From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: XP as a base for NetTop
Date: Tue, 1 Jun 2004 20:19:28 +0000
Message-ID: <20040601201928.GQ5690@lkcl.net>
In-Reply-To: <1086111584.13325.111.camel@moss-spartans.epoch.ncsc.mil>
On Tue, Jun 01, 2004 at 01:39:44PM -0400, Stephen Smalley wrote:
> On Thu, 2004-05-27 at 19:52, Joshua Brindle wrote:
> > on the slide entitled separation it says that ACLs are used to protect
> > the disk files so that rogue apps in a vm can't affect other vms,
> > additionally each vm's disk file is encrypted so that only the 'level'
> > user can access it.
> >
> > Obviously both of these things can be done with (SE)Linux but it appears
> > they thought about this already.
>
> ACLs are a poor substitute for MAC, e.g. see
> http://marc.theaimsgroup.com/?l=selinux&m=104508693312829&w=2
NT Security Descriptors (which contain ACLs) were pinched pretty
much wholesale from VME / VMS, and they are a lot more comprehensive
than what is described at that reference.
NT security descriptors contain four ACLs:
- a system mandatory acl
- a system discretionary acl
- a [user?] mandatory acl
- a [user?] discretionary acl
bizarrely all of those are optional and the usual default behaviour
of an empty SD is "allow everything" which is about the only
stupidity of the NT security model.
NT ACLs themselves contain ACEs (access control entries) which
themselves contain a SID (security identifier) and an oh i forget
what call it a.. a... access permission set.
SIDs are up to 6 32-bit words in length and consist of a domain
prefix (long) and a suffix (only one, the last one, of the 32-bit
words).
access permissions are 32-bit - 16 of those bits are "generic"
and consist of things like generic read, generic write, generic
execute, then delete, access, etc. pretty much like capabilities,
and then there are 16-bits which are designated for "service-specific"
things.
so a service can create up to 16 separate "capabilities".
the only thing about the use of NT security descriptors is that they
are implemented pretty much exclusively in USER SPACE.
usually in those lovely DCE/RPC applications.
there is very little in the way of kernel-level support for NT
security descriptors, and what there is is self-contained and
uses the same API as the user-space applications e.g. the NT
SMB file server is all in kernel-space *gibber*.
so, what _most_ people think of in "ACLs" is user and group and
other read-write-execute lists, whereas in NT it's a lot more
comprehensive and pervasive.
and, due to the default of "allow everything if there's no SD"
it's a pretty moot issue, silly people.
as a developer, you make one mistake (add a new function and
forget to correctly support the user-space SDs) and NT's toast.
l.
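The descriptor mechanics described in the message above (ordered ACEs keyed by SID, a 32-bit access mask split into object-specific and generic halves, and the "no descriptor means allow everything" default), as an added example that is not part of the thread or of Windows itself; the ACE walk follows the documented Win32 first-match order, and the SIDs, masks and descriptors used are constructed for illustration.

```python
"""Simplified model of an NT DACL check: NULL DACL vs. empty DACL vs. ordered ACEs.
Added example, not code from the message or from Windows; the ACE walk follows the
documented Win32 order and the sample SIDs and descriptors are constructed."""
from dataclasses import dataclass
from typing import Optional

# Standard and generic rights sit in the high 16 bits of the 32-bit ACCESS_MASK;
# the low 16 bits are object-specific ("service-specific" in the message).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
GENERIC_READ, GENERIC_WRITE, GENERIC_ALL = 0x80000000, 0x40000000, 0x10000000
SPECIFIC_MASK = 0x0000FFFF

@dataclass
class Ace:
    allow: bool  # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str     # textual SID such as "S-1-5-21-1-2-3-1001" (constructed)
    mask: int

@dataclass
class SecurityDescriptor:
    dacl: Optional[list] = None  # None models a NULL DACL: no protection at all

def split_mask(mask: int) -> tuple:
    """Return (object-specific low 16 bits, standard/generic high 16 bits)."""
    return mask & SPECIFIC_MASK, mask & ~SPECIFIC_MASK & 0xFFFFFFFF

def access_check(sd: SecurityDescriptor, token_sids: list, desired: int) -> bool:
    """Walk the DACL in order, first match wins: a NULL DACL grants everything,
    an empty DACL grants nothing, a deny ACE covering any still-ungranted
    requested bit stops the walk, and allow ACEs accumulate until satisfied."""
    if sd.dacl is None:
        return True  # the "allow everything" default the message warns about
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & (desired & ~granted):
            return False
        if ace.allow:
            granted |= ace.mask
        if (granted & desired) == desired:
            return True
    return False

def null_dacl_objects(objects: dict) -> list:
    """Audit helper: names of objects whose descriptor carries a NULL DACL."""
    return sorted(name for name, sd in objects.items() if sd.dacl is None)
```

The audit helper is the check worth running on a system like the one discussed: a NULL DACL on a VM disk image or RPC endpoint silently undoes the separation the ACLs were supposed to provide.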