(MAC/DAC) RE: Future Linux devel. Kernels

From: Linda Walsh (law@sgi.com)
Date: Tue May 09 2000 - 11:20:46 EST


> [Filled for readability]

---
	Sorry -- I tend to expand my compose window over time so quoted
text appears all on one line, then things keep floating wider and wider
after that....*snort*.

> Interesting idea. Is this a standard? How does it interact with UID/GID?

LSPP is a published protection program under Common Criteria, which is ISO standard "ISO International Standard #15408" (see: http://csrc.nist.gov/cc/ccv20/ccv2list.htm).

As for interaction, both are checked, first MAC, then Discretionary Access Control (DAC) (UID/GID). DAC is called discretionary because it is at the user's discretion, whereas MAC is not. Files a user creates are only at their current sens/int level. W/o special privileges, they can't change those levels.

> > Only a login @ console can root log in and gain sens=250, int=250. Root
> > ID daemons don't (they run at 5,5 or 5,0). Root daemons don't run with
> > CAP_MAC_OVERRIDE -- again, console only function.
>
> How do I change my password then?

I forget the exact semantics, but it is something like: the password program (INT=250, sens=5 or 0) has CAP_SENS_UPGRADE and CAP_INT_UPGRADE, so it can create files w/higher Sens/Int.

This is really protection a cracker would *not* want to see in the kernel. It makes the whole *game* of "cracking the perimeter defense" nowhere near as valuable. It'd be like the game of guessing a vault's combination lock, getting the door open and discovering a stone wall -- the real entrance to the vault is a tunnel that comes out in the nearest police station and is protected there by titanium steel and a banker's hours - time lock! :-)

Inside the bank are individual lock boxes for each class of user and/or each user (remember MAC is supplemented by DAC -- on a CAPP/LSPP compliant system, default umask is 007). The safe *may* have individual locks on the outside in the bank (still a 'trusted' environment, just not as safe as the 'console' in police headquarters) of the safe. Each user key only accesses their own compartment on the outside wall of the safe (authenticated access from within a trusted site - intranet) or a user could have a safe with an outside door -- (authenticated access from external environment - internet).

All of it configurable to meet the user's particular situation.

This is something we (sgi) have a goal of having by Q2 of next year and *hopefully* having available to people in the mainline kernel as a configurable option. The cost of a MAC check on a file open or Stat is negligible.

-l
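The check order and the level/capability rules described in the message above, as an added toy model (not code from the post, nor from any SGI or Linux kernel implementation). It assumes the usual lattice rules for the two labels (no read-up/no write-down on sensitivity, no read-down/no write-up on integrity), which the post leaves open, and uses the capability and level names the post gives.

```python
from dataclasses import dataclass
CAP_MAC_OVERRIDE = "CAP_MAC_OVERRIDE"  # bypasses MAC; console-only per the post
CAP_SENS_UPGRADE = "CAP_SENS_UPGRADE"  # may create files above own sensitivity
CAP_INT_UPGRADE = "CAP_INT_UPGRADE"    # may create files above own integrity
DEFAULT_UMASK = 0o007                  # CAPP/LSPP default umask named in the post

@dataclass
class Subject:
    uid: int
    gid: int
    sens: int
    integ: int
    caps: frozenset = frozenset()

@dataclass
class File:
    uid: int
    gid: int
    mode: int   # permission bits, e.g. 0o660
    sens: int
    integ: int

def mac_allows(s, f, op):
    """MAC check. Assumed lattice rules (the post does not spell them out):
    no read-up / no write-down on sensitivity, no read-down / no write-up on integrity."""
    if CAP_MAC_OVERRIDE in s.caps:
        return True
    if op == "read":
        return s.sens >= f.sens and f.integ >= s.integ
    return f.sens >= s.sens and s.integ >= f.integ

def dac_allows(s, f, op):
    """Classic owner/group/other permission bits keyed on UID/GID."""
    bit = 4 if op == "read" else 2
    shift = 6 if s.uid == f.uid else 3 if s.gid == f.gid else 0
    return bool((f.mode >> shift) & bit)

def access(s, f, op):
    """Order from the post: MAC is checked first, then DAC; both must pass."""
    return mac_allows(s, f, op) and dac_allows(s, f, op)

def create_file(s, sens=None, integ=None):
    """New files take the creator's level; a higher level needs the upgrade cap."""
    sens = s.sens if sens is None else sens
    integ = s.integ if integ is None else integ
    if sens > s.sens and CAP_SENS_UPGRADE not in s.caps:
        raise PermissionError("raising sens needs CAP_SENS_UPGRADE")
    if integ > s.integ and CAP_INT_UPGRADE not in s.caps:
        raise PermissionError("raising int needs CAP_INT_UPGRADE")
    return File(s.uid, s.gid, 0o666 & ~DEFAULT_UMASK, sens, integ)
```

With these rules a root daemon at (5,5) passes DAC on a root-owned file at (250,250) but is stopped by MAC, which is the point of keeping CAP_MAC_OVERRIDE off daemons.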

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:13 EST