some questions (Re: mac-0.5.diff)

[Robert Watson]

On Fri, 28 Sep 2001, Ilmar S. Habibulin wrote:

> > Right now enforcement of MAC policies on files is done inside the UFS
> > implementation, and within procfs, so isn't implemented for devfs, or NFS
> > (or others).  I have some initial patches that provide generic
> > single-level labeling support for file systems that don't support MAC, and
> > hope to get that into the next patch.  It involves expanding the use of
> > vaccess() a bit so that the vfs mount is passed in for the vnode when a
> > decision is made, so that the mount label is available.  We probably also
> > need a VFS call to change the mount label (right now the default is to
> > copy the label from the credential authorizing the mount operation) --
> > perhaps vfs_relabel().

> Take a look at my old work. I have a higher level access control code,
> which intercepts system calls and makes decision based on
> subject(process)  and object(file,socket,pipe,ipc,etc) labels. So in FS
> case - if FS support labels, it will provide access control mechanism
> with the current label of the file, or if not - the label of file would
> be some default label. So you need not to hack every FS code to make MAC
> hooks there. Just teach FS to import/export labels and that's all.

I've thought some about this approach, although had some worries about
compound operations that occur in individual filesystems.  Another concern
is that vn_rdwr() is frequently not used in kern_*, instead, VOP_WRITE()
or VOP_READ().  Fixing that might be a good idea and make the task easier.

Is the tarball on your fledge home directory the code you're referring to?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services



To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message