Maintaining Zone Labels as ZFS Attributes

In Trusted Extensions, each zone has a unique sensitivity label, which is maintained as an entry in the tnzonecfg database. Since ZFS is used to instantiate zones, each zone also has a unique dataset. When the zone is started by zoneadm, its dataset is mounted according to the pathname assigned to it when the zone was created. This mount point is maintained as a ZFS attribute of the dataset. The zone's label is associated with its mount point label, which is determined by comparing its pathname to the root pathnames of the currently active zones. So there is no automatic facility to determine the label of the zone's dataset until the zone's attributes are loaded into the kernel by zoneadm.

However, we can implement a means to display the label, even when the zone is not active, by assigning the label value as a ZFS attribute. The convention for naming such attributes is to use a colon in the name, so I've named the attribute mls:label. In order to automatically assign labels to these datasets, you need to modify the txzonemgr shell script. There are three functions in this shell script, install(), clone(), and copy(), where zone datasets are created. In each of these functions I added the following line at the end of the function, after the corresponding zoneadm operation completes:

/usr/sbin/zfs set mls:label="$curlabel" $ZDSET/$zonename

The value $curlabel contains the string that is assigned by the menu item Select Label, so it is necessary to perform that step before selecting Install, Clone, or Copy.

The value $ZDSET is automatically determined, and $zonename is set when you name your zone. If you are running OpenSolaris, or Solaris 10 update 6 (or newer) with ZFS as your root filesystem, then $ZDSET is rpool/zones. Otherwise it is simply zone.

Once your datasets are created, you can view all their labels and their corresponding mount points with this command:

zfs list -ro mountpoint,mls:label $ZDSET

In the above command, please substitute the appropriate value for $ZDSET. The -ro parameter combines -r (recursive) with -o (the list of properties to display); it does not mean read-only.

The output should look like this:

MOUNTPOINT           MLS:LABEL
/zone                ADMIN_HIGH
/zone/public         PUBLIC
/zone/internal       CONFIDENTIAL : INTERNAL USE ONLY
/zone/needtoknow     CONFIDENTIAL : NEED TO KNOW

Note that these attributes can only be changed by a root process in the global zone, and are inaccessible from within the labeled zones.
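
An added example, not part of the original post or of txzonemgr: ZFS user properties are inherited by child datasets, so a zone dataset that never received its own mls:label reports its parent's value instead of nothing. The audit below reads the output of zfs get -H -r -o name,value,source mls:label $ZDSET and flags labels that are not set locally or that two datasets share; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mls:label using the property source, fed by
#   zfs get -H -r -o name,value,source mls:label "$ZDSET"
# -H prints tab-separated columns without a header, which keeps labels such as
# "CONFIDENTIAL : INTERNAL USE ONLY" in a single field.
audit_labels() {
    awk -F '\t' '
        index($1, "@") { next }              # skip snapshots
        $3 != "local" {                      # unset ("-") or inherited
            printf "NOT_LOCAL\t%s\t%s\n", $1, $3; bad = 1; next
        }
        ($2 in seen) {                       # two datasets share one label
            printf "DUPLICATE\t%s\t%s\n", $1, seen[$2]; bad = 1; next
        }
        { seen[$2] = $1 }
        END { exit bad + 0 }
    '
}

# Constructed sample rows (name, value, source); zone names are hypothetical.
sample_get_output() {
    printf 'rpool/zones\tADMIN_HIGH\tlocal\n'
    printf 'rpool/zones/public\tPUBLIC\tlocal\n'
    printf 'rpool/zones/public@snap\tPUBLIC\t-\n'
    printf 'rpool/zones/internal\tCONFIDENTIAL : INTERNAL USE ONLY\tlocal\n'
    printf 'rpool/zones/needtoknow\tCONFIDENTIAL : INTERNAL USE ONLY\tlocal\n'
    printf 'rpool/zones/restricted\tADMIN_HIGH\tinherited from rpool/zones\n'
}

# Demo on the sample; on a live system pipe the zfs get command above instead.
sample_get_output | audit_labels || echo "label audit found problems" >&2
```

The function exits non-zero when it reports anything, so it can gate a cron job or a check run from the global zone.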

Comments:

Thanks for posting this, Glenn. Excellent contribution. The question of how to do this just came up at the Virtualization Security workshop at the 24th Annual Computer Security Applications Conference here in Anaheim, CA, when I presented MLS in the context of Solaris and OpenSolaris. Very timely.
-ChS

Posted by Christoph Schuba on December 11, 2008 at 06:37 AM PST #
