Re: [RFC][PATCH 8/8] SLIM: documentation

[Mimi Zohar]

Pavel Machek wrote on 08/17/2006 07:02:14 PM:

> Hi!
>
> > Documentation.
>
> No, I still do not understand how this is supposed to work.

Yes, the documentation definitely needs more work.

> > +In normal operation, the system seems to stabilize with a roughly
> > +equal mixture of SYSTEM, USER, and UNTRUSTED processes. Most
>
> So you split processes to three classes (why three?), and
> automagically move them between classes based on some rules? (What
> rules?)
>
> Like if I'm UNTRUSTED process, I may not read ~/.ssh/private_key? So
> files get this kind of labels, too? And it is "mozilla starts as a
> USER, but when it accesses first web page it becomes UNTRUSTED"?

Processes are not moved from one integrity level to another, but are
demoted when they read from a lower integrity level object. By
definition sockets, are defined as UNTRUSTED, so reading from a
socket demotes the process to UNTRUSTED.  (Secrecy is a separate
attribute.) In the Mozilla example, /usr/bin/mozilla is defined as
SYSTEM, preventing any process with lesser integrity from modifying
it.  'level -s' displays the level of the current process or of a
given file.  For example,

[zohar@L3X098X ~]$ level -s /usr/bin/mozilla
/usr/bin/mozilla
        security.slim.level: SYSTEM PUBLIC

Both mozilla and firefox-bin are defined as SYSTEM, as soon as the
firefox-bin process opens a socket, the process is demoted to
UNTRUSTED.

I hope this answered some of your questions.  We're working on
more comprehensive documentation, which we'll post with the next
release.

Mimi Zohar

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/