Implementing security with SELinux

From: John Richard Moser (nigelenki@private)
Date: Mon Sep 26 2005 - 23:14:55 PDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've looked at PaX and GrSecurity a lot, and briefly touched RSBAC.  Now
I have a simple, but profound question.  (keep Ingo Molnar and Linus
Torvalds away from here if you don't want to see a holy war)

How much *!@# can I implement with SELinux?

I'd figure, I could do some crazy stuff like teach it to mimic
grsecurity's linking restrictions, say:

====
Hardlinks to files not owned by the current user cannot be created
without CAP_FOWNER:

 - If a hardlink is to be created
  + and the target file is owned by the current user
   * creation of the hardlink is not disallowed
  + and the target file is not owned by the current user
   = and capability CAP_FOWNER is granted
    * creation of the hardlink is not disallowed
   = and capability CAP_FOWNER is not granted
    * creation of the hardlink is disallowed

Symbolic links in directories with the sticky bit and write permission
for "others" cannot be followed unless they are labeled with type
t_follow_symlink:

 - If a symlink is to be followed
  + and it is not in a sticky directory
   = following of the symlink is not disallowed
  + and it is in a sticky directory
   = and it is not in a directory writable by "others"
    * following of the symlink is not disallowed
   = and it is in a directory writable by "others"
    * and it is labeled with type t_follow_symlink
     % following of the symlink is not disallowed
    * and it is not labeled with type t_follow_symlink
     % following of the symlink is disallowed
====

Of course the above would have to be turned into a fragment of SELinux
policy, but would it work?  Probably.

I'm thinking, you may be able to mimic PaX mprotect() restrictions (a
specific memory protection policy to separate data and code strictly),
GrSecurity /proc restrictions, linking restrictions, access to
/dev/{k,}mem, privileged IO, and a bunch of other stuff with SELinux
policy.  Other things need to go right into kernel.

The /dev/kmem restrictions in GrSecurity allow for /dev/kmem to be
accessed for video memory ONLY; this requires some kernel code to
duplicate, rather than pure policy.  Of course, once that code is
written, it can be hooked into by LSM; thus, a policy to constrict
things down and still let X work would be possible.

Address space layout randomization in the kernel is minimal and weak.
(if Ingo, Arjan, or Linus see this, there's going to be a holy war.)
It's basically no heap randomization, 12 bits on libraries and mmap(),
and around 20 bits for the stack.  The stack is randomized back and
forth in a 64KiB area which will later become a 2MiB area; a relatively
short NOP slide (CERT) or NOP sled (Erickson) or whatever you want to
call it will turn that 20 bits into 5 or 10.

For address space layout randomization to be stronger, kernel-side code
would have to be written to supply the PaX-esque 256MiB range of
randomization for the stack, as well as heap randomization, and
potentially better mmap() randomization.  Then hooks would have to be
added for LSM to force the minimum randomization quality for each part
(i.e. 0, 64KiB, 2MiB, or 256MiB for stack).  The logic here is that the
program might want to run with 256MiB stack randomization and SELinux
says it needs to run with at least 2MiB stack randomization, so it gets
its 256MiB; but if it wants to run with 0MiB of stack randomization
range, it will be forced to run with 2MiB.  Obviously it's typically
going to run with 0MiB by default, and the policy would say, "Hey!  Up
the randomization!"

(note with the size of randomization, it'd be rather architecture
specific.  Athlon/PPC/Sparc 64 machines can take advantage of a huge VM
space and use much bigger randomization ranges)

Another thing written in the kernel would be a hook to control fork()
and implement complex brute force deterrence similar to what GrSecurity
supplies.  Due to its complexity (it's actually a set of defined logic
that operates under conditions that have passed instead of just
immediate conditions), this may need to be fully written in kernel code
and hooked by LSM for use in SELinux.

So, pretty much, I'm wondering how much of GrSecurity and PaX can be
mimicked in a policy, and how much will need some solid kernel coding.
I don't know how to write SELinux policies unfortunately, or I'd
probably be able to answer my own question.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDOONehDd4aOud5P8RAmzLAJsE7IiLQHCcPpC+7PjN+12D+MVd+QCeO0oU
mECZYt7qVxZQC2TKgmNS5Wg=
=rzRk
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.3 : Mon Sep 26 2005 - 23:16:34 PDT