To support multilevel security, a PFS must provide the following
capabilities:

- vn_link:
  If a link is attempted to a character special file, and there is a
  security label on the file or on the directory for the new link, the
  vn_link call will fail with EPERM. If the zCredSeclablActive flag is
  on, the following checks should be done:
  - If zCredSeclablRequired is on and the object has no security label,
    the zCredROSeclabel should be used as the object security label for
    all subsequent checks.
  - If the directory for the new link has a security label of SYSMULTI,
    no further security label checking is necessary.
  - If the directory for the new link has no security label, or has a
    security label other than SYSMULTI, a check for equality must be
    done between the security label of the directory and the security
    label of the file. If the values are equal, no further security
    label checking is necessary.
  - If the equality check fails, a dominance check must be made to
    verify that the security label of the directory and the security
    label of the file are equivalent. The call to check security label
    equivalence should look like this:
      RACROUTE REQUEST=DIRAUTH,RSECLABEL=(x),TYPE=EQUALMAC,USERSECLABEL=(y)
    where x and y are registers that contain the addresses of the
    security labels.
- vn_readdir:
  If the zCredSeclablActive flag is set, the following checks should
  be done:
  - If zCredSeclablRequired is on and the directory has no security
    label, the zCredROSeclabel should be used as the object security
    label for all subsequent checks.
  - If the directory has a security label of SYSMULTI, a dominance
    check for read should be made between the user's security label
    and the security label of each entry in the directory. The user's
    security label is passed in the zCredSeclabel field. If the
    security label of the directory entry is SYSMULTI or SYSLOW, the
    dominance check can be bypassed. If the dominance check fails, the
    directory entry should be excluded from the output buffer. The
    dominance check should look like this:
      RACROUTE REQUEST=DIRAUTH,RSECLABEL=(x),ACCESS=READ,USERSECLABEL=(y)
    where x and y are registers that contain the addresses of the
    security labels.

  Note:
  - The PFS may cache object security labels to avoid rechecking
    labels that have already passed the dominance check. A good cache
    is likely to result in a single check for each unique security
    label per readdir call.
  - No indication will be returned from the PFS if some names were
    excluded from the output buffer.
  - A discrepancy between the apparent number of entries in a
    directory and the number that can be read is acceptable.
  - The LFS will not filter names based on security label when it
    does a readdir2 for a PFS that does not support security labels.
    Any PFS that supports security labels must also support readdir2.
  - When the index method is used to read a directory, the index does
    not mean the relative position of the name in the directory, but
    the relative position among the names that the user can access.
    For example, if the request is to return entries beginning with
    entry 10, the PFS must start at the first entry and verify
    dominance on each name until the 10th name that the user is
    permitted to see is found, and start returning names that can be
    seen from that point.
- vn_readlink:
  If the zCredSeclablActive flag is set, the following checks should
  be done:
  - If zCredSeclablRequired is on and the directory has no security
    label, the zCredROSeclabel should be used as the object security
    label for all subsequent checks. If this flag is on, and the
    resulting object security label is still null because no value was
    provided by zCredROSeclabel, vn_readlink should return with a
    failure of EACCES.
  - A dominance check should be performed between the user's security
    label and the security label of the symbolic link. The user's
    security label is passed in the zCredSeclabel field. If the
    security label of the directory entry is SYSMULTI or SYSLOW, the
    dominance check can be bypassed. If the dominance check fails,
    vn_readlink should return with a failure of EPERM. The dominance
    check should look like this:
      RACROUTE REQUEST=DIRAUTH,RSECLABEL=(x),ACCESS=READ,USERSECLABEL=(y)
    where x and y are registers that contain the addresses of the
    security labels.
- vn_setattr:
  If the AttrSeclabelChg flag is set, a call to the SAF callable
  service IRRSSB00 should be made to set the security label for the
  file. The new security label is passed in the zCredSeclabel field,
  which is passed to SAF. The PFS does not have to access the new or
  the old security label.
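The vn_link and vn_readdir checks described above, modelled in C as an added example. This is not IBM's PFS code and nothing here issues a real RACROUTE: a security label is assumed to be a sensitivity level plus a category set with the usual MLS dominance relation, and the functions dominates() and equalmac() stand in for REQUEST=DIRAUTH with ACCESS=READ and TYPE=EQUALMAC. The zcred structure, the label values, the directory contents and the handling of entries that are still unlabelled after the zCredROSeclabel fallback are all constructed for the example.

```c
/* Added example, not IBM's PFS code. Models the vn_link and vn_readdir
 * label checks. Assumed label model: level + category bitmask; "user
 * dominates resource" = level >= and categories a superset. SYSMULTI and
 * SYSLOW are recognised by name only, as the text treats them. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct { const char *name; int level; unsigned cats; } seclabel;

static bool is_named(const seclabel *l, const char *n) {
    return l != NULL && strcmp(l->name, n) == 0;
}

/* Stand-in RACROUTE calls made by the last readdir_filtered() call, so
 * the effect of the per-call label cache can be observed. */
int g_dirauth_calls = 0;

/* Stand-in for RACROUTE REQUEST=DIRAUTH,ACCESS=READ: does user dominate res? */
static bool dominates(const seclabel *user, const seclabel *res) {
    g_dirauth_calls++;
    return user->level >= res->level && (res->cats & ~user->cats) == 0;
}

/* Stand-in for TYPE=EQUALMAC: the two labels dominate each other. */
static bool equalmac(const seclabel *a, const seclabel *b) {
    return dominates(a, b) && dominates(b, a);
}

/* The credential fields the text names (assumed layout, not the real cred). */
typedef struct {
    bool seclablActive;            /* zCredSeclablActive */
    bool seclablRequired;          /* zCredSeclablRequired */
    const seclabel *roSeclabel;    /* zCredROSeclabel */
    const seclabel *userSeclabel;  /* zCredSeclabel */
} zcred;

/* If zCredSeclablRequired is on and the object has no label, use
 * zCredROSeclabel as the object label for all subsequent checks. */
static const seclabel *effective_label(const zcred *c, const seclabel *obj) {
    return (obj == NULL && c->seclablRequired) ? c->roSeclabel : obj;
}

/* vn_link: returns 0 if the link may be created, otherwise an errno value. */
int check_link(const zcred *c, bool is_charspecial,
               const seclabel *file, const seclabel *dir) {
    if (is_charspecial && (file != NULL || dir != NULL)) return EPERM;
    if (!c->seclablActive) return 0;
    file = effective_label(c, file);
    dir  = effective_label(c, dir);
    if (is_named(dir, "SYSMULTI")) return 0;          /* no further label checking */
    if (file == NULL && dir == NULL) return 0;        /* both unlabelled: equal (modelling choice) */
    if (file == NULL || dir == NULL) return EPERM;    /* one side unlabelled (modelling choice) */
    if (strcmp(file->name, dir->name) == 0) return 0; /* equality check */
    /* EQUALMAC dominance check; EPERM on failure is assumed, the text
     * states EPERM only for the character special file case. */
    return equalmac(dir, file) ? 0 : EPERM;
}

typedef struct { const char *name; const seclabel *label; } dentry;

/* vn_readdir with index semantics: copy into out[] up to max names,
 * starting at the start-th (0-based) entry the user is permitted to see,
 * not the start-th physical entry. Labels that already passed dominance
 * in this call are cached so each unique label costs one DIRAUTH call.
 * Returns the number of names placed; excluded names leave no trace. */
size_t readdir_filtered(const zcred *c, const seclabel *dirlabel,
                        const dentry *ents, size_t n, size_t start,
                        const char **out, size_t max) {
    const char *passed[32]; size_t npassed = 0;   /* per-call cache */
    size_t visible = 0, placed = 0;
    bool filter = false;

    g_dirauth_calls = 0;
    if (c->seclablActive) {
        dirlabel = effective_label(c, dirlabel);
        filter = is_named(dirlabel, "SYSMULTI");  /* only SYSMULTI dirs are filtered */
    }
    for (size_t i = 0; i < n && placed < max; i++) {
        const seclabel *el = ents[i].label;
        bool ok = true;
        if (filter && !is_named(el, "SYSMULTI") && !is_named(el, "SYSLOW")) {
            ok = false;                      /* unlabelled entry stays excluded (modelling choice) */
            if (el != NULL) {
                for (size_t k = 0; k < npassed; k++)
                    if (strcmp(passed[k], el->name) == 0) { ok = true; break; }
                if (!ok && dominates(c->userSeclabel, el)) {
                    ok = true;
                    if (npassed < 32) passed[npassed++] = el->name;
                }
            }
        }
        if (!ok) continue;
        if (visible++ < start) continue;     /* skip the first 'start' visible names */
        out[placed++] = ents[i].name;
    }
    return placed;
}

/* Constructed sample labels and directory (not from the page). */
const seclabel L_PUBLIC   = { "PUBLIC",   1, 0x0 };
const seclabel L_CONF     = { "CONF",     2, 0x1 };
const seclabel L_SECRET   = { "SECRET",   3, 0x1 };
const seclabel L_SYSMULTI = { "SYSMULTI", 0, 0x0 };
const seclabel L_SYSLOW   = { "SYSLOW",   0, 0x0 };
const dentry SAMPLE_DIR[] = {
    { "a.txt", &L_CONF }, { "b.txt", &L_SECRET }, { "c.txt", &L_SYSLOW },
    { "d.txt", &L_CONF }, { "e.txt", &L_PUBLIC }, { "f.txt", &L_SECRET },
};
const size_t SAMPLE_N = sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0];
```

With a CONF user reading the SYSMULTI sample directory, four of the six names are visible (a, c, d, e), four stand-in DIRAUTH calls are made because the second CONF entry is served from the cache, and a request starting at index 1 returns c, d, e rather than b onward. Against a directory labelled anything other than SYSMULTI no filtering happens and all six names come back, matching the text.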