Re: bounds domain

[KaiGai Kohei <kaigai@ak.jp.nec.com>]

michel m wrote:
> hi,
> 
> as I was studying on how to assign different security context on
> threads defined in a process, I found that there is a concept named
> BOUNDS DOMAIN which does this for me.
> now I would like to know for implementing a userspace object manager
> that uses this mechanism for its threads, how requests for OS
> resources are protected. that is, if my single OS process changes its
> security context per thread request or I should consult AVC before any
> action taken by my threads if that action is legal.

I seems to me you are confusing about different two concepts.
The one is bounds-domain, the other is userspace object manager.

Once a thread changes its domain to the bounded one, its privileges
are more restrictive than the original domain. Then, SELinux checks
the given actions based on the restricted privileges.

> I should consult AVC before any
> action taken by my threads if that action is legal.

It goes against to the assumption of SELinux.
How do you make sure the checks are well comprehensive?
Since it is near to impossible to check and eliminate any bugs in
userspace, so we check violated accesses in kernel space.

As long as your application does not manage shared objects in userspace,
you don't need to consult userspace AVC before actions.

> is there any documentation on this topic?

You can set a new domain on the thread using setcon(3) API.
The only difference from dynamic domain transition is that
the newer domain has to be bounded by the older domain.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.