Date: Wed, 19 Jul 2017 20:35:46 +0200
From: Martin Beran <martin@mber.cz>
To: freebsd-hackers@freebsd.org
Subject: Re: mac_sofi: a proof of concept MAC module
Message-ID: <ca50bcb7-f662-5022-2539-6c3fda77fcb3@mber.cz>
In-Reply-To: <5f10fbd6-f8aa-0e47-0861-9bfebff0ca74@heuristicsystems.com.au>
References: <c12f4b21-ca87-c958-349d-475d51d61d88@mber.cz> <5f10fbd6-f8aa-0e47-0861-9bfebff0ca74@heuristicsystems.com.au>
On 07/19/17 03:26, Dewayne Geraghty wrote:
> Would it be possible to expand on how SOFI is better/different to MAC
> lomac? As it seems that the testing program is the differentiator?

1. LOMAC integrity is essentially a single number. SOFI integrity is a set of integrity attributes. This provides integrity values that are only partially ordered. For example, there is usually no ordering between "trusted by user A" and "trusted by user B", and a file can also be trusted by both users simultaneously. Then, if user A changes the file, it remains "trusted by A", but ceases to be "trusted by B", until user B verifies its new content.

2. LOMAC demotes only subjects (processes) upon reading from objects (files). SOFI demotes the reader side of each operation, that is, the subject of a read operation, the object of a write operation, and both the subject and the object of a read/write operation.

3. SOFI integrity values, which form a lattice instead of a simple linear ordering, provide "more interesting" combining of integrities of subjects and objects. Integrity demotion is based on intersection of integrities. Granting of integrity attributes is based on union. In my opinion, it supports real world needs of integrity enforcement better than LOMAC.

4. LOMAC uses a single integrity value both for following information flow and for making access decisions. SOFI uses and updates subject's and object's integrity values for tracking information flow, but makes its access decisions by comparing subject's integrity with object's ACLs, which are not changed by normal operations.

5. SOFI provides two "escape paths" from strict integrity checking:

An integrity checking function allows a reader to keep a subset of integrity attributes, which would be otherwise removed by a low integrity writer. For example, an antivirus engine can read a downloaded, potentially infected, hence low-integrity file without reducing its own integrity needed for further functioning.

Integrity granting and accepting functions allow transfer of integrity attributes from readers to writers. It is similar to a set-uid bit or to LOMAC relabeling of a process upon execution of a file. Unlike set-uid or LOMAC, integrity granting in SOFI is not limited to processes. For example, if an antivirus engine checks a file successfully, it can grant it a higher integrity.

> Aside: Also you may not be aware that system namespace extended
> attributes do not function within a jail, though this is the same as the
> rest of MAC. I'm told that SELinux uses "security" and others use
> "trusted" namespaces, perhaps for some future FreeBSD...?

As my implementation is only a demonstration of ideas of the SOFI model, I did not take jails into account.

-- 
Martin Beran
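The rules described in the reply above (demotion by intersection of attribute sets, granting by union, access decided against an object ACL that normal operations never change, and the checking function that lets a reader keep attributes), as an added toy model in Python. This is not the mac_sofi module's code; the ACL shape (per operation, a set of attributes the subject must hold), the `keep`/`accept` sets and all attribute names are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the SOFI rules from the mail above. Attribute names,
# the ACL shape and the keep/accept sets are assumptions of this example.

@dataclass
class Entity:
    name: str
    integ: frozenset                          # current integrity attributes
    acl: dict = field(default_factory=dict)   # op -> attributes a subject must hold
    keep: frozenset = frozenset()             # checking function: attrs a reader keeps
    accept: frozenset = frozenset()           # accepting function: attrs that may be granted

def allowed(subj, obj, op):
    """Access decision: subject integrity vs. object ACL (the ACL itself is never updated)."""
    return obj.acl.get(op, frozenset()) <= subj.integ

def read(subj, obj):
    """Reader side of a read is the subject: demote it to the intersection, minus what it keeps."""
    if not allowed(subj, obj, "read"):
        return False
    subj.integ = (subj.integ & obj.integ) | (subj.keep & subj.integ)
    return True

def write(subj, obj):
    """Reader side of a write is the object: demote it to the intersection."""
    if not allowed(subj, obj, "write"):
        return False
    obj.integ = obj.integ & subj.integ
    return True

def grant(reader, writer, attrs):
    """Granting/accepting: the reader passes attributes it holds to a writer that accepts them (union)."""
    writer.integ = writer.integ | (frozenset(attrs) & reader.integ & writer.accept)

def scenario():
    # Constructed sample: a document trusted by two users, an editor run by user A,
    # a fresh low-integrity download, and an antivirus engine.
    doc = Entity("doc", frozenset({"trusted_by_A", "trusted_by_B"}),
                 acl={"write": frozenset({"trusted_by_A"})})
    editor_a = Entity("editor_a", frozenset({"trusted_by_A"}))
    download = Entity("download", frozenset(), accept=frozenset({"scanned"}))
    av = Entity("av", frozenset({"av_core", "scanned"}),
                keep=frozenset({"av_core", "scanned"}))
    write(editor_a, doc)               # A edits: doc keeps trusted_by_A, loses trusted_by_B
    read(av, download)                 # AV reads a low-integrity file but keeps its attributes
    grant(av, download, {"scanned"})   # AV certifies the download with a higher integrity
    return doc.integ, av.integ, download.integ
```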