Nicolas Williams wrote:
> On Mon, Oct 29, 2007 at 06:29:30PM -0400, Jeffrey Hutzelman wrote:
>>> Well, I think we could support a label range this way though. The sshd
>>> monitor would run in the global zone and its child would zone_enter()
>>> the user's clearance zone.
>> Yes, you certainly could do this. You might push most of the protocol
>> handling into such a child, the way openssh's privsep does, or do it only
>> when spawning the shell or other processes that run as the user. Doing the
>> latter would open up interesting possibilities for...
>
> Well, we already do this in SunSSH's privsep. What we don't yet do is
> support figuring out the label to enter and then zone_enter()ing it.

In your global (or other auth zone) where ssh is MLP do:

  getpeerucred()
  PAM including pam_tsol_account with cred->label
  zone_find_by_label(cred->label)
  some cleanup
  then a fork
  zone_enter(zoneid)
  apply privileges, etc.
The question is how to keep the socket past the cleanup. Traditionally everything must be closed to do a zone_enter. If done cleverly this could be done within PAM modules to avoid daemon awareness (the admin gives it the right stack and defines it as mlp.) But the restrictions on zone_enter might make this pretty hard.

> In the GUI login case the user is asked which label in their label range
> to run in. There's no equivalent in SSHv2, but we could certainly add
> one as an extension.

If the ssh client is also MLP it will send each thing at the right label. If it is not MLP it was invoked at a specific label (or on an unlabeled system with a specific label.) There is no need for (and it would be harmful to introduce) user-selected labels in sshd. A multilabel ssh session would be appropriate with a privileged ssh client that could support MLP, and then it is communicating the labels to sshd.

-Will