Date: Thu, 01 Feb 2018 17:35:29 +0100
From: ASV <asv@inhio.net>
To: freebsd-questions@freebsd.org
Subject: MAC BIBA/MLS Compartments
Message-ID: <1517502929.27269.3.camel@inhio.net>
Hi everyone,

I'm experiencing something which is making me doubt completely my understanding of compartments through the BIBA and MLS models.

I'm working in /home/shared

# setpmac biba/equal,mls/equal ls -lZ /home/
drwxrwxrwt  2 root  wheel  biba/equal,mls/equal  512 Feb  1 16:43 shared
......

playing with file "class2" within "shared"

# setpmac biba/equal,mls/equal ls -lZ /home/shared/
total 24
-rw-rw-r--  1 lld  wheel  biba/10:1+2,mls/10:1+2      42 Jan 30 20:56 class0
-rw-rw-r--  1 asv  wheel  biba/10:1+2+3,mls/10:1+2+3  31 Jan 31 10:49 class1
-rw-rw-r--  1 asv  wheel  biba/10:1+2+3,mls/10:1+2+3 106 Feb  1 17:05 class2

which contains a line for testing

# setpmac biba/equal,mls/equal cat /home/shared/class2
classified content

working as user asv

$ getpmac
biba/10:1+2+3(8:1+2-12:1+2+3+4),mls/10:1+2+3(8:1+2-12:1+2+3+4),partition/5

$ setpmac biba/12:1+2+3,mls/8:1+2 echo "blablabla2" >> shared/class2
$ setpmac biba/12:1+2+3,mls/8:1+2+3 echo "blablabla3" >> shared/class2
$ setpmac biba/12:1+2+3,mls/8:1+2+3+4 echo "blablabla4" >> shared/class2
$ setpmac biba/12:1+2+3,mls/8:1+2+3+4+5 echo "blablabla5" >> shared/class2
biba/12:1+2+3,mls/8:1+2+3+4+5: Operation not permitted
(ok as subject isn't in compartment 5)
$ setpmac biba/12:1+2+3+4,mls/8:1+2+3+4 echo "blablabla5" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1+2+3+4 echo "blablabla6" >> shared/class2
$ setpmac biba/12:1,mls/8:1+2+3+4 echo "blablabla7" >> shared/class2
biba/12:1,mls/8:1+2+3+4: Operation not permitted
(WHY?! if "biba/12:1+2" worked, why did "12:1" fail?)
$ setpmac biba/12:1+2,mls/8:1+2+3+4 echo "blablabla7" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1+2+3 echo "blablabla8" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1+2 echo "blablabla9" >> shared/class2
$ setpmac biba/12:1+2,mls/8:1 echo "blablabla10" >> shared/class2
biba/12:1+2,mls/8:1: Operation not permitted
(again, why?)
$ setpmac biba/12:1+2+3,mls/8:1 echo "blablabla10" >> shared/class2
biba/12:1+2+3,mls/8:1: Operation not permitted
(?)
$ setpmac biba/12:1+2+3+4,mls/8:1 echo "blablabla10" >> shared/class2
biba/12:1+2+3+4,mls/8:1: Operation not permitted
(?)

I feel blind. The idea of the LABEL:GRADE is fine, I see consistency with the "no write up" and "no read down" for BIBA and the "no read up" and "no write down" for MLS according to the assigned subject and grade. But this compartmentalization still looks like a mystery to me.

As documentation on this subject (especially compartments) and its implementation on FreeBSD is largely insufficient (to be very politically correct) I need to try to bother somebody around here. :)

Some of my highly likely wrong assumptions:

1) numbers in compartments are not representing an order of importance (2>1, 3<4) but are only identifiers

2) an object which is labeled "biba/10:1+2,mls/10:1+2+3" should be accessed by a subject which not only matches the r/w requirements dictated by the GRADE but which belongs to at least one of the respective BIBA/MLS compartments the object belongs to. So subject "biba/9:1+2,mls/11:1+2+3" should be able to read objects labeled as follows:
   "biba/10:1+2,mls/10:1+2+3"
   "biba/10:1+2,mls/10:3"
   "biba/10:1,mls/10:1+2"
   "biba/10:1+2,mls/10:1"

3) the BIBA declaration "biba/10:1+2+3(8:1+2-12:1+2+3+4)" states that:
   - biba grade is 10 and has default access for compartments 1, 2 and 3
   - biba grade 8 has access to compartments 1 and 2
   - biba grades from 9 to 11 (which aren't explicitly declared) fall back to default compartments 1, 2 and 3
   - the above biba declaration allows access to an object which is in at least one of the compartments of the respective labels, if the GRADE actually allows that

I know it's a tricky matter and MAC on FreeBSD is kind of a very niche topic but I have to try.

MANY thanks in advance to whoever would help me on this.
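The checks behind the setpmac results above, modelled in Python as an added example (it is not part of the original post and not FreeBSD's own code): it assumes the dominance rule of mac_biba(4)/mac_mls(4), under which a graded element dominates another only if its grade is at least as high AND its compartment set is a superset, and that an unprivileged setpmac may only pick a label inside the "(low-high)" range that getpmac prints. The function names (parse_element, parse_label, dominates, can_setpmac, biba_write_ok, mls_write_ok) are my own.

```python
"""Model of the dominance and range checks in FreeBSD mac_biba(4)/mac_mls(4).
Elements: "grade:comp+comp" or low/equal/high; ranges: "10:1+2+3(8:1+2-12:1+2+3+4)"."""
import re

def parse_element(text):
    """Parse "10:1+2+3" -> (10, frozenset({1, 2, 3})); low/equal/high stay strings."""
    text = text.strip()
    if text in ("low", "equal", "high"):
        return text
    grade, _, comps = text.partition(":")
    return int(grade), frozenset(int(c) for c in comps.split("+") if c)

def parse_label(text):
    """Return (effective, low, high); without a range all three are equal."""
    m = re.fullmatch(r"([^()]+)(?:\(([^-]+)-([^)]+)\))?", text.strip())
    if m is None:
        raise ValueError(f"bad label: {text!r}")
    eff = parse_element(m.group(1))
    if m.group(2) is None:
        return eff, eff, eff
    return eff, parse_element(m.group(2)), parse_element(m.group(3))

def dominates(a, b):
    """a dominates b (same ordering in Biba and MLS): equal/high dominate all,
    low dominates only low/equal, and graded a dominates graded b only if
    grade(a) >= grade(b) AND comps(a) is a superset of comps(b)."""
    if a in ("equal", "high") or b == "equal":
        return True
    if a == "low":
        return b == "low"
    if b == "low":
        return True
    if b == "high":
        return False
    return a[0] >= b[0] and a[1] >= b[1]   # compartments: unordered set test

def can_setpmac(cred_label, new_effective):
    """Unprivileged relabel: the new effective element must lie inside the
    credential's range, i.e. high dominates it and it dominates low."""
    _, low, high = parse_label(cred_label)
    new = parse_element(new_effective)
    return dominates(high, new) and dominates(new, low)

def biba_write_ok(subject, obj):
    """Biba 'no write up': the subject's effective label dominates the object."""
    return dominates(parse_label(subject)[0], parse_label(obj)[0])

def mls_write_ok(subject, obj):
    """MLS 'no write down': the object's label dominates the subject."""
    return dominates(parse_label(obj)[0], parse_label(subject)[0])
```

Run against the range from getpmac, `can_setpmac("10:1+2+3(8:1+2-12:1+2+3+4)", "12:1")` is False because 12:1 does not dominate the low bound 8:1+2, which is the relabel check setpmac performs before the command even runs. Note also that the shell opens `shared/class2` for the `>>` redirection before setpmac replaces the process label, so the open-time write check is made against the shell's own label rather than the one given to setpmac.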