Chris Wright wrote:
>
> * Scott Leerssen (leerssenat_private) wrote:
> > David Wagner wrote:
> > >
> > > Scott Leerssen wrote:
> > > >3) let process credentials follow objects involved in IPC, such as
> > > >   sockets, semaphores, shared memory. A simple void * on things such
> > > >   as sk_buf would allow security developers to tag along security
> > > >   attributes.
> > >
> > > Yup, I like this quite a bit.
> > >
> > > However, one slightly tricky bit is how to deal with incoming
> > > messages before you know who the eventual recipient will be,
> > > if your 'void *' depends on the recipient. Any ideas how to
> > > deal with this? Does this come up in practice? Can we punt?
> > >
> >
> > Basically, for incoming messages, you create credentials for the
> > interface on which the message entered. So, if, say, eth0 sends up a
> > message with eth0's credentials, the process receiving the message must
> > have permission to accept a message with such credentials attached.
> > Sure, there's some hand waving there, but it does indeed work in
> > practice. See "An Operating System Approach to Securing E-Services" in
> > the Feb. 2001 issue of Communications of the ACM.
>
> Yes, we wanted to do this, especially for TCP connections where the
> device the packet came in on may change throughout the lifetime of the
> stream. Given current facilities, it is possible to "misinterpret"
> which interface a packet came in on, so tagging it on the way in would
> be nice. I'm not sure the credential piece is needed. Sticking with
> TCP as an example, it seems like all you care about is the stream's
> unique tuple, plus which interface it came through (i.e. it's cool if
> you come in on the ethX interfaces, but a pppX is spoofed and bad).
>
> BTW, in our current implementation we sort of half-punted for devices on
> incoming TCP connection requests. ;-)
>

I mention "credentials" as more of an opaque object that hangs on to IPC objects.
I can see someone developing a layer that allows "trusted" systems to network together. In such a case, you might want to slap some extra stuff on a packet coming up through the sockets layer so that someone upstream can make an intelligent decision based on what system and, possibly, what user sent the message. I suppose I'm just more interested in the opaque data type so folks can use whatever flavor of tagging mechanism they see fit.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
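The tagging scheme discussed in this thread, sketched as an added user-space example that is not code from any of the posters or from the kernel: a packet carries an opaque `void *` blob, an ingress hook fills it from the arriving interface before the recipient is known, and a receive hook checks it once the recipient is known. All struct and function names are hypothetical, and the "ethX trusted, anything else untrusted" policy is a constructed stand-in for whatever a module would actually enforce.

```c
#include <stddef.h>
#include <string.h>

/* User-space model; names are hypothetical, not kernel APIs. */
struct pkt {
    const char *in_dev;   /* interface the packet arrived on */
    void *security;       /* opaque blob, meaningful only to the security module */
};

/* One module's choice of blob: a label derived from the ingress interface. */
struct if_label { char dev[16]; int trusted; };

/* Recipient-side attribute consulted by the receive hook. */
struct task_cred { const char *name; int accept_untrusted; };

/* Ingress hook: tag the packet before any recipient is known. */
static void tag_on_ingress(struct pkt *p, struct if_label *l)
{
    strncpy(l->dev, p->in_dev, sizeof(l->dev) - 1);
    l->dev[sizeof(l->dev) - 1] = '\0';
    /* Constructed policy: ethX is trusted, everything else (e.g. pppX) is not. */
    l->trusted = strncmp(l->dev, "eth", 3) == 0;
    p->security = l;
}

/* Receive hook: runs once the recipient is known. 1 = deliver, 0 = drop. */
static int may_receive(const struct task_cred *t, const struct pkt *p)
{
    const struct if_label *l = p->security;
    if (l == NULL)        /* untagged packet: fail closed */
        return 0;
    return l->trusted || t->accept_untrusted;
}

/* Runs both hooks over a constructed packet arriving on `dev`. */
static int deliver(const char *dev, int accept_untrusted)
{
    struct if_label l;
    struct pkt p = { dev, NULL };
    struct task_cred t = { "daemon", accept_untrusted };
    tag_on_ingress(&p, &l);
    return may_receive(&t, &p);
}

int main(void)
{
    return (deliver("eth0", 0) == 1 && deliver("ppp0", 0) == 0) ? 0 : 1;
}
```

Because the generic packet structure only ever sees a `void *`, a different module could hang a different label type on the same field without changing `struct pkt`.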
This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 06:33:02 PDT