fresh mac code report
Brian F. Feldman
green at FreeBSD.org
Mon Jan 21 19:02:25 GMT 2002
"Ilmar S. Habibulin" <ilmar at watson.org> wrote:
> On Fri, 18 Jan 2002, Robert Watson wrote:
> > My temptation in the short term is to support some sort of
> > ENABLE_MAC_INSTALL flag in make.conf (or make installworld command line)
> > that will apply appropriate labels on a file-by-file basis during the
> > installworld, pretty much as you suggest. For the long-term install,
> > we'll also need to have a tool to walk the filesystem and modify labels to
> > bring them in line with the default policies. Keeping the two policies in
> > sync will be important, and suggests that it might be desirable to have
> > them originate from the same database, and then be processed in both
> > situations. Perhaps a tool not unlike mtree for binary labeling.
> Well, lets hack mtree. What's a problem. IMHO, mtree is one of the perfect
> solutions, because it is one of (or the only) tool which is used to
> controls integrity of filesystems and file attributes.
How about adding "command" support for mtree, as a more generic way of
approaching it? I do like the idea of using mtree to install attributes,
regardless.
> > > I have problem - in order to use ssh(scp) and X(xauth) i had to switch fs
> > > enforcement off :(. Here is log messages:
> > > Jan 18 17:48:48 ws-ilmar kernel: vaccess_mac returned 13 for 272 (ssh) on unknown
> >
> > 'unknown' frequently results from access to either a removed file, or a
> > /dev entry, as /dev doesn't use the namecache. If I had to guess, that
> > would be an attempt by scp to talk directly to your current terminal.
> Ya, maybe it is trying to ask password. ;-)
>
> > Right now, the login process doesn't update the terminal label, but since
> > we enforce only at open(), the inherited reference can be successfully
> > used. As we move to enforcement at read/write on terminals, and for
> > situations like this, we'll need to have relabeling working. For MLS and
> > Biba, simply setting the label based on the subject label should be
> > straightforward; I'm less clear for TE how the label should be generated.
> Well, i'll look at login. Now what to do with TE - i don't know. I've read
> some TE docs and came to conclusion, that TE is a very general policy, so
> you can teoretically specify any type of access to any type of object. We
> have everything except experience in building systems based on TE.
> Unfortunately i was anable to get usenix96 TE paper, which describes the
> use of TE in UNIX system. Maybe you can get access to it?
You should be able to access any proceedings, really, for free from Usenix.
Are you perhaps looking for the 96 Security Symposium DTE paper? You can
get a copy of that at:
http://www.usenix.org/publications/library/proceedings/sec96/walker.html
> > > Jan 18 18:00:16 ws-ilmar kernel: vaccess_mac returned 13 for 344 (xauth) on /usr/home/ilmar
> >
> > I haven't tried using X stuff with the MAC implementation as yet. Is this
> > just the xauth that happens on an incoming ssh, or is this associated with
> > something else? If I had to guess, it would be that xauth is getting run
> > at the wrong time relative to the labeling operation: the OpenSSH code
> > does some fancy uid twiddling and currently the MAC labeling doesn't
> > reflect that. To support alternative security models, the OpenSSH code
> > probably needs to be restructured so that it sets the credentials *once*
> > when it has decided what they should be, rather than swapping back and
> > forth several times. I suspect fixing this, however, will be a fair
> > amount of work. There are some related problems with port forwarding
> > also, I think: the port forwarding is authorized based on a userland root
> > check, rather than setting appropriate credentials and then having the
> > kernel perform the authorization. This will need to be fixed to support
> > both MAC and CAP properly, as well as possibly Audit.
> No, i'm not using ssh for X, just startx from console. I think that
> biba denies access, because process has biba/low and home directory has
> biba/high, and as i understand xauth trys to write to some file (or create
> one) in my home directory.
If SSH were to actually attempt to support management of credentials above
and beyond standard UNIX DAC, it would probably have to be rewritten first.
The current SSH implementations are absolutely not conducive to this; and
indeed, it's probably quite bogus of a design for the implementation to want
to swap between different sets of credentials in the first place (not in the
least because attempting to swap between MAC labels could easily be totally
inappropriate for a given MAC system.
As far as XFree86 goes, the xdm model is something like:
xdm needs to
read from /etc and /usr/X11R6
fork and execute /usr/X11R6/bin/X
execute PAM modules
read (execute) $HOME/.xsession
create/write $HOME/.xsession-errors (later inherited as fd 1 and 2 by child
X clients specified in .xsession, and fd 0 as /dev/null)
create/modify $HOME/.Xauthority by default (alternately, $XAUTHORITY may be
anywhere)
/usr/X11R6/bin/X needs to
open /dev/io
modify /dev/mem
read any input devices
bind and accept from a local stream socket (/tmp/.X11-unix/X$n) and/or a
TCP stream socket
read/write on accepted sockets
create/modify /tmp/.X$n-lock
Note, of course, that xdm initially runs in its initial context, and
performs later operations (.xsession and beyond) after having initialized to
the user's context. XFree86 inherits its permissions from the initial xdm
and does not revoke them.
The startx model is somewhat different, and is on the order of:
startx needs to:
execute xinit
xinit needs to:
read from /etc and /usr/X11R6
fork and execute /usr/X11R6/bin/X (or Xwrapper)
read (execute) $HOME/.xinitrc
Note that in this case, startx starts with just the user's credentials, and
permissions needed by X are gained generally from a setuid flag on it or
Xwrapper. Also, fd 0, 1, and 2 are all inherited from the context of the
initial startx executed and not modified, so will generally be the terminal
device itself.
--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
green at FreeBSD.org `------------------------------'
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss
mailing list