Re: [RFC][PATCH 8/8] SLIM: documentation

From: Mimi Zohar
Date: Fri Aug 18 2006 - 13:39:05 EST

Pavel Machek wrote on 08/17/2006 07:02:14 PM:

> Hi!
> > Documentation.
> No, I still do not understand how this is supposed to work.

Yes, the documentation definitely needs more work.

> > +In normal operation, the system seems to stabilize with a roughly
> > +equal mixture of SYSTEM, USER, and UNTRUSTED processes. Most
> So you split processes to three classes (why three?), and
> automagically move them between classes based on some rules? (What
> rules?)
> Like if I'm UNTRUSTED process, I may not read ~/.ssh/private_key? So
> files get this kind of labels, too? And it is "mozilla starts as a
> USER, but when it accesses first web page it becomes UNTRUSTED"?

Processes are not moved from one integrity level to another, but are
demoted when they read from a lower integrity level object. By
definition sockets, are defined as UNTRUSTED, so reading from a
socket demotes the process to UNTRUSTED. (Secrecy is a separate
attribute.) In the Mozilla example, /usr/bin/mozilla is defined as
SYSTEM, preventing any process with lesser integrity from modifying
it. 'level -s' displays the level of the current process or of a
given file. For example,

[zohar@L3X098X ~]$ level -s /usr/bin/mozilla
security.slim.level: SYSTEM PUBLIC

Both mozilla and firefox-bin are defined as SYSTEM, as soon as the
firefox-bin process opens a socket, the process is demoted to

I hope this answered some of your questions. We're working on
more comprehensive documentation, which we'll post with the next

Mimi Zohar

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at