Subject & Object Tranquility

I was at a meeting the other day and was asked to explain why object tranquility must be maintained. I knew why but had a difficult time explaining it. After returning to Tresys and discussing the issue with Josh, we arrived at a fairly concise answer:

Relabeling subjects and objects means that the security policy that is installed does not necessarily reflect what is actually being enforced on the system. For example, suppose policy permits ProcessA to read a file. This read permission is checked when ProcessA mmap()s the file. The file is subsequently relabeled, and ProcessA has no access to the new label. However, the mapping is still valid and fully accessible until a munmap() call on the address range. Even if ProcessA closes the file descriptor, it still has unchecked access to the file through the mapped address range. This example is very useful because the permissions granted during mmap() are irrevocable: no further check is made on each memory access. While it might be possible to insert additional permission checks in the memory subsystem to facilitate revocation, this would have a serious impact on overall system performance and would probably not be very portable. A discussion about revocation will have to wait until later…
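The mmap() scenario above, as an added example that is not from the original post. Since this has to run on a box without SELinux, a chmod() to mode 000 stands in for the relabel: it removes every permission a fresh open() would be checked against, yet the existing mapping keeps returning the file's bytes until munmap(). The scratch file and its contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample contents for the scratch file. */
static const char SAMPLE[] = "payroll: constructed sample data\n";

/* Returns 1 if a mapping set up before the "relabel" (chmod 000 as a stand-in
 * for an SELinux relabel) still yields the file's bytes afterwards, 0 if not,
 * -1 on a setup error. The scratch file is removed before returning. */
int mapping_survives_relabel(void)
{
    char path[] = "/tmp/tranquil-XXXXXX";
    size_t len = sizeof SAMPLE - 1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, SAMPLE, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
    close(fd);

    /* ProcessA's read permission is checked here, at open()/mmap() time. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    char *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return -1; }
    close(fd);                       /* descriptor gone, mapping remains */

    /* Stand-in for the relabel: strip every permission bit from the object. */
    if (chmod(path, 0) != 0) { munmap(map, len); unlink(path); return -1; }

    /* No new check happens on this access; the data is still readable. */
    int still_readable = memcmp(map, SAMPLE, len) == 0;

    munmap(map, len);                /* only now does the access really end */
    unlink(path);
    return still_readable;
}

int main(void)
{
    int r = mapping_survives_relabel();
    printf("mapping readable after permission change: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

An unprivileged caller attempting a fresh open() of the file after the chmod() would be refused; that is exactly the check the surviving mapping never goes through.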

Moving on, relabeling of subjects and objects adds the dimension of time to the policy. The operations that can be performed on any object can vary with time as relabeling occurs. Relabeling of objects also makes policy analysis much more difficult. Analysis of non-tranquil subjects (such as processes using dynamic transitions) and objects must either combine the two types or somehow indicate a full-weight read/write relationship between the two types. Either way, this may not accurately represent the information flows.
OK, so that wasn’t too concise? How’s this:

Solution: the subjects and objects should remain tranquil. To maintain object tranquility, copy the data to a new object that has the proper label. For subject tranquility, don’t use dynamic transitions. OK, so domain transitions are required (at least in Type Enforcement), but those happen on the execve() where the address space of the calling application is being overwritten. Hey, if we can’t trust the kernel, who can we trust! ;)

EDIT: Robert Love is concerned that his shoelaces are untied. Rob, I’ve got a suggestion: why don’t you just stop trying? I gave up on my laces several months ago and I’m much happier. Just buy shorter laces so you don’t trip on them. This freedom also enables a person to remove their shoes quickly and without fuss. I think I spend ½ my day at work without my shoes. You don’t know relaxation at work until you kick your shoes off and put your feet up on a mini-tower under your desk.

Spencer Shimko 13 October 2005