Diffstat (limited to 'security/advanced/frm_mac.tex')
| -rw-r--r-- | security/advanced/frm_mac.tex | 206 |
1 files changed, 206 insertions, 0 deletions
diff --git a/security/advanced/frm_mac.tex b/security/advanced/frm_mac.tex
new file mode 100644
index 0000000..31a3915
--- /dev/null
+++ b/security/advanced/frm_mac.tex
@@ -0,0 +1,206 @@
+% ----------------------------
+\subsubsection{Linux Security Modules}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Security Modules}
+\begin{itemize}
+\item Problem: Malware, Exploits
+\item Solution: Mandatory Access Control
+ \begin{itemize}
+ \item Categories: Subjects and Objects
+ \item systemwide, static rule set
+ \item Context sensitive Resource Access
+ \end{itemize}
+\item Implementation
+ \begin{itemize}
+ \item SE-Linux
+ \item AppArmor
+ \item SMACK
+ \item Tomoyo
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Terms}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/mac_terms.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{itemize}
+\item Domain transition for each starting Process
+\item Default: Inherit previous Domain
+\item Note: Domains are unique
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example:}
+\begin{small}
+\begin{verbatim}
+<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
+<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
+ /bin/bin/bash /usr/local/bin/myappl
+\end{verbatim}
+\end{small}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain Transition Management}
+\begin{itemize}
+\item Control Domain Transition Behavior
+\item Syntax: \\
+\begin{verbatim}
+<directive> <domain> from <domain>
+\end{verbatim}
+\item Directives:
+\begin{itemize}
+\item initialize\_domain / no\_initialize\_domain
+\item keep\_domain / no\_keep\_domain
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Profile}
+\begin{itemize}
+\item Profiles define Domain restriction behavior
+\item Profile Relation to Domain: n..m
+\item Up to 255 Profiles
+\item Profile Modes:
+ \begin{itemize}
+ \item disabled
+ \item learning
+ \item permissive
+ \item enforcing
+ \end{itemize}
+\item Logging
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Policy}
+\begin{itemize}
+\item Policies describe Domain restrictions
+\item Policy for each Domain
+\item Directives:
+\begin{itemize}
+\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
+\item misc env
+\item network inet (stream, dgram, raw)
+\item network unix (stream, dgram, seqpacket)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Examples}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example I}
+\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{tiny}
+\begin{verbatim}
+PROFILE_VERSION=20110903
+0-COMMENT=-----Disabled Mode-----
+0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
+1-COMMENT=-----Learning Mode-----
+1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+1-CONFIG={ mode=learning grant_log=no reject_log=yes }
+2-COMMENT=-----Permissive Mode-----
+2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
+3-COMMENT=-----Enforcing Mode-----
+3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
+4-COMMENT=-----Permissive Mode File-only -----
+4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
+4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no }
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example II}
+\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf:}
+\begin{tiny}
+\begin{verbatim}
+initialize_domain /sbin/ldconfig from any
+keep_domain any from /sbin/ldconfig
+
+path_group ANY_PATHNAME /
+path_group ANY_PATHNAME /\*
+path_group ANY_PATHNAME /\{\*\}/
+path_group ANY_PATHNAME /\{\*\}/\*
+path_group ANY_PATHNAME \*:/
+path_group ANY_PATHNAME \*:/\*
+path_group ANY_PATHNAME \*:/\{\*\}/
+path_group ANY_PATHNAME \*:/\{\*\}/\*
+path_group ANY_PATHNAME \*:[\$]
+path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
+path_group ANY_DIRECTORY /
+path_group ANY_DIRECTORY /\{\*\}/
+path_group ANY_DIRECTORY \*:/
+path_group ANY_DIRECTORY \*:/\{\*\}/
+
+acl_group 1 file read/getattr @ANY_DIRECTORY
+acl_group 1 file read/getattr @ANY_PATHNAME
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example III}
+\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{tiny}
+\begin{verbatim}
+<kernel>
+use_profile 4
+use_group 1
+
+<kernel> /sbin/ldconfig
+use_profile 4
+use_group 1
+file create /etc/ld.so.cache~ 0600
+file write /etc/ld.so.cache~
+file chmod /etc/ld.so.cache~ 0644
+file rename /etc/ld.so.cache~ /etc/ld.so.cache
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tools}
+\begin{itemize}
+\item tomoyo-editpolicy
+\item tomoyo-selectpolicy
+\item tomoyo-patternize
+\item tomoyo-diffpolicy
+\item tomoyo-sortpolicy
+\item tomoyo-loadpolicy
+\end{itemize}
+\end{frame}
+
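Review bot: The "Example III" box is labelled `profile.conf:` although its content (`use_profile`, `use_group`, `file create …`) is per-domain policy, not the profile definitions already shown under the same label in "Example I"; it appears to be TOMOYO's domain policy, so the box title should read `{domain\_policy.conf:}`. The second domain-transition example in the "Domain" frame contains `/bin/bin/bash`, which looks like a typo for `/bin/bash`. The examples also never say what they actually enforce: the domains in Example III select profile 4, which Example I configures as permissive for file access with `execute` checks disabled, and `acl_group 1` grants `read/getattr` on every pathname, so a learner could take the pair as a hardening configuration; a bullet such as `\item Note: profile 4 only logs file denials and does not check execute -- use profile 3 (enforcing) for a restrictive setup` would prevent that. Minor: the "Domain" figure uses `[h]` and an absolute `width=8cm`; `\includegraphics[width=0.8\linewidth]{images/mac_terms}` with the placement specifier dropped is the usual beamer form.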
