| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Jun 2007 09:06:06 -0700 (PDT) From: Casey Schaufler <casey@...aufler-ca.com> To: Stephen Smalley <sds@...ho.nsa.gov>, Lars Marowsky-Bree <lmb@...e.de> Cc: James Morris <jmorris@...ei.org>, Pavel Machek <pavel@....cz>, Crispin Cowan <crispin@...ell.com>, Greg KH <greg@...ah.com>, Andreas Gruenbacher <agruen@...e.de>, jjohansen@...e.de, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching --- Stephen Smalley <sds@...ho.nsa.gov> wrote: > Mandatory access control as historically understood has always meant > system-wide. Chapter and verse: TCSEC 3.1.1.4 Mandatory Access Control "The TCB shall enforce a mandatory access control policy over all subjects and storage objects under its control." Chapter and verse: TCSEC 3.2.1.4 Mandatory Access Control "The TCB shall enforce a mandatory access control policy over all resources that are directly or indirectly accessible by subjects external to the TCB." The first reference is in the definition of a B1 system, while the second is for a B2 system. It was made clear to those of us doing TCSEC evaluations that there is a very real distintion between these two requirements. In the history that I've been through, starting in 1987, the B1 requirement has been read to allow for things that are not storage objects to be uncontrolled while the B2 requirement does not. If everything is a storage object, which is the approach everybody took, yes, you're looking at system wide. If, on the other hand, you were to take a different model approach and say that networking does not use storage objects you would not have to account for them under the B1 rules, while you would still have to for B2. Historically, no one succeeded with B2, and the mindset of B1 prevailed. So, historically, the understanding was that it was easier to declare everything a storage object and code up some MAC for it than it was to provide a security model that explained networking as it really works. I suggest that if AA wants to declare that as far as they are concerned sockets, ports, and packets are none of them storage objects but are instead pregnant weasels that is their peragotive as system designers and that a B1 evaluation team would have accepted that, provided sufficient evidence and explaination of the relevence of pregnant weasels was provided. It would not have worked at B2, but historically everyone understood that B2 was out of reach. Stephen is correct in that historically everyone implemented system that put everything under MAC, but is not in that it was well understood that if you could define something as not being a storage object you didn't have to submit it to MAC. Then as now it was easier to get people to code MAC than to get them to write papers about the security properties of pregnant weasels. Casey Schaufler casey@...aufler-ca.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists