TrustedBSD progress

Robert Watson rwatson at FreeBSD.org
Sat Jan 12 14:24:27 GMT 2002


On Fri, 11 Jan 2002, Andrew R. Reiter wrote:

> On Fri, 11 Jan 2002, Robert Watson wrote:
> :TrustedBSD MAC
> :  TODO:
> 
> Any plans for sysctl? 

Not currently, although there are probably at least two issues to address:

(1) How to integrate sysctl into the capability model: probably means
    allowing each sysctl node to specify the capability (or mask) required
    to modify the entry.  Alternatively, fall back on some generic
    capability for all of them, but I'm not sure that's satisfactory, but
    it is implemented as CAP_SYS_ADMIN.

(2) Allow MAC policies to define additional protections for nodes.  My
    temptation is to enforce this at access time, and not attempt to
    instrument sysctl node creation.  I don't know much about the sysctl
    implementation, but it seems to me that a reasonable approximated API
    from the perspective of a MAC policy implementor might be:

	int	mac_cred_can_sysctl(name, operation);

    Attempting to deal with old or new values might get us involved in
    introducing race conditions, but we'll have to look at some potential
    applications of MAC in sysctl handling.  Note that some sysctls
    already do rudimentary polyinstantiation for jail, something that I'm
    not sure we want to push behind the MAC interface.  The primary role
    of limiting here might be for MAC models that attempt to augment the
    UNIX security model while using aspects of the current security model:
    i.e., models that seek to hide information for users based on uids,
    etc.  An interesting continuing question will be how much of jail is
    appropriate to push behind the MAC interface.  Right now, very little,
    since we can't garbage collect labels in a manner that would allow us
    to deal with reference-counted prison structures.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
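The two issues Robert lists above (a per-node capability mask for modification with CAP_SYS_ADMIN as the generic fallback, and a MAC policy hook of the form mac_cred_can_sysctl(name, operation) enforced at access time rather than at node creation) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not code from the message, from TrustedBSD, or from FreeBSD's sysctl or MAC framework. The capability bit names, the node table, the `struct cred` layout and the toy policy that hides a "secret." subtree from non-root uids are all constructed for illustration. The hook deliberately sees only the node name and the operation, never the old or new value, matching the mail's concern about value-handling races.

```c
/* Toy model of access-time sysctl protection, combining a per-node
 * capability requirement with a MAC policy veto.  Everything here is
 * constructed for the example: it is not FreeBSD or TrustedBSD code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN  (1u << 0)   /* hypothetical generic fallback capability */
#define CAP_NET_ADMIN  (1u << 1)   /* hypothetical network-tunable capability */

enum sysctl_op { SYSCTL_READ = 1, SYSCTL_WRITE = 2 };

struct cred {
    unsigned int uid;
    unsigned int caps;          /* capability mask held by the subject */
};

struct sysctl_node {
    const char *name;
    unsigned int write_caps;    /* caps needed to modify; 0 = use fallback */
    int value;
};

/* Constructed node table standing in for the kernel's sysctl tree. */
static struct sysctl_node nodes[] = {
    { "kern.securelevel",       CAP_SYS_ADMIN, 0 },
    { "net.inet.ip.forwarding", CAP_NET_ADMIN, 0 },
    { "secret.audit_enabled",   0,             1 },
};
#define NNODES (sizeof(nodes) / sizeof(nodes[0]))

/* Issue (1): the node names the capability required to modify it; a node
 * that names none falls back to CAP_SYS_ADMIN.  Reads pass at this layer. */
static int cap_check_sysctl(const struct cred *cr, const struct sysctl_node *n,
                            enum sysctl_op op)
{
    unsigned int need;

    if (op == SYSCTL_READ)
        return 0;
    need = n->write_caps != 0 ? n->write_caps : CAP_SYS_ADMIN;
    return (cr->caps & need) == need ? 0 : EPERM;
}

/* Issue (2): a MAC policy hook consulted at access time.  It sees the
 * name and operation only, never the old/new value.  This toy policy
 * hides the "secret." subtree from non-root uids: reads get ENOENT so
 * the node looks absent, writes get EPERM. */
typedef int (*mac_sysctl_hook)(const struct cred *, const char *, enum sysctl_op);

static int policy_hide_secret(const struct cred *cr, const char *name,
                              enum sysctl_op op)
{
    if (strncmp(name, "secret.", 7) == 0 && cr->uid != 0)
        return op == SYSCTL_READ ? ENOENT : EPERM;
    return 0;
}

static const mac_sysctl_hook policies[] = { policy_hide_secret };

/* The API shape proposed in the mail: any registered policy may veto. */
int mac_cred_can_sysctl(const struct cred *cr, const char *name, enum sysctl_op op)
{
    size_t i;

    for (i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        int err = policies[i](cr, name, op);
        if (err != 0)
            return err;
    }
    return 0;
}

/* Access-time enforcement: lookup, capability check, then MAC check.
 * The read or write happens only after both checks pass. */
int sysctl_access(const struct cred *cr, const char *name, enum sysctl_op op,
                  int *value)
{
    struct sysctl_node *n = NULL;
    size_t i;
    int err;

    for (i = 0; i < NNODES; i++)
        if (strcmp(nodes[i].name, name) == 0)
            n = &nodes[i];
    if (n == NULL)
        return ENOENT;
    if ((err = cap_check_sysctl(cr, n, op)) != 0)
        return err;
    if ((err = mac_cred_can_sysctl(cr, name, op)) != 0)
        return err;
    if (op == SYSCTL_WRITE)
        n->value = *value;
    else
        *value = n->value;
    return 0;
}

/* Convenience wrapper: returns the node value on success, -errno on denial. */
int sysctl_peek(unsigned int uid, unsigned int caps, const char *name)
{
    struct cred cr = { uid, caps };
    int v = 0, err = sysctl_access(&cr, name, SYSCTL_READ, &v);
    return err != 0 ? -err : v;
}

int main(void)
{
    struct cred root = { 0, CAP_SYS_ADMIN };
    int v = 1;

    printf("root (CAP_SYS_ADMIN only) write net.inet.ip.forwarding: err=%d\n",
           sysctl_access(&root, "net.inet.ip.forwarding", SYSCTL_WRITE, &v));
    printf("uid 1000 read secret.audit_enabled: %d (negative = -errno)\n",
           sysctl_peek(1000, 0, "secret.audit_enabled"));
    return 0;
}
```

Two design points are visible in the ordering: the generic capability check runs before any policy hook, so a policy can only narrow what the base model allows, and a hiding policy answers reads with ENOENT rather than EPERM so that the existence of a node is not leaked through the error code.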

