Michael Halcrow wrote:

> On Mon, Aug 18, 2003 at 11:16:36AM -0700, Seth Arnold wrote:
>
>> I guess I don't understand your security goals.
>
> Perhaps I should have made myself more clear on this. I want to
> implement BSD Secure Levels as an LSM.
>
> I want my policies to be enforced whenever I am in a secure level
> greater than or equal to 1, except when an atomic shutdown operation
> is taking place. That is, once the security has been relaxed to allow
> shutdown-related operations, an attacker cannot stop or otherwise
> hijack the shutdown process to obtain unauthorized control.

I still don't understand the goal, but that's because I never understood
the idea behind BSD Secure Levels. The pseudo code you provided doesn't
help, because I don't understand the implicit semantics of the
seclvl_capable function.

So, there you are in Secure Level 1 (or greater). You want to shut down.
The Secure Level thingie largely prevents Joe User from calling umount,
shutdown, & such nasties, and prevents Joe User from driving the Secure
Level below 1.

Back to Seth's question: who or what is authorized to either shut the
machine down, or drive the Secure Level below 1 so that the machine can
be shut down? You need to define a policy of who or what is authorized
to disable security (drive Secure Level below 1) or bypass security
(shut down despite Secure Level >= 1). Then you need to implement some
stuff that enforces that policy.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
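A toy model of the kind of policy Crispin asks for, added here as an illustration (it is not code from this thread, not Linux LSM code, and not the BSD kernel's implementation): the level can be raised by any caller, while the shutdown-time relaxation is granted only to init (assumed to be pid 1, a choice made for this model) and only after init has begun the shutdown, so an attacker's process stays blocked even while the shutdown runs.

```c
#include <stdbool.h>
/* Operations gated by the secure level (a hypothetical set for this model). */
enum seclvl_op { OP_UMOUNT, OP_RAW_DISK_WRITE, OP_SHUTDOWN, OP_LOWER_LEVEL };
struct sys_state {
    int  level;            /* current secure level; >= 1 means enforcing */
    bool shutdown_started; /* set once the authorized shutdown has begun */
};
#define INIT_PID 1 /* assumption: init (pid 1) is the only shutdown authority */

/* Raising is one-way: a request for a lower level is ignored here. */
int seclvl_raise(struct sys_state *s, int level)
{
    if (level > s->level)
        s->level = level;
    return s->level;
}

/* The policy decision: may process `pid` perform `op` right now? */
bool seclvl_permit(const struct sys_state *s, int pid, enum seclvl_op op)
{
    if (s->level < 1)
        return true;               /* not enforcing: ordinary DAC rules apply */
    switch (op) {
    case OP_SHUTDOWN:
        return pid == INIT_PID;    /* only init may start the shutdown */
    case OP_UMOUNT:
    case OP_RAW_DISK_WRITE:
    case OP_LOWER_LEVEL:
        /* Relaxed for init only, and only after it began the shutdown;
         * every other process stays blocked while the shutdown runs. */
        return s->shutdown_started && pid == INIT_PID;
    }
    return false;                  /* unknown op: deny by default */
}

/* Start the shutdown; from here on init alone gets the relaxed rules. */
bool seclvl_begin_shutdown(struct sys_state *s, int pid)
{
    if (!seclvl_permit(s, pid, OP_SHUTDOWN))
        return false;
    return s->shutdown_started = true;
}

/* Lower the level (so unmounts etc. proceed), under the same policy. */
bool seclvl_lower(struct sys_state *s, int pid, int level)
{
    if (level >= s->level || !seclvl_permit(s, pid, OP_LOWER_LEVEL))
        return false;
    s->level = level;
    return true;
}
```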
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 15:22:02 PDT