panics :( Re: fresh mac code report

Robert Watson rwatson at FreeBSD.org
Fri Jan 25 20:00:26 GMT 2002


On Fri, 25 Jan 2002, Bengt Richter wrote:

> Mention of panics makes me wonder what kind of policy you anticipate for
> repairing a system after a real crash, and whether that is hardcoded or
> data driven. Chicken/egg? Presumably you are keeping inevitable repair
> processes in mind as you define persistent data structures and what to
> do in what order during boot? 

Currently, we've attempted to take a fail-closed approach to the system:
if corrupted labels are found, the result is an access denied.  Brian
Feldman has already reported some problems with this, when the MAC label
changed size and all of his existing persistent labels became
corrupted.  The kernel then refused to execute /sbin/init :-).
Fail-closed is presumably the right behavior for the system, but recovery
is an issue we must address.

Right now, I have vague notions of a recovery state in which the file
system is accessed only by a trusted recovery tool, which can be used to
manage and restore labels.  The trick is to avoid letting system failure
result in violation of security policies during recovery.  Any feedback on
what existing systems do here would be useful. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
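The fail-closed label check and the layout-change failure described in the message above, as an added illustration that is not TrustedBSD or FreeBSD code. The on-disk header (magic, version, length, checksum), the names, the checksum and the "biba/high" payload are constructed for the example; the point is that a loader which verifies a version tag and a length before trusting a persistent label denies access on a stale layout or a flipped byte instead of guessing, which is the behaviour that stopped /sbin/init in the reported case.

```c
/* Added example, not TrustedBSD or FreeBSD code: a fail-closed loader for
 * persistent MAC labels.  The on-disk layout, the names and the checksum are
 * constructed for illustration. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define LABEL_MAGIC   0x4D41434Cu   /* "MACL", constructed */
#define LABEL_VERSION 2u            /* bumped whenever the label layout changes */
#define LABEL_MAXLEN  64u

/* Hypothetical on-disk header; the payload follows immediately. */
struct label_hdr {
    uint32_t magic;
    uint32_t version;
    uint32_t payload_len;
    uint32_t checksum;
};

/* In-memory label after a successful load. */
struct mac_label {
    uint32_t version;
    uint32_t payload_len;
    uint8_t  payload[LABEL_MAXLEN];
};

/* Integrity check only (not authentication); a toy polynomial checksum. */
static uint32_t
label_checksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = sum * 31u + p[i];
    return sum;
}

/* Fail-closed: returns 0 only when every check passes, otherwise EACCES. */
int
mac_label_load(const uint8_t *buf, size_t len, struct mac_label *out)
{
    struct label_hdr h;

    if (buf == NULL || out == NULL || len < sizeof h)
        return EACCES;                      /* too short to hold a header */
    memcpy(&h, buf, sizeof h);
    if (h.magic != LABEL_MAGIC || h.version != LABEL_VERSION)
        return EACCES;                      /* unknown or stale layout */
    if (h.payload_len > LABEL_MAXLEN || len != sizeof h + h.payload_len)
        return EACCES;                      /* size does not match header */
    if (label_checksum(buf + sizeof h, h.payload_len) != h.checksum)
        return EACCES;                      /* payload corrupted */
    out->version = h.version;
    out->payload_len = h.payload_len;
    memcpy(out->payload, buf + sizeof h, h.payload_len);
    return 0;
}

/* Serialize a label under an explicit version; returns bytes written or 0. */
static size_t
store_with_version(uint32_t version, const uint8_t *payload, uint32_t plen,
    uint8_t *buf, size_t cap)
{
    struct label_hdr h = { LABEL_MAGIC, version, plen,
        label_checksum(payload, plen) };

    if (plen > LABEL_MAXLEN || cap < sizeof h + plen)
        return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, plen);
    return sizeof h + plen;
}

size_t
mac_label_store(const uint8_t *payload, uint32_t plen, uint8_t *buf, size_t cap)
{
    return store_with_version(LABEL_VERSION, payload, plen, buf, cap);
}

/* Scenarios from the thread; each returns mac_label_load's verdict. */
static const uint8_t sample_label[] = "biba/high";   /* constructed payload */

static int
roundtrip(uint32_t version, int corrupt)
{
    uint8_t disk[128];
    struct mac_label l;
    size_t n = store_with_version(version, sample_label,
        sizeof sample_label, disk, sizeof disk);

    if (corrupt)
        disk[sizeof(struct label_hdr)] ^= 0x01;   /* flip one payload byte */
    return mac_label_load(disk, n, &l);
}

int load_fresh(void)   { return roundtrip(LABEL_VERSION, 0); }      /* 0 */
int load_stale(void)   { return roundtrip(LABEL_VERSION - 1, 0); }  /* EACCES: old layout */
int load_corrupt(void) { return roundtrip(LABEL_VERSION, 1); }      /* EACCES: bad checksum */
```

The version tag is what separates the two failure modes the message conflates: a label written under an older layout and a label with a damaged payload are both denied by the kernel, but a trusted recovery tool running the same checks can tell a wholesale "every label is stale" condition (re-encode under the new layout) from genuine corruption (restore from a known-good source), which is the distinction a recovery state would need.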

