Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: dynamic context transitions
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Fri, 19 Nov 2004 09:33:02 -0500
Even in the single-threaded case, for a dynamic context transition, you have to trust the application to maintain any desired separation between the two security contexts since there is no kernel control over the inheritance of state or the initialization of the process in the new security context. So I don't see any difference in assurance burden on the application, given that we are allowing a dynamic context transition by the application in the first place. The benefit of per-thread contexts (like other Linux *id state) would be allowing each thread to perform privilege bracketing independently, so in a multi-threaded server, each thread could switch to a context derived from the client without any impact on any of the other server threads. Naturally, a bug in the application could inadvertently allow a client in one security context to observe or modify information in another security context contrary to policy, but that would also be true of a single-threaded server that switches back and forth between the main application context and a context derived from the client for each request. No difference in the trust required in the application, and debateable as to whether this is any more prone to programmer error than the single-threaded case. Regardless of what path is chosen, some change is required to the patch that was proposed. Either the kernel code needs to explicitly prohibit usage by multi-threaded applications or the libselinux code needs to use /proc/self/task/<tid>/attr/current to allow usage by multi-threaded applications. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Fri 19 Nov 2004 - 09:37:16 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |