authorHolger Dengler <dengler@linutronix.de>2018-02-04 16:41:27 +0100
committerJohn Ogness <john.ogness@linutronix.de>2018-02-08 14:24:02 +0100
commite0a9b373261726395e470ed596959eecb8f65ab8 (patch)
treeba317848cc939232f134079eb9fbfe92e7439277 /security
parent9bed124cf0ef32cd76b923288d63416cd9241b07 (diff)
security: rework Mandatory Access Control
- Rework generic information - Add information about SMACK and AppArmor - Add References - Add examples Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
-rw-r--r--security/advanced/frm_mac.tex332
1 files changed, 221 insertions, 111 deletions
diff --git a/security/advanced/frm_mac.tex b/security/advanced/frm_mac.tex
index 991470f..30c2a07 100644
--- a/security/advanced/frm_mac.tex
+++ b/security/advanced/frm_mac.tex
@@ -1,5 +1,5 @@
% ----------------------------
-\subsubsection{Linux Security Modules}
+\subsubsection{Linux Security Modules Overview}
% ----------------------------
\begin{frame}[fragile]
@@ -10,24 +10,43 @@
\begin{itemize}
\item Categories: Subjects and Objects
\item System-wide, static Rule-set
- \item Context sensitive Resource Access
+ \item Context/Domain sensitive Resource Access
\end{itemize}
\item Implementation
\begin{itemize}
- \item SE-Linux
- \item AppArmor
- \item SMACK
- \item Tomoyo
+ \item Tag/Label-based
+ \begin{itemize}
+ \item SE-Linux
+ \item SMACK
+ \end{itemize}
+ \item Path-based
+ \begin{itemize}
+ \item AppArmor
+ \item Tomoyo
+ \end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
-\subsubsection{Terms}
+\subsubsection{Concepts and Terms}
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Mandatory Access Control: Terms}
+\frametitle{Access Control: Terms}
+\begin{itemize}
+\item Subject: Process, Actor
+\item Object: File, Directory, Device Node
+\item Identity: User, Group or Role
+\item Context/Domain: Subject Attribution
+\item Action: Access of a Subject to an Object
+\item Rule: Relation between Subject, Object and Action
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Access Control: Terms}
\begin{figure}[h]
\centering
\includegraphics[width=8cm]{images/mac_terms.png}
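Review bot: The new Tag/Label-based vs Path-based split (the `\item Tag/Label-based` and `\item Path-based` bullets) is introduced without the consequence that matters to a policy author: a path-based LSM identifies an object by the name used to reach it, so the same inode reached through a hard link, bind mount or rename can fall under a different rule, whereas a label stored in an xattr stays with the inode. A sub-bullet under each would make the slide actionable, e.g. `\item Object identity: pathname (hard links, bind mounts, renames matter)` under Path-based and `\item Object identity: label on the inode (xattr)` under Label-based. The `Access Control: Terms` list also names only `File, Directory, Device Node` as objects; sockets at least are mediated by all four modules, so consider `\item Object: File, Directory, Device Node, Socket, \dots`.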
@@ -36,24 +55,45 @@
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Tomoyo: Domain}
+\frametitle{DAC vs. MAC}
\begin{itemize}
-\item Domain transition for each starting Process
-\item Default: Inherit previous Domain
-\item Note: Domains are unique
+\item DAC: Discretionary Access Control
+ \begin{itemize}
+ \item in terms of: User defined, optional
+ \item Access Right based on Identity of Subject
+ \item Relation between Subject, Object and Action
+ \item Access Right Inheritance (Subject to Subject)
+ \end{itemize}
+\item MAC: Mandatory Access Control
+ \begin{itemize}
+ \item in terms of: System-wide, forcing
+ \item Access Right defined for Context
+ \item System-wide, Rule-based Access Control
+ \item Managed Context Switch
+ \end{itemize}
\end{itemize}
-\begin{beamerboxesrounded}[shadow=true]{Example: Start via System Init}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Simple MAC Rule Examples}
+\begin{beamerboxesrounded}[shadow=true]{SMACK}
\begin{scriptsize}
\begin{verbatim}
-<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
+# subjectlabel objectlabel mode
+Secret Secret rwx
+Secret Public rx
+Public Secret -
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
-\begin{beamerboxesrounded}[shadow=true]{Example: Start via Login-Shell}
+\begin{beamerboxesrounded}[shadow=true]{Tomoyo}
\begin{scriptsize}
\begin{verbatim}
-<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
- /bin/bin/bash /usr/local/bin/myappl
+# rule: Access granted
+# no rule: Access denied
+# <action> <object>
+file write /var/log/mylog
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
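Review bot: The SMACK example's first rule, `Secret Secret rwx`, shows a rule the kernel never consults: per the Smack documentation a subject is always granted access to an object carrying its own label, so the explicit rule is redundant and may leave the audience thinking same-label access must be granted by policy. Replace it with a comment stating the implicit rule, e.g. `# same label: access always permitted (no rule needed)`, and keep `Secret Public rx` / `Public Secret -` as the cross-label cases. The Tomoyo box's `# no rule: Access denied` holds only for a domain whose profile is in enforcing mode; in learning or permissive mode the access is logged and allowed, so qualify it as `# no rule: Access denied (enforcing mode)`.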
@@ -61,94 +101,189 @@
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Tomoyo: Domain Transition Management}
-\begin{itemize}
-\item Control Domain Transition Behavior
-\item Syntax: \\
+\frametitle{Simple MAC Access Rule Examples}
+\begin{beamerboxesrounded}[shadow=true]{SELinux}
+\begin{scriptsize}
\begin{verbatim}
-<directive> <domain> from <domain>
+# <domain> <type>:<class> { <permissions> };
+allow auditd_t auditd_log_t:file { write };
\end{verbatim}
-\item Directives:
+\end{scriptsize}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{AppArmor}
+\begin{scriptsize}
+\begin{verbatim}
+# single files
+ /etc/passwd r,
+ deny /etc/nsswitch.conf r,
+# for different users
+ @{HOME}/ r,
+ owner @{HOME}/** rw,
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Subject Context/Domain}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{How do a Subject/Process get its Context/Domain?}
\begin{itemize}
-\item initialize\_domain / no\_initialize\_domain
-\item keep\_domain / no\_keep\_domain
-\end{itemize}
+\item SELinux
+ \begin{itemize}
+ \item Default: Context Inheritance
+ \item Rules for Context Switch
+ \item Domain: based on Context and executing User
+ \item based on Extended File Attributes
+ \end{itemize}
+\item SMACK
+ \begin{itemize}
+ \item Default: Context Inheritance
+ \item Pre-defined Labels
+ \item Label child process (systemd)
+ \end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Tomoyo: Profile}
+\frametitle{How do a Subject/Process get its Context/Domain?}
\begin{itemize}
-\item Profiles define Domain restriction behavior
-\item Profile Relation to Domain: n..m
-\item Up to 255 Profiles
-\item Profile Modes:
+\item Tomoyo
\begin{itemize}
- \item disabled
- \item learning
- \item permissive
- \item enforcing
+ \item Default: new Context on each fork()/exec()
+ \item Based on File Path
+ \item Domain Transition Policy
+ \end{itemize}
+\item AppArmor
+ \begin{itemize}
+ \item Default: Defined by Path (of Executable)
\end{itemize}
-\item Logging
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Tomoyo: Policy}
+\frametitle{Tomoyo: Default Domain Policy}
\begin{itemize}
-\item Policies describe Domain restrictions
-\item Policy for each Domain
-\item Directives:
+\item Domain transition for each starting Process
+\item Default: Inherit previous Domain
+\item Note: Domains are unique
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example: Start via System Init}
+\begin{scriptsize}
+\begin{verbatim}
+<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{Example: Start via Login-Shell}
+\begin{scriptsize}
+\begin{verbatim}
+<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
+ /bin/bin/bash /usr/local/bin/myappl
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tomoyo: Domain Transition Policy}
\begin{itemize}
-\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
-\item misc env
-\item network inet (stream, dgram, raw)
-\item network unix (stream, dgram, seqpacket)
+\item Describe the Domain Transition
\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example: Keep Domain, ignore Call Chain }
+\begin{scriptsize}
+\begin{verbatim}
+initialize_domain <kernel> /sbin/init from any
+keep_domain any from <kernel> /sbin/init
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Conclusion: Context/Domain transition}
+\begin{itemize}
+\item Not at the discretion of the process
+\item Controlled by MAC
\end{itemize}
\end{frame}
% ----------------------------
-\subsubsection{Tomoyo Example}
+\subsubsection{Object Typing}
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Example: Profile Definition}
+\frametitle{How do an Object/File get its Type?}
\begin{itemize}
-\item new Profile \#4
-\item Permissive Mode (rule violations will be logged)
-\item Scope: all file operations, except file::execute
+\item AppArmor/Tomoyo
+ \begin{itemize}
+ \item Defined by File Path (wildcards allowed)
+ \end{itemize}
+\item SELinux/SMACK
+ \begin{itemize}
+ \item Defined by Extended File Attribute
+ \end{itemize}
\end{itemize}
-\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{beamerboxesrounded}[shadow=true]{File Labeling for SMACK}
\begin{scriptsize}
\begin{verbatim}
-PROFILE_VERSION=20110903
-[...]
-4-COMMENT=-----Permissive Mode File-only -----
-4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
-4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
-4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no }
-[...]
+# <cmd> <action> <attr-name> <attr-value> <file>
+/usr/bin/attr -S -s SMACK64 -V '*' /dev/null
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
\begin{frame}[fragile]
-\frametitle{Example: Policy Definition I}
+\frametitle{Summary}
\begin{itemize}
-\item Define new Domain \emph{/sbin/ldconfig}
-\item Each execve() from /sbin/ldconfig will be transfered to this Domain
-\item All follow-on processes will stay in this Domain
+\item Rule-set
+ \begin{itemize}
+ \item System-wide
+ \item Static
+ \item Build-in or load after Kernel-Init
+ \item Valid for all users, including root
+ \end{itemize}
+\item Whitelist
+ \begin{itemize}
+ \item Rules describe all allowed access'
+ \item All other access' can be tracked
+ \item Override other Security mechanisms
+ \end{itemize}
\end{itemize}
-\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf: Domain Transition}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Examples}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example I}
+\begin{itemize}
+\item Ruleset for a simple Application
+\item Context: File Path of the Application
+\item Objects: two Files in the Homedirectory and the /tmp Directory
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example: AppArmor, /etc/apparmor.d/}
\begin{scriptsize}
\begin{verbatim}
-initialize_domain /sbin/ldconfig from any
-keep_domain any from /sbin/ldconfig
+/usr/local/bin/myappl {
+ #include <abstractions/base>
+
+ /usr/local/bin/myappl r,
+ @{HOME}/.myappl.log rw,
+ /tmp/myappl.backup rw,
+}
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
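Review bot: The Tomoyo transition example `initialize_domain <kernel> /sbin/init from any` does not look like valid exception_policy syntax: the first operand of `initialize_domain` is a program pathname, and it is `keep_domain` whose operand after `from` takes a domain name — compare the well-formed pair `initialize_domain /sbin/ldconfig from any` / `keep_domain any from /sbin/ldconfig` used in the next hunk. As written the line would presumably be rejected on load, so either drop it (the slide's own chain already shows init starting the `<kernel> /sbin/init` domain) or write `initialize_domain /sbin/init from any`. Two content points on the neighbouring slides: Tomoyo's default domain change happens on execve() only, a fork()ed child stays in its parent's domain, so `Default: new Context on each fork()/exec()` should read `Default: new Domain on each execve()`; and the Summary's `Override other Security mechanisms` overstates MAC, since LSM hooks run after the DAC check and can only add restrictions, never grant what DAC denied — e.g. `\item Restricts in addition to DAC (cannot grant what DAC denies)`. The path `/bin/bin/bash` in the login-shell chain looks like a typo for `/bin/bash`.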
@@ -156,56 +291,38 @@ keep_domain any from /sbin/ldconfig
% ----------------------------
\begin{frame}[fragile]
-\frametitle{Example: Policy Definition II}
+\frametitle{Example II}
\begin{itemize}
-\item New ACL Group \#1
-\item All Files and Directories
-\item Read and getattr is allowed
+\item Ruleset for an update of the shared library cache
+\item Subject: ldconfig
+\item Object: /etc/ld.so.cache
\end{itemize}
-\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf: ACL Definition}
+\begin{beamerboxesrounded}[shadow=true]{Profile (profile.conf)}
\begin{scriptsize}
\begin{verbatim}
-path_group ANY_PATHNAME /
-path_group ANY_PATHNAME /\*
-path_group ANY_PATHNAME /\{\*\}/
-path_group ANY_PATHNAME /\{\*\}/\*
-path_group ANY_PATHNAME \*:/
-path_group ANY_PATHNAME \*:/\*
-path_group ANY_PATHNAME \*:/\{\*\}/
-path_group ANY_PATHNAME \*:/\{\*\}/\*
-path_group ANY_PATHNAME \*:[\$]
-path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
-path_group ANY_DIRECTORY /
-path_group ANY_DIRECTORY /\{\*\}/
-path_group ANY_DIRECTORY \*:/
-path_group ANY_DIRECTORY \*:/\{\*\}/
-
-acl_group 1 file read/getattr @ANY_DIRECTORY
-acl_group 1 file read/getattr @ANY_PATHNAME
+4-COMMENT=-----Permissive Mode -----
+4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+4-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
-\end{frame}
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{Example: Domain Policy}
-\begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf: All Domains}
+\begin{beamerboxesrounded}[shadow=true]{Domain transition (exception\_policy.conf)}
\begin{scriptsize}
\begin{verbatim}
-<kernel>
-use_profile 4
-use_group 1
+initialize_domain /sbin/ldconfig from any
+keep_domain any from /sbin/ldconfig
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
-\begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf: Exceptions for ldconfig}
+\begin{beamerboxesrounded}[shadow=true]{Rules (domain\_policy.conf)}
\begin{scriptsize}
\begin{verbatim}
<kernel> /sbin/ldconfig
use_profile 4
use_group 1
+
file create /etc/ld.so.cache~ 0600
file write /etc/ld.so.cache~
file chmod /etc/ld.so.cache~ 0644
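Review bot: The profile box contradicts itself: `4-COMMENT=-----Permissive Mode -----` announces permissive mode while the line below sets `4-CONFIG={ mode=enforcing grant_log=no reject_log=yes }`; since the slide presents these as the rules that actually gate ldconfig's writes, the comment should read `4-COMMENT=-----Enforcing Mode -----` (or the mode should be permissive, in which case the rules only log violations). The domain policy still says `use_group 1`, but this hunk deletes the `path_group`/`acl_group 1` definitions that gave group 1 its meaning, so the reference is now dangling on the slides — either restore a minimal `acl_group 1 file read/getattr @ANY_PATHNAME` definition or drop the `use_group 1` line. The rule list for `<kernel> /sbin/ldconfig` continues past the end of this hunk.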
@@ -216,25 +333,18 @@ file rename /etc/ld.so.cache~ /etc/ld.so.cache
\end{frame}
% ----------------------------
-\subsubsection{Summary}
-
-% ----------------------------
+\subsubsection*{}
\begin{frame}[fragile]
-\frametitle{Summary}
+\frametitle{References}
\begin{itemize}
-\item Rule-set
- \begin{itemize}
- \item System-wide
- \item Static
- \item Build-in or load after Kernel-Init
- \item Valid for all users, including root
- \end{itemize}
-\item Whitelist
+\item Kernel Source Documentation:
\begin{itemize}
- \item Rules describe all allowed access'
- \item All other access' can be tracked
- \item Override other Security mechanisms
+ \item Documentation/admin-guide/LSM/Smack.rst
+ \item Documentation/admin-guide/LSM/SELinux.rst
+ \item Documentation/admin-guide/LSM/apparmor.rst
+ \item Documentation/admin-guide/LSM/tomoyo.rst
\end{itemize}
+\item \url{https://wiki.gentoo.org/wiki/SELinux/Tutorials}
+\item \url{http://tomoyo.osdn.jp/2.5/index.html.en}
\end{itemize}
\end{frame}
-