy the label from the credential authorizing the mount operation) --
> > perhaps vfs_relabel().

> Take a look at my old work. I have higher-level access control code,
> which intercepts system calls and makes decisions based on
> subject (process) and object (file, socket, pipe, ipc, etc.) labels. So in the FS
> case - if the FS supports labels, it will provide the access control mechanism
> with the current label of the file, or if not - the label of the file would
> be some default label. So you need not hack every FS's code to make MAC
> hooks there. Just teach the FS to import/export labels and that's all.

I've thought some about this approach, although I had some worries about
compound operations that occur in individual filesystems. Another concern
is that vn_rdwr() is frequently not used in kern_*, instead, VOP_WRITE()
or VOP_READ(). Fixing that might be a good idea and make the task easier.

Is the tarball on your fledge home directory the code you're referring to?

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
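
The label fallback discussed in this thread, as an added example that is not part of the original message and is not TrustedBSD code: a userland C model in which a file system that stores labels supplies the per-file label, and one that does not falls back to a single mount-wide label copied from the credential that authorized the mount. All type and function names are hypothetical, and the policy (one integer sensitivity level, no read up, no write down) is an assumption chosen for illustration.

```c
#include <stdbool.h>

/* Hypothetical simplified model; names are not the kernel's. */
struct mac_label { int level; };           /* assumed: one sensitivity level */
struct cred  { struct mac_label label; };
struct mount { bool fs_has_labels; struct mac_label label; };
struct vnode { struct mount *mp; struct mac_label label; };

enum access { ACC_READ, ACC_WRITE };

/* Default from the thread: mount label is copied from the mounting credential. */
void mount_init(struct mount *mp, const struct cred *cr, bool fs_has_labels)
{
    mp->fs_has_labels = fs_has_labels;
    mp->label = cr->label;
}

/* Per-file label if the FS can store one, else the single mount-wide label. */
const struct mac_label *effective_label(const struct vnode *vp)
{
    return vp->mp->fs_has_labels ? &vp->label : &vp->mp->label;
}

/* Assumed policy: no read up, no write down. Returns 0 to allow, -1 to deny. */
int mac_check(const struct cred *cr, const struct vnode *vp, enum access acc)
{
    const struct mac_label *obj = effective_label(vp);

    if (acc == ACC_READ)
        return cr->label.level >= obj->level ? 0 : -1;
    return cr->label.level <= obj->level ? 0 : -1;
}

/* Constructed scenario: one file on one mount, checked against one subject. */
int demo(bool fs_has_labels, int mounter, int file, int subject, enum access acc)
{
    struct cred mcr = { { mounter } }, scr = { { subject } };
    struct mount mp;
    struct vnode vn;

    mount_init(&mp, &mcr, fs_has_labels);
    vn.mp = &mp;
    vn.label.level = file;   /* ignored when the FS cannot store labels */
    return mac_check(&scr, &vn, acc);
}

int main(void)
{
    /* Unlabeled FS mounted at level 2: a level-1 subject must be denied read. */
    return demo(false, 2, 0, 1, ACC_READ) == -1 ? 0 : 1;
}
```

On the unlabeled mount the file's own level never enters the decision, so every object on that mount is treated as carrying the mounter's label until the mount is relabeled.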