Date: Mon, 13 Oct 1997 17:15:55 -0400 (EDT)
From: Brian Mitchell <brian@firehouse.net>
To: Christopher Petrilli <petrilli@amber.org>
Cc: Colman Reilly <careilly@monoid.cs.tcd.ie>, Douglas Carmichael <dcarmich@mcs.com>, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: C2 Trusted FreeBSD?
Message-ID: <Pine.BSI.3.95.971013171308.24189A-100000@shell.firehouse.net>
In-Reply-To: <199710132110.RAA29578@dworkin.amber.org>
On Mon, 13 Oct 1997, Christopher Petrilli wrote:

> > I'm fairly certain acl is _not_ a requirement in the dcl segment of c2.
> > acl is, after all, just another form of group control at its very base.
>
> It is not "mandatory," however the following paragraph excerpted from the
> TCSEC does make it clear that the existing group mechanism is NOT
> acceptable:
>
> "The access controls shall be capable of including or excluding access
> to the granularity of a single user."
>
> This exclusion part is what makes it very difficult. You must be capable
> of giving access to everyone BUT a specific user. While theoretically I
> guess you could do it by managing billions of separate groups, I think
> it would fail nonetheless because of practical enforcement concerns.

no, it isn't. make a group, put users that can't access it in the group,
chmod g-rwx file

bang, groups are perfectly capable of supporting the needed dac

> That having been said, there is one other requirement that would need to
> be addressed:
>
> * Object Reuse (2.2.1.2)
>
> This is defined as follows:
>
> "All authorizations to the information contained within a storage object
> shall be revoked prior to initial assignment, allocation or reallocation
> to a subject from the TCB's pool of unused storage objects. No
> information, including encrypted representations of information, produced
> by a prior subject's actions is to be available to any subject that
> obtains access to an object that has been released back to the system."
>
> Basically, we need to purge all memory when it is allocated, or
> deallocated.

yah, when we release something back into a system, we have to bzero() the
contents, or something similar.

> Other than that, it's mostly documentation, and audit. I would really
> prefer to do an ACL extension to the file system, as I think it's useful
> as it is :-)

I think it is useful as well, I just don't think it is a c2 requirement.
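The "deny group" trick Brian describes works because the classic Unix DAC check picks exactly one permission class (owner, else group, else other) and never falls through to a more permissive one. The following is an added example, not code from the thread or from FreeBSD: a small model of that check in C, with constructed uids, gids and a file mode, showing that a user placed in a group that has `g-rwx` on the file is excluded even though the "other" bits would have let everyone else in. The struct and function names are this example's own.

```c
/* Added example (not from the thread or FreeBSD): a model of the classic
 * Unix discretionary access check, to show how a "deny" group with g-rwx
 * excludes one user while everyone else keeps access via the "other" bits.
 * All struct names, uids, gids and the sample mode are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define MAX_GROUPS 16

/* A process credential: real uid, primary gid, supplementary groups. */
struct cred {
    uid_t  uid;
    gid_t  gid;
    gid_t  groups[MAX_GROUPS];
    size_t ngroups;
};

/* The file metadata the check looks at. */
struct finfo {
    uid_t  owner;
    gid_t  group;
    mode_t mode;   /* permission bits only, e.g. 0604 */
};

#define PERM_R 4
#define PERM_W 2
#define PERM_X 1

/* True if the credential's primary or supplementary groups include g. */
static bool cred_in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Returns true if cred may perform `want` (bitmask of PERM_*) on f.
 * Exactly one class of bits applies: owner, else group, else other.
 * This "first matching class wins" rule is what makes exclusion via a
 * no-permission group possible: a group match blocks the other bits. */
bool dac_permits(const struct cred *c, const struct finfo *f, int want)
{
    int bits;
    if (c->uid == f->owner)
        bits = (f->mode >> 6) & 7;
    else if (cred_in_group(c, f->group))
        bits = (f->mode >> 3) & 7;
    else
        bits = f->mode & 7;
    return (bits & want) == want;
}

/* Scenario from the thread: uid 1000 owns a file that everyone except
 * uid 1001 may read. uid 1001 is put in gid 500 (the "denied" group), the
 * file is chgrp'd to 500, and mode 0604 gives owner rw, group ---, other r. */
static const struct finfo demo_file = { .owner = 1000, .group = 500, .mode = 0604 };

bool owner_can_read(void)
{
    struct cred owner = { .uid = 1000, .gid = 100, .ngroups = 0 };
    return dac_permits(&owner, &demo_file, PERM_R);   /* true */
}

bool excluded_user_can_read(void)
{
    /* Member of the deny group: the group class (---) applies, not "other". */
    struct cred denied = { .uid = 1001, .gid = 100, .groups = { 500 }, .ngroups = 1 };
    return dac_permits(&denied, &demo_file, PERM_R);  /* false */
}

bool other_user_can_read(void)
{
    struct cred other = { .uid = 1002, .gid = 100, .ngroups = 0 };
    return dac_permits(&other, &demo_file, PERM_R);   /* true */
}
```

The model only covers what the thread is about: a single file, one group slot, and the three permission classes. Because a file has exactly one group, each distinct set of excluded users needs its own group, which is the practical-enforcement concern Christopher raises; the mechanism itself does meet the single-user exclusion wording as Brian says.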