sensitivefilesystemobject
filesystemobject 时间:2021-04-03 阅读:()
1TheSimplifiedMandatoryAccessControlKernelCaseySchauflercasey@schaufler-ca.
comMandatoryAccessControlComputersystemsemployavarietyofschemestoconstrainhowinformationissharedamongthepeopleandservicesusingthemachine.
Someoftheseschemesallowtheprogramorusertodecidewhatotherprogramsorusersareallowedaccesstopiecesofdata.
Theseschemesarecalleddiscretionaryaccesscontrolmechanismsbecausetheaccesscontrolisspecifiedatthediscretionoftheuser.
Otherschemesdonotleavethedecisionregardingwhatauserorprogramcanaccessuptousersorprograms.
Theseschemesarecalledmandatoryaccesscontrolmechanismsbecauseyoudon'thaveachoiceregardingtheusersorprogramsthathaveaccesstopiecesofdata.
Bell&LaPadulaFromthemiddleofthe1980'suntiltheturnofthecenturyMandatoryAccessControl(MAC)wasverycloselyassociatedwiththeBell&LaPadulasecuritymodel,amathematicaldescriptionoftheUnitedStatesDepartmentofDefensepolicyformarkingpaperdocuments.
MACinthisformenjoyedafollowingwithintheCapitalBeltwayandScandinaviansupercomputercentersbutwasoftensitedasfailingtoaddressgeneralneeds.
DomainTypeEnforcementAroundtheturnofthecenturyDomainTypeEnforcement(DTE)becamepopular.
Thisschemeorganizesusers,programs,anddataintodomainsthatareprotectedfromeachother.
ThisschemehasbeenwidelydeployedasacomponentofpopularLinuxdistributions.
Theadministrativeoverheadrequiredtomaintainthisschemeandthedetailedunderstandingofthewholesystemnecessarytoprovideasecuredomainmappingleadstotheschemebeingdisabledorusedinlimitedwaysinthemajorityofcases.
SmackSmackisaMandatoryAccessControlmechanismdesignedtoprovideusefulMACwhileavoidingthepitfallsofitspredecessors.
ThelimitationsofBell&LaPadulaareaddressedbyprovidingaschemewherebyaccesscanbecontrolledaccordingtotherequirementsofthesystemanditspurposeratherthanthoseimposedbyanarcanegovernmentpolicy.
ThecomplexityofDomainTypeEnforcementandavoidedbydefiningaccesscontrolsintermsoftheaccessmodesalreadyinuse.
2SmackTerminologyThejargonusedtotalkaboutSmackwillbefamiliartothosewhohavedealtwithotherMACsystemsandshouldn'tbetoodifficultfortheuninitiatedtopickup.
Therearefourtermsthatareusedinaspecificwayandthatareespeciallyimportant:Subject:Asubjectisanactiveentityonthecomputersystem.
OnSmackasubjectisatask,whichisinturnthebasicunitofexecution.
Object:Anobjectisapassiveentityonthecomputersystem.
OnSmackfilesofalltypes,IPC,andtaskscanbeobjects.
Access:Anyattemptbyasubjecttoputinformationintoorgetinformationfromanobjectisanaccess.
Label:DatathatidentifiestheMandatoryAccessControlcharacteristicsofasubjectoranobject.
Thesedefinitionsareconsistentwiththetraditionaluseinthesecuritycommunity.
TherearealsosometermsfromLinuxthatarelikelytocropup:Capability:Ataskthatpossessesacapabilityhaspermissiontoviolateanaspectofthesystemsecuritypolicy,asidentifiedbythespecificcapability.
Ataskthatpossessesoneormorecapabilitiesisaprivilegedtask,whereasataskwithnocapabilitiesisanunprivilegedtask.
Privilege:Ataskthatisallowedtoviolatethesystemsecuritypolicyissaidtohaveprivilege.
Asofthiswritingataskcanhaveprivilegeeitherbypossessingcapabilitiesorbyhavinganeffectiveuserofroot.
SmackBasicsSmackisanextensiontoaLinuxsystem.
Itenforcesadditionalrestrictionsonwhatsubjectscanaccesswhichobjects,basedonthelabelsattachedtoeachofthesubjectandtheobject.
LabelsSmacklabelsareASCIIcharacterstrings,onetotwenty-threecharactersinlength.
Singlecharacterlabelsusingspecialcharacters,thatbeinganythingotherthanaletterordigit,arereservedforusebytheSmackdevelopmentteam.
Smacklabelsareunstructured,casesensitive,andtheonlyoperationeverperformedonthemiscomparisonforequality.
Therearesomepredefinedlabels:_Pronounced"floor",asingleunderscorecharacter.
^Pronounced"hat",asinglecircumflexcharacter.
*Pronounced"star",asingleasteriskcharacter.
Pronounced"huh",asinglequestionmarkcharacter.
3EverytaskonaSmacksystemisassignedalabel.
Systemtasks,suchasinit(8)andsystemsdaemons,arerunwiththefloor("_")label.
Usertasksareassignedlabelsaccordingtothespecificationfoundinthe/etc/smack/userconfigurationfile.
AccessRulesSmackusesthetraditionalaccessmodesofLinux.
Thesemodesareread,execute,write,andoccasionallyappend.
Thereareafewcaseswheretheaccessmodemaynotbeobvious.
Theseinclude:Signals:Asignalisawriteoperationfromthesubjecttasktotheobjecttask.
InternetDomainIPC:Transmissionofapacketisconsideredawriteoperationfromthesourcetasktothedestinationtask.
Smackrestrictsaccessbasedonthelabelattachedtoasubjectandthelabelattachedtotheobjectitistryingtoaccess.
Therulesenforcedare,inorder:1.
Anyaccessrequestedbyatasklabeled"*"isdenied.
2.
Areadorexecuteaccessrequestedbyatasklabeled"^"ispermitted.
3.
Areadorexecuteaccessrequestedonanobjectlabeled"_"ispermitted.
4.
Anyaccessrequestedonanobjectlabeled"*"ispermitted.
5.
Anyaccessrequestedbyataskonanobjectwiththesamelabelispermitted.
6.
Anyaccessrequestedthatisexplicitlydefinedintheloadedrulesetispermitted.
7.
Anyotheraccessisdenied.
InFigure1auserbarneyhasbeenassignedtheSmacklabelRubble.
Thisusercanreadorexecutethefloorlabeledsystemprogramsanddata.
Hecanalsoreadfromandwritetothespecialdevice/dev/null,whichhasthestarlabel.
SystemprocessesrunningwiththefloorlabeldonothaveanyaccesstoBarney'sdata.
Asystemprocessrunningwiththehatlabelisallowedreadaccesstotheuser'sdatabutnotwriteaccess.
4Figure1–BasicSmackAccessPolicyWiththebasicrulessystemtasksrunningwiththefloorlabelareprotectedfromuserprocessesrunningwithotherlabels.
Figure2demonstratestheaccessesallowedwhentwouserlabelsareinuse.
InthisexampletheJavalabeledtaskcanreadandwritetheJavalabeleddata,theMP3labeledtaskhasreadandwriteaccesstotheMP3labeleddata,whilethesystemfloorlabeledtaskhasthesameaccesstoitsfloorlabeleddata.
BoththeJavaandMP3taskshavereadaccesstothefloorsystemdata.
Thetwousertaskshavenoaccesstoeachother'sdata.
_/,/bin,/bin/sh*/dev/nullRubble~barney*^Rubble_5Figure2-BasicUserLabelInteractionsSmackAccessRulesWiththeisolationprovidedbySmackaccessseparationissimple.
Therearemanyinterestingcaseswherelimitedaccessbysubjectstoobjectswithdifferentlabelsisdesired.
Oneexampleisthefamiliarspymodelofsensitivity,whereascientistworkingonahighlyclassifiedprojectwouldbeabletoreaddocumentsoflowerclassificationsandanythingshewriteswillbe"born"highlyclassified.
ToaccommodatesuchschemesSmackincludesamechanismforspecifyingrulesallowingaccessbetweenlabels.
AccessRuleFormatTheformatofanaccessruleis:subject-labelobject-labelaccessWheresubject-labelistheSmacklabelofthetask,object-labelistheSmacklabelofthethingbeingaccessed,andaccessisastringspecifyingthesortofaccessallowed.
TheSmacklabelsarelimitedto23characters.
Theaccessspecificationissearchedforlettersthatdescribeaccessmodes:a:indicatesthatappendaccessshouldbegranted.
r:indicatesthatreadaccessshouldbegranted.
w:indicatesthatwriteaccessshouldbegranted.
x:indicatesthatexecuteaccessshouldbegranted.
Accessmodespecificationscanbeinanyorder.
Examplesofacceptablerulesare:TopSecretSecretrxSystemDataJavaSandboxMP3DataSystemProcessJavaProcessMP3Process6SecretUnclassrManagerGamexUserHRwNewOldrRrrrClosedOff-Examplesofunacceptablerulesare:TopSecretSecretrxTS/Alpha,OmegaOverloardrxAceAcerOddspellswaxbeansSpacesarenotallowedinlabels.
Theslashcharacter"/"isnotallowedinlabels.
Sinceasubjectalwayshasaccesstofileswiththesamelabelspecifyingaruleforthatcaseispointless.
Lettersthatdonotspecifylegitimateaccessmodesarenotallowed.
ApplyingAccessRulesThedevelopersofLinuxrarelydefinenewsortsofthings,usuallyimportingschemesandconceptsfromothersystems.
Mostoften,theothersystemsarevariantsofUnix.
Unixhasmanyendearingproperties,butconsistencyofaccesscontrolmodelsisnotoneofthem.
Smackstrivestotreataccessesasuniformlyasissensiblewhilekeepingwiththespiritoftheunderlyingmechanism.
Filesystemobjectsincludingfiles,directories,namedpipes,symboliclinks,anddevicesrequireaccesspermissionsthatcloselymatchthoseusedbymodebitaccess.
Toopenafileforreadingreadaccessisrequiredonthefile.
Tosearchadirectoryrequiresexecuteaccess.
Creatingafilewithwriteaccessrequiresbothreadandwriteaccessonthecontainingdirectory.
Deletingafilerequiresreadandwriteaccesstothefileandtothecontainingdirectory.
Itispossiblethatausermaybeabletoseethatafileexistsbutnotanyofitsattributesbythecircumstanceofhavingreadaccesstothecontainingdirectorybutnottothedifferentlylabeledfile.
Thisisanartifactofthefilenamebeingdatainthedirectory,notapartofthefile.
IPCobjects,messagequeues,semaphoresets,andmemorysegmentsexistinflatnamespacesandaccessrequestsareonlyrequiredtomatchtheobjectinquestion.
ProcessobjectsreflecttasksonthesystemandtheSmacklabelusedtoaccessthemisthesameSmacklabelthatthetaskwoulduseforitsownaccessattempts.
Sendingasignalviathekill()systemcallisawriteoperationfromthesignalertotherecipient.
Debuggingaprocessrequiresbothreadingandwriting.
CreatinganewtaskisaninternaloperationthatresultsintwotaskswithidenticalSmacklabelsandrequiresnoaccesschecks.
7Socketsaredatastructuresattachedtoprocessesandsendingapacketfromoneprocesstoanotherrequiresthatthesenderhavewriteaccesstothereceiver.
Thereceiverisnotrequiredtohavereadaccesstothesender.
SettingAccessRulesTheconfigurationfile/etc/smack/accessescontainstherulestobesetatsystemstartup.
Thecontentsarewrittentothespecialfile/smack/load.
Rulescanbewrittento/smack/loadatanytimeandtakeeffectimmediately.
Foranypairofsubjectandobjectlabelstherecanbeonlyonerule,withthemostrecentlyspecifiedoverridinganyearlierspecification.
Inordertoensurethatrulesarewrittenproperlyaprogramsmackloadisprovided.
TaskAttributeTheSmacklabelofaprocesscanbereadfrom/proc//attr/current.
AprocesscanreaditsownSmacklabelfrom/proc/self/attr/current.
AprivilegedprocesscanchangeitsownSmacklabelbywritingto/proc/self/attr/currentbutnotthelabelofanotherprocess.
FileAttributeTheSmacklabelofafilesystemobjectisstoredasanextendedattributenamedSMACK64onthefile.
Thisattributeisinthesecuritynamespace.
Itcanonlybechangedbyaprocesswithprivilege.
PrivilegeTherearetwocapabilitiesusedexplicitlybySmack.
CAP_MAC_ADMINallowsaprocesstoperformadministrativefunctionssuchasloadingaccessrules.
CAP_MAC_OVERRIDEexemptsaprocessfromallaccesscontrolrules.
SmackNetworkingAsmentionedbefore,Smackenforcesaccesscontrolonnetworkprotocoltransmissions.
UsuallyapacketsentbyaSmackprocessistaggedwithitsSmacklabel,howeverpacketsthatwouldgettheambientlabelaresentwithoutatag.
ThisisdonebyaddingaCIPSOtagtotheheaderoftheIPpacket.
EachpacketreceivedisexpectedtohaveaCIPSOtagthatidentifiesthelabelandifitlackssuchatagthenetworkambientlabelisassumed.
Beforethepacketisdeliveredacheckismadetodeterminethatasubjectwiththelabelonthepackethaswriteaccesstothereceivingprocessandifthatisnotthecasethepacketisdropped.
CIPSOConfigurationItisnormallyunnecessarytospecifytheCIPSOconfiguration.
Thedefaultvaluesusedbythesystemhandleallinternalcases.
SmackwillcomposeCIPSOlabelvaluestomatchtheSmacklabelsbeingusedwithoutadministrativeintervention.
Unlabeled8packetsthatcomeintothesystemwillbegiventheambientlabel,andoutgoingpacketsthatwouldgettheambientlabelaresentunlabeled.
SmackrequiresconfigurationinthecasewherepacketsfromasystemthatisnotSmackthatspeaksCIPSOmaybeencountered.
UsuallythiswillbeaTrustedSolarissystem,butthereareother,lesswidelydeployedsystemsoutthere.
CIPSOprovides3importantvalues,aDomainOfInterpretation(DOI),alevel,andacategorysetwitheachpacket.
TheDOIisintendedtoidentifyagroupofsystemsthatusecompatiblelabelingschemes,andtheDOIspecifiedonthesmacksystemmustmatchthatoftheremotesystemorpacketswillbediscarded.
TheDOIis3bydefault.
Thevaluecanbereadfrom/smack/doiandcanbechangedbywritingto/smack/doi.
ThelabelandcategorysetaremappedtoaSmacklabelasdefinedin/etc/smack/cipso.
ASmack/CIPSOmappinghastheform:smacklevel[category[category]…]Smackdoesnotexpectthelevelorcategorysetstoberelatedinanyparticularwayanddoesnotassumeorassignaccessesbasedonthem.
Someexamplesofmappings:TopSecret7TS:A,B712SecBDE546RAFTERS71226The":"and","charactersarepermittedinaSmacklabelbuthavenospecialmeaning.
ThemappingofSmacklabelstoCIPSOvaluesisdefinedbywritingto/smack/cipso,andtoensurecorrectformattingtheprogramsmackcipsoisprovided.
InadditiontoexplicitmappingsSmacksupportsdirectCIPSOmappings.
OneCIPSOlevelisusedtoindicatethatthecategorysetpassedinthepacketisinfactanencodingoftheSmacklabel.
Thelevelusedis250bydefault.
Thevaluecanbereadfrom/smack/directandchangedbywritingto/smack/direct.
SocketAttributesTherearetwoattributesthatareassociatedwithsockets.
Theseattributescanonlybesetbyprivilegedtasks,butanytaskcanreadthemfortheirownsockets.
SMACK64IPIN:TheSmacklabelofthetaskobject.
Aprivilegedprogramthatwillenforcepolicymaysetthistothestarlabel.
9SMACK64IPOUT:TheSmacklabeltransmittedwithoutgoingpackets.
Aprivilegedprogrammaysetthistomatchthelabelofanothertaskwithwhichithopestocommunicate.
PacketAttributesTheSmacklabelthatcamewithanetworkpacketisobtaineddifferentlydependingonthetypeofsocketinvolved.
Onlyaprivilegedprocesswilleverneedtodothis,andthenonlyifitistrustedtoenforcetheSmackaccesscontrolrules.
ForaUDSsocketthelabelwillmatchthatofthefilesystemobject.
Itcanbeobtainedbycallingfgetxattr(sock,"security.
SMACK64",…).
ThelabelofaTCPconnectioncanbeobtainedbycallinggetsockopt(sock,SOL_SOCKET,SO_PEERSEC,…)ThelabelusedbyaprocessshouldneverchangeduringaTCPsession.
Itrequiresprivilegetodosoandaprogramthatchangeslabelsmustdosowithaccesscontrolinmind.
ThelabelofindividualUDPpacketsmustbedealtwithastheycomein,becausethereisnoconnectionnegotiatedbetweenthetasks.
Aprogramthatwantstodealwithincomingpacketsatmultiplelabelsfirstneedstocallsetsockopt(sock,SOL_IP,IP_PASSSEC,…)andthenparsethemessageheaderswitheachpacketreceived.
Thefunctionsmackrecvmsg()isavailabletoprovidetheparsing.
Itcanbeusedinsteadofrecvmsg().
WritingApplicationsforSmackTherearethreesortsofapplicationsthatwillrunonaSmacksystem.
HowanapplicationinteractswithSmackwilldeterminewhatitwillhavetodotoworkproperlyunderSmack.
SmackIgnorantApplicationsByfarthemajorityofapplicationshavenoreasonwhatevertocareabouttheuniquepropertiesofSmack.
SinceinvokingaprogramhasnoimpactontheSmacklabelassociatedwiththeprocesstheonlyconcernlikelytoariseiswhethertheprocesshasexecuteaccesstotheprogram.
10SmackRelevantApplicationsSomeprogramscanbeimprovedbyteachingthemaboutSmack,butdonotmakeanysecuritydecisionsthemselves.
Theutilityls(1)isoneexampleofsuchaprogram.
SmackEnforcingApplicationsThesearespecialprogramsthatnotonlyknowaboutSmack,butparticipateintheenforcementofsystempolicy.
Inmostcasesthesearetheprogramsthatsetupusersessions.
Therearealsonetworkservicesthatprovideinformationtoprocessesrunningwithvariouslabels.
FileSystemInterfacesSmackmaintainslabelsonfilesystemobjectsusingextendedattributes.
TheSmacklabelofafile,directory,orotherfilesystemobjectcanbeobtainedusinggetxattr(2).
getxattr("/","security.
SMACK64",value,sizeof(value));willputtheSmacklabeloftherootdirectoryintovalue.
AprivilegedprocesscansettheSmacklabelofafilesystemobjectwithsetxattr(2).
rc=setxattr("/foo","security.
SMACK64","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabelof/footoRubbleiftheprogramhasappropriateprivilege.
SocketInterfacesThesocketattributescanbereadusingfgetxattr(2).
AprivilegedprocesscansettheSmacklabelofoutgoingpacketswithfsetxattr(2).
rc=fsetxattr(fd,"security.
SMACK64IPOUT","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabel"Rubble"onpacketsgoingoutfromthesocketiftheprogramhasappropriateprivilege.
rc=fsetxattr(fd,"security.
SMACK64IPIN,"*",strlen("*"),0);ThiswillsettheSmacklabel"*"astheobjectlabelagainstwhichincomingpacketswillbecheckediftheprogramhasappropriateprivilege.
11AdministrationSmacksupportssomemountoptions:smackfsdef=label:specifiesthelabeltogivefilesthatlacktheSmacklabelextendedattribute.
smackfsroot=label:specifiesthelabeltoassigntherootofthefilesystemifitlackstheSmackextendedattribute.
smackfshat=label:specifiesalabelthatmusthavereadaccesstoalllabelssetonthefilesystem.
Notyetenforced.
smackfsfloor=label:specifiesalabeltowhichalllabelssetonthefilesystemmusthavereadaccess.
Notyetenforced.
ThesemountoptionsapplytoallfilesystemtypeswiththecurrentexceptionofNFS.
comMandatoryAccessControlComputersystemsemployavarietyofschemestoconstrainhowinformationissharedamongthepeopleandservicesusingthemachine.
Someoftheseschemesallowtheprogramorusertodecidewhatotherprogramsorusersareallowedaccesstopiecesofdata.
Theseschemesarecalleddiscretionaryaccesscontrolmechanismsbecausetheaccesscontrolisspecifiedatthediscretionoftheuser.
Otherschemesdonotleavethedecisionregardingwhatauserorprogramcanaccessuptousersorprograms.
Theseschemesarecalledmandatoryaccesscontrolmechanismsbecauseyoudon'thaveachoiceregardingtheusersorprogramsthathaveaccesstopiecesofdata.
Bell&LaPadulaFromthemiddleofthe1980'suntiltheturnofthecenturyMandatoryAccessControl(MAC)wasverycloselyassociatedwiththeBell&LaPadulasecuritymodel,amathematicaldescriptionoftheUnitedStatesDepartmentofDefensepolicyformarkingpaperdocuments.
MACinthisformenjoyedafollowingwithintheCapitalBeltwayandScandinaviansupercomputercentersbutwasoftensitedasfailingtoaddressgeneralneeds.
DomainTypeEnforcementAroundtheturnofthecenturyDomainTypeEnforcement(DTE)becamepopular.
Thisschemeorganizesusers,programs,anddataintodomainsthatareprotectedfromeachother.
ThisschemehasbeenwidelydeployedasacomponentofpopularLinuxdistributions.
Theadministrativeoverheadrequiredtomaintainthisschemeandthedetailedunderstandingofthewholesystemnecessarytoprovideasecuredomainmappingleadstotheschemebeingdisabledorusedinlimitedwaysinthemajorityofcases.
SmackSmackisaMandatoryAccessControlmechanismdesignedtoprovideusefulMACwhileavoidingthepitfallsofitspredecessors.
ThelimitationsofBell&LaPadulaareaddressedbyprovidingaschemewherebyaccesscanbecontrolledaccordingtotherequirementsofthesystemanditspurposeratherthanthoseimposedbyanarcanegovernmentpolicy.
ThecomplexityofDomainTypeEnforcementandavoidedbydefiningaccesscontrolsintermsoftheaccessmodesalreadyinuse.
2SmackTerminologyThejargonusedtotalkaboutSmackwillbefamiliartothosewhohavedealtwithotherMACsystemsandshouldn'tbetoodifficultfortheuninitiatedtopickup.
Therearefourtermsthatareusedinaspecificwayandthatareespeciallyimportant:Subject:Asubjectisanactiveentityonthecomputersystem.
OnSmackasubjectisatask,whichisinturnthebasicunitofexecution.
Object:Anobjectisapassiveentityonthecomputersystem.
OnSmackfilesofalltypes,IPC,andtaskscanbeobjects.
Access:Anyattemptbyasubjecttoputinformationintoorgetinformationfromanobjectisanaccess.
Label:DatathatidentifiestheMandatoryAccessControlcharacteristicsofasubjectoranobject.
Thesedefinitionsareconsistentwiththetraditionaluseinthesecuritycommunity.
TherearealsosometermsfromLinuxthatarelikelytocropup:Capability:Ataskthatpossessesacapabilityhaspermissiontoviolateanaspectofthesystemsecuritypolicy,asidentifiedbythespecificcapability.
Ataskthatpossessesoneormorecapabilitiesisaprivilegedtask,whereasataskwithnocapabilitiesisanunprivilegedtask.
Privilege:Ataskthatisallowedtoviolatethesystemsecuritypolicyissaidtohaveprivilege.
Asofthiswritingataskcanhaveprivilegeeitherbypossessingcapabilitiesorbyhavinganeffectiveuserofroot.
SmackBasicsSmackisanextensiontoaLinuxsystem.
Itenforcesadditionalrestrictionsonwhatsubjectscanaccesswhichobjects,basedonthelabelsattachedtoeachofthesubjectandtheobject.
LabelsSmacklabelsareASCIIcharacterstrings,onetotwenty-threecharactersinlength.
Singlecharacterlabelsusingspecialcharacters,thatbeinganythingotherthanaletterordigit,arereservedforusebytheSmackdevelopmentteam.
Smacklabelsareunstructured,casesensitive,andtheonlyoperationeverperformedonthemiscomparisonforequality.
Therearesomepredefinedlabels:_Pronounced"floor",asingleunderscorecharacter.
^Pronounced"hat",asinglecircumflexcharacter.
*Pronounced"star",asingleasteriskcharacter.
Pronounced"huh",asinglequestionmarkcharacter.
3EverytaskonaSmacksystemisassignedalabel.
Systemtasks,suchasinit(8)andsystemsdaemons,arerunwiththefloor("_")label.
Usertasksareassignedlabelsaccordingtothespecificationfoundinthe/etc/smack/userconfigurationfile.
AccessRulesSmackusesthetraditionalaccessmodesofLinux.
Thesemodesareread,execute,write,andoccasionallyappend.
Thereareafewcaseswheretheaccessmodemaynotbeobvious.
Theseinclude:Signals:Asignalisawriteoperationfromthesubjecttasktotheobjecttask.
InternetDomainIPC:Transmissionofapacketisconsideredawriteoperationfromthesourcetasktothedestinationtask.
Smackrestrictsaccessbasedonthelabelattachedtoasubjectandthelabelattachedtotheobjectitistryingtoaccess.
Therulesenforcedare,inorder:1.
Anyaccessrequestedbyatasklabeled"*"isdenied.
2.
Areadorexecuteaccessrequestedbyatasklabeled"^"ispermitted.
3.
Areadorexecuteaccessrequestedonanobjectlabeled"_"ispermitted.
4.
Anyaccessrequestedonanobjectlabeled"*"ispermitted.
5.
Anyaccessrequestedbyataskonanobjectwiththesamelabelispermitted.
6.
Anyaccessrequestedthatisexplicitlydefinedintheloadedrulesetispermitted.
7.
Anyotheraccessisdenied.
InFigure1auserbarneyhasbeenassignedtheSmacklabelRubble.
Thisusercanreadorexecutethefloorlabeledsystemprogramsanddata.
Hecanalsoreadfromandwritetothespecialdevice/dev/null,whichhasthestarlabel.
SystemprocessesrunningwiththefloorlabeldonothaveanyaccesstoBarney'sdata.
Asystemprocessrunningwiththehatlabelisallowedreadaccesstotheuser'sdatabutnotwriteaccess.
4Figure1–BasicSmackAccessPolicyWiththebasicrulessystemtasksrunningwiththefloorlabelareprotectedfromuserprocessesrunningwithotherlabels.
Figure2demonstratestheaccessesallowedwhentwouserlabelsareinuse.
InthisexampletheJavalabeledtaskcanreadandwritetheJavalabeleddata,theMP3labeledtaskhasreadandwriteaccesstotheMP3labeleddata,whilethesystemfloorlabeledtaskhasthesameaccesstoitsfloorlabeleddata.
BoththeJavaandMP3taskshavereadaccesstothefloorsystemdata.
Thetwousertaskshavenoaccesstoeachother'sdata.
_/,/bin,/bin/sh*/dev/nullRubble~barney*^Rubble_5Figure2-BasicUserLabelInteractionsSmackAccessRulesWiththeisolationprovidedbySmackaccessseparationissimple.
Therearemanyinterestingcaseswherelimitedaccessbysubjectstoobjectswithdifferentlabelsisdesired.
Oneexampleisthefamiliarspymodelofsensitivity,whereascientistworkingonahighlyclassifiedprojectwouldbeabletoreaddocumentsoflowerclassificationsandanythingshewriteswillbe"born"highlyclassified.
ToaccommodatesuchschemesSmackincludesamechanismforspecifyingrulesallowingaccessbetweenlabels.
AccessRuleFormatTheformatofanaccessruleis:subject-labelobject-labelaccessWheresubject-labelistheSmacklabelofthetask,object-labelistheSmacklabelofthethingbeingaccessed,andaccessisastringspecifyingthesortofaccessallowed.
TheSmacklabelsarelimitedto23characters.
Theaccessspecificationissearchedforlettersthatdescribeaccessmodes:a:indicatesthatappendaccessshouldbegranted.
r:indicatesthatreadaccessshouldbegranted.
w:indicatesthatwriteaccessshouldbegranted.
x:indicatesthatexecuteaccessshouldbegranted.
Accessmodespecificationscanbeinanyorder.
Examplesofacceptablerulesare:TopSecretSecretrxSystemDataJavaSandboxMP3DataSystemProcessJavaProcessMP3Process6SecretUnclassrManagerGamexUserHRwNewOldrRrrrClosedOff-Examplesofunacceptablerulesare:TopSecretSecretrxTS/Alpha,OmegaOverloardrxAceAcerOddspellswaxbeansSpacesarenotallowedinlabels.
Theslashcharacter"/"isnotallowedinlabels.
Sinceasubjectalwayshasaccesstofileswiththesamelabelspecifyingaruleforthatcaseispointless.
Lettersthatdonotspecifylegitimateaccessmodesarenotallowed.
ApplyingAccessRulesThedevelopersofLinuxrarelydefinenewsortsofthings,usuallyimportingschemesandconceptsfromothersystems.
Mostoften,theothersystemsarevariantsofUnix.
Unixhasmanyendearingproperties,butconsistencyofaccesscontrolmodelsisnotoneofthem.
Smackstrivestotreataccessesasuniformlyasissensiblewhilekeepingwiththespiritoftheunderlyingmechanism.
Filesystemobjectsincludingfiles,directories,namedpipes,symboliclinks,anddevicesrequireaccesspermissionsthatcloselymatchthoseusedbymodebitaccess.
Toopenafileforreadingreadaccessisrequiredonthefile.
Tosearchadirectoryrequiresexecuteaccess.
Creatingafilewithwriteaccessrequiresbothreadandwriteaccessonthecontainingdirectory.
Deletingafilerequiresreadandwriteaccesstothefileandtothecontainingdirectory.
Itispossiblethatausermaybeabletoseethatafileexistsbutnotanyofitsattributesbythecircumstanceofhavingreadaccesstothecontainingdirectorybutnottothedifferentlylabeledfile.
Thisisanartifactofthefilenamebeingdatainthedirectory,notapartofthefile.
IPCobjects,messagequeues,semaphoresets,andmemorysegmentsexistinflatnamespacesandaccessrequestsareonlyrequiredtomatchtheobjectinquestion.
ProcessobjectsreflecttasksonthesystemandtheSmacklabelusedtoaccessthemisthesameSmacklabelthatthetaskwoulduseforitsownaccessattempts.
Sendingasignalviathekill()systemcallisawriteoperationfromthesignalertotherecipient.
Debuggingaprocessrequiresbothreadingandwriting.
CreatinganewtaskisaninternaloperationthatresultsintwotaskswithidenticalSmacklabelsandrequiresnoaccesschecks.
7Socketsaredatastructuresattachedtoprocessesandsendingapacketfromoneprocesstoanotherrequiresthatthesenderhavewriteaccesstothereceiver.
Thereceiverisnotrequiredtohavereadaccesstothesender.
SettingAccessRulesTheconfigurationfile/etc/smack/accessescontainstherulestobesetatsystemstartup.
Thecontentsarewrittentothespecialfile/smack/load.
Rulescanbewrittento/smack/loadatanytimeandtakeeffectimmediately.
Foranypairofsubjectandobjectlabelstherecanbeonlyonerule,withthemostrecentlyspecifiedoverridinganyearlierspecification.
Inordertoensurethatrulesarewrittenproperlyaprogramsmackloadisprovided.
TaskAttributeTheSmacklabelofaprocesscanbereadfrom/proc//attr/current.
AprocesscanreaditsownSmacklabelfrom/proc/self/attr/current.
AprivilegedprocesscanchangeitsownSmacklabelbywritingto/proc/self/attr/currentbutnotthelabelofanotherprocess.
FileAttributeTheSmacklabelofafilesystemobjectisstoredasanextendedattributenamedSMACK64onthefile.
Thisattributeisinthesecuritynamespace.
Itcanonlybechangedbyaprocesswithprivilege.
PrivilegeTherearetwocapabilitiesusedexplicitlybySmack.
CAP_MAC_ADMINallowsaprocesstoperformadministrativefunctionssuchasloadingaccessrules.
CAP_MAC_OVERRIDEexemptsaprocessfromallaccesscontrolrules.
SmackNetworkingAsmentionedbefore,Smackenforcesaccesscontrolonnetworkprotocoltransmissions.
UsuallyapacketsentbyaSmackprocessistaggedwithitsSmacklabel,howeverpacketsthatwouldgettheambientlabelaresentwithoutatag.
ThisisdonebyaddingaCIPSOtagtotheheaderoftheIPpacket.
EachpacketreceivedisexpectedtohaveaCIPSOtagthatidentifiesthelabelandifitlackssuchatagthenetworkambientlabelisassumed.
Beforethepacketisdeliveredacheckismadetodeterminethatasubjectwiththelabelonthepackethaswriteaccesstothereceivingprocessandifthatisnotthecasethepacketisdropped.
CIPSOConfigurationItisnormallyunnecessarytospecifytheCIPSOconfiguration.
Thedefaultvaluesusedbythesystemhandleallinternalcases.
SmackwillcomposeCIPSOlabelvaluestomatchtheSmacklabelsbeingusedwithoutadministrativeintervention.
Unlabeled8packetsthatcomeintothesystemwillbegiventheambientlabel,andoutgoingpacketsthatwouldgettheambientlabelaresentunlabeled.
SmackrequiresconfigurationinthecasewherepacketsfromasystemthatisnotSmackthatspeaksCIPSOmaybeencountered.
UsuallythiswillbeaTrustedSolarissystem,butthereareother,lesswidelydeployedsystemsoutthere.
CIPSOprovides3importantvalues,aDomainOfInterpretation(DOI),alevel,andacategorysetwitheachpacket.
TheDOIisintendedtoidentifyagroupofsystemsthatusecompatiblelabelingschemes,andtheDOIspecifiedonthesmacksystemmustmatchthatoftheremotesystemorpacketswillbediscarded.
TheDOIis3bydefault.
Thevaluecanbereadfrom/smack/doiandcanbechangedbywritingto/smack/doi.
ThelabelandcategorysetaremappedtoaSmacklabelasdefinedin/etc/smack/cipso.
ASmack/CIPSOmappinghastheform:smacklevel[category[category]…]Smackdoesnotexpectthelevelorcategorysetstoberelatedinanyparticularwayanddoesnotassumeorassignaccessesbasedonthem.
Someexamplesofmappings:TopSecret7TS:A,B712SecBDE546RAFTERS71226The":"and","charactersarepermittedinaSmacklabelbuthavenospecialmeaning.
ThemappingofSmacklabelstoCIPSOvaluesisdefinedbywritingto/smack/cipso,andtoensurecorrectformattingtheprogramsmackcipsoisprovided.
InadditiontoexplicitmappingsSmacksupportsdirectCIPSOmappings.
OneCIPSOlevelisusedtoindicatethatthecategorysetpassedinthepacketisinfactanencodingoftheSmacklabel.
Thelevelusedis250bydefault.
Thevaluecanbereadfrom/smack/directandchangedbywritingto/smack/direct.
SocketAttributesTherearetwoattributesthatareassociatedwithsockets.
Theseattributescanonlybesetbyprivilegedtasks,butanytaskcanreadthemfortheirownsockets.
SMACK64IPIN:TheSmacklabelofthetaskobject.
Aprivilegedprogramthatwillenforcepolicymaysetthistothestarlabel.
9SMACK64IPOUT:TheSmacklabeltransmittedwithoutgoingpackets.
Aprivilegedprogrammaysetthistomatchthelabelofanothertaskwithwhichithopestocommunicate.
PacketAttributesTheSmacklabelthatcamewithanetworkpacketisobtaineddifferentlydependingonthetypeofsocketinvolved.
Onlyaprivilegedprocesswilleverneedtodothis,andthenonlyifitistrustedtoenforcetheSmackaccesscontrolrules.
ForaUDSsocketthelabelwillmatchthatofthefilesystemobject.
Itcanbeobtainedbycallingfgetxattr(sock,"security.
SMACK64",…).
ThelabelofaTCPconnectioncanbeobtainedbycallinggetsockopt(sock,SOL_SOCKET,SO_PEERSEC,…)ThelabelusedbyaprocessshouldneverchangeduringaTCPsession.
Itrequiresprivilegetodosoandaprogramthatchangeslabelsmustdosowithaccesscontrolinmind.
ThelabelofindividualUDPpacketsmustbedealtwithastheycomein,becausethereisnoconnectionnegotiatedbetweenthetasks.
Aprogramthatwantstodealwithincomingpacketsatmultiplelabelsfirstneedstocallsetsockopt(sock,SOL_IP,IP_PASSSEC,…)andthenparsethemessageheaderswitheachpacketreceived.
Thefunctionsmackrecvmsg()isavailabletoprovidetheparsing.
Itcanbeusedinsteadofrecvmsg().
WritingApplicationsforSmackTherearethreesortsofapplicationsthatwillrunonaSmacksystem.
HowanapplicationinteractswithSmackwilldeterminewhatitwillhavetodotoworkproperlyunderSmack.
SmackIgnorantApplicationsByfarthemajorityofapplicationshavenoreasonwhatevertocareabouttheuniquepropertiesofSmack.
SinceinvokingaprogramhasnoimpactontheSmacklabelassociatedwiththeprocesstheonlyconcernlikelytoariseiswhethertheprocesshasexecuteaccesstotheprogram.
10SmackRelevantApplicationsSomeprogramscanbeimprovedbyteachingthemaboutSmack,butdonotmakeanysecuritydecisionsthemselves.
Theutilityls(1)isoneexampleofsuchaprogram.
SmackEnforcingApplicationsThesearespecialprogramsthatnotonlyknowaboutSmack,butparticipateintheenforcementofsystempolicy.
Inmostcasesthesearetheprogramsthatsetupusersessions.
Therearealsonetworkservicesthatprovideinformationtoprocessesrunningwithvariouslabels.
FileSystemInterfacesSmackmaintainslabelsonfilesystemobjectsusingextendedattributes.
TheSmacklabelofafile,directory,orotherfilesystemobjectcanbeobtainedusinggetxattr(2).
getxattr("/","security.
SMACK64",value,sizeof(value));willputtheSmacklabeloftherootdirectoryintovalue.
AprivilegedprocesscansettheSmacklabelofafilesystemobjectwithsetxattr(2).
rc=setxattr("/foo","security.
SMACK64","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabelof/footoRubbleiftheprogramhasappropriateprivilege.
SocketInterfacesThesocketattributescanbereadusingfgetxattr(2).
AprivilegedprocesscansettheSmacklabelofoutgoingpacketswithfsetxattr(2).
rc=fsetxattr(fd,"security.
SMACK64IPOUT","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabel"Rubble"onpacketsgoingoutfromthesocketiftheprogramhasappropriateprivilege.
rc=fsetxattr(fd,"security.
SMACK64IPIN,"*",strlen("*"),0);ThiswillsettheSmacklabel"*"astheobjectlabelagainstwhichincomingpacketswillbecheckediftheprogramhasappropriateprivilege.
11AdministrationSmacksupportssomemountoptions:smackfsdef=label:specifiesthelabeltogivefilesthatlacktheSmacklabelextendedattribute.
smackfsroot=label:specifiesthelabeltoassigntherootofthefilesystemifitlackstheSmackextendedattribute.
smackfshat=label:specifiesalabelthatmusthavereadaccesstoalllabelssetonthefilesystem.
Notyetenforced.
smackfsfloor=label:specifiesalabeltowhichalllabelssetonthefilesystemmusthavereadaccess.
Notyetenforced.
ThesemountoptionsapplytoallfilesystemtypeswiththecurrentexceptionofNFS.
- sensitivefilesystemobject相关文档
- 单据filesystemobject
- widgetfilesystemobject
- 支出filesystemobject
- 职位filesystemobject
- 主要负责人filesystemobject
- 蒙古族filesystemobject
美得云(15元/月)美国cera 2核4G 15元/月 香港1核 1G 3M独享
美得云怎么样?美得云好不好?美得云是第一次来推广软文,老板人脾气特别好,能感觉出来会用心对待用户。美得云这次为大家提供了几款性价比十分高的产品,美国cera 2核4G 15元/月 香港1核 1G 3M独享 15元/月,并且还提供了免费空间给大家使用。嘻嘻 我也打算去白嫖一个空间了。新用户注册福利-8折优惠码:H2dmBKbF 截止2021.10.1结束。KVM架构,99.99%高可用性,依托BGP...
TmhHost 全场八折优惠且充值返10% 多款CN2线路
TmhHost 商家是一家成立于2019年的国人主机品牌。目前主营的是美国VPS以及美国、香港、韩国、菲律宾的独立服务器等,其中VPS业务涵盖香港CN2、香港NTT、美国CN2回程高防、美国CN2 GIA、日本软银、韩国cn2等,均为亚太中国直连优质线路,TmhHost提供全中文界面,支持支付宝付款。 TmhHost黑五优惠活动发布了,全场云服务器、独立服务器提供8折,另有充值返现、特价服务器促销...
野草云99元/月 ,香港独立服务器 E3-1230v2 16G 30M 299元/月 香港云服务器 4核 8G
野草云月末准备了一些促销,主推独立服务器,也有部分云服务器,价格比较有性价比,佣金是10%循环,如果有时间请帮我们推推,感谢!公司名:LucidaCloud Limited官方网站:https://www.yecaoyun.com/香港独立服务器:CPU型号内存硬盘带宽价格购买地址E3-1230v216G240GB SSD或1TB 企盘30M299元/月点击购买E5-265016G240GB SS...
filesystemobject为你推荐
-
京沪高铁上市首秀哪些企业建设京沪高铁?www.e12.com.cn上海高中除了四大名校,接下来哪所高中最好?顺便讲下它的各方面情况partnersonline电脑内一切浏览器无法打开yinrentangweichentang万艾可正品的作用真的不错吗javlibrary.comsony home network library官方下载地址dpscycle魔兽世界国服,求几个暗影MS的输出宏猴山条约中国近代史领土被割占去了多少,包括战争中失去的和吞并的总数猴山条约尼布楚条约,是我们割地,为什么说是公平条约呢红玉头冠急求,wow中红玉头冠的第一个任务是什么呀。。韩宫窥春元稹的《梦游春》的准确译文?