The Simplified Mandatory Access Control Kernel
Casey Schaufler
casey@schaufler-ca.com

Mandatory Access Control
Computer systems employ a variety of schemes to constrain how information is shared among the people and services using the machine. Some of these schemes allow the program or user to decide what other programs or users are allowed access to pieces of data. These schemes are called discretionary access control mechanisms because the access control is specified at the discretion of the user. Other schemes do not leave the decision regarding what a user or program can access up to users or programs. These schemes are called mandatory access control mechanisms because you don't have a choice regarding the users or programs that have access to pieces of data.

Bell & LaPadula
From the middle of the 1980's until the turn of the century Mandatory Access Control (MAC) was very closely associated with the Bell & LaPadula security model, a mathematical description of the United States Department of Defense policy for marking paper documents. MAC in this form enjoyed a following within the Capital Beltway and Scandinavian supercomputer centers but was often cited as failing to address general needs.

Domain Type Enforcement
Around the turn of the century Domain Type Enforcement (DTE) became popular. This scheme organizes users, programs, and data into domains that are protected from each other. This scheme has been widely deployed as a component of popular Linux distributions. The administrative overhead required to maintain this scheme and the detailed understanding of the whole system necessary to provide a secure domain mapping leads to the scheme being disabled or used in limited ways in the majority of cases.

Smack
Smack is a Mandatory Access Control mechanism designed to provide useful MAC while avoiding the pitfalls of its predecessors. The limitations of Bell & LaPadula are addressed by providing a scheme whereby access can be controlled according to the requirements of the system and its purpose rather than those imposed by an arcane government policy. The complexity of Domain Type Enforcement is avoided by defining access controls in terms of the access modes already in use.

Smack Terminology
The jargon used to talk about Smack will be familiar to those who have dealt with other MAC systems and shouldn't be too difficult for the uninitiated to pick up. There are four terms that are used in a specific way and that are especially important:
Subject: A subject is an active entity on the computer system. On Smack a subject is a task, which is in turn the basic unit of execution.
Object: An object is a passive entity on the computer system. On Smack files of all types, IPC, and tasks can be objects.
Access: Any attempt by a subject to put information into or get information from an object is an access.
Label: Data that identifies the Mandatory Access Control characteristics of a subject or an object.
These definitions are consistent with the traditional use in the security community. There are also some terms from Linux that are likely to crop up:
Capability: A task that possesses a capability has permission to violate an aspect of the system security policy, as identified by the specific capability. A task that possesses one or more capabilities is a privileged task, whereas a task with no capabilities is an unprivileged task.
Privilege: A task that is allowed to violate the system security policy is said to have privilege. As of this writing a task can have privilege either by possessing capabilities or by having an effective user of root.

Smack Basics
Smack is an extension to a Linux system. It enforces additional restrictions on what subjects can access which objects, based on the labels attached to each of the subject and the object.

Labels
Smack labels are ASCII character strings, one to twenty-three characters in length. Single character labels using special characters, that being anything other than a letter or digit, are reserved for use by the Smack development team. Smack labels are unstructured, case sensitive, and the only operation ever performed on them is comparison for equality. There are some predefined labels:
_ Pronounced "floor", a single underscore character.
^ Pronounced "hat", a single circumflex character.
* Pronounced "star", a single asterisk character.
? Pronounced "huh", a single question mark character.
Every task on a Smack system is assigned a label. System tasks, such as init(8) and system daemons, are run with the floor ("_") label. User tasks are assigned labels according to the specification found in the /etc/smack/user configuration file.

Access Rules
Smack uses the traditional access modes of Linux. These modes are read, execute, write, and occasionally append. There are a few cases where the access mode may not be obvious. These include:
Signals: A signal is a write operation from the subject task to the object task.
Internet Domain IPC: Transmission of a packet is considered a write operation from the source task to the destination task.
Smack restricts access based on the label attached to a subject and the label attached to the object it is trying to access. The rules enforced are, in order:
1. Any access requested by a task labeled "*" is denied.
2. A read or execute access requested by a task labeled "^" is permitted.
3. A read or execute access requested on an object labeled "_" is permitted.
4. Any access requested on an object labeled "*" is permitted.
5. Any access requested by a task on an object with the same label is permitted.
6. Any access requested that is explicitly defined in the loaded rule set is permitted.
7. Any other access is denied.
In Figure 1 a user barney has been assigned the Smack label Rubble. This user can read or execute the floor labeled system programs and data. He can also read from and write to the special device /dev/null, which has the star label. System processes running with the floor label do not have any access to Barney's data. A system process running with the hat label is allowed read access to the user's data but not write access.

[Figure 1 diagram: "_" on /, /bin and /bin/sh; "*" on /dev/null; Rubble on ~barney; task labels "*", "^", Rubble and "_"]
Figure 1 – Basic Smack Access Policy

With the basic rules system tasks running with the floor label are protected from user processes running with other labels. Figure 2 demonstrates the accesses allowed when two user labels are in use. In this example the Java labeled task can read and write the Java labeled data, the MP3 labeled task has read and write access to the MP3 labeled data, while the system floor labeled task has the same access to its floor labeled data. Both the Java and MP3 tasks have read access to the floor system data. The two user tasks have no access to each other's data.

[Figure 2 diagram: System Data, Java Sandbox, MP3 Data; System Process, Java Process, MP3 Process]
Figure 2 - Basic User Label Interactions

Smack Access Rules
With the isolation provided by Smack access separation is simple. There are many interesting cases where limited access by subjects to objects with different labels is desired. One example is the familiar spy model of sensitivity, where a scientist working on a highly classified project would be able to read documents of lower classifications and anything she writes will be "born" highly classified. To accommodate such schemes Smack includes a mechanism for specifying rules allowing access between labels.

Access Rule Format
The format of an access rule is:
    subject-label object-label access
Where subject-label is the Smack label of the task, object-label is the Smack label of the thing being accessed, and access is a string specifying the sort of access allowed. The Smack labels are limited to 23 characters. The access specification is searched for letters that describe access modes:
a: indicates that append access should be granted.
r: indicates that read access should be granted.
w: indicates that write access should be granted.
x: indicates that execute access should be granted.
Access mode specifications can be in any order.
Examples of acceptable rules are:
    TopSecret Secret rx
    Secret Unclass r
    Manager Game x
    User HR w
    New Old rRrrr
    Closed Off -
Examples of unacceptable rules are:
    Top Secret Secret rx
    TS/Alpha,Omega Overloard rx
    Ace Ace r
    Odd spells waxbeans
Spaces are not allowed in labels. The slash character "/" is not allowed in labels. Since a subject always has access to files with the same label specifying a rule for that case is pointless. Letters that do not specify legitimate access modes are not allowed.
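To make the rule ordering and the rule-line checks concrete, here is an added example (not the paper's code and not the Smack kernel implementation) that models the seven access rules and the rule-line format above in user space over a constructed rule set; the dash in "Closed Off -" is assumed to grant no access.

```c
/* Added example, not code from the paper or the Smack kernel module: a user-space
 * model of the rule format and the seven Smack access rules on a constructed rule set. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define LABEL_MAX 23                     /* Smack labels are 1 to 23 characters */
struct rule { char subj[LABEL_MAX + 1], obj[LABEL_MAX + 1], mode[5]; };
static struct rule rules[32];            /* the loaded rule set */
static int nrules;
/* A label must be non-empty, at most 23 characters and free of '/'. */
static int label_ok(const char *l) { size_t n = strlen(l); return n >= 1 && n <= LABEL_MAX && !strchr(l, '/'); }

/* Load one "subject object access" line as smackload would: 0 if accepted, -1 if rejected.
 * A space inside a label yields extra tokens and is rejected; access letters are r, w, x, a in
 * any order or case; a dash is assumed to grant nothing; a repeated subject/object pair replaces the old rule. */
int smack_load_rule(const char *line)
{
    char s[64], o[64], a[64], extra[2], mode[5] = "";
    int i;
    if (sscanf(line, "%63s %63s %63s %1s", s, o, a, extra) != 3) return -1;
    if (!label_ok(s) || !label_ok(o) || !strcmp(s, o)) return -1;   /* same-label rule is pointless */
    for (const char *p = a; *p; p++) {
        char c = (char)tolower((unsigned char)*p);
        if (c == '-') continue;
        if (!strchr("rwxa", c)) return -1;                           /* not a legitimate access mode */
        if (!strchr(mode, c)) strncat(mode, &c, 1);
    }
    for (i = 0; i < nrules; i++)
        if (!strcmp(rules[i].subj, s) && !strcmp(rules[i].obj, o)) break;
    if (i == nrules) { if (nrules == 32) return -1; nrules++; }
    strcpy(rules[i].subj, s); strcpy(rules[i].obj, o); strcpy(rules[i].mode, mode);
    return 0;
}

/* Decide one access ('r', 'w', 'x' or 'a') by subject label on object label, applying the
 * seven rules in order: 1 = permitted, 0 = denied. Packet delivery is this check with mode 'w',
 * the packet's label as subject and the receiving socket's label as object. */
int smack_access(const char *subj, const char *obj, char mode)
{
    int rx = (mode == 'r' || mode == 'x');
    if (!strcmp(subj, "*")) return 0;                    /* 1: star task is denied everything */
    if (rx && !strcmp(subj, "^")) return 1;              /* 2: hat reads/executes anything */
    if (rx && !strcmp(obj, "_")) return 1;               /* 3: anyone reads/executes floor */
    if (!strcmp(obj, "*")) return 1;                     /* 4: star object is open to all */
    if (!strcmp(subj, obj)) return 1;                    /* 5: same label */
    for (int i = 0; i < nrules; i++)                     /* 6: explicit loaded rule */
        if (!strcmp(rules[i].subj, subj) && !strcmp(rules[i].obj, obj))
            return strchr(rules[i].mode, mode) != NULL;
    return 0;                                            /* 7: anything else is denied */
}
```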

Applying Access Rules
The developers of Linux rarely define new sorts of things, usually importing schemes and concepts from other systems. Most often, the other systems are variants of Unix. Unix has many endearing properties, but consistency of access control models is not one of them. Smack strives to treat accesses as uniformly as is sensible while keeping with the spirit of the underlying mechanism.
File system objects including files, directories, named pipes, symbolic links, and devices require access permissions that closely match those used by mode bit access. To open a file for reading read access is required on the file. To search a directory requires execute access. Creating a file with write access requires both read and write access on the containing directory. Deleting a file requires read and write access to the file and to the containing directory. It is possible that a user may be able to see that a file exists but not any of its attributes by the circumstance of having read access to the containing directory but not to the differently labeled file. This is an artifact of the file name being data in the directory, not a part of the file.
IPC objects, message queues, semaphore sets, and memory segments exist in flat namespaces and access requests are only required to match the object in question.
Process objects reflect tasks on the system and the Smack label used to access them is the same Smack label that the task would use for its own access attempts. Sending a signal via the kill() system call is a write operation from the signaler to the recipient. Debugging a process requires both reading and writing. Creating a new task is an internal operation that results in two tasks with identical Smack labels and requires no access checks.
Sockets are data structures attached to processes and sending a packet from one process to another requires that the sender have write access to the receiver. The receiver is not required to have read access to the sender.

Setting Access Rules
The configuration file /etc/smack/accesses contains the rules to be set at system startup. The contents are written to the special file /smack/load. Rules can be written to /smack/load at any time and take effect immediately. For any pair of subject and object labels there can be only one rule, with the most recently specified overriding any earlier specification. In order to ensure that rules are written properly a program smackload is provided.

Task Attribute
The Smack label of a process can be read from /proc/<pid>/attr/current. A process can read its own Smack label from /proc/self/attr/current. A privileged process can change its own Smack label by writing to /proc/self/attr/current but not the label of another process.

File Attribute
The Smack label of a file system object is stored as an extended attribute named SMACK64 on the file. This attribute is in the security namespace. It can only be changed by a process with privilege.

Privilege
There are two capabilities used explicitly by Smack. CAP_MAC_ADMIN allows a process to perform administrative functions such as loading access rules. CAP_MAC_OVERRIDE exempts a process from all access control rules.

Smack Networking
As mentioned before, Smack enforces access control on network protocol transmissions. Usually a packet sent by a Smack process is tagged with its Smack label, however packets that would get the ambient label are sent without a tag. This is done by adding a CIPSO tag to the header of the IP packet. Each packet received is expected to have a CIPSO tag that identifies the label and if it lacks such a tag the network ambient label is assumed. Before the packet is delivered a check is made to determine that a subject with the label on the packet has write access to the receiving process and if that is not the case the packet is dropped.

CIPSO Configuration
It is normally unnecessary to specify the CIPSO configuration. The default values used by the system handle all internal cases. Smack will compose CIPSO label values to match the Smack labels being used without administrative intervention. Unlabeled packets that come into the system will be given the ambient label, and outgoing packets that would get the ambient label are sent unlabeled.
Smack requires configuration in the case where packets from a system that is not Smack that speaks CIPSO may be encountered. Usually this will be a Trusted Solaris system, but there are other, less widely deployed systems out there. CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level, and a category set with each packet. The DOI is intended to identify a group of systems that use compatible labeling schemes, and the DOI specified on the Smack system must match that of the remote system or packets will be discarded. The DOI is 3 by default. The value can be read from /smack/doi and can be changed by writing to /smack/doi.
The level and category set are mapped to a Smack label as defined in /etc/smack/cipso. A Smack/CIPSO mapping has the form:
    smack level [category [category]…]
Smack does not expect the level or category sets to be related in any particular way and does not assume or assign accesses based on them. Some examples of mappings:
    TopSecret 7
    TS:A,B 7 1 2
    SecBDE 5 4 6
    RAFTERS 7 12 26
The ":" and "," characters are permitted in a Smack label but have no special meaning. The mapping of Smack labels to CIPSO values is defined by writing to /smack/cipso, and to ensure correct formatting the program smackcipso is provided.
In addition to explicit mappings Smack supports direct CIPSO mappings. One CIPSO level is used to indicate that the category set passed in the packet is in fact an encoding of the Smack label. The level used is 250 by default. The value can be read from /smack/direct and changed by writing to /smack/direct.

Socket Attributes
There are two attributes that are associated with sockets. These attributes can only be set by privileged tasks, but any task can read them for their own sockets.
SMACK64IPIN: The Smack label of the task object. A privileged program that will enforce policy may set this to the star label.
SMACK64IPOUT: The Smack label transmitted with outgoing packets. A privileged program may set this to match the label of another task with which it hopes to communicate.

Packet Attributes
The Smack label that came with a network packet is obtained differently depending on the type of socket involved. Only a privileged process will ever need to do this, and then only if it is trusted to enforce the Smack access control rules.
For a UDS socket the label will match that of the file system object. It can be obtained by calling fgetxattr(sock, "security.SMACK64", …).
The label of a TCP connection can be obtained by calling getsockopt(sock, SOL_SOCKET, SO_PEERSEC, …). The label used by a process should never change during a TCP session. It requires privilege to do so and a program that changes labels must do so with access control in mind.
The label of individual UDP packets must be dealt with as they come in, because there is no connection negotiated between the tasks. A program that wants to deal with incoming packets at multiple labels first needs to call setsockopt(sock, SOL_IP, IP_PASSSEC, …) and then parse the message headers with each packet received. The function smackrecvmsg() is available to provide the parsing. It can be used instead of recvmsg().

Writing Applications for Smack
There are three sorts of applications that will run on a Smack system. How an application interacts with Smack will determine what it will have to do to work properly under Smack.

Smack Ignorant Applications
By far the majority of applications have no reason whatever to care about the unique properties of Smack. Since invoking a program has no impact on the Smack label associated with the process the only concern likely to arise is whether the process has execute access to the program.

Smack Relevant Applications
Some programs can be improved by teaching them about Smack, but do not make any security decisions themselves. The utility ls(1) is one example of such a program.

Smack Enforcing Applications
These are special programs that not only know about Smack, but participate in the enforcement of system policy. In most cases these are the programs that set up user sessions. There are also network services that provide information to processes running with various labels.

File System Interfaces
Smack maintains labels on file system objects using extended attributes. The Smack label of a file, directory, or other file system object can be obtained using getxattr(2).
    getxattr("/", "security.SMACK64", value, sizeof(value));
will put the Smack label of the root directory into value. A privileged process can set the Smack label of a file system object with setxattr(2).
    rc = setxattr("/foo", "security.SMACK64", "Rubble", strlen("Rubble"), 0);
This will set the Smack label of /foo to Rubble if the program has appropriate privilege.

Socket Interfaces
The socket attributes can be read using fgetxattr(2). A privileged process can set the Smack label of outgoing packets with fsetxattr(2).
    rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", strlen("Rubble"), 0);
This will set the Smack label "Rubble" on packets going out from the socket if the program has appropriate privilege.
    rc = fsetxattr(fd, "security.SMACK64IPIN", "*", strlen("*"), 0);
This will set the Smack label "*" as the object label against which incoming packets will be checked if the program has appropriate privilege.

Administration
Smack supports some mount options:
smackfsdef=label: specifies the label to give files that lack the Smack label extended attribute.
smackfsroot=label: specifies the label to assign the root of the file system if it lacks the Smack extended attribute.
smackfshat=label: specifies a label that must have read access to all labels set on the file system. Not yet enforced.
smackfsfloor=label: specifies a label to which all labels set on the file system must have read access. Not yet enforced.
These mount options apply to all file system types with the current exception of NFS.