mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8

Selphie Keller selphie.keller at gmail.com
Tue Mar 2 15:06:21 UTC 2010


Hi Robert,

- (1) It looks like you didn't need to set any special label on /dev/ptmx
-     itself?

I didn't have any issues with /dev/ptmx being defaulted to mls/low, also
didn't have any problem with /dev/pts device path itself, just the
/dev/pts/* 0 - 99 if they where defaulted to mls/low where my staff accounts
would be logging in as mls/2(low-high), so I took a look at the code and
noticed the sysctl's for ttys being equal weren't being applied to
/dev/pts/* so modified the code, and also went ahead and applied the same
concept to mac_biba and mac_lomac, even though the server only uses mac_mls
policy.

- (2) Could you let me know how your login.conf + user labels are
configured, and show me the output of "ps -axZ | grep sshd"?

/etc/login.conf label configurations I use

Staff users: label=mls/2(low-high)
Deamons: label=mls/equal(equal-equal)
Insecure users: label=mls/low(low-low)

If you need the exact data from login.conf I can provide it, but is a bit
tricky as I use tc= to call from one class to another class and override, in
which default class is mls/low.

mls/equal(equal-equal)  7341  ??  Is     0:00.10 sshd: Enya [priv] (sshd)
mls/2(low-high)         7770  ??  IN     0:00.05 sshd: Enya at notty (sshd)
mls/equal(equal-equal) 26415  ??  Ss     0:00.05 sshd: lyra [priv] (sshd)
mls/low(low-low)       27006  ??  SN     0:00.01 sshd: lyra at pts/4 (sshd)
mls/equal(equal-equal) 31537  ??  Is     0:00.11 sshd: Enya [priv] (sshd)
mls/equal(equal-equal) 31886  ??  Is     0:00.11 sshd: Enya [priv] (sshd)
mls/2(low-high)        31908  ??  IN     0:00.04 sshd: Enya at pts/0 (sshd)
mls/2(low-high)        32506  ??  SN     0:00.17 sshd: Enya at pts/3 (sshd)
mls/equal(equal-equal) 50202  ??  Ss     0:00.02 /usr/sbin/sshd
mls/equal(equal-equal) 70343  ??  Is     0:00.11 sshd: Enya [priv] (sshd)
mls/2(low-high)        70706  ??  SN     0:00.21 sshd: Enya at pts/1 (sshd)


-We need to rethink how we deal with ttys anyway, and I'd like to understand

-how the specific case you're running into comes about.

The problem I had was only when using mac_mls to where a staff user would
login and be set to mls/2(low-high) then their /dev/pts/* would be set to
mls/low which would prevent writing to the device which would introduce sshd
errors as: 

> Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission
denied
> Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could

> not set controlling tty: Permission denied

However, if my insecure users logged in they would be set to
mls/low(low-low) and their device would be set to mls/low and no errors
would present themselves. And users who's class was mls/equal(equal-equal)
had no errors as they are exempted from the policy. 

+-[root at labyrinth.mystagic.net]-[06:27:11]--[0]---
+[/usr/src/sys]-> lo /dev/pts
total 1
dr-xr-xr-x  2 root  wheel  - mls/low        512 Feb 25 22:42 ./
dr-xr-xr-x  5 root  wheel  - mls/low        512 Feb 25 14:39 ../
crw--w----  1 Enya  tty    - mls/equal   0,  86 Mar  2 06:10 0
crw--w----  1 Enya  tty    - mls/equal   0,  87 Mar  2 06:35 1
crw-rw-rw-  1 root  wheel  - mls/equal   0,  76 Feb 26 00:15 2
crw--w----  1 Enya  tty    - mls/equal   0,  88 Mar  2 05:11 3
crw--w----  1 lyra  tty    - mls/equal   0,  85 Mar  2 06:21 4
crw-rw-rw-  1 root  wheel  - mls/equal   0,  81 Mar  1 06:01 7

The device path with the mac_mls patched and security.mac.mls.ptys_equal=1,
if it's not set to 1, then the devices are set to mls/low. 

If you need any further information just let me know, be more then happy to
help.  

-Selphie (Estella Mystagic)

-----Original Message-----
From: owner-freebsd-hackers at freebsd.org
[mailto:owner-freebsd-hackers at freebsd.org] On Behalf Of Robert Watson
Sent: Tuesday, March 02, 2010 3:32 AM
To: Estella Mystagic
Cc: freebsd-hackers at freebsd.org
Subject: Re: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib
support for new /dev/pts in FreeBSD 8


On Mon, 1 Mar 2010, Estella Mystagic wrote:

> Found issues with sysctl mibs security.mac.biba.ptys_equal, 
> security.mac.lomac.ptys_equal, security.mac.mls.ptys_equal, not supporting

> new /dev/pts terminal system in FreeBSD 8, proposed fix for issue.
>
> When using a higher security grade/clearance with mac_mls it prevents 
> writing to the /dev/pts/5 as its set as mls/low and subjects may not write

> to objects with a lower classification level than its own clearance level.
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission
denied
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could

> not set controlling tty: Permission denied

Hi Selphie:

Thanks for this patch.  I'll go ahead and merge it, but had two questions:

(1) It looks like you didn't need to set any special label on /dev/ptmx
     itself?

(2) Could you let me know how your login.conf + user labels are configured,
     and show me the output of "ps -axZ | grep sshd"?

We need to rethink how we deal with ttys anyway, and I'd like to understand 
how the specific case you're running into comes about.

Robert N M Watson
Computer Laboratory
University of Cambridge

_______________________________________________
freebsd-hackers at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"



More information about the freebsd-hackers mailing list