
List:       opensolaris-security-discuss
Subject:    [security-discuss] Porting TSOL8 application to Trusted Extensions
From:       Mike John <mike.john () metanate ! com>
Date:       2007-09-24 12:20:20
Message-ID: 46F7AB84.30309 () metanate ! com

I'd appreciate some advice on the porting of an existing evaluated 
Trusted Solaris application to Solaris 10 with Trusted Extensions.

Here's a brief description of the application:

It operates as a collection of compartments, each performing some 
function on files which it receives from its input interface before 
passing the result, again in a disk file, to its output interface. The 
compartments are "plumbed" together in a chain, where the initial and 
final compartments are associated with network interfaces. The 
"plumbing" is implemented by a trusted (evaluated) mover process, which 
is responsible for moving files from a compartment's output directory to 
the subsequent compartment's input directory.

Each compartment has a distinct label with a single compartment set. The 
"trusted mover" process operates with a dominant label (TMS) which has 
all compartments available. The mover then uses label dominance to read 
output files from compartments, and privilege (I think 
priv_file_downgrade_sl and/or priv_file_mac_write) to write the file as 
input to the subsequent compartment at the appropriate label.

We've done some research on zones and trusted extensions and had some 
hands-on time and seen the obvious mapping of our compartment functions 
and labels onto zones, but one fundamental question remains, relating to 
how the trusted mover maps to the trusted extensions environment. We've 
read comments which say that it is not possible for zones other than the 
global zone to write-down, which implies that having a TMS zone in which 
the trusted mover runs will not be practicable. However, we've also seen 
tantalising remarks such as:

"A labeled zone can access global zone door servers if the global zone 
rendezvous file is loopback-mounted into the labeled zone." ... giving 
access to labeld from the non-global zone.

The three options appear to be:
(1) Run the mover in the global zone at admin_high and dispense with the 
TMS label
(2) Run the mover in the global zone at the TMS label (saw a remark 
somewhere that there need not be a zone corresponding to each label)
(3) Run the mover in a TMS zone at label TMS

Anyone have any advice on which of these options are practicable/desirable?

Thanks
Mike

_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
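The post leans on two distinct mechanisms: dominance, which lets the mover read a compartment's output, and privilege, which lets it deposit the result at a label it does not equal. The toy model below is an added illustration of that split; it is not code from the original message or from Solaris Trusted Extensions. The labels A, B, TMS and ADMIN_HIGH, the directory paths, and the simplified privilege semantics (a read needs the process label to dominate the file label; a new file is created at the process label; relabelling a file to a label that does not dominate its current label needs file_downgrade_sl) are assumptions, and so is the constraint that only a global-zone process holds that privilege, which is the reading the post reports for labeled zones.

```python
"""Toy model of the MAC checks a trusted mover relies on.

Added example, not code from the original post or from Solaris Trusted
Extensions. Labels, paths and privilege semantics are assumed
simplifications: reading needs the process label to dominate the file
label; a new file is created at the process label; relabelling to a label
that does not dominate the current one is a downgrade and needs
file_downgrade_sl. Which zones can hold that privilege follows the
constraint the post reports: only the global zone can write down.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    classification: int
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """L1 dominates L2 iff class(L1) >= class(L2) and comps(L1) is a superset of comps(L2)."""
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


# Constructed labels: one compartment bit per processing stage; TMS has all of them.
A = Label(1, frozenset({"a"}))
B = Label(1, frozenset({"b"}))
TMS = Label(1, frozenset({"a", "b"}))
ADMIN_HIGH = Label(99, frozenset({"a", "b"}))


@dataclass
class File:
    path: str
    label: Label
    data: bytes


@dataclass
class Process:
    label: Label
    zone: str
    privs: frozenset = frozenset()

    def read(self, f: File) -> bytes:
        # Simple security property: read-equal and read-down only.
        if not self.label.dominates(f.label):
            raise PermissionError(f"{self.zone}: {f.path} is not dominated by the process label")
        return f.data

    def create(self, path: str, data: bytes) -> File:
        # A new file takes the label of the creating process.
        return File(path, self.label, data)

    def relabel(self, f: File, new: Label) -> None:
        # Moving to a label that does not dominate the current one is a
        # downgrade (or a sideways move between compartments): privileged.
        if not new.dominates(f.label) and "file_downgrade_sl" not in self.privs:
            raise PermissionError(f"{self.zone}: {f.label} -> {new} needs file_downgrade_sl")
        f.label = new


def move(mover: Process, src: File, dst_dir: str, dst_label: Label) -> File:
    """Copy one compartment's output file into the next compartment's input dir at its label."""
    data = mover.read(src)                                   # read-down via dominance
    dst = mover.create(f"{dst_dir}/{src.path.rsplit('/', 1)[-1]}", data)
    mover.relabel(dst, dst_label)                            # write-down via privilege
    return dst


def mover_for_option(option: int) -> Process:
    """The three deployments listed in the post; privilege availability is the assumed constraint."""
    downgrade = frozenset({"file_downgrade_sl"})
    if option == 1:
        return Process(ADMIN_HIGH, "global", downgrade)
    if option == 2:
        return Process(TMS, "global", downgrade)
    if option == 3:
        return Process(TMS, "tms-zone")                      # labeled zone: no write-down privilege
    raise ValueError(option)


def chain_step_succeeds(option: int) -> bool:
    """Does the mover in this deployment get A's output into B's input at label B?"""
    src = File("/zone/a/export/out/msg1", A, b"constructed payload")   # constructed sample file
    try:
        dst = move(mover_for_option(option), src, "/zone/b/export/in", B)
    except PermissionError:
        return False
    return dst.label == B and dst.data == src.data


if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(f"option {opt}: {'moves' if chain_step_succeeds(opt) else 'blocked'}")
```

Under these assumptions options (1) and (2) complete the hop because the global-zone mover can relabel downwards, while option (3) reads A's output without trouble (TMS dominates A) and then fails at the relabel, which is exactly the write-down the post is unsure a labeled zone can perform. The model says nothing about whether a door into the global zone's labeld changes that; it only separates the dominance check from the privilege check.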