% ----------------------------
\subsubsection{Linux Security Modules Overview}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Linux Security Modules}
  \begin{itemize}
    \item Problem: Malware, Exploits
    \item Solution: Mandatory Access Control
    \begin{itemize}
      \item Categories: Subjects and Objects
      \item System-wide, static Rule-set
      \item Context/Domain sensitive Resource Access
    \end{itemize}
    \item Implementation
    \begin{itemize}
      \item Tag/Label-based
      \begin{itemize}
        \item SELinux
        \item SMACK
      \end{itemize}
      \item Path-based
      \begin{itemize}
        \item AppArmor
        \item Tomoyo
      \end{itemize}
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Concepts and Terms}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Access Control: Terms}
  \begin{itemize}
    \item Subject: Process, Actor
    \item Object: File, Directory, Device Node
    \item Identity: User, Group or Role
    \item Context/Domain: Subject Attribution
    \item Action: Access of a Subject to an Object
    \item Rule: Relation between Subject, Object and Action
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Access Control: Terms}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/mac_terms.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{DAC vs.
MAC}
  \begin{itemize}
    \item DAC: Discretionary Access Control
    \begin{itemize}
      \item in terms of: User defined, optional
      \item Access Right based on Identity of Subject
      \item Relation between Subject, Object and Action
      \item Access Right Inheritance (Subject to Subject)
    \end{itemize}
    \item MAC: Mandatory Access Control
    \begin{itemize}
      \item in terms of: System-wide, forcing
      \item Access Right defined for Context
      \item System-wide, Rule-based Access Control
      \item Managed Context Switch
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Simple MAC Rule Examples}
  \begin{beamerboxesrounded}[shadow=true]{SMACK}
    \begin{scriptsize}
\begin{verbatim}
# subjectlabel objectlabel mode
Secret Secret rwx
Secret Public rx
Public Secret -
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{Tomoyo}
    \begin{scriptsize}
\begin{verbatim}
# rule: Access granted
# no rule: Access denied
# file write /var/log/mylog
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Simple MAC Access Rule Examples}
  \begin{beamerboxesrounded}[shadow=true]{SELinux}
    \begin{scriptsize}
\begin{verbatim}
# <subject> <object>:<class> { <permission> };
allow auditd_t auditd_log_t:file { write };
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{AppArmor}
    \begin{scriptsize}
\begin{verbatim}
# single files
/etc/passwd r,
deny /etc/nsswitch.conf r,
# for different users
@{HOME}/ r,
owner @{HOME}/** rw,
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Subject Context/Domain}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{How does a Subject/Process get its Context/Domain?}
  \begin{itemize}
    \item SELinux
    \begin{itemize}
      \item Default: Context Inheritance
      \item Rules for Context Switch
      \item Domain: based on Context and executing User
      \item based on
Extended File Attributes
    \end{itemize}
    \item SMACK
    \begin{itemize}
      \item Default: Context Inheritance
      \item Pre-defined Labels
      \item Label child process (systemd)
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{How does a Subject/Process get its Context/Domain?}
  \begin{itemize}
    \item Tomoyo
    \begin{itemize}
      \item Default: new Context on each fork()/exec()
      \item Based on File Path
      \item Domain Transition Policy
    \end{itemize}
    \item AppArmor
    \begin{itemize}
      \item Default: Defined by Path (of Executable)
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Tomoyo: Default Domain Policy}
  \begin{itemize}
    \item Domain transition for each starting Process
    \item Default: Inherit previous Domain
    \item Note: Domains are unique
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Example: Start via System Init}
    \begin{scriptsize}
\begin{verbatim}
/sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{Example: Start via Login-Shell}
    \begin{scriptsize}
\begin{verbatim}
/sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
  /bin/bash /usr/local/bin/myappl
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Tomoyo: Domain Transition Policy}
  \begin{itemize}
    \item Describe the Domain Transition
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Example: Keep Domain, ignore Call Chain}
    \begin{scriptsize}
\begin{verbatim}
initialize_domain /sbin/init from any
keep_domain any from /sbin/init
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Conclusion: Context/Domain transition}
  \begin{itemize}
    \item Not at the discretion of the process
    \item Controlled by MAC
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Object Typing}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{How does an Object/File get its Type?}
  \begin{itemize}
    \item AppArmor/Tomoyo
    \begin{itemize}
      \item Defined by File Path (wildcards allowed)
    \end{itemize}
    \item SELinux/SMACK
    \begin{itemize}
      \item Defined by Extended File Attribute
    \end{itemize}
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{File Labeling for SMACK}
    \begin{scriptsize}
\begin{verbatim}
# /usr/bin/attr -S -s SMACK64 -V '*' /dev/null
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Summary}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Summary}
  \begin{itemize}
    \item Rule-set
    \begin{itemize}
      \item System-wide
      \item Static
      \item Built-in or loaded after Kernel-Init
      \item Valid for all users, including root
    \end{itemize}
    \item Whitelist
    \begin{itemize}
      \item Rules describe all allowed accesses
      \item All other accesses can be tracked
      \item Override other Security mechanisms
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Examples}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Example I}
  \begin{itemize}
    \item Ruleset for a simple Application
    \item Context: File Path of the Application
    \item Objects: two Files in the Home directory and the /tmp Directory
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Example: AppArmor, /etc/apparmor.d/}
    \begin{scriptsize}
\begin{verbatim}
/usr/local/bin/myappl {
  #include <abstractions/base>
  /usr/local/bin/myappl r,
  @{HOME}/.myappl.log rw,
  /tmp/myappl.backup rw,
}
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Example II}
  \begin{itemize}
    \item Ruleset for an update of the shared library cache
    \item Subject: ldconfig
    \item Object: /etc/ld.so.cache
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Profile (profile.conf)}
    \begin{scriptsize}
\begin{verbatim}
4-COMMENT=-----Permissive Mode -----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
\end{verbatim}
% NOTE: the free-text COMMENT above says "Permissive Mode" while CONFIG sets
% mode=enforcing; the CONFIG line is the setting that is applied.
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{Domain transition (exception\_policy.conf)}
    \begin{scriptsize}
\begin{verbatim}
initialize_domain /sbin/ldconfig from any
keep_domain any from /sbin/ldconfig
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{Rules (domain\_policy.conf)}
    \begin{scriptsize}
\begin{verbatim}
/sbin/ldconfig
use_profile 4
use_group 1
file create /etc/ld.so.cache~ 0600
file write /etc/ld.so.cache~
file chmod /etc/ld.so.cache~ 0644
file rename /etc/ld.so.cache~ /etc/ld.so.cache
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection*{}
\begin{frame}[fragile]
  \frametitle{References}
  \begin{itemize}
    \item Kernel Source Documentation:
    \begin{itemize}
      \item Documentation/admin-guide/LSM/Smack.rst
      \item Documentation/admin-guide/LSM/SELinux.rst
      \item Documentation/admin-guide/LSM/apparmor.rst
      \item Documentation/admin-guide/LSM/tomoyo.rst
    \end{itemize}
    \item \url{https://wiki.gentoo.org/wiki/SELinux/Tutorials}
    \item \url{http://tomoyo.osdn.jp/2.5/index.html.en}
  \end{itemize}
\end{frame}