Commit Graph

7 Commits

Author SHA1 Message Date
Robert Watson
dee57980c5 Rename Biba and MLS _single label elements to _effective, which more
accurately represents the intention of the 'single' label element in
Biba and MLS labels.  It also approximates the use of 'effective' in
traditional UNIX credentials, and avoids confusion with 'singlelabel'
in the context of file systems.

Inspired by:	trhodes
2004-07-16 02:03:50 +00:00
Robert Watson
f6a4109212 Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by:	imp
2004-02-22 00:33:12 +00:00
Robert Watson
dc858fcabe License and wording updates: NAI has authorized the removal of clause
three from their BSD-style license.  Also, s/NAI Labs/Network Associates
Laboratories/.
2002-11-04 01:53:12 +00:00
Robert Watson
f30a9615fd Remove all reference to 'struct oldmac', since it's no longer required
with the new VFS/EA semantics in the MAC framework.  Move the per-policy
structures out to per-policy include files, removing all policy-specific
defines and structures out of the base framework includes and
implementation, making mac_biba and mac_mls entirely self-contained.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-28 19:44:05 +00:00
Robert Watson
24e8d0d07b Adapt MAC policies for the new user API changes; teach policies how
to parse their own label elements (some cleanup to occur here in the
future to use the newly added kernel strsep()).  Policies now
entirely encapsulate their notion of label in the policy module.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:31:34 +00:00
Robert Watson
2a1c79af92 Add compartment support to Biba and MLS policies. The logic of the
policies remains the same: subjects and objects are labeled for
integrity or sensitivity, and a dominance operator determines whether
or not subject/object accesses are permitted to limit inappropriate
information flow.  Compartments are a non-hierarchal component to
the label, so add a bitfield to the label element for each, and a
set check as part of the dominance operator.  This permits the
implementation of "need to know" elements of MLS.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-21 18:42:01 +00:00
Robert Watson
d8a7b7a3cd Introduce support for Mandatory Access Control and extensible
kernel access control.

Provide implementations of some sample operating system security
policy extensions.  These are not yet hooked up to the build as
other infrastructure is still being committed.  Most of these
work fairly well and are in daily use in our development and (limited)
production environments.  Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba:	Implementation of fixed-label Biba integrity policy,
		similar to those found in a number of commercial
		trusted operating systems.  All subjects and objects
		are assigned integrity levels, and information flow
		is controlled based on a read-up, write-down
		policy.  Currently, purely hierarchal.

mac_bsdextended:	Implementation of a "file system firewall",
		which allows the administrator to specify a series
		of rules limiting access by users and groups to
		objects owned by other users and groups.  This
		policy is unlabeled, relying on existing system
		security labeling (file permissions/ownership,
		process credentials).

mac_ifoff:	Secure interface silencing.  Special-purpose module
		to limit inappropriate out-going network traffic
		for silent monitoring scenarios.  Prevents the
		various network stacks from generating any output
		despite an interface being live for reception.

mac_mls:	Implementation of fixed-label Multi-Level Security
		confidentiality policy, similar to those found in
		a number of commercial trusted operating systems.
		All subjects and objects are assigned confidentiality
		levels, and information flow is controlled based on
		a write-up, read-down policy.  Currently, purely
		hiearchal, although non-hierarchal support is in the
		works.

mac_none:	Policy module implementing all MAC policy entry
		points with empty stubs.  A good place to start if
		you want all the prototypes types in for you, and
		don't mind a bit of pruning.  Can be loaded, but
		has no access control impact.  Useful also for
		performance measurements.

mac_seeotheruids:	Policy module implementing a security service
		similar to security.bsd.seeotheruids, only a slightly
		more detailed policy involving exceptions for members
		of specific groups, etc.  This policy is unlabeled,
		relying on existing system security labeling
		(process credentials).

mac_test:	Policy module implementing basic sanity tests for
		label handling.  Attempts to ensure that labels are
		not freed multiple times, etc, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 18:07:45 +00:00