List: opensolaris-security-discuss
Subject: [security-discuss] Porting TSOL8 application to Trusted Extensions
From: Mike John <mike.john () metanate ! com>
Date: 2007-09-24 12:20:20
Message-ID: 46F7AB84.30309 () metanate ! com
I'd appreciate some advice on the porting of an existing evaluated
Trusted Solaris application to Solaris 10 with Trusted Extensions.
Here's a brief description of the application:
It operates as a collection of compartments, each performing some
function on files which it receives from its input interface before
passing the result, again in a disk file, to its output interface. The
compartments are "plumbed" together in a chain, where the initial and
final compartments are associated with network interfaces. The
"plumbing" is implemented by a trusted (evaluated) mover process, which
is responsible for moving files from a compartment's output directory to
the subsequent compartment's input directory.
Each compartment has a distinct label with a single compartment set. The
"trusted mover" process operates with a dominant label (TMS) which has
all compartments available. The mover then uses label dominance to read
output files from compartments, and privilege (I think
priv_file_downgrade_sl and/or priv_file_mac_write) to write the file as
input to the subsequent compartment at the appropriate label.
We've done some research on zones and trusted extensions and had some
hands-on time and seen the obvious mapping of our compartment functions
and labels onto zones, but one fundamental question remains, relating to
how the trusted mover maps to the trusted extensions environment. We've
read comments which say that it is not possible for zones other than the
global zone to write-down, which implies that having a TMS zone in which
the trusted mover runs will not be practicable. However, we've also seen
tantalising remarks such as:
"A labeled zone can access global zone door servers if the global zone
rendezvous file is loopback-mounted into the labeled zone." ... giving
access to labeld from the non-global-zone.
The three options appear to be:
(1) Run the mover in the global zone at admin_high and dispense with the
TMS label
(2) Run the mover in the global zone at the TMS label (saw a remark
somewhere that there need not be a zone corresponding to each label)
(3) Run the mover in a TMS zone at label TMS
Anyone have any advice on which of these options are practicable/desirable?
Thanks
Mike
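The following is an added toy model of the read/write-down reasoning described in the post above; it is not code from the original message, from Trusted Solaris, or from Trusted Extensions. The label structure (classification plus compartment set), the dominance rule, and the privilege name file_downgrade_sl follow the poster's own description of the mover; the single classification value, the compartment names A/B/C, and the helper names (Label, Process, move_file, run_chain) are constructed for illustration. It shows why a mover at the TMS label can read every compartment's output by dominance alone, why writing the result into the next compartment's input directory is a write-down that needs privilege, and why a process running at a single compartment's label cannot even read the previous stage.

```python
"""Toy Bell-LaPadula model of the compartment chain described in the post.

Illustrative only: this is not Trusted Solaris or Trusted Extensions code.
Labels, dominance and the privilege name follow the post's description;
the classification value, compartment names and helpers are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    """A sensitivity label: hierarchical classification plus a compartment set."""
    classification: int
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff class(L1) >= class(L2) and comps(L1) is a superset of comps(L2).
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


class MacViolation(Exception):
    """Raised when a read or write is refused by the label rules."""


@dataclass(frozen=True)
class Process:
    name: str
    label: Label                          # the label the process runs at
    privs: FrozenSet[str] = frozenset()   # effective privileges (assumed names)


def mac_read(proc: Process, file_label: Label) -> None:
    """Simple-security property: a reader must dominate the file's label."""
    if not proc.label.dominates(file_label):
        raise MacViolation(f"{proc.name} at {proc.label} cannot read {file_label}")


def mac_write(proc: Process, target_label: Label) -> str:
    """Write rule: unprivileged writes happen only at the process's own label.

    A write to a label the process strictly dominates is a write-down and
    needs file_downgrade_sl (the privilege the post names); anything else,
    including writes to incomparable or higher labels, is refused."""
    if target_label == proc.label:
        return "write"
    if proc.label.dominates(target_label):
        if "file_downgrade_sl" in proc.privs:
            return "write-down"
        raise MacViolation(f"{proc.name} needs file_downgrade_sl to write down to {target_label}")
    raise MacViolation(f"{proc.name} at {proc.label} cannot write at {target_label}")


def move_file(mover: Process, chain: List[Label], hop: int) -> Tuple[str, str]:
    """Move one file from chain[hop]'s output to chain[hop + 1]'s input.

    Returns the (read, write) decisions taken, or raises MacViolation."""
    src, dst = chain[hop], chain[hop + 1]
    mac_read(mover, src)           # read the output file at the source compartment's label
    how = mac_write(mover, dst)    # write the input file at the next compartment's label
    return ("read", how)


# Constructed example: three single-compartment labels at one classification,
# and the dominant TMS label that carries all three compartments.
CLASS = 1
COMP_A, COMP_B, COMP_C = (Label(CLASS, frozenset({c})) for c in "ABC")
TMS = Label(CLASS, frozenset({"A", "B", "C"}))
CHAIN = [COMP_A, COMP_B, COMP_C]


def run_chain(mover: Process) -> List[Tuple[str, str]]:
    """Drive a file through every hop of the chain; stops at the first MAC denial."""
    return [move_file(mover, CHAIN, hop) for hop in range(len(CHAIN) - 1)]


if __name__ == "__main__":
    privileged = Process("mover", TMS, frozenset({"file_downgrade_sl"}))
    print(run_chain(privileged))          # dominance reads, privileged write-downs
    unprivileged = Process("mover-nopriv", TMS)
    try:
        run_chain(unprivileged)
    except MacViolation as exc:
        print("denied:", exc)             # TMS dominates, but the write-down is refused
```

Running the module shows both outcomes: with file_downgrade_sl every hop is a dominance read followed by a privileged write-down; without it the first write into a lower-labelled input directory is refused, which is the point the poster's three options turn on.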
security-discuss mailing list
security-discuss@opensolaris.org