#+title: Advanced Access Control
#+date: 2026-04-13 Mon
#+author: W. Kosior
#+email: wkosior@agh.edu.pl

* BSD securelevel
- FreeBSD, OpenBSD, macOS
- normally booted system (securelevel 1):
  - writes to =/dev/mem= disallowed
  - raw writes to mounted filesystems forbidden
- securelevel 2
  - raw writes to filesystems forbidden
  - backwards clock changes forbidden
  - firewall rule changes forbidden
- assumption: the root account may be compromised

* Apple System Integrity Protection ("rootless")
- not really "rootless"
- root powers restricted for usual root processes
- no write access to
  - =/System=
  - =/sbin=
  - =/bin=
  - =/usr=
  - =/Applications=

* DAC → MAC
- Discretionary Access Control
  - based on users and their permissions
  - identified with the traditional UNIX model
- Mandatory Access Control
  - user's access limited to what a specific task needs
  - identified with later extensions to UNIX-like OSes
    - Linux kernel: post-2000
- DAC / MAC — naming from a US government framework (1970s)
  - meaningful wrt OS access controls?

* LSMs
- Linux Security Modules
  - not really "modules"
  - compiled-in extensions
  - supplement normal UNIX controls
- major & minor LSMs (+ capabilities)
  - possibly multiple LSMs active simultaneously
  - at most one major LSM at a time
- =security=LIST_OF_MODULES= kernel arg
  - or compiled-in default list
- =/sys/kernel/security/=
  - =/sys/kernel/security/lsm=
- =/proc/$PID/attr/$MODULE_NAME=
* Selected LSMs
- /Capabilities (formerly not an LSM)/
- /Lockdown/
- Integrity Policy Enforcement (access control based on file origin)
- Landlock (sandboxing, inode-based)
- LoadPin (modules from RO devices only)
- SafeSetID (restricted =setuid()= as non-root)
- Yama (ptrace restrictions)
- *SMACK* (legacy major)
- *AppArmor* (legacy major)
- *SELinux* (legacy major)
- TOMOYO (former legacy major)

* Legacy Major LSMs
- *SMACK*
  - used in Tizen OS (Samsung TVs)
  - low complexity, policies based on file labels (xattrs)
- *AppArmor*
  - *presently* developed by Canonical
  - on by default in Ubuntu
  - moderately complex, policies based on paths (xattrs)
- *SELinux*
  - *initiated* by NSA
  - on by default in Fedora & Red Hat
  - high complexity, policies based on file labels (xattrs)
* SMACK
- objects
  - processes
  - files
  - IP packet sources/targets
- subjects
  - processes
- object / subject labels
- operations (actions of subjects on objects)
  - read
  - write
  - execute
  - append (on files)
- access rules (additional restrictions on top of DAC)
  - =label_X label_Y rwx=
- =/sys/fs/smackfs/=

* SMACK Labels
- e.g., =Puppy3=, =my:label=, =a,b,c=
- ASCII, except =/=, =\=, ='=, ="=, and unprintables
- no assumed structure
- length up to 255 (or 23)
- processes
  - =CAP_MAC_ADMIN= process can change to any label
  - unprivileged process is restricted in label changes
- files / directories
  - =security.SMACK64= xattr — resource's label
    - normally set to the creating process' label
  - =security.SMACK64EXEC= xattr — process' label after =exec()=
    - similar to SET-UID binaries; files only
  - =security.SMACK64TRANSMUTE= — new child file's label
    - similar to SET-GID directories; directories only
- network packets can use the label from the IP CIPSO option
  - configured through =/sys/fs/smackfs/netlabel=
* SMACK Access Control Rules
- =subjectlabel objectlabel permissions=, e.g.,
  - =tiger musli rx=
    - process labeled =tiger= can read & execute objects labeled =musli=
  - =:) tulip,bulb rawt-=
    - =:)= can read & append & write to =tulip,bulb=
    - =SMACK64TRANSMUTE= of =tulip,bulb= dirs takes effect (=t=)
    - minus ("=-=") — placeholder (omittable)
  - =Americano Bands -=
    - =Americano= has no access to =Bands=
- =/sys/fs/smackfs/load2= — configure rules
  - one rule per subject-object labels pair
    - =echo 's_lbl o_lbl rwx' > /sys/fs/smackfs/load2= overrides the old rule for that pair
  - persistence typically in =/etc/smack/accesses=
- =/sys/fs/smackfs/access2= — check for access
- =/sys/fs/smackfs/load-self2= — extra restrictions, per-process
* SMACK Special Labels
- =*= — can be accessed by all, cannot access anything
- =^= — can read / execute everything
- =_= — can be read / executed by everyone
- mount options → default label for unlabeled files

* SMACK Access Logic
- allow if subject has =CAP_MAC_OVERRIDE=, otherwise
- deny if subject is labeled =*=, otherwise
- allow if this is a read / execution by =^=, otherwise
- allow if this is a read / execution on =_=, otherwise
- allow if object is labeled =*=, otherwise
- allow if =subject_label = object_label=, otherwise
- deny if per-process rules are configured and lack the permission, otherwise
- allow if currently loaded (global) rules allow, otherwise
- deny by default

* SMACK Access Types
- process → file
- process → process (signal, ptrace)
  - extra configuration regarding ptrace available
- process or remote subject → process or remote subject
  - packet sending = writing to target process
    - can be configured differently
- socket attributes

* SMACK Bringup Mode
- =CONFIG_SECURITY_SMACK_BRINGUP= kernel config option
- permit & log certain accesses normally blocked
  - rule with =b= "permission"
  - processes with label written to =/sys/fs/smackfs/unconfined=
- rule set development
  - run new application with =b= rules or unconfined label
  - see what accesses are logged
  - prepare the rules adequately
  - make rules effective
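The label rules and the decision order from the SMACK Labels, Access Control Rules, Special Labels and Access Logic slides, as an added example that is not part of the slides and not code from the SMACK project: a POSIX-shell model that validates a label and walks one request through the same steps against a rule set given in the =load2= text format. It never touches =/sys/fs/smackfs=, so a candidate rule set can be reasoned about on any machine. The functions =smack_label_ok=, =smack_rule_perms=, =smack_access= and the rule set =SMACK_RULES= are all constructed here; the per-process (=load-self2=) rules are an optional sixth argument.

```shell
#!/bin/sh
# Added example, not part of the slides: a user-space model of SMACK
# label syntax and of the access-decision order.  The rule set is an
# ordinary string in the "subject object permissions" format that
# load2 accepts; nothing is written to smackfs.

# smack_label_ok LABEL
# 0 if LABEL follows the label rules from the slides: non-empty, at most
# 255 bytes, printable ASCII, none of / \ ' ".  Whitespace is rejected
# too, because it separates the fields of a rule.
smack_label_ok() {
    lbl=$1
    [ -n "$lbl" ] || return 1
    [ "$(printf '%s' "$lbl" | LC_ALL=C wc -c | tr -d ' ')" -le 255 ] || return 1
    printf '%s' "$lbl" | LC_ALL=C grep -q '[^ -~]' && return 1
    case $lbl in */*|*\\*|*\'*|*\"*|*[[:space:]]*) return 1 ;; esac
    return 0
}

# smack_rule_perms SUBJECT OBJECT RULES
# Prints the permissions of the last rule in RULES for the pair (a later
# load of the same pair overrides an earlier one), or nothing.
smack_rule_perms() {
    printf '%s\n' "$3" |
        awk -v s="$1" -v o="$2" '$1 == s && $2 == o { p = $3 } END { print p }'
}

# smack_access SUBJECT OBJECT REQ RULES [CAPS] [SELF_RULES]
#   REQ        one of r w x a
#   RULES      global rules, newline separated, as written to load2
#   CAPS       space-separated capability names held by the subject
#   SELF_RULES per-process rules (load-self2); empty = none configured
# Prints the step that decided; exit status 0 = allow, 1 = deny.
smack_access() {
    s=$1 o=$2 req=$3 rules=$4 caps=${5:-} self=${6:-}
    case " $caps " in
        *" CAP_MAC_OVERRIDE "*) echo "allow: subject has CAP_MAC_OVERRIDE"; return 0 ;;
    esac
    if [ "$s" = '*' ]; then echo "deny: subject is labeled *"; return 1; fi
    if [ "$req" = r ] || [ "$req" = x ]; then
        if [ "$s" = '^' ]; then echo "allow: ^ may read/execute anything"; return 0; fi
        if [ "$o" = '_' ]; then echo "allow: _ may be read/executed by anyone"; return 0; fi
    fi
    if [ "$o" = '*' ]; then echo "allow: object is labeled *"; return 0; fi
    if [ "$s" = "$o" ]; then echo "allow: subject and object share label $s"; return 0; fi
    if [ -n "$self" ]; then
        p=$(smack_rule_perms "$s" "$o" "$self")
        case $p in
            *"$req"*) ;;
            *) echo "deny: per-process rules (${p:-none}) lack $req"; return 1 ;;
        esac
    fi
    p=$(smack_rule_perms "$s" "$o" "$rules")
    case $p in
        *"$req"*) echo "allow: global rule '$s $o $p' grants $req"; return 0 ;;
    esac
    echo "deny: no global rule grants $s $req on $o"
    return 1
}

# Constructed rule set, using the rules quoted on the slides.
SMACK_RULES=$(printf '%s\n' 'tiger musli rx' ':) tulip,bulb rawt-' 'Americano Bands -')

# Walk a few requests through the decision order and print the verdicts.
smack_demo() {
    set -f   # labels such as * must not be glob-expanded by "set --"
    for q in 'tiger musli r' 'tiger musli w' ':) tulip,bulb a' \
             'Americano Bands r' '* musli r' '^ Bands x' 'Puppy3 _ w'; do
        set -- $q
        printf '%-12s %-12s %s -> ' "$1" "$2" "$3"
        smack_access "$1" "$2" "$3" "$SMACK_RULES" || true
    done
    set +f
}

smack_demo
```

The model keeps the slides' ordering deliberately: the special labels =*=, =^= and =_= are consulted before any rule lookup, so a rule that "grants" something to a =*= subject is never reached, and a configured per-process rule set can only take permissions away, never add them.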
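The bringup-mode development loop on the slide above (run with =b= rules or an unconfined label, read the logged accesses, prepare the rules, load them), as an added example that is not part of the slides and not SMACK project code: a shell helper that aggregates logged accesses into one =load2= rule per subject/object pair and writes the result rule by rule. The record layout (=subject="..." object="..." requested=...=) is assumed to match the kernel's SMACK audit messages; the sample lines in =SMACK_SAMPLE_LOG= are constructed for this example, and =smack_rules_from_log=, =smack_load_rules= and =smack_bringup_demo= are names introduced here.

```shell
#!/bin/sh
# Added example, not part of the slides: tooling for the bringup-mode
# rule-set development loop.  Logged accesses are merged into one rule
# per subject/object pair and written to smackfs one rule at a time.
# The audit record layout is assumed; the sample lines are constructed.

SMACK_SAMPLE_LOG='audit: type=1400 lsm=SMACK fn=smack_inode_permission action=denied subject="foo_app" object="foo_data" requested=r pid=1201 comm="foo"
audit: type=1400 lsm=SMACK fn=smack_inode_permission action=denied subject="foo_app" object="foo_data" requested=w pid=1201 comm="foo"
audit: type=1400 lsm=SMACK fn=smack_inode_permission action=denied subject="foo_app" object="foo_log" requested=a pid=1201 comm="foo"
audit: type=1400 lsm=SMACK fn=smack_inode_permission action=denied subject="foo_app" object="foo_log" requested=w pid=1201 comm="foo"
audit: type=1400 lsm=SMACK fn=smack_inode_permission action=denied subject="bar_svc" object="foo_data" requested=r pid=1340 comm="bar"'

# smack_rules_from_log
# stdin: audit lines; stdout: "subject object perms", one line per pair,
# sorted.  Lines without a requested= field are ignored.  Permissions of
# the same pair are merged, since load2 keeps one rule per pair.
smack_rules_from_log() {
    sed -n 's/.*subject="\([^"]*\)" object="\([^"]*\)" requested=\([rwxatlb]*\).*/\1 \2 \3/p' |
    awk '
        {
            key = $1 " " $2
            seen[key] = 1
            for (i = 1; i <= length($3); i++) have[key, substr($3, i, 1)] = 1
        }
        END {
            order = "rwxatl"
            for (key in seen) {
                perms = ""
                for (i = 1; i <= length(order); i++) {
                    c = substr(order, i, 1)
                    if ((key, c) in have) perms = perms c
                }
                print key, perms
            }
        }' | sort
}

# smack_load_rules SMACKFS_DIR
# stdin: rules; each line becomes its own write to SMACKFS_DIR/load2.
# On smackfs every write is a separate rule load, so >> behaves like >;
# using >> also lets the function be dry-run against a plain directory.
smack_load_rules() {
    dir=$1
    while read -r subj obj perms; do
        [ -n "$perms" ] || continue
        printf '%s %s %s\n' "$subj" "$obj" "$perms" >> "$dir/load2" || return 1
    done
}

# Dry run: derive rules from the sample log and "load" them into a
# scratch directory instead of /sys/fs/smackfs.
smack_bringup_demo() {
    scratch=$(mktemp -d)
    printf '%s\n' "$SMACK_SAMPLE_LOG" | smack_rules_from_log | smack_load_rules "$scratch"
    cat "$scratch/load2"
    rm -r "$scratch"
}

smack_bringup_demo
```

To make the derived rules effective on a real system, point =smack_load_rules= at =/sys/fs/smackfs= (it needs =CAP_MAC_ADMIN=) and copy the same lines into =/etc/smack/accesses= for persistence; review the merged rule set first, because the log reflects everything the application tried, not only what it should be allowed to do.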
* SMACK Process Relabeling
- =/proc/self/attr/{,smack/}current= — current process label
  - readable
  - writeable with =CAP_MAC_ADMIN=
  - writeable *without* =CAP_MAC_ADMIN= *if*:
    - target label written to =relabel-self=
- =/sys/fs/smackfs/relabel-self= — list of available target labels
  - writeable with =CAP_MAC_ADMIN=

* SMACK — Summary
- simple
- can be configured from the ground up by the administrator
- uses files' extended attributes
  - can handle filesystems without them
- can be incrementally configured
- used in embedded systems
- suitable for securing containers
- not included in many distros' kernel binaries

* AppArmor
- objects use labels *internally* (not visible to the administrator)
- rules in profiles, written in =/etc/apparmor.d=
  - usually per-application
- userspace utilities used to (re)load profiles
- accesses allowed or blocked by path

* AppArmor Profile Syntax
#+begin_example
# This is a comment.
# File should be named `/etc/apparmor.d/usr.local.bin.foo'.
# The following is not a comment (the usual global include).
#include <tunables/global>

/usr/local/bin/foo flags=(complain) {
  # `complain' above inhibits blocking of access.  Would-be
  # violations are just logged.  "Learning mode".
  #include <abstractions/base>

  capability mknod,            # Note the necessary comma.
  mount /dev/sd*,
  /usr/local/bin/foo mixr,
  /var/lib/foo/* rw,
  /mnt/foobar/* rw,
  link /var/lib/foo -> /mnt/foobar/,
}
#+end_example

* AppArmor Permission Types
- =k= — lock file
- =l= — create hard links
- =m= — memory map as executable
- =r= — read
- =w= — write
- =x= — execute
  - qualifiers: =p=, =P=, =c=, =C=, =u=, =U=, =i=
  - uppercase letter = environment variable scrubbing
  - fallbacks from =[pPcC]= to =[iuU]= possible

* AppArmor Profile Changes
- subprofiles
  - hats
- Apache =mod_apparmor=, dedicated profiles for
  - virtualhosts
  - URLs
  - paths, CGI applications

* AppArmor — Summary
- does not rely on extended attributes
  - can optionally use them
- relatively complex
- configuration shipped with distro
  - easy to extend / supplement
- according to some, suitable for web servers
- widely available (Debian, Ubuntu, (Open)Suse)

* SELinux
- subjects and objects have contexts
#+begin_example
foobar_u:foobar_r:foobar_t:
^^^^^^^^ ^^^^^^^^ ^^^^^^^^
  user     role     type
#+end_example
- subjects & objects can be
  - processes
  - files & directories
  - ports
- context stored in xattrs
  - relabeling needed when configuring SELinux