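% Slides: Linux Security Modules, illustrated with TOMOYO Linux
% (terms, domain transitions, profiles, policies, example configuration, tools).
%
% Source hygiene: every frame is [fragile], so \end{frame} has to stand alone
% on its own line, and verbatim bodies need their original line breaks.

% ----------------------------
\subsubsection{Linux Security Modules}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Linux Security Modules}
  \begin{itemize}
    \item Problem: Malware, Exploits
    \item Solution: Mandatory Access Control
      \begin{itemize}
        \item Categories: Subjects and Objects
        \item systemwide, static rule set
        \item Context sensitive Resource Access
      \end{itemize}
    \item Implementation
      \begin{itemize}
        \item SELinux
        \item AppArmor
        \item SMACK
        \item TOMOYO
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Terms}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Domain}
  % beamer does not float figures, so no placement specifier is given.
  \begin{figure}
    \centering
    \includegraphics[width=8cm]{images/mac_terms.png}
  \end{figure}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
  \frametitle{Domain}
  \begin{itemize}
    \item Domain transition for each starting Process
    \item Default: Inherit previous Domain
    \item Note: Domains are unique
  \end{itemize}
  % NOTE(review): the leading "<kernel>" of both domain names was missing from
  % this listing (it looks as if it was stripped as markup). TOMOYO domain names
  % are the execution history starting at <kernel>, so it is restored here.
  % The two lines show the same program ending up in two different domains.
  \begin{beamerboxesrounded}[shadow=true]{Example:}
    \begin{small}
\begin{verbatim}
<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
    /bin/bin/bash /usr/local/bin/myappl
\end{verbatim}
    \end{small}
  \end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
  \frametitle{Domain Transition Management}
  \begin{itemize}
    \item Control Domain Transition Behavior
    % NOTE(review): only the word "from" survived in this listing; the
    % placeholders are reconstructed from the exception_policy.conf example
    % later in this section ("initialize_domain /sbin/ldconfig from any").
    \item Syntax:
\begin{verbatim}
<directive> <program> from <domain>
\end{verbatim}
    \item Directives:
      \begin{itemize}
        \item initialize\_domain / no\_initialize\_domain
        \item keep\_domain / no\_keep\_domain
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
  \frametitle{Profile}
  \begin{itemize}
    \item Profiles define Domain restriction behavior
    \item Profile Relation to Domain: n..m
    \item Up to 255 Profiles
    \item Profile Modes:
      % Only "enforcing" denies a request; the other three modes never block.
      \begin{itemize}
        \item disabled (no checks)
        \item learning (violations allowed and added to the policy)
        \item permissive (violations allowed, policy unchanged)
        \item enforcing (violations denied)
      \end{itemize}
    \item Logging (grant\_log / reject\_log per profile)
  \end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
  \frametitle{Policy}
  \begin{itemize}
    \item Policies describe Domain restrictions
    \item Policy for each Domain
    \item Directives:
      \begin{itemize}
        \item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
        \item misc env
        \item network inet (stream, dgram, raw)
        \item network unix (stream, dgram, seqpacket)
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Examples}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Example I}
  % Profiles 0-3 map one-to-one onto the four modes. Profile 4 is an
  % observation profile: file checks are permissive (logged via reject_log=yes,
  % never denied) and file::execute is switched off without any reject log.
  % A domain assigned to profile 4 is therefore not confined.
  \begin{beamerboxesrounded}[shadow=true]{profile.conf:}
    \begin{tiny}
\begin{verbatim}
PROFILE_VERSION=20110903
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Permissive Mode File-only -----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no }
\end{verbatim}
    \end{tiny}
  \end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
  \frametitle{Example II}
  % The backslash sequences (\*, \$, \{\*\}) are TOMOYO wildcard syntax and are
  % printed literally by verbatim; they are not LaTeX escapes.
  % acl_group 1 grants read/getattr on every pathname and directory to each
  % domain that says "use_group 1". That is convenient while observing, but it
  % is a blanket read permission and should be narrowed before enforcing.
  \begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf:}
    \begin{tiny}
\begin{verbatim}
initialize_domain /sbin/ldconfig from any
keep_domain any from /sbin/ldconfig
path_group ANY_PATHNAME /
path_group ANY_PATHNAME /\*
path_group ANY_PATHNAME /\{\*\}/
path_group ANY_PATHNAME /\{\*\}/\*
path_group ANY_PATHNAME \*:/
path_group ANY_PATHNAME \*:/\*
path_group ANY_PATHNAME \*:/\{\*\}/
path_group ANY_PATHNAME \*:/\{\*\}/\*
path_group ANY_PATHNAME \*:[\$]
path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
path_group ANY_DIRECTORY /
path_group ANY_DIRECTORY /\{\*\}/
path_group ANY_DIRECTORY \*:/
path_group ANY_DIRECTORY \*:/\{\*\}/
acl_group 1 file read/getattr @ANY_DIRECTORY
acl_group 1 file read/getattr @ANY_PATHNAME
\end{verbatim}
    \end{tiny}
  \end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
  \frametitle{Example III}
  % NOTE(review): this box was titled "profile.conf:", but use_profile,
  % use_group and the per-domain "file ..." rules are domain policy entries
  % (profile.conf is the file shown in Example I), so the title is corrected.
  % The "<kernel>" domain headers were missing from the listing (apparently
  % stripped as markup) and are restored.
  % Both domains use profile 4 from Example I, so the four file rules below are
  % recorded but not enforced until the domain is moved to profile 3.
  \begin{beamerboxesrounded}[shadow=true]{domain\_policy.conf:}
    \begin{tiny}
\begin{verbatim}
<kernel>
use_profile 4
use_group 1

<kernel> /sbin/ldconfig
use_profile 4
use_group 1

file create /etc/ld.so.cache~ 0600
file write /etc/ld.so.cache~
file chmod /etc/ld.so.cache~ 0644
file rename /etc/ld.so.cache~ /etc/ld.so.cache
\end{verbatim}
    \end{tiny}
  \end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Tools}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Tools}
  \begin{itemize}
    \item tomoyo-editpolicy
    \item tomoyo-selectpolicy
    \item tomoyo-patternize
    \item tomoyo-diffpolicy
    \item tomoyo-sortpolicy
    \item tomoyo-loadpolicy
  \end{itemize}
\end{frame}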