% ----------------------------
\subsubsection{Linux Security Modules Overview}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Linux Security Modules}
\begin{itemize}
\item Problem: Malware, Exploits
\item Solution: Mandatory Access Control
\begin{itemize}
\item Categories: Subjects and Objects
\item System-wide, static Rule-set
\item Context/Domain sensitive Resource Access
\end{itemize}
\item Implementation
\begin{itemize}
\item Tag/Label-based
\begin{itemize}
\item SELinux
\item SMACK
\end{itemize}
\item Path-based
\begin{itemize}
\item AppArmor
\item Tomoyo
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Concepts and Terms}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Access Control: Terms}
\begin{itemize}
\item Subject: Process, Actor
\item Object: File, Directory, Device Node
\item Identity: User, Group or Role
\item Context/Domain: Subject Attribution
\item Action: Access of a Subject to an Object
\item Rule: Relation between Subject, Object and Action
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Access Control: Terms}
\begin{figure}[h]
\centering
\includegraphics[width=8cm]{images/mac_terms.png}
\end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{DAC vs. MAC}
\begin{itemize}
\item DAC: Discretionary Access Control
\begin{itemize}
\item Characteristics: User-defined, optional
\item Access Right based on Identity of Subject
\item Relation between Subject, Object and Action
\item Access Right Inheritance (Subject to Subject)
\end{itemize}
\item MAC: Mandatory Access Control
\begin{itemize}
\item Characteristics: System-wide, enforced
\item Access Right defined for Context
\item System-wide, Rule-based Access Control
\item Managed Context Switch
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Simple MAC Rule Examples}
\begin{beamerboxesrounded}[shadow=true]{SMACK}
\begin{scriptsize}
\begin{verbatim}
# subjectlabel objectlabel mode
Secret Secret rwx
Secret Public rx
Public Secret -
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Tomoyo}
\begin{scriptsize}
\begin{verbatim}
# rule: Access granted
# no rule: Access denied
# <action> <object>
file write /var/log/mylog
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Simple MAC Access Rule Examples}
\begin{beamerboxesrounded}[shadow=true]{SELinux}
\begin{scriptsize}
\begin{verbatim}
# <domain> <type>:<class> { <permissions> };
allow auditd_t auditd_log_t:file { write };
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{AppArmor}
\begin{scriptsize}
\begin{verbatim}
# single files
/etc/passwd r,
deny /etc/nsswitch.conf r,
# for different users
@{HOME}/ r,
owner @{HOME}/** rw,
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Subject Context/Domain}
% ----------------------------
\begin{frame}[fragile]
\frametitle{How does a Subject/Process get its Context/Domain?}
\begin{itemize}
\item SELinux
\begin{itemize}
\item Default: Context Inheritance
\item Rules for Context Switch
\item Domain: based on Context and executing User
\item based on Extended File Attributes
\end{itemize}
\item SMACK
\begin{itemize}
\item Default: Context Inheritance
\item Pre-defined Labels
\item Label child process (systemd)
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{How does a Subject/Process get its Context/Domain?}
\begin{itemize}
\item Tomoyo
\begin{itemize}
\item Default: new Context on each fork()/exec()
\item Based on File Path
\item Domain Transition Policy
\end{itemize}
\item AppArmor
\begin{itemize}
\item Default: Defined by Path (of Executable)
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Tomoyo: Default Domain Policy}
\begin{itemize}
\item Domain transition for each starting Process
\item Default: Inherit previous Domain
\item Note: Domains are unique
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Example: Start via System Init}
\begin{scriptsize}
\begin{verbatim}
<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Example: Start via Login-Shell}
\begin{scriptsize}
\begin{verbatim}
<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
/bin/bash /usr/local/bin/myappl
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Tomoyo: Domain Transition Policy}
\begin{itemize}
\item Describe the Domain Transition
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Example: Keep Domain, ignore Call Chain}
\begin{scriptsize}
\begin{verbatim}
initialize_domain <kernel> /sbin/init from any
keep_domain any from <kernel> /sbin/init
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Conclusion: Context/Domain transition}
\begin{itemize}
\item Not at the discretion of the process
\item Controlled by MAC
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Object Typing}
% ----------------------------
\begin{frame}[fragile]
\frametitle{How does an Object/File get its Type?}
\begin{itemize}
\item AppArmor/Tomoyo
\begin{itemize}
\item Defined by File Path (wildcards allowed)
\end{itemize}
\item SELinux/SMACK
\begin{itemize}
\item Defined by Extended File Attribute
\end{itemize}
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{File Labeling for SMACK}
\begin{scriptsize}
\begin{verbatim}
# <cmd> <action> <attr-name> <attr-value> <file>
/usr/bin/attr -S -s SMACK64 -V '*' /dev/null
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Summary}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Summary}
\begin{itemize}
\item Rule-set
\begin{itemize}
\item System-wide
\item Static
\item Built-in or loaded after Kernel-Init
\item Valid for all users, including root
\end{itemize}
\item Whitelist
\begin{itemize}
\item Rules describe all allowed accesses
\item All other accesses can be tracked
\item Override other Security mechanisms
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Examples}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Example I}
\begin{itemize}
\item Ruleset for a simple Application
\item Context: File Path of the Application
\item Objects: two Files in the Home Directory and the /tmp Directory
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Example: AppArmor, /etc/apparmor.d/}
\begin{scriptsize}
\begin{verbatim}
/usr/local/bin/myappl {
#include <abstractions/base>
/usr/local/bin/myappl r,
@{HOME}/.myappl.log rw,
/tmp/myappl.backup rw,
}
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Example II}
\begin{itemize}
\item Ruleset for an update of the shared library cache
\item Subject: ldconfig
\item Object: /etc/ld.so.cache
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Profile (profile.conf)}
\begin{scriptsize}
\begin{verbatim}
4-COMMENT=-----Enforcing Mode -----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Domain transition (exception\_policy.conf)}
\begin{scriptsize}
\begin{verbatim}
initialize_domain /sbin/ldconfig from any
keep_domain any from /sbin/ldconfig
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Rules (domain\_policy.conf)}
\begin{scriptsize}
\begin{verbatim}
<kernel> /sbin/ldconfig
use_profile 4
use_group 1
file create /etc/ld.so.cache~ 0600
file write /etc/ld.so.cache~
file chmod /etc/ld.so.cache~ 0644
file rename /etc/ld.so.cache~ /etc/ld.so.cache
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection*{}
\begin{frame}[fragile]
\frametitle{References}
\begin{itemize}
\item Kernel Source Documentation:
\begin{itemize}
\item Documentation/admin-guide/LSM/Smack.rst
\item Documentation/admin-guide/LSM/SELinux.rst
\item Documentation/admin-guide/LSM/apparmor.rst
\item Documentation/admin-guide/LSM/tomoyo.rst
\end{itemize}
\item \url{https://wiki.gentoo.org/wiki/SELinux/Tutorials}
\item \url{http://tomoyo.osdn.jp/2.5/index.html.en}
\end{itemize}
\end{frame}