I'd appreciate some advice on the porting of an existing evaluated Trusted Solaris application to Solaris 10 with Trusted extensions.
Here's a brief description of the application: It operates as a collection of compartments, each performing some function on files which it receives from its input interface before passing the result, again in a disk file, to its output interface. The compartments are "plumbed" together in a chain, where the initial and final compartments are associated with network interfaces. The "plumbing" is implemented by a trusted (evaluated) mover process, which is responsible for moving files from a compartment's output directory to the subsequent compartment's input directory. Each compartment has a distinct label with a single compartment set. The "trusted mover" process operates with a dominant label (TMS) which has all compartments available. The mover then uses label dominance to read output files from compartments, and privilege (I think priv_file_downgrade_sl and/or priv_file_mac_write) to write the file as input to the subsequent compartment at the appropriate label.

We've done some research on zones and Trusted Extensions and had some hands-on time and seen the obvious mapping of our compartment functions and labels onto zones, but one fundamental question remains, relating to how the trusted mover maps to the Trusted Extensions environment. We've read comments which say that it is not possible for zones other than the global zone to write down, which implies that having a TMS zone in which the trusted mover runs will not be practicable. However, we've also seen tantalising remarks such as: "A labeled zone can access global zone door servers if the global zone rendezvous file is loopback-mounted into the labeled zone." ... giving access to labeld from the non-global zone.
The three options appear to be:
(1) Run the mover in the global zone at admin_high and dispense with the TMS label
(2) Run the mover in the global zone at the TMS label (saw a remark somewhere that there need not be a zone corresponding to each label)
(3) Run the mover in a TMS zone at label TMS
Anyone have any advice on which of these options are practicable/desirable?
Thanks
Mike