Mandatory access control (MAC) is a mechanism by which an operating system provides a secure computing environment by restricting the ability of processes or threads to perform operations on objects. Objects are assigned type labels, and a policy governs how interactions between labeled objects may occur. MAC systems enforce a single centralized policy that governs access across the entire system, which makes them incompatible with operating systems whose components are separately owned and upgraded.
This disclosure provides techniques for writing security policies for objects that are accessed by both platform and non-platform components. Under the disclosed techniques, secure access to objects within separately owned components is provided by converting the labels assigned to OS objects into versioned attributes that are inherited by future labels of those objects. A mapping is created and maintained between the different versions of a label, and that mapping is used to ensure that the security policy continues to work across versions of objects. The techniques enable new policies to be implemented, or old policies to be changed, without affecting non-platform components, and permit non-platform components to upgrade and eventually drop deprecated rules.
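The following is an added illustration of the mechanism described above, not code from the disclosure: a toy policy evaluator in which a non-platform (vendor) component writes its rule against a versioned attribute, the platform later splits the underlying label, and the attribute-to-label mapping keeps the old rule valid until the vendor rebuilds against the new version. The label names, the `_v1` suffix convention and the split scenario are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    source: str  # attribute or label of the acting process
    target: str  # attribute or label of the object
    perm: str


@dataclass
class Policy:
    # versioned attribute -> set of current labels it stands for
    mapping: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

    def expand(self, name):
        """Resolve a versioned attribute (or a plain label) to concrete labels."""
        return set(self.mapping.get(name, {name}))

    def allowed(self, src_label, tgt_label, perm):
        """Allow iff some rule matches source, target and permission after expansion."""
        return any(src_label in self.expand(r.source)
                   and tgt_label in self.expand(r.target)
                   and r.perm == perm
                   for r in self.rules)


def platform_v2_with_v1_vendor():
    """Constructed scenario: platform v1 had one label 'log_file'; v2 splits it
    into 'system_log_file' and 'app_log_file'. The v1 attribute 'log_file_v1'
    inherits both new labels, so the vendor's rule written for v1 still holds."""
    p = Policy()
    p.mapping["log_file_v1"] = {"system_log_file", "app_log_file"}
    p.mapping["vendor_daemon_v1"] = {"vendor_daemon"}
    # Rule shipped by the separately owned vendor component, written against v1.
    p.rules.append(Rule("vendor_daemon_v1", "log_file_v1", "read"))
    return p


def upgrade_vendor_to_v2(p):
    """Vendor rebuilds against v2: it narrows its rule to the current labels and
    the deprecated v1 attributes (and the rules that used them) are dropped."""
    p.rules = [r for r in p.rules
               if not (r.source.endswith("_v1") or r.target.endswith("_v1"))]
    p.rules.append(Rule("vendor_daemon", "app_log_file", "read"))
    for k in [k for k in p.mapping if k.endswith("_v1")]:
        del p.mapping[k]
    return p
```

Before the vendor upgrade, `vendor_daemon` can read both split labels through the inherited attribute; after it, only the narrower v2 rule remains and the v1 mapping is gone.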
This work is licensed under a Creative Commons Attribution 4.0 License.
Cashman, Daniel, "Independent Partially Upgradable Mandatory Access Control System", Technical Disclosure Commons, (May 01, 2017)