% ---------------------------- \subsubsection{Linux Security Modules} % ---------------------------- \begin{frame}[fragile] \frametitle{Linux Security Modules} \begin{itemize} \item Problem: Malware, Exploits \item Solution: Mandatory Access Control \begin{itemize} \item Categories: Subjects and Objects \item System-wide, static Rule-set \item Context-sensitive Resource Access \end{itemize} \item Implementation \begin{itemize} \item SE-Linux \item AppArmor \item SMACK \item Tomoyo \end{itemize} \end{itemize} \end{frame} % ---------------------------- \subsubsection{Terms} % ---------------------------- \begin{frame}[fragile] \frametitle{Mandatory Access Control: Terms} \begin{figure}[h] \centering \includegraphics[width=8cm]{images/mac_terms.png} \end{figure} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Tomoyo: Domain} \begin{itemize} \item Domain transition for each starting Process \item Default: Inherit previous Domain \item Note: Domains are unique \end{itemize} \begin{beamerboxesrounded}[shadow=true]{Example: Start via System Init} \begin{scriptsize} \begin{verbatim} /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \begin{beamerboxesrounded}[shadow=true]{Example: Start via Login-Shell} \begin{scriptsize} \begin{verbatim} /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \ /bin/bin/bash /usr/local/bin/myappl \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Tomoyo: Domain Transition Management} \begin{itemize} \item Control Domain Transition Behavior \item Syntax: \begin{verbatim} <domain> from <domain> \end{verbatim} \item Directives: \begin{itemize} \item initialize\_domain / no\_initialize\_domain \item keep\_domain / no\_keep\_domain \end{itemize} \end{itemize} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Tomoyo: Profile} \begin{itemize} \item Profiles define Domain 
restriction behavior \item Profile Relation to Domain: n..m \item Up to 255 Profiles \item Profile Modes: \begin{itemize} \item disabled \item learning \item permissive \item enforcing \end{itemize} \item Logging \end{itemize} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Tomoyo: Policy} \begin{itemize} \item Policies describe Domain restrictions \item Policy for each Domain \item Directives: \begin{itemize} \item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots) \item misc env \item network inet (stream, dgram, raw) \item network unix (stream, dgram, seqpacket) \end{itemize} \end{itemize} \end{frame} % ---------------------------- \subsubsection{Tomoyo Example} % ---------------------------- \begin{frame}[fragile] \frametitle{Example: Profile Definition} \begin{itemize} \item new Profile \#4 \item Permissive Mode (rule violations will be logged) \item Scope: all file operations, except file::execute \end{itemize} \begin{beamerboxesrounded}[shadow=true]{profile.conf:} \begin{scriptsize} \begin{verbatim} PROFILE_VERSION=20110903 [...] 4-COMMENT=-----Permissive Mode File-only ----- 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } 4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes } 4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no } [...] 
\end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Example: Policy Definition I} \begin{itemize} \item Define new Domain \emph{/sbin/ldconfig} \item Each execve() of /sbin/ldconfig, from any Domain, transitions to this Domain \item All follow-on processes will stay in this Domain \end{itemize} \begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf: Domain Transition} \begin{scriptsize} \begin{verbatim} initialize_domain /sbin/ldconfig from any keep_domain any from /sbin/ldconfig \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Example: Policy Definition II} \begin{itemize} \item New ACL Group \#1 \item All Files and Directories \item Read and getattr are allowed \end{itemize} \begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf: ACL Definition} \begin{scriptsize} \begin{verbatim} path_group ANY_PATHNAME / path_group ANY_PATHNAME /\* path_group ANY_PATHNAME /\{\*\}/ path_group ANY_PATHNAME /\{\*\}/\* path_group ANY_PATHNAME \*:/ path_group ANY_PATHNAME \*:/\* path_group ANY_PATHNAME \*:/\{\*\}/ path_group ANY_PATHNAME \*:/\{\*\}/\* path_group ANY_PATHNAME \*:[\$] path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$] path_group ANY_DIRECTORY / path_group ANY_DIRECTORY /\{\*\}/ path_group ANY_DIRECTORY \*:/ path_group ANY_DIRECTORY \*:/\{\*\}/ acl_group 1 file read/getattr @ANY_DIRECTORY acl_group 1 file read/getattr @ANY_PATHNAME \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{Example: Domain Policy} \begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf: All Domains} \begin{scriptsize} \begin{verbatim} use_profile 4 use_group 1 \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf: Exceptions for ldconfig} \begin{scriptsize} 
\begin{verbatim} /sbin/ldconfig use_profile 4 use_group 1 file create /etc/ld.so.cache~ 0600 file write /etc/ld.so.cache~ file chmod /etc/ld.so.cache~ 0644 file rename /etc/ld.so.cache~ /etc/ld.so.cache \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \subsubsection{Summary} % ---------------------------- \begin{frame}[fragile] \frametitle{Summary} \begin{itemize} \item Rule-set \begin{itemize} \item System-wide \item Static \item Built-in or loaded after Kernel-Init \item Valid for all users, including root \end{itemize} \item Whitelist \begin{itemize} \item Rules describe all allowed accesses \item All other accesses can be tracked \item Override other Security mechanisms \end{itemize} \end{itemize} \end{frame}