PSARC Questions Version 1.22 Approved Oct. 2008 (PSARC/2008/625)

The 20 questions outline serves several purposes. One is to present to the ARC in a uniform manner pertinent information about any case. Many of the answers to these questions can be direct and specific references to other case materials (although care must be taken to keep the references current). A second purpose is to allow an ARC member to get a concise overview of the case in an efficient manner. Another purpose is that the 20 questions should provoke thought and questions for project teams unfamiliar with the ARC process, by asking questions about aspects of the project that need to be considered. Lastly, the 20 questions serve as a vehicle between the case owner and the project team as an indicator of preparedness. The 20 questions, as do other ARC materials, remain as documentation of the case plan of record.

1. What is the proposal being presented for review?

   * Give an overview of the project and its phase(s).

   Socket Filters provides a framework which makes it possible for modules to intercept user requests and transport events occurring on non-STREAMS sockets. Filters will be able to modify or deny socket operations; transform, delay and inject data; and defer the notification of new connections. Also part of this project is the conversion of an existing in-kernel SSL proxy (PSARC/2002/557, PSARC/2005/625) into a socket filter.

   * Describe the exposure (OpenSolaris), scope and type of review desired (overview, full case, etc.)

   Open exposure; full case.

   * Indicate the release binding requested by the project team.
     See: http://www.opensolaris.org/os/community/arc/policies/release-taxonomy/

2. Describe user interactions.

   * Are new user interfaces being proposed, or existing interfaces being changed?

   No new user interface is being introduced, and no existing interface is being changed.
   * Explain the similarities in proposed interfaces with existing OS user interfaces (Solaris, Linux, Windows, etc.).

   N/A

   * Are there any install time changes?

   No.

3. What are the exported (defined by your project) and imported (defined by another project that your project then references) interfaces or protocols and their respective stability levels?
   See: http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/

   Exported Interface Table

   +----------------------------------+-----------------------+--------------------+
   | Interface                        | Commitment            | Comments           |
   +----------------------------------+-----------------------+--------------------+
   | struct fil_info                  | Consolidation Private |                    |
   +----------------------------------+-----------------------+--------------------+
   | SOL_FILTER                       | Consolidation Private |                    |
   | FIL_ATTACH                       | Consolidation Private |                    |
   | FIL_DETACH                       | Consolidation Private |                    |
   | FIL_LIST                         | Consolidation Private |                    |
   +----------------------------------+-----------------------+--------------------+
   | sof_handle_t                     | Consolidation Private |                    |
   | sof_rval_t                       | Consolidation Private |                    |
   | sof_ops_t                        | Consolidation Private |                    |
   | sof_event_t                      | Consolidation Private |                    |
   +----------------------------------+-----------------------+--------------------+
   | sof_register                     | Consolidation Private |                    |
   | sof_unregister                   | Consolidation Private |                    |
   | sof_inject_data_in               | Consolidation Private |                    |
   | sof_inject_data_out              | Consolidation Private |                    |
   | sof_bypass                       | Consolidation Private |                    |
   | sof_newconn_ready                | Consolidation Private |                    |
   | sof_newconn_move                 | Consolidation Private |                    |
   | sof_rcv_flowctrl                 | Consolidation Private |                    |
   | sof_snd_flowctrl                 | Consolidation Private |                    |
   | sof_get_cookie                   | Consolidation Private |                    |
   | sof_cas_cookie                   | Consolidation Private |                    |
   +----------------------------------+-----------------------+--------------------+
   | SOF_VERSION                      | Consolidation Private |                    |
   | SOF_RVAL_CONTINUE                | Consolidation Private |                    |
   | SOF_RVAL_RETURN                  | Consolidation Private |                    |
   | SOF_RVAL_DETACH                  | Consolidation Private |                    |
   | SOF_RVAL_DEFER                   | Consolidation Private |                    |
   | SOF_RVAL_EINVAL                  | Consolidation Private |                    |
   | SOF_RVAL_EACCES                  | Consolidation Private |                    |
   | SOF_RVAL_ENOMEM                  | Consolidation Private |                    |
   | SOF_RVAL_ECONNABORTED            | Consolidation Private |                    |
   | SOF_EV_CLOSING                   | Consolidation Private |                    |
   | SOF_EV_INJECT_DATA_IN_OK         | Consolidation Private |                    |
   | SOF_EV_INJECT_DATA_OUT_OK        | Consolidation Private |                    |
   | SOF_EV_CONNECTED                 | Consolidation Private |                    |
   | SOF_EV_CONNECTFAILED             | Consolidation Private |                    |
   | SOF_EV_DISCONNECTED              | Consolidation Private |                    |
   | SOF_EV_CANTRECVMORE              | Consolidation Private |                    |
   | SOF_EV_CANTSENDMORE              | Consolidation Private |                    |
   +----------------------------------+-----------------------+--------------------+
   | svc://network/socket-filter/kssl | Unstable              | KSSL socket filter |
   |                                  |                       | service            |
   +----------------------------------+-----------------------+--------------------+

4. Describe any dependencies on hardware (e.g. SPARC exclusive), and on other projects within Solaris.

   There are no hardware or project dependencies.

5. Projects need to be aware of the overall security of the system and how their components affect it. Which parts of this project are critical to the security of the system to avoid such unintended consequences as unauthorized system entry, unauthorized access to or modification of data, elevation of privilege, denial of service, violation of labeled security, ...? Does this project require elevated privilege?

   A number of specific policies and practices address various aspects of the security of the system. They are found in appendix 1. Which of these are applicable to this project, and how are they addressed?

   This project changes the sockconfig() system call by adding new subcodes. The audit subsystem will be updated such that it can parse the new events.

6. Describe means of observing project functionality and performance, by an end user or by a system administrator.

   Each filter has a kstat entry (sockfs::filter_).
   pfiles(1) can be used to list the socket filters that are attached to a socket.

7. How does the project deal with faults and interruptions? Initialization and restarting?

8. How does the project interact with Solaris virtualization technologies (xVM, LDOMs, zones, Branded zones, SunCluster, etc.)?

   The configuration of socket filters is tightly coupled with the socket configuration, which can only be manipulated by the global zone. For that reason, socket filters cannot be controlled from a non-global zone (although non-global zones can use socket filters configured by the global zone).

9. Does this project require administration (i.e., configuration or management)? If so, projects that require or deliver administrative interfaces are often by their nature security components of the system and should likely address the security question (#5 above, with attention to RBAC and Audit). (See also appendix 2).

   SMF is used to control socket filters. Each socket filter has an associated SMF service (svc:/network/socket/filter:). The service for a filter needs to be enabled before an application is able to use it.

10. Have you reviewed the Policies and Best Practices? Are there any exceptions this project needs?
    See http://www.opensolaris.org/os/community/arc/policies/
        http://www.opensolaris.org/os/community/arc/bestpractices/

Appendix 1. Security references

   Pluggable Authentication Modules
   http://opensolaris.org/os/community/arc/policies/PAM/

   Audit Policy
   http://opensolaris.org/os/community/arc/policies/audit-policy/

   Service Management Facility (SMF) usage
   http://opensolaris.org/os/community/arc/policies/SMF-policy/

   Install-Time Security
   http://opensolaris.org/os/community/arc/policies/ITS/

   Network Install-Time Security
   http://opensolaris.org/os/community/arc/policies/NITS-policy/

   Secure-by-Default
   http://opensolaris.org/os/community/arc/policies/secure-by-default/

   When to use setuid vs. RBAC roles and profiles
   http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/

   Building RBAC Rights Profiles
   http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/

   Adding RBAC Authorizations
   http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/

   Reusable Passwords in Command Line Arguments and Environment Variables
   http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/

   Storing Reusable Passwords on a FileSystem
   http://opensolaris.org/os/community/arc/bestpractices/passwords-files/

   Administrative and Security Precedents and Policies
   http://opensolaris.org/os/community/arc/bestpractices/overview-admin-security/

   Security Questions
   http://opensolaris.org/os/community/arc/bestpractices/security-questions/

   Labeled Security:
   http://en.wikipedia.org/wiki/Multilevel_security
   See also PSARC/2002/762 Layered Trusted Solaris
   http://arc.opensolaris.org/caselog/PSARC/2002/762

Appendix 2. Administrative access and control

   RBAC (Role Based Access Control):
   See PSARC/1997/332 Execution Profiles for Restricted Environments
   http://arc.opensolaris.org/caselog/PSARC/1997/332

   Privilege:
   See PSARC/2002/188 Least Privilege for Solaris
   http://arc.opensolaris.org/caselog/PSARC/2002/188

Appendix 3. Policies and Best Practices references

   http://www.opensolaris.org/os/community/arc/policies/
   http://www.opensolaris.org/os/community/arc/bestpractices/