On Mon, 2005-11-28 at 10:11 -0500, Stephen Smalley wrote:

> With regard to low water mark, to elaborate slightly on my prior
> comments, non-tranquility in the task security labels raises the obvious
> concerns about revocation of access, e.g. do you ensure that a high
> integrity process that is demoted truly loses all access to high
> integrity resources it already holds (hint: you can't provide complete
> revocation with LSM today, nor are you likely to ever do so in Linux -
> complete revocation is rather difficult and made more so by the kernel
> model and interface; see the Flask and Fluke papers). Automatic changes
> in the task security labels raises obvious concerns about applications
> failing in interesting ways upon such demotion, e.g. high integrity
> process starts a transaction, reads low integrity data and is demoted,
> and is unable to complete the transaction, thereby leaving the store
> corrupted.

BTW, in the case of Linux, it doesn't appear that you are dealing properly with tasks that share resources (such as the VM) via clone() when you demote processes based on reads and writes. And doing so is likely to be rather complicated...

-- 
Stephen Smalley
National Security Agency
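An added toy model, not code from this thread or from LSM, of the three low-water-mark problems the message describes: a descriptor opened before demotion that is never re-checked, a transaction cut off mid-way when access is revoked on demotion, and a clone()-shared address space that carries low-integrity data out through a sibling whose label stayed high. Object names, fd numbers and the two-level lattice are constructed for the illustration.

```python
# Added toy model (not from the post) of low-water-mark integrity and the
# problems raised above. HIGH > LOW; a read demotes the task to
# min(task, object); a write needs task >= object.
HIGH, LOW = 2, 1
class Obj:
    def __init__(self, name, level):
        self.name, self.level, self.data = name, level, []
class Task:
    def __init__(self, level, vm=None):
        self.level = level
        self.vm = {} if vm is None else vm   # clone(CLONE_VM) hands over the same dict
        self.handles = {}                    # fd -> Obj, checked only at open time
    def open_for_write(self, obj, fd):
        if self.level < obj.level:
            raise PermissionError(f"{obj.name}: too low to open for write")
        self.handles[fd] = obj
    def read(self, obj):
        self.vm[obj.name] = obj.level            # data now lives in the address space
        self.level = min(self.level, obj.level)  # low water mark: demote the label
    def write(self, fd, item, recheck=False):
        obj = self.handles[fd]
        if recheck and self.level < obj.level:   # what full revocation would require
            raise PermissionError("revoked after demotion")
        obj.data.append(item)

def held_handle_survives_demotion():
    store, t = Obj("store", HIGH), Task(HIGH)
    t.open_for_write(store, 3)
    t.read(Obj("untrusted", LOW))    # demoted to LOW ...
    t.write(3, "tainted")            # ... but the open fd is never re-checked
    return t.level, store.data

def revocation_breaks_transaction():
    store, t = Obj("store", HIGH), Task(HIGH)
    t.open_for_write(store, 3)
    t.write(3, "begin", recheck=True)
    t.read(Obj("untrusted", LOW))
    try:
        t.write(3, "commit", recheck=True)
    except PermissionError:
        pass                         # transaction left half-done
    return store.data

def clone_vm_leaks_past_label():
    store, parent = Obj("store", HIGH), Task(HIGH)
    child = Task(HIGH, vm=parent.vm)          # shares the parent's address space
    child.read(Obj("untrusted", LOW))         # only the child's label drops
    parent.open_for_write(store, 3)           # parent is still HIGH, passes the check
    parent.write(3, dict(parent.vm), recheck=True)  # low data reaches the high store
    return parent.level, child.level, store.data
```

Each function returns the resulting task label(s) and store contents, so the three outcomes (tainted write, half-finished transaction, leak through the un-demoted sibling) can be compared directly.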
This archive was generated by hypermail 2.1.3 : Mon Nov 28 2005 - 08:17:50 PST