On 18 Aug 2003, Magosányi Árpád wrote:

> I would like to notify you on Richard Offer's papers on an approach of a
> user space security API definition, especially the rationale paper.
>
> http://reality.sgiweb.org/offer/papers/PACM/

We've taken an approach similar to this for the TrustedBSD MAC Framework, and in fact a lot of our API came out of a couple of conversations we had with Richard at various points :-). It also bears some resemblance to the POSIX.1e MAC label API. The interface is intended to provide for the management of multiple simultaneously loaded policies using their own independent labels.

We had the goal of supporting two classes of applications:

(1) Applications that are label-aware but policy-agnostic. I.e., ifconfig, ls, getfmac, setfmac, ps, et al.

(2) Applications that are both label-aware and policy-aware -- tools that interface with specific policies.

The API has evolved some over time, and it's far from handling everything we need, but it does handle some interesting cases; we've been through a few generations of the API refining it.

The basic upshot is that user applications interact with a set of kernel-defined objects using APIs that query or set labels on those objects. The userland label abstraction, mac_t, represents "a label derived from or intended for an object". Labels consist of a set of name and value pairs, referred to as label elements. For our implementation, labels are entirely string-based because we didn't want to force policies to include both user and kernel elements to render strings in userspace. Userland applications can rely on central defaults for the labels manipulated, or provide their own set of label elements they are aware of.
Here's the sample label use from getfmac(8), a simple tool to query the labels from a file:

	/* Allocate a label holding either the user-requested elements or
	 * the default element set for files (from /etc/mac.conf). */
	if (labellist != NULL)
		error = mac_prepare(&label, labellist);
	else
		error = mac_prepare_file_label(&label);
	if (error != 0) {
		perror("mac_prepare");
		return (-1);
	}

	/* Query the label of the file (or of the link itself with -h). */
	if (hflag)
		error = mac_get_link(argv[i], label);
	else
		error = mac_get_file(argv[i], label);
	if (error) {
		perror(argv[i]);
		mac_free(label);
		continue;
	}

	/* Render the label as text; the string is malloc'd and must be freed. */
	error = mac_to_text(label, &string);
	if (error != 0)
		perror("mac_to_text");
	else {
		printf("%s: %s\n", argv[i], string);
		free(string);
	}
	mac_free(label);

The "labellist" argument is an optional command line argument that users may specify to indicate what label elements they want to inspect. In the getfmac(8) code, if no labels are specified, we use the default labels for the object class, which are read from /etc/mac.conf. A sample mac.conf is attached below; the "?" in front of an element name indicates that if the kernel doesn't support that policy element name, the failure should be ignored rather than generating a label query failure.

Here's some sample output from policy-agnostic but label-aware applications:

	crash2> ifconfig fxp1
	fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	        inet6 fe80::200:e2ff:fe3c:7064%fxp1 prefixlen 64 tentative scopeid 0x2
	        inet 10.33.40.96 netmask 0xffff0000 broadcast 10.33.255.255
	        ether 00:00:e2:3c:70:64
	        media: Ethernet autoselect (10baseT/UTP)
	        status: active
	        maclabel biba/high(high-high),mls/low(low-low)
	crash2# getpmac
	biba/high(low-high),mls/low(low-high)
	crash2# getpmac -l mls
	mls/low(low-high)
	crash2# ls -lZ /tmp | head -4
	crash2# ls -lZ /tmp
	total 440
	-rw-------  1 root     wheel  biba/high,mls/low     0 May 29 14:25 .nfsA02fd4.4
	-rw-------  1 rwatson  wheel  biba/high,mls/low     0 May 29 16:49 .nfsA03544.4
	-rw-------  1 root     wheel  biba/high,mls/low     0 May 12 02:35 .nfsA5d184.
We have an implementation of the Biba integrity policy, MLS confidentiality, and the FLASK/TE module ported from SELinux to run on FreeBSD all using these abstracted interfaces. We also have several custom labeled policies, including a process-only system partition policy loosely based on the FreeBSD jail model.

The interfaces defined are:

	mac_get_fd(), mac_get_file(), mac_get_link(),
	mac_set_fd(), mac_set_file(), mac_set_link(),
	mac_get_proc(), mac_get_pid(), mac_set_proc(),
	mac_free(), mac_from_text(), mac_to_text(),
	mac_prepare(), mac_prepare_file_label(), mac_prepare_ifnet_label(),
	mac_prepare_process_label(), mac_exec().

In addition, we support ioctls to get/set labels on sockets and network interfaces. We have in-progress changes to allow labels to be set on IPsec security associations using PF_KEY.

We have modifications to the BSD credential management mechanism in userland to bind labels to users and set them along with other credentials during login, in cron, etc, etc. Our SEBSD module doesn't currently rely on those interfaces due to differences between the TE "transition on exec" model vs. more traditional MAC policies, but we're working on improving the abstractions to handle that. The user database abstraction for labels on users is currently merged with the BSD login.conf mechanism, but we'd like to break it out into separate databases and improve our support for roles. In our SEBSD development branch, we have modified login, sshd, etc, to use the abstracted label changes (mac_execve() rather than execve_secure()), but using the SELinux mechanisms to select default labels for users and inspect possible roles.

Our API is still not finalized for 5.x-STABLE on FreeBSD since our needs are evolving based on our starting a port of the MAC Framework to the Darwin/OS X platform, and updates for the SEBSD policy implementation as it evolves, but it might be a useful starting point for what you're looking for.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robertat_private      Network Associates Laboratories

	#
	# $FreeBSD: src/etc/mac.conf,v 1.2 2003/04/20 03:09:35 rwatson Exp $
	#
	# TrustedBSD MAC userland policy configuration file.  Kernel modules
	# export label information, and mac.conf indicates to userland
	# applications what defaults they should use in the absence of any
	# other user-provided information.
	#

	#
	# Default label set to be used by simple MAC applications
	#
	default_labels file ?biba,?mls,?sebsd
	default_labels ifnet ?biba,?mls,?sebsd
	default_labels process ?biba,?mls,?partition,?sebsd

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 09:13:35 PDT
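The label text format the message above shows ("biba/high(low-high),mls/low(low-high)": comma-separated elements, each a policy name and a policy-defined value joined by "/") and the mac.conf element-list syntax with its "?" prefix, worked through as an added example. This is not code from the message or from the TrustedBSD sources, and it does not call the mac(3) API: label_from_text, label_find and resolve_element_list are this example's own names, and the set of loaded policies is a constructed input standing in for what a kernel would report. It shows the "?" rule as the message states it: an optional element whose policy is not present is dropped, while a mandatory one that is absent fails the whole lookup.

```c
/* Added example; not from Robert Watson's message or the TrustedBSD sources.
 * Parses the string label format ("biba/high(low-high),mls/low(low-high)")
 * and a mac.conf element list ("?biba,?mls,?sebsd") without a FreeBSD
 * kernel. The set of loaded policies is a constructed input. */
#include <stdio.h>
#include <string.h>

#define MAX_ELEMENTS	8
#define NAME_LEN	32
#define VALUE_LEN	64

struct label_element {
	char name[NAME_LEN];	/* policy name, e.g. "biba" */
	char value[VALUE_LEN];	/* policy-defined text, e.g. "high(low-high)" */
};

struct label {
	struct label_element elems[MAX_ELEMENTS];
	int count;
};

/* Copy the next comma-separated field of *p into tok and advance *p past it.
 * Returns 1 on success, 0 when the list is exhausted, -1 if it does not fit. */
static int next_field(const char **p, char *tok, size_t toklen)
{
	const char *end;
	size_t len;

	if (**p == '\0')
		return (0);
	end = strchr(*p, ',');
	len = (end != NULL) ? (size_t)(end - *p) : strlen(*p);
	if (len >= toklen)
		return (-1);
	memcpy(tok, *p, len);
	tok[len] = '\0';
	*p = (end != NULL) ? end + 1 : *p + len;
	return (1);
}

/* Parse "name/value[,name/value...]" into lab. Returns 0, or -1 when an
 * element lacks '/', has an empty name or value, or there are too many. */
int label_from_text(const char *text, struct label *lab)
{
	char tok[NAME_LEN + VALUE_LEN], *slash;
	int r;

	memset(lab, 0, sizeof(*lab));
	while ((r = next_field(&text, tok, sizeof(tok))) == 1) {
		slash = strchr(tok, '/');
		if (slash == NULL || slash == tok || slash[1] == '\0' ||
		    lab->count >= MAX_ELEMENTS)
			return (-1);
		*slash = '\0';
		if (strlen(tok) >= NAME_LEN || strlen(slash + 1) >= VALUE_LEN)
			return (-1);
		strcpy(lab->elems[lab->count].name, tok);
		strcpy(lab->elems[lab->count].value, slash + 1);
		lab->count++;
	}
	return ((r == 0 && lab->count > 0) ? 0 : -1);
}

/* Value of one policy's element (what "getpmac -l mls" selects), or NULL. */
const char *label_find(const struct label *lab, const char *name)
{
	int i;

	for (i = 0; i < lab->count; i++)
		if (strcmp(lab->elems[i].name, name) == 0)
			return (lab->elems[i].value);
	return (NULL);
}

static int policy_loaded(const char *name, const char **loaded, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(loaded[i], name) == 0)
			return (1);
	return (0);
}

/* Resolve a mac.conf element list against the loaded policies. A "?name"
 * whose policy is absent is dropped; a bare "name" that is absent returns
 * -1, the failure a label query would report. Survivors go to out. */
int resolve_element_list(const char *list, const char **loaded,
    size_t nloaded, char *out, size_t outlen)
{
	char tok[NAME_LEN], *name;
	size_t used = 0;
	int r, n;

	if (outlen == 0)
		return (-1);
	out[0] = '\0';
	while ((r = next_field(&list, tok, sizeof(tok))) == 1) {
		name = (tok[0] == '?') ? tok + 1 : tok;
		if (!policy_loaded(name, loaded, nloaded)) {
			if (tok[0] == '?')
				continue;	/* optional element: skip it */
			return (-1);		/* mandatory element: fail */
		}
		n = snprintf(out + used, outlen - used, "%s%s",
		    used > 0 ? "," : "", name);
		if (n < 0 || (size_t)n >= outlen - used)
			return (-1);
		used += (size_t)n;
	}
	return ((r == 0) ? 0 : -1);
}
```

With a constructed kernel that has only biba and mls loaded, resolving the "default_labels process ?biba,?mls,?partition,?sebsd" line yields "biba,mls", which is the element set a tool like getpmac would then pass to mac_prepare(); the same line without the "?" prefixes fails, since partition and sebsd are absent. Parsing the getpmac output from the message and asking for the mls element returns "low(low-high)", and asking for an element the label does not carry returns NULL rather than an empty string, so callers can tell "policy not in label" from "empty value".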