Re: 2001_05_09 patch against 2.4.4

From: Jesse Pollard (pollardat_private)
Date: Thu May 17 2001 - 07:10:38 PDT

  • Next message: jmjonesat_private: "LSMEXAMPLE.C(.GZ)"

    Chris Evans <chrisat_private>:
    > On Wed, 16 May 2001, Jesse Pollard wrote:
    > > > /etc/very/secret open.  I'd like to be able to support tcp connect/accept
    > > > and udp send/recv to/from host:port via device (howz that for non-sense? ;-)
    > >
    > > Nope - very reasonable. It calls for IPSec layers on TCP, and CIPSO like
    > > identification as well. The packet filter firewall rules appear to be acting
    > > in the place of IPSec.
    > >
    > > I would like even more integration....
    > >
    > > local user (running secret on host W) attempts to connect to host X.
    > >
    > > 1. capability test locally determines that user is allowed network access...
    > >
    > > 2. MLS combines access request with security label (secret) and passed to
    > >    IPSec.
    > >
    > > 3. IPSec security association (SA) determines that encryptions of session
    > >    (or packet) is mandatory - policy decision between the local facility
    > >    and the remote facility containing X (and the requirements of the local
    > >    security label and encryption negotiation between W and X...).
    > If Linux had the capability to set up virtual encrypted network interfaces
    > (cipe?), why not simply
    > - label cipe0 as a device providing cryptographic transfers
    > - label your sensitive files as requiring a cryptographic transfer
    > => try and send over eth0 => EPERM
    1. The number of connections is unknown and encryption negotiation
       needs to be handled (it can also be optional depending on the destination)
    2. The data being exchanged may not be a file (database server composite
       retrieval, or results of computation)
    3. Some data being exchanged would not require encryption between the same
       two hosts.
    4. Must not be bypassed by the user.
    5. Also need audit trail.
    6. Simpler administration (only need some static SA entries, user IDs, and
       security labels defined between local facility agreements and the remote
    7. Some users would not be allowed to use the network (no external
       socket/bind allowed ...)
    I realize this is extreme, but I've been asked for this level before (and
    on other OS types too)
    Jesse I Pollard, II
    Email: pollardat_private
    Any opinions expressed are solely my own.
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu May 17 2001 - 07:11:32 PDT