/*************************************************************************
 *
 * This file lists known LOMAC bugs, deficiencies, and correct behaviors
 * deemed sufficiently surprising to require explanation.
 *
 *************************************************************************/

o rpm - can't use rpm

  In order to use the rpm program to install software into the level-2
  part of the system, you must run rpm as root, at level 2.
  Unfortunately, rpm needs to create files in /tmp and read from them.
  Presently, LOMAC sets all files in /tmp to level 1, and rpm gets
  demoted to level-1 when it tries to read from its own /tmp files.

  This problem will go away once it's possible for a level-2 program to
  create level-2 files in /tmp.

o vi, emacs - can't use common editors for administration (workaround).

  In their default configuration, editors such as vi and emacs tend to
  create temporary files and lock files in the level-1 parts of the
  system.  When the administrator runs these editors at level 2, and
  the editors read from their own temporary and lock files, LOMAC
  demotes the editors to level 1.  Once demoted, the editors cannot
  write to level-2 files, which makes them useless for administration.
  The emacs editor also exhibits disturbing file truncation behavior
  in these situations, as described in the "cp - surprising behavior"
  entry, below.

  Eventually, LOMAC should be fixed to allow level-2 editors to create
  level-2 temporary and lock files.  However, until then, a workaround
  is available:  vi and emacs can be configured to make their temporary
  and lock files in the level-2 part of the system when run by the
  root user.  Use the following steps:

  (1) mkdir /root/tmp

  (2) Include the following aliases in the root user's .bashrc
      (or equivalent aliases for other shells):

      alias emacs='EMACSLOCKDIR=/root/tmp emacs'
      alias vi='TMPDIR=/root/tmp vi'
  
  (3) Include the following lines in root's .nexrc (vi resource) file:

      set dir=/root/tmp
      set recdir=/root/tmp/vi.recover

  The "set dir" command in .nexrc should allow you to do without the
  vi alias shown in step 2.  However, my version of vi (Debian release
  of 1.79 CSRG/UCB) seems to need the TMPDIR environment variable
  provided by the alias.

  Note that you probably don't want to set TMPDIR globally, since
  programs like man need to use a level-1 temporary directory (the
  default) in order to operate properly with LOMAC.


o XDM (logging in via X) - doesn't yet work with LOMAC's default policy

  From the LOMAC v0.3pre6 announcement on the lomac-users mailing list:

  The PLM is the "Path-Level Map" - the data structure that maps
  levels to files in the filesystem namespace.  Its default
  configuration presently has a problem concerning /var/log/lastlog.
  /sbin/init reads from this file.  This fact compels us to set
  /var/log/lastlog at the high level, since if /sbin/init ever reads a
  low file, it will be demoted, and will subsequently have
  insufficient privilege to shut down the machine.
  
  However, sessreg - part of the XDM suite of programs for managing X
  logins - needs /var/log/lastlog to be low so it can write to it at
  the start of each user session.  It seems (after a few minimal
  tests) that sessreg won't start a session unless it can write to
  /var/log/lastlog.  The present PLM configuration sets
  /var/log/lastlog high, so if you boot your machine into runlevel 5
  (X) and use an XDM configuration that uses sessreg, you will not be
  able to log in via X.  You can rescue yourself by hitting
  CTRL-ALT-F1 and logging in at a virtual console.
  
  If you boot your machine into runlevel 3 (multiuser) and start X
  manually via "xinit" or "startx", you will not experience this
  problem.  I hope to fix this sessreg problem, soon.

o Hardlinks - can confuse LOMAC

  LOMAC determines the proper level for a file based on its filename.
  If a file has two names (via hardlinks), where one name indicates
  level-1 and the other level-2, LOMAC will pick one level or the
  other depending on the name used to open the file.  Symbolic links
  do not confuse LOMAC.

o NFSD - mediation

  No mediation is done on the kernel nfsd.

o cp - surprising behavior

  There is a surprising (although correct) behavior when running cp at
  level 2, trying to copy a level-1 file over an existing level-2
  file:

  1.  cp asks, "overwrite?"  You answer yes.
  2.  cp (still at level 2) truncates existing level-2 file.
  3.  cp reads level-1 file and gets demoted.
  4.  cp, now at level 1, can't write new level-2 file.
  5.  you wind up with a 0-length level-2 file.  (ouch!)

o UNIX domain sockets - grandfathering

  The UNIX domain socket grandfathering code for non-bound sockets
  needs to be improved.  (Grandfathering refers to assigning levels to
  pre-existing objects at LOMAC load time).  The current code is
  security-safe, but is overly pessimistic - some sockets get level 1
  when they could safely be given level 2.

o Bad copyin discipline

  The wrap_unlink() function still has a time-of-check/time-of-use
  error.  This is a security-relevant bug.  Bugs of this kind allow a
  malicious multithreaded level-1 program to attempt to bypass LOMAC's
  controls using the following algorithm:

  THREAD 1:                                 THREAD 2:
    DO                                        DO
      char *filename = "level1file"             filename = "level2file"
      unlink( filename )                      MANY TIMES
    MANY TIMES 

  The unlink will probably harmlessly unlink "level1file" for many
  iterations until the timing happens to work out as follows:
  
  THREAD1 filename = "level1file"
  THREAD1 make unlink( filename ) syscall
    LOMAC   copyin path "level1file"
    LOMAC   decide that unlink is permissible (this operation can block)
    THREAD2 filename = "level2file"
    KERNEL  copyin path "level2file" 
    KERNEL  unlink "level2file"   /* oops! */
  THREAD1 return from unlink syscall

  This problem can be fixed by eliminating the multiple copyins of the
  same parameter.
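  To show why a single copyin closes this window, here is an added
  userland model of the two copyin disciplines (not LOMAC's own
  wrap_unlink() code).  "User memory" is a constructed buffer, the
  level policy and the racing writer are assumptions, and the writer
  runs deterministically in the gap the trace above describes.

```c
#include <string.h>

#define KPATH_MAX 64

/* Constructed model of user memory: a path buffer another thread may
 * rewrite at any time while the syscall is in progress. */
static char user_path[KPATH_MAX];

/* Assumed toy policy: names under "level2/" are high, all others low. */
static int level_of(const char *p) { return strncmp(p, "level2/", 7) == 0 ? 2 : 1; }

/* Models copyin: copy the user's path into a kernel buffer. */
static void copyin_path(char *kbuf)
{
    strncpy(kbuf, user_path, KPATH_MAX - 1);
    kbuf[KPATH_MAX - 1] = '\0';
}

/* Models THREAD 2: rewrites user memory while the decision blocks. */
static void racing_writer(void) { strcpy(user_path, "level2/file"); }

/* Racy discipline: LOMAC checks one copy, the kernel acts on a second.
 * Returns the level of the file actually unlinked, or 0 if denied. */
int unlink_two_copyins(int subject_level, const char *initial_user_path)
{
    char lomac_copy[KPATH_MAX], kernel_copy[KPATH_MAX];
    strcpy(user_path, initial_user_path);     /* assumes path shorter than KPATH_MAX */
    copyin_path(lomac_copy);                  /* LOMAC copyin */
    if (level_of(lomac_copy) > subject_level)
        return 0;                             /* low subject, high file: denied */
    racing_writer();                          /* decision blocks; user memory changes */
    copyin_path(kernel_copy);                 /* KERNEL copyin sees the new name */
    return level_of(kernel_copy);
}

/* Fixed discipline: one copyin; check and use share one kernel buffer,
 * so a later change to user memory cannot affect the operation. */
int unlink_one_copyin(int subject_level, const char *initial_user_path)
{
    char kbuf[KPATH_MAX];
    strcpy(user_path, initial_user_path);
    copyin_path(kbuf);
    if (level_of(kbuf) > subject_level)
        return 0;
    racing_writer();
    return level_of(kbuf);                    /* unlinks exactly the name checked */
}
```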


o SYS_SEND - insufficient mediation

  LOMAC does not control SYS_SEND, SYS_SENDTO, and SYS_SENDMSG calls
  used on UNIX-domain datagram sockets.

o System V IPC - no mediation or monitoring

  LOMAC does not control the use of System V IPC.

o Mediation - not all operations have sufficient controls.

  LOMAC presently controls (at least partially) these system calls:

    creat, ftruncate, kill, link, mkdir, mknod, mount, open, pipe,
    read, readv, reboot, rename, rmdir, setpgid, socketcall, truncate,
    umount, unlink, write, writev.

  A list of Linux system calls can be found in

    /usr/src/linux/arch/<your arch>/kernel/entry.S

  Search for ENTRY(sys_call_table).  It shows many system calls that
  are not yet controlled by LOMAC.
