Hi,

> 1. AppID and Resource Token are both a form of SMACK label. How does this translate to the rule "any access requested by a subject on an object with same label is permitted"? Can AppIDs and Tokens be both subjects and objects?
>
> I will leave this one to the creds experts.
>
> ...

AppID will be represented by subject labels, but objects can also be labeled with AppID, so the same rule would work. Such objects will just be primarily accessible only to the particular application. Regarding resource tokens: they would be used only for object labels, not subject labels.

Best Regards,
Elena.

From: [email protected] [mailto:[email protected]] On Behalf Of Schaufler Casey (Nokia-MS/SiliconValley)
Sent: 22 January, 2011 01:25
To: [email protected]; [email protected]
Subject: Re: [Meego-security-discussion] Access Control Question

From: [email protected] [mailto:[email protected]] On Behalf Of ext Caluori, Vince
Sent: Friday, January 21, 2011 2:49 PM
To: [email protected]
Subject: [Meego-security-discussion] Access Control Question

> Hi,
>
> I'm just thinking about a hypothetical instantiation of MSSF, and some questions occur:
>
> 2. I think most of the kernel should get the "_" label. But, my gut says the following should be off limits externally (i.e. to 3rd party apps) and should therefore get a different label: /root, /boot, /sys, /sbin. Possibly others? Is this reasonable thinking? Additionally, there may be other parts that only give up read access to external entities, as opposed to r+x?

Certainly reasonable thinking. You will have usability/security trade-offs, especially with /root (what label should root login with if not floor ("_")), and system processes that want to run at floor may need things from /boot, /sys or /sbin. It is very easy to fall into the trap of excessive granularity of access control. Be careful, for there be dragons.

> 3. What is the implication or rule for the "?" reserved label?

The huh ("?") label is reserved for situations in which it is impossible to decide what label should be used. The intention is that accesses involving this should fail as a result.

> 4. If a file or process or interface has no label is it denied all requests and also not accessible?

See the huh label in #2. There should always be a label, just like there should always be a uid. Unless there is a bug the question is not meaningful.

> 5. AppID and Resource Token are both a form of SMACK label. How does this translate to the rule "any access requested by a subject on an object with same label is permitted"? Can AppIDs and Tokens be both subjects and objects?

I will leave this one to the creds experts.

> ...
>
> Thanks,
> Vince

_______________________________________________
MeeGo-security-discussion mailing list
[email protected]
http://lists.meego.com/listinfo/meego-security-discussion
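As an added illustration of the labeling rules discussed in this thread (the same-label rule, the floor "_" label, the huh "?" label, and AppIDs versus resource tokens), here is a small model of the Smack access decision. It is example code, not MeeGo/MSSF or kernel code; it goes beyond the thread by including the full built-in rule order from the Smack kernel documentation, and the labels "AppID_Foo", "Token_Contacts" and "System" are made-up samples.

```python
# Added example (not MeeGo/MSSF or kernel code): a model of the Smack access
# decision discussed in the thread. Rules 1-7 follow the Smack kernel docs;
# "?" (huh) always fails, as Casey describes. Labels are made-up samples.
FLOOR, STAR, HAT, HUH = "_", "*", "^", "?"

def smack_access(subject, obj, mode, rules):
    """True if a task labeled `subject` may perform `mode` (letters from "rwxa")
    on an object labeled `obj`; `rules` maps (subject, object) -> mode string."""
    mode = set(mode)
    if HUH in (subject, obj):        # "?" means "cannot decide": fail
        return False
    if subject == STAR:              # 1. "*" tasks are denied everything
        return False
    if subject == HAT and mode <= {"r", "x"}:   # 2. "^" may read/execute anything
        return True
    if obj == FLOOR and mode <= {"r", "x"}:     # 3. anyone may read/execute floor
        return True
    if obj == STAR:                  # 4. any access to a "*" object
        return True
    if subject == obj:               # 5. same label on subject and object
        return True
    if mode <= set(rules.get((subject, obj), "")):  # 6. explicit loaded rule
        return True
    return False                     # 7. anything else is denied

# Constructed MSSF-style scenario: an AppID as the subject label, a resource
# token used only as an object label, and a privileged "System" area (/root).
RULES = {("AppID_Foo", "Token_Contacts"): "r"}

def demo():
    s = "AppID_Foo"
    return {
        "own_data":    smack_access(s, s, "rw", RULES),                # True
        "exec_floor":  smack_access(s, FLOOR, "rx", RULES),            # True
        "write_floor": smack_access(s, FLOOR, "w", RULES),             # False
        "root_dir":    smack_access(s, "System", "r", RULES),          # False
        "token_read":  smack_access(s, "Token_Contacts", "r", RULES),  # True
        "token_write": smack_access(s, "Token_Contacts", "w", RULES),  # False
        "huh":         smack_access(s, HUH, "r", RULES),               # False
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'permitted' if ok else 'denied'}")
```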
