> -----Original Message-----
> From: crispinat_private [mailto:crispinat_private]
> Sent: Monday, July 30, 2001 5:52 PM
> To: lachlan.mcilroyat_private
> Cc: linux-security-moduleat_private
> Subject: Re: Hooks for MAC
>
>
> Lachlan McIlroy wrote:
>
> > The attached patch contains hooks required for a MAC
> > system to moderate subject-subject control. These hooks
> > can be used to ensure that only processes with read/write
> > label dominance can read/write attributes of another
> > process (ie GID, SID and scheduling parameters). The
> > patch was generated from the 2.4.6 tree and I will post
> > a patch against 2.4.7 soon.
>
> Could you elaborate a bit more on the design of this patch?
> While LSM should support MLS label style modules, the MLS label
> concepts themselves should not be embedded into the LSM interface.
> From the above description, it is unclear whether the patch is
> specific to the notions of label dominance, or if it is generic to
> inspecting security blobs when subjects attempt to read/write
> attributes of other subjects.

The hooks are meant to be generic and could be used for a variety of
purposes. We (I'm assisting SGI with their CAPP and LSPP implementations)
require these hooks for MAC so for an overall system picture just combine
this patch with SGI's intentions. I have no intention of imposing MLS
concepts into the LSM interface so if anyone sees a more appropriate way
to moderate subject-subject control in these system calls then I am happy
to listen.

>
> Crispin
>
> P.S. You appear to be posting from an address that is not
> subscribed to the LSM mailing list. This is fine, but introduces
> an arbitrary amount of delay until I get around to approving the post.
>

Sorry, my mistake - I've changed my email address to the one I
subscribed with.

> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase:
> http://wirex.com/Products/Immunix/purchase.html
>
>

---
Lachlan McIlroy              Phone: +61 3 9596 4155
Trusted Linux                Fax:   +61 3 9596 2960
Adacel Technologies Ltd      www.adacel.com

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 18:17:23 PDT