On Mon, Oct 29, 2007 at 06:29:30PM -0400, Jeffrey Hutzelman wrote:
> >Well, I think we could support a label range this way though.  The sshd
> >monitor would run in the global zone and its child would zone_enter()
> >the user's clearance zone.
> 
> Yes, you certainly could do this.  You might push most of the protocol 
> handling into such a child, the way openssh's privsep does, or do it only 
> when spawning the shell or other processes that run as the user.  Doing the 
> latter would open up interesting possibilities for...

Well, we already do this in SunSSH's privsep.  What we don't yet do is
support figuring out the label to enter and then zone_enter()ing it.

> >The actual labelled zone in which each shell/command session would run
> >would be determined.... how?  I would think that we'd need some SSHv2
> >extension to allow multiple channels running at different labels.  But
> >that's a smaller problem than whether sshd should be label aware.
> 
> I don't know if it's smaller, but it's certainly different.  I could 
> certainly see SSH extensions allowing different channels to carry 
> differently-labelled data.  Depending on what you want to do, you could 
> either authorize the user for a label range, or put the SSH protocol 
> engines on both ends into the TP and authenticate the labels in some other 
> fashion.  This becomes especially interesting if you want to prevent the 
> use of ssh to bypass access controls and upgrade or downgrade labelled data.

We don't authenticate labels.  Label ranges are looked up
(getuserrange(), a private libtsol function that uses
getusername(3SECDB) to look up a user's clearance and min_label
attributes).

In the GUI login case the user is asked which label in their label range
to run in.  There's no equivalent in SSHv2, but we could certainly add
one as an extension.
