Dan Price wrote On 12/12/06 13:59,:

On Tue 12 Dec 2006 at 10:47AM, Glenn Faden wrote:
Named pipes may be used between zones when Trusted Extensions is
enabled. The policy for data flow between zones is generally more
restrictive when TX is enabled, but in this case it is slightly more
open. The specific policy difference is implemented in the function

Thanks Glenn. Is there any reason not to make this work for all zones,
not just TX ones?

I don't see a security risk here, since explicit administrator
intervention is needed from the global zone to set this up. I'm
not sure I follow all the bit about lofs though-- what would be
the set of steps needed to set this up from the global zone,
if this actually worked?

OTOH, it all seems a bit hokey. Steffen, what problem are you
trying to solve? Why not just use sockets?

I am trying to articulate to very security conscious folks what paths and barriers exist for
communications between zones. The customer wants to use zones for Internet facing applications and
is trying to understand the vulnerabilities to the global zone should a non-global zone be compromised.
Is it safe to generalize that non-LOFS file systems in Solaris 10 do not allow cross-zone
interaction? procfs does not. namefs does not. tmpfs does not. sockfs does not. doors does not. What
about all the others (I can't even name them all)?
As Glenn has pointed out, there are a number of exceptions that Trusted Extensions has, which makes
it a little challenging to project TX's security evaluation onto non-extended zones for those who
plan on running vanilla zones in hostile environments. Is there any 'official' vulnerability testing
that can be used to 'certify' traditional zones? Something that might not be sufficient for TLA
agencies, but OK for FLAs (five letter acronyms) such as CISSP (which I am not).