mac_partition and /sbin/init

Robert Watson rwatson at FreeBSD.org
Thu Sep 25 00:41:24 GMT 2003


On Wed, 24 Sep 2003, Kenny Freeman wrote:

> Hello, I haven't received any emails on this mailing list yet. Kinda
> makes me wonder if it is dead or just low traffic...Should I be asking
> this on another list perhaps?

Not dead, just low-traffic :-).

> I'm curious about the mac_partition module and why it somehow decides to
> put /sbin/init into partition 0 instead of partition none, which is what
> I would like. I'm running about a dozen jails on a test server and would
> like to partition jail processes into a separate partition per jail.

mac_partition treats 0 as the none partition.  The basic logic for
inter-partition access control is:

        if (SLOT(subject) == 0)
                return (0);

        if (SLOT(subject) == SLOT(object))
                return (0);

        return (EPERM);

I.e., if the subject is in partition 0, access control isn't modified.  If
the subject is in the same partition as the object, fine.  Otherwise,
generate a protection error.

> To do this I have created separate login.conf classes with
> :label=partition/x,mls/low\(low-low\):\ entries.  I have also created
> entries that have :label=partition/none,mls/low\(low-high\): for root
> and default. I guess this doesn't take effect until init decides to run
> /etc/rc

Per-user labels are set as part of the user context during a login or
related event.  Right now, the scenarios where labels are set are events
such as:

/usr/sbin/sshd switches to the user's account for their login shell
/usr/bin/login switches to the user's account for their login shell
/usr/sbin/cron switches to the user's account to run a cron tab entry
/usr/sbin/sendmail switches to the user's account for mail delivery
/usr/sbin/inetd switches to a user's account to run a daemon as them
/usr/bin/su switches to the user's account to run a shell

If you're starting programs using rc, you'll need to manually set the MAC
label, either by using su, or by using setpmac.  I generally use setpmac
to run specific commands at a specific label:

/usr/sbin/setpmac mls/low touch /tmp/as_low

> I am unable to set the processes partition when the base system init is
> in partition 0 it seems... suggestions? 

The logic to check a relabel request for partition is as follows:

(1) A target partition of "0" is treated as a no-op, so no change will
    occur.

(2) If the new label is not "0", then privilege is required to change the
    partition label.

A good test is:

  # setpmac partition/1 ps ax

or:

  # setpmac partition/1 getpmac

BTW, if you're interested in commit/merge activity relating to the
TrustedBSD work, there's a trustedbsd-cvs mailing list, which picks up
most branch commits relating to TrustedBSD (including the main MAC branch,
ACL branch, and SEBSD branch).  Merges to the FreeBSD tree can be seen on
the FreeBSD commit mailing lists.  More traffic on trustedbsd-discuss
would be welcome, of course, also :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
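The two decision rules described in the reply above (the inter-partition access check with partition 0 as the "none" partition, and the relabel check that treats a target of 0 as a no-op and requires privilege otherwise) can be modelled in user space to predict what a jail setup will see before touching the kernel. The following C program is an added example written for this archive page; it is not the mac_partition module's source, and the function names, the label-string parser for the "partition/<n>" form, and the jail scenario it walks through are all assumptions made here for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Partition 0 is the "none" partition: a subject in it is not restricted
 * by mac_partition at all (hypothetical constant name, not from the module). */
#define PARTITION_NONE 0UL

/* Inter-partition access check, following the logic quoted in the mail:
 * subject in partition 0 -> allowed; same partition -> allowed; else EPERM. */
int partition_check(unsigned long subject, unsigned long object)
{
    if (subject == PARTITION_NONE)
        return 0;
    if (subject == object)
        return 0;
    return EPERM;
}

/* Relabel request check as described in the mail: a target of 0 is a no-op
 * (label unchanged, success), any other target requires privilege.
 * The resulting label is written to *result so callers can see the no-op. */
int partition_check_relabel(unsigned long current, unsigned long target,
                            int privileged, unsigned long *result)
{
    *result = current;
    if (target == PARTITION_NONE)
        return 0;           /* silently does nothing; this is why "partition/none"
                               never moves a process out of its partition */
    if (!privileged)
        return EPERM;
    *result = target;
    return 0;
}

/* Parse the textual element "partition/<n>" or "partition/none" into a slot.
 * Returns 0 on success, -1 on malformed input (hypothetical parser). */
int partition_parse(const char *label, unsigned long *slot)
{
    const char *prefix = "partition/";
    size_t plen = strlen(prefix);
    if (strncmp(label, prefix, plen) != 0)
        return -1;
    const char *value = label + plen;
    if (strcmp(value, "none") == 0) {
        *slot = PARTITION_NONE;
        return 0;
    }
    if (*value == '\0')
        return -1;
    char *end;
    unsigned long v = strtoul(value, &end, 10);
    if (*end != '\0')
        return -1;
    *slot = v;
    return 0;
}

/* Walk a constructed scenario: init in partition 0 starts two jails via rc,
 * and only an explicit privileged relabel moves each jail into its own slot. */
int main(void)
{
    unsigned long init_slot = PARTITION_NONE, jail1, jail2;

    /* rc inherits init's label; without setpmac both jails would stay at 0 */
    partition_check_relabel(init_slot, 1, 1, &jail1);   /* setpmac partition/1 */
    partition_check_relabel(init_slot, 2, 1, &jail2);   /* setpmac partition/2 */

    printf("init -> jail1 ps: %s\n", partition_check(init_slot, jail1) == 0 ? "allowed" : "EPERM");
    printf("jail1 -> jail2 ps: %s\n", partition_check(jail1, jail2) == 0 ? "allowed" : "EPERM");
    printf("jail1 -> jail1 ps: %s\n", partition_check(jail1, jail1) == 0 ? "allowed" : "EPERM");

    /* A target of "partition/none" is a no-op: jail1 stays in slot 1 */
    unsigned long after;
    partition_check_relabel(jail1, PARTITION_NONE, 1, &after);
    printf("jail1 relabel to none -> slot %lu\n", after);
    return 0;
}
```

The walk-through shows the point of the reply: a process started from rc keeps init's partition 0 and can see every other partition, so each jail's start-up command has to be wrapped in a privileged setpmac to land in its own slot, and asking for partition/none afterwards changes nothing.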

