| author | Holger Dengler <dengler@linutronix.de> | 2016-10-21 09:54:47 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2016-10-21 09:55:55 +0200 |
| commit | 16a8a2f09197f88867d6e0a665f81b95445847c7 (patch) | |
| tree | 7ca5482fd268e8fc3c06ce4933d83113ba5a7a66 /security | |
| parent | d560aea44f67dd1c99dcffedfc261db7a0d3c7cf (diff) | |
security: mac: Rework MAC slides
- remove tomoyo tooling
- split-up example slides
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/advanced/frm_mac.tex | 116 |
1 files changed, 75 insertions, 41 deletions
diff --git a/security/advanced/frm_mac.tex b/security/advanced/frm_mac.tex index 31a3915..991470f 100644 --- a/security/advanced/frm_mac.tex +++ b/security/advanced/frm_mac.tex @@ -9,7 +9,7 @@ \item Solution: Mandatory Access Control \begin{itemize} \item Categories: Subjects and Objects - \item systemwide, static rule set + \item System-wide, static Rule-set \item Context sensitive Resource Access \end{itemize} \item Implementation @@ -27,7 +27,7 @@ % ---------------------------- \begin{frame}[fragile] -\frametitle{Domain} +\frametitle{Mandatory Access Control: Terms} \begin{figure}[h] \centering \includegraphics[width=8cm]{images/mac_terms.png} @@ -36,26 +36,32 @@ % ---------------------------- \begin{frame}[fragile] -\frametitle{Domain} +\frametitle{Tomoyo: Domain} \begin{itemize} \item Domain transition for each starting Process \item Default: Inherit previous Domain \item Note: Domains are unique \end{itemize} -\begin{beamerboxesrounded}[shadow=true]{Example:} -\begin{small} +\begin{beamerboxesrounded}[shadow=true]{Example: Start via System Init} +\begin{scriptsize} \begin{verbatim} <kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\begin{beamerboxesrounded}[shadow=true]{Example: Start via Login-Shell} +\begin{scriptsize} +\begin{verbatim} <kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \ /bin/bin/bash /usr/local/bin/myappl \end{verbatim} -\end{small} +\end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] -\frametitle{Domain Transition Management} +\frametitle{Tomoyo: Domain Transition Management} \begin{itemize} \item Control Domain Transition Behavior \item Syntax: \\ @@ -72,7 +78,7 @@ % ---------------------------- \begin{frame}[fragile] -\frametitle{Profile} +\frametitle{Tomoyo: Profile} \begin{itemize} \item Profiles define Domain restriction behavior \item Profile Relation to Domain: n..m 
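Review bot: The `Example: Start via Login-Shell` box in the `Tomoyo: Domain` frame still carries the path `/bin/bin/bash`, which looks like a typo for `/bin/bash`. A TOMOYO domain is named by the exact chain of executed paths, so a reader who copies this line gets a domain name that would not match a shell started from `/bin/bash`. Since the box is being reworked anyway, I would correct the path here. It is also worth a short remark on the slide that the trailing `\` is only a line wrap for the slide and that the domain name is a single line in the policy.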
@@ -90,7 +96,7 @@
 % ----------------------------
 \begin{frame}[fragile]
-\frametitle{Policy}
+\frametitle{Tomoyo: Policy}
 \begin{itemize}
 \item Policies describe Domain restrictions
 \item Policy for each Domain
@@ -105,45 +111,60 @@ \end{frame} % ---------------------------- -\subsubsection{Examples} +\subsubsection{Tomoyo Example} % ---------------------------- \begin{frame}[fragile] -\frametitle{Example I} +\frametitle{Example: Profile Definition} +\begin{itemize} +\item new Profile \#4 +\item Permissive Mode (rule violations will be logged) +\item Scope: all file operations, except file::execute +\end{itemize} \begin{beamerboxesrounded}[shadow=true]{profile.conf:} -\begin{tiny} +\begin{scriptsize} \begin{verbatim} PROFILE_VERSION=20110903 -0-COMMENT=-----Disabled Mode----- -0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } -0-CONFIG={ mode=disabled grant_log=no reject_log=yes } -1-COMMENT=-----Learning Mode----- -1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } -1-CONFIG={ mode=learning grant_log=no reject_log=yes } -2-COMMENT=-----Permissive Mode----- -2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } -2-CONFIG={ mode=permissive grant_log=no reject_log=yes } -3-COMMENT=-----Enforcing Mode----- -3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } -3-CONFIG={ mode=enforcing grant_log=no reject_log=yes } +[...] 4-COMMENT=-----Permissive Mode File-only ----- 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } 4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes } 4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no } +[...] 
\end{verbatim} -\end{tiny} +\end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] -\frametitle{Example II} -\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf:} -\begin{tiny} +\frametitle{Example: Policy Definition I} +\begin{itemize} +\item Define new Domain \emph{/sbin/ldconfig} +\item Each execve() from /sbin/ldconfig will be transfered to this Domain +\item All follow-on processes will stay in this Domain +\end{itemize} +\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf: Domain Transition} +\begin{scriptsize} \begin{verbatim} initialize_domain /sbin/ldconfig from any keep_domain any from /sbin/ldconfig +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\end{frame} +% ---------------------------- +\begin{frame}[fragile] +\frametitle{Example: Policy Definition II} +\begin{itemize} +\item New ACL Group \#1 +\item All Files and Directories +\item Read and getattr is allowed +\end{itemize} +\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf: ACL Definition} +\begin{scriptsize} +\begin{verbatim} path_group ANY_PATHNAME / path_group ANY_PATHNAME /\* path_group ANY_PATHNAME /\{\*\}/ @@ -162,20 +183,26 @@ path_group ANY_DIRECTORY \*:/\{\*\}/ acl_group 1 file read/getattr @ANY_DIRECTORY acl_group 1 file read/getattr @ANY_PATHNAME \end{verbatim} -\end{tiny} +\end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] -\frametitle{Example III} -\begin{beamerboxesrounded}[shadow=true]{profile.conf:} -\begin{tiny} +\frametitle{Example: Domain Policy} +\begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf: All Domains} +\begin{scriptsize} \begin{verbatim} <kernel> use_profile 4 use_group 1 +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf: Exceptions for ldconfig} +\begin{scriptsize} +\begin{verbatim} <kernel> /sbin/ldconfig use_profile 4 use_group 1 
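Review bot: The new bullets in `Example: Profile Definition` do not say what the two modes of profile 4 mean for protection. `mode=permissive` logs violations but never denies them, and `4-CONFIG::file::execute` is `mode=disabled` with `reject_log=no`, so program execution is neither checked nor logged. I would state that on the slide, e.g. `\item Permissive Mode (rule violations are logged, not denied)` and `\item file::execute is disabled: not checked, not logged`. In `Example: Policy Definition I`, the rule `initialize_domain /sbin/ldconfig from any` is about an execve() of /sbin/ldconfig, so the bullet should read `\item Each execve() of /sbin/ldconfig is transferred to this Domain`. The ACL frame that opens at the end of this hunk continues in the next one.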
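Review bot: `acl_group 1 file read/getattr @ANY_PATHNAME`, combined with `use_group 1` in both `domain_policy.conf` boxes, allows read and getattr on every path, and the `Example: Domain Policy` frame has no bullet that says so. For a whitelist example that is a very wide grant; a line such as `\item Demo only: group 1 allows reading every file, narrow it for real policies` would keep readers from copying it unchanged. Both entries also use profile 4, which the earlier slide defines as permissive, so the listed rules are logged rather than enforced; that deserves a bullet of its own. The ldconfig box continues into the next hunk.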
@@ -184,23 +211,30 @@ file write /etc/ld.so.cache~ file chmod /etc/ld.so.cache~ 0644 file rename /etc/ld.so.cache~ /etc/ld.so.cache \end{verbatim} -\end{tiny} +\end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- -\subsubsection{Tools} +\subsubsection{Summary} % ---------------------------- \begin{frame}[fragile] -\frametitle{Tools} +\frametitle{Summary} \begin{itemize} -\item tomoyo-editpolicy -\item tomoyo-selectpolicy -\item tomoyo-patternize -\item tomoyo-diffpolicy -\item tomoyo-sortpolicy -\item tomoyo-loadpolicy +\item Rule-set + \begin{itemize} + \item System-wide + \item Static + \item Build-in or load after Kernel-Init + \item Valid for all users, including root + \end{itemize} +\item Whitelist + \begin{itemize} + \item Rules describe all allowed access' + \item All other access' can be tracked + \item Override other Security mechanisms + \end{itemize} \end{itemize} \end{frame} |
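Review bot: `\item Override other Security mechanisms` in the new Summary frame is misleading. On Linux, an LSM such as TOMOYO is consulted in addition to the normal permission (DAC) checks and can only restrict further; it does not grant access that those checks deny. I would replace it with `\item Applied in addition to DAC, can only restrict further`. `\item All other access' can be tracked` should say what happens per mode, e.g. `\item All other accesses are denied (enforcing) or logged (permissive)`. Spelling in the same frame: `Built-in` instead of `Build-in`, and `accesses` instead of `access'`.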
