Diffstat (limited to 'lectures')
-rw-r--r-- lectures/05-advanced-access-control.org 370
1 files changed, 370 insertions, 0 deletions
diff --git a/lectures/05-advanced-access-control.org b/lectures/05-advanced-access-control.org
new file mode 100644
index 0000000..2fc801d
--- /dev/null
+++ b/lectures/05-advanced-access-control.org
@@ -0,0 +1,370 @@
+#+title: Advanced Access Control
+#+date: 2026-04-13 Mon
+#+author: W. Kosior
+#+email: wkosior@agh.edu.pl
+
+* BSD securelevel
+- FreeBSD, OpenBSD, macOS
+- normally booted system (securelevel 1):
+ - disallows writes to =/dev/mem=
+ - raw writes to mounted filesystems forbidden
+- securelevel 2
+ - raw writes to filesystems forbidden
+ - backwards clock changes forbidden
+ - firewall rule changes forbidden
+- assumption of compromised root account
+
+* Apple System Integrity Protection ("rootless")
+- not really "rootless"
+- root powers restricted for usual root processes
+- no write access to
+ - =/System=
+ - =/sbin=
+ - =/bin=
+ - =/usr=
+ - =/Applications=
+
+* DAC → MAC
+- Discretionary Access Control
+ - based on users and their permissions
+ - identified with UNIX traditional model
+- Mandatory Access Control
+ - user's access limited to work on specific task
+ - identified with later extensions to UNIX-like OSes
+ - Linux kernel: post-2000
+- DAC / MAC — naming from US government framework (70s)
+ - meaningful wrt OS access controls?
+
+* LSMs
+- Linux Security Modules
+ - not really "modules"
+ - compiled-in extensions
+ - supplement normal UNIX controls
+ - major & minor LSMs
+ - possibly multiple LSMs active simultaneously
+ - at most one major LSM at a time
+
+* LSMs, Cont.
+- Linux Security Modules
+ - not really "modules"
+ - compiled-in extensions
+ - supplement normal UNIX controls
+ - major & minor LSMs (+ capabilities)
+ - possibly multiple LSMs active simultaneously
+ - at most one major LSM at a time
+- =security=LIST_OF_MODULES= kernel arg
+ - or compiled-in default list
+
+* LSMs, Cont…
+- Linux Security Modules
+ - not really "modules"
+ - compiled-in extensions
+ - supplement normal UNIX controls
+ - major & minor LSMs (+ capabilities)
+ - possibly multiple LSMs active simultaneously
+ - at most one major LSM at a time
+- =security=LIST_OF_MODULES= kernel arg
+ - or compile-in default list
+- =/sys/kernel/security/=
+- =/sys/kernel/security/lsm=
+- =/proc/$PID/attr/$MODULE_NAME=
+
+* Selected LSMs
+- /Capabilities (formely not an LSM)/
+- /Lockdown/
+- Integrity Policy Enforcement
+- Landlock
+- LoadPin
+- SafeSetID
+- TOMOYO
+- Yama
+- AppArmor
+- SMACK
+- SELinux
+
+* Selected LSMs, Cont.
+- /Capabilities (formely not an LSM)/
+- /Lockdown/
+- Integrity Policy Enforcement (access control based on file origin)
+- Landlock (sandboxing, inode-based)
+- LoadPin (modules from RO devices only)
+- SafeSetID (restricted =setuid()= as non-root)
+- Yama (ptrace restrictions)
+- AppArmor
+- SMACK
+- SELinux
+- TOMOYO
+
+* Selected LSMs, Cont…
+- /Capabilities (formely not an LSM)/
+- /Lockdown/
+- Integrity Policy Enforcement (access control based on file origin)
+- Landlock (sandboxing, inode-based)
+- LoadPin (modules from RO devices only)
+- SafeSetID (restricted =setuid()= as non-root)
+- Yama (ptrace restrictions)
+- *SMACK* (legacy major)
+- *AppArmor* (legacy major)
+- *SELinux* (legacy major)
+- TOMOYO (former legacy major)
+
+* Legacy Major LSMs
+- *SMACK*
+ - used in Tizen OS (Samsung TVs)
+ - low complexity, policies based on file labels (xattrs)
+
+* Legacy Major LSMs, Cont.
+- *SMACK*
+ - used in Tizen OS (Samsung TVs)
+ - low complexity, policies based on file labels (xattrs)
+- *AppArmor*
+ - *presently* developed by Canonical
+ - on by default in Ubuntu
+ - moderately complex, policies based on paths (xattrs)
+
+* Legacy Major LSMs, Cont…
+- *SMACK*
+ - used in Tizen OS (Samsung TVs)
+ - low complexity, policies based on file labels (xattrs)
+- *AppArmor*
+ - *presently* developed by Canonical
+ - on by default in Ubuntu
+ - moderately complex, policies based on paths (xattrs)
+- *SELinux*
+ - *initiated* by NSA
+ - on by default in Fedora & Red Hat
+ - high complexity, policies based on file labels (xattrs)
+
+* SMACK
+- objects
+ - processes
+ - files
+ - IP packet sources/targets
+- subjects
+ - processes
+
+* SMACK, Cont.
+- objects
+ - processes
+ - files
+ - IP packet sources/targets
+- subjects
+ - processes
+- object / subject labels
+- operations (actions of subjects on objects)
+ - read
+ - write
+ - execute
+ - append (on files)
+
+* SMACK, Cont…
+- objects
+ - processes
+ - files
+ - IP packet sources/targets
+- subjects
+ - processes
+- object / subject labels
+- operations (actions of subjects on objects)
+ - read
+ - write
+ - execute
+ - append (on files)
+- access rules (additional restrictions on top of DAC)
+ - =label_X label_Y rwx=
+ - =/sys/fs/smackfs/=
+
+* SMACK Labels
+- e.g., =Puppy3=, =my:label=, =a,b,c=
+ - ASCII, except =/=, =\=, ='=​, ="=, and unprintables
+ - no assumed structure
+ - length up to 255 (or 23)
+- processes
+ - =CAP_MAC_ADMIN= process can change to any label
+ - unprivileged process is restricted in label changes
+
+* SMACK Labels, Cont.
+- e.g., =Puppy3=, =my:label=, =a,b,c=
+ - ASCII, except =/=, =\=, ='=​, ="=, and unprintables
+ - no assumed structure
+ - length up to 255 (or 23)
+- processes
+ - =CAP_MAC_ADMIN= process can change to any label
+ - unprivileged process restricted in label changes
+- files / directories
+ - =security.SMACK64= xattr — resource's label
+ - =security.SMACK64EXEC= xattr — process' label after =exec()=
+ - similar to SET-UID binaries; files only
+ - =security.SMACK64TRANSMUTE= — new file's label
+ - similar to SET-GID directories; directories only
+
+* SMACK Labels, Cont…
+- e.g., =Puppy3=, =my:label=, =a,b,c=
+ - ASCII, except =/=, =\=, ='=​, ="=, and unprintables
+ - no assumed structure
+ - length up to 255 (or 23)
+- processes
+ - =CAP_MAC_ADMIN= process can change to any label
+ - unprivileged process restricted in label changes
+- files / directories
+ - =security.SMACK64= xattr — resource's label
+ - normally set to file creator process' label
+ - =security.SMACK64EXEC= xattr — process' label after =exec()=
+ - similar to SET-UID binaries; files only
+ - =security.SMACK64TRANSMUTE= — new child file's label
+ - similar to SET-GID directories; dirs only
+- network packets can use label from IP CIPSO option
+ - configured through =/sys/fs/smackfs/netlabel=
+
+* SMACK Access Control Rules
+- =subjectlabel objectlabel permissions=, e.g.,
+ - =tiger musli rx=
+ - proces labeled =tiger= can read & execute objects labeled =musli=
+ - =:) tulip,bulb rawt-=
+ - =:)= can read & append & write to =tulip,bulb=
+ - =SMACK64TRANSMUTE= of =tulip,bulb= dirs takes effect (=t=)
+ - minus ("=-=") — placeholder (omittable)
+ - =Americano Bands -=
+ - =Americano= has no access to =Bands=
+
+* SMACK Access Control Rules, Cont.
+- =subjectlabel objectlabel permissions=, e.g.,
+ - =tiger musli rx=
+ - proces labeled =tiger= can read & execute objects labeled =musli=
+ - =:) tulip,bulb raw-=
+ - =:)= can read & append & write to =tulip,bulb=
+ - minus ("=-=") — placeholder (omittable)
+ - =Americano Bands -=
+ - =Americano= has no access to =Bands=
+- =/sys/fs/smackfs/load2= — configure rules
+ - one rule per subject-object labels pair
+ - =echo 's_lbl o_lbl rwx' > /sys/fs/smackfs/load2= overrides old
+ - persistence typically in =/etc/smack/accesses=
+- =/sys/fs/smackfs/access2= — check for access
+- =/sys/fs/smackfs/load-self2= — extra restrictions, per-process
+
+* SMACK Special Labels
+- =*= — can be accessed by all, cannot access any
+- =^= — can read / execute everything
+- =_= — can be read / executed by everyone
+- mount options → default label for unlabeled files
+
+* SMACK Access Logic
+- allow if subject has =CAP_MAC_OVERRIDE=
+- deny if subject is labeled =*=, otherwise
+- allow if this is a read / execution by =^=, otherwise
+- allow if this is a read / execution on =_=, otherwise
+- allow it object is labeled =*=, otherwise
+- allow if =subject_label = object_label=
+- deny if per-process rules configured and lack the permission
+- allow if currently loaded (global) rules allow
+- deny by default
+
+* SMACK Access Types
+- process -> file
+- process -> process (signal, ptrace)
+ - extra configuration regarding ptrace available
+- process or remote subject -> process or remote subject
+ - packet sending = writing to target process
+ - can be configured differently
+ - socket attributes
+
+* SMACK Bringup Mode
+- =CONFIG_SECURITY_SMACK_BRINGUP= kernel config option
+- permit & log certain accesses normally blocked
+ - rule with =b= "permission"
+ - processes with label written to =/sys/fs/smackfs/unconfined=
+- rule set development
+ - run new application with =b= rules or unconfined label
+ - see what accesses are logged
+ - prepare the rules adequately
+ - make rules effective
+
+* SMACK Process Relabeling
+- =/proc/self/attr/{,smack/}current= — current process label
+ - readable
+ - writeable with =CAP_MAC_ADMIN=
+ - writeable *without* =CAP_MAC_ADMIN= *if*:
+ - target label written to =relabel-self=
+- =/sys/fs/smackfs/relabel-self= — available target labels list
+ - writeable with =CAP_MAC_ADMIN=
+
+* SMACK — Summary
+- simple
+ - can be configured from ground up by the administrator
+- uses files' extended attributes
+ - can handle filesystems without these
+- can be incrementally configured
+- used in embedded systems
+- suitable for securing containers
+- not included in many distro's kernel binaries
+
+* AppArmor
+- objects use labels *internally* (not visible to the administrator)
+- rules in profiles, written in =/etc/apparmor.d=
+ - usually per-application
+- userspace utilities used to (re)load profiles
+- accesses allowed or blocked by path
+
+* AppArmor Profile Syntax
+#+begin_example
+# This is a comment.
+# File should be named `/etc/apparmor.d/usr.local.bin.foo'.
+# The following is not a comment.
+#include <tunables/global>
+/usr/local/bin/foo flags=(complain) {
+ # `complain' above inhibits blocking of access. Would-be
+ # violations are just logged. "Learning mode".
+
+ #include <abstractions/base>
+
+ capability mknod, # Note the necessary comma.
+ mount /dev/sd*,
+ /bin/local/bin/foo mixr,
+ /var/lib/foo/* rw,
+ /mnt/foobar/* rw,
+ link /var/lib/foo -> /mnt/foobar/,
+}
+#+end_example
+
+* AppArmor Permission Types
+- =k= — lock file
+- =l= — create hard links
+- =m= — memory map as executable
+- =r= — read
+- =w= — write
+- =x= — execute
+ - qualifiers: =p=, =P=, =c=, =C=, =u=, =U=, =i=
+ - uppercase letter = environment variable scrubbing
+ - fallbacks from =[pPcC]= to =[iuU]= possible
+
+* AppArmor Profile Changes
+- subprofiles
+- hats
+ - Apache =mod_apparmor=, dedicated profiles for
+ - virtualhosts
+ - URLs
+ - paths, CGI applications
+
+* AppArmor — Summary
+- does not rely on extended attributes
+ - can optionally use them
+- relatively complex
+ - configuration shipped with distro
+ - easy to extend / supplement
+- according to some, suitable for web servers
+- widely available (Debian, Ubuntu, (Open)Suse)
+
+* SELinux
+- subects and objects have contexts
+ #+begin_example
+ foobar_u:foobar_r:foobar_t:=
+ ^^^^ ^^^^ ^^^^
+ user role type
+ #+end_example
+- subjects & objects can be
+ - processes
+ - files & directories
+ - ports
+- context stored in xattrs
+ - relabeling needed when configuring SELinux
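Review bot: in the AppArmor profile example (the `#+begin_example` block of the "AppArmor Profile Syntax" slide), the profile header is `/usr/local/bin/foo flags=(complain) {` and the comment above it says the file should be named `/etc/apparmor.d/usr.local.bin.foo`, yet the execute rule inside reads `/bin/local/bin/foo mixr,`; the rule path looks like a typo for `/usr/local/bin/foo` and should match the program the profile attaches to. Two further consistency problems in the progressive-reveal slides: the "SMACK Access Control Rules" slide gives the rule as `:) tulip,bulb rawt-` with a sub-bullet explaining the `t` (transmute) permission, but its "Cont." slide repeats it as `:) tulip,bulb raw-` and drops that sub-bullet, so the later slide is no longer a superset of the earlier one as the other "Cont." slides are; and the SELinux context example `foobar_u:foobar_r:foobar_t:=` ends in a stray `:=` (inside an example block `=` is not verbatim markup), which also misaligns with the three caret markers on the line below. Minor spelling to fix in the org text: "formely" → "formerly" (three slides), "proces" → "process" (two slides), "allow it object is labeled" → "allow if object is labeled", "compile-in default list" → "compiled-in default list" (as written on the preceding slide), "subects" → "subjects", and "many distro's kernel binaries" → "many distros' kernel binaries".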