On Mon, 2005-11-28 at 21:32 -0500, Tim Fraser wrote:
> SLIM watches what privileged processes read, and "demotes" those that
> read potentially-dangerous low-integrity data.

BTW, I think we need to distinguish between low water mark as a model and SLIM as a particular implementation in this discussion. It isn't clear whether SLIM is consistent with the above description. Is SLIM supposed to monitor actual data reads or just the descriptor acquisition (whether via open, inheritance, or local IPC transfer)?

Monitoring actual data reads is naturally problematic (e.g. AIO, memory mapped files), but SLIM makes a partial effort via use of the file_permission hook (but oddly does not use file_mmap). SLIM also appears to adjust the task levels upon inode_permission, so it appears to apply the demotion at open time as well, but does nothing upon inheritance or local IPC transfer.

SELinux, in comparison, checks access upon open, inheritance, and local IPC transfer (for complete control of rights propagation) as well as revalidating access when possible upon actual operations (for limited support for revocation for relabeled files or policy changes).

-- 
Stephen Smalley
National Security Agency
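Added illustration, not part of the message above and not SLIM or SELinux code: a small userspace model of low water mark demotion with the hook points the message names (inode_permission at open, file_permission at read, file_mmap at map time, and a local IPC descriptor transfer). It shows why mediating only open and read leaves a gap once a descriptor arrives by a path that never calls open() and is then mapped rather than read. The policy_t flags, the slim_like and complete policies, and the task and file names are assumptions made for the example.

```c
/* Constructed userspace model of low water mark demotion and the LSM hook
 * points that could enforce it. Not SLIM or SELinux source; policy flags and
 * names are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { LOW = 0, HIGH = 1 } level_t;

typedef struct { const char *name; level_t level; } file_t;

#define MAX_FDS 8
typedef struct {
    const char *name;
    level_t level;          /* the task's current water mark */
    file_t *fds[MAX_FDS];   /* descriptor table; NULL marks a free slot */
} task_t;

/* Which descriptor-acquisition and data-access points a policy mediates. */
typedef struct {
    bool on_open;     /* inode_permission: demote when the task opens the object */
    bool on_read;     /* file_permission: demote on each read through the fd */
    bool on_mmap;     /* file_mmap: demote when the fd is mapped */
    bool on_ipc;      /* descriptor received over local IPC (e.g. SCM_RIGHTS) */
} policy_t;

/* Assumed approximation of the SLIM behaviour described in the message:
 * open and read are mediated, mmap and IPC transfer are not. */
static const policy_t slim_like = { .on_open = true, .on_read = true };
/* Mediates every acquisition path and revalidates on use. */
static const policy_t complete  = { true, true, true, true };

static void demote(task_t *t, const file_t *f)
{
    if (f->level < t->level)
        t->level = f->level;    /* the water mark only ever falls */
}

static int install_fd(task_t *t, file_t *f)
{
    for (int i = 0; i < MAX_FDS; i++)
        if (t->fds[i] == NULL) { t->fds[i] = f; return i; }
    return -1;
}

/* Descriptor acquisition by open(): the only path in this model that passes
 * through inode_permission. */
static int hook_open(const policy_t *p, task_t *t, file_t *f)
{
    if (p->on_open) demote(t, f);
    return install_fd(t, f);
}

/* Data read through an already-held descriptor (file_permission). */
static void hook_read(const policy_t *p, task_t *t, int fd)
{
    if (p->on_read) demote(t, t->fds[fd]);
}

/* Mapping the descriptor (file_mmap); later page faults never revisit a hook. */
static void hook_mmap(const policy_t *p, task_t *t, int fd)
{
    if (p->on_mmap) demote(t, t->fds[fd]);
}

/* Descriptor handed from sender to receiver over local IPC: the receiver
 * never calls open(), so inode_permission is not consulted for it. */
static int hook_ipc_transfer(const policy_t *p, const task_t *sender, int fd, task_t *receiver)
{
    file_t *f = sender->fds[fd];
    if (p->on_ipc) demote(receiver, f);
    return install_fd(receiver, f);
}

/* A LOW helper opens a low-integrity file and passes the descriptor to a
 * HIGH task, which then either maps or reads it. Returns the HIGH task's
 * resulting level. */
static level_t scenario(const policy_t *p, bool use_mmap)
{
    file_t untrusted = { "untrusted.dat", LOW };
    task_t helper = { "helper", LOW, { NULL } };
    task_t privd  = { "privd", HIGH, { NULL } };

    int fd  = hook_open(p, &helper, &untrusted);
    int rfd = hook_ipc_transfer(p, &helper, fd, &privd);
    if (use_mmap)
        hook_mmap(p, &privd, rfd);
    else
        hook_read(p, &privd, rfd);
    return privd.level;
}

int main(void)
{
    printf("slim-like, read: %s\n", scenario(&slim_like, false) == LOW ? "demoted" : "still HIGH");
    printf("slim-like, mmap: %s\n", scenario(&slim_like, true)  == LOW ? "demoted" : "still HIGH");
    printf("complete,  mmap: %s\n", scenario(&complete, true)   == LOW ? "demoted" : "still HIGH");
    return 0;
}
```

With the slim_like policy the read path still demotes privd, because file_permission fires on each read; the mmap path leaves privd at HIGH while it is mapping low-integrity data, because neither the IPC transfer nor file_mmap was mediated. Descriptor inheritance across fork/exec has the same shape as the IPC path (the receiving task never called open) and is left out of the model only for brevity.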
This archive was generated by hypermail 2.1.3 : Tue Nov 29 2005 - 06:05:54 PST