
Dividing the Filesystem

Section 3.2 explained how LOMAC uses a small set of rules to determine which parts of the filesystem are at the high integrity level, and which are at the low level. These rules are presently set at compile-time. Although future versions of LOMAC may provide a more configurable rule set, the goal of the present implementation is to deliver a single generic configuration that provides at least some protection on a wide variety of systems.

The division described by the current rule set reflects the tension between two competing goals: providing the maximum amount of protection, and maintaining the maximum amount of application compatibility. The first goal demands that all files be at the high level, where LOMAC will keep them safe from modification by low-level processes. However, the second goal demands that all files be at the low level, where LOMAC will never prevent low-level processes from modifying them. This second goal is important to compatibility - preventing file modifications can introduce incompatibilities by causing applications to fail.

LOMAC's present division is a compromise between these goals that emphasizes application compatibility. The division roughly parallels the traditional UNIX boundary between the portion of the filesystem owned by the root user (high) and the portion owned by local non-root users (low). This parallelism helps to reduce LOMAC's visibility to non-root users, because LOMAC tends to prevent the same operations as the traditional UNIX access control mechanisms: high-level files tend to be owned by the root user, non-root user processes run at the low level, and LOMAC prevents low-level processes from modifying high-level files. This behavior is rarely surprising, since the familiar UNIX access controls would also prevent these modifications as attempted non-root modifications of root-owned files. Only when a low-level process acquires root privileges does the difference become readily apparent - a low-level root process has greatly reduced powers in the presence of LOMAC.
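As an added illustration (not LOMAC's own code), the following Python model shows how a compile-time prefix rule set of the kind described above assigns high and low levels to paths, and why a process that has dropped to the low level is refused writes to high-level files regardless of its uid. The prefixes in the rule set and the `Process`/`may_write`/`read_file` names are assumptions for this example; the demotion-on-read rule in `read_file` is the general low water-mark behaviour LOMAC is named after, not something this section describes.

```python
# Added example, not LOMAC's own code: a toy model of a compile-time,
# prefix-based integrity rule set.  Rules are ordered and the first
# matching prefix decides the level.  The prefixes are constructed for
# illustration and are not LOMAC's real rule set.
from dataclasses import dataclass

HIGH, LOW = 2, 1   # integrity levels; a larger number is higher integrity

# Ordered (prefix, level) rules; more specific prefixes must come first.
RULES = [
    ("/home/", LOW),     # assumed: local non-root users' files
    ("/tmp/", LOW),      # assumed: shared scratch space
    ("/var/log/", LOW),  # assumed: keeps demoted daemons able to log
    ("/", HIGH),         # everything else: root-owned system files
]


def file_level(path):
    """Classify a path with the first matching prefix rule."""
    for prefix, level in RULES:
        if path.startswith(prefix):
            return level
    raise ValueError("no rule matched %r" % path)


@dataclass
class Process:
    level: int
    uid: int  # carried only to show that the level check ignores it


def may_write(proc, path):
    """A process may modify a file only if its level is at least the
    file's level.  The uid plays no part, so a root process that has
    fallen to LOW is refused exactly like any other low-level process."""
    return proc.level >= file_level(path)


def read_file(proc, path):
    """Low water-mark rule: reading a lower-level file demotes the
    process, and the mark never rises again.  Returns the new level."""
    proc.level = min(proc.level, file_level(path))
    return proc.level
```

Running `read_file` on a low-level path and then `may_write` on a system file reproduces the "low-level root process" case from the text: the uid is still 0, but the write is refused.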


2001-04-30