sensitivefilesystemobject

filesystemobject  时间:2021-04-03  阅读:()
1TheSimplifiedMandatoryAccessControlKernelCaseySchauflercasey@schaufler-ca.
comMandatoryAccessControlComputersystemsemployavarietyofschemestoconstrainhowinformationissharedamongthepeopleandservicesusingthemachine.
Someoftheseschemesallowtheprogramorusertodecidewhatotherprogramsorusersareallowedaccesstopiecesofdata.
Theseschemesarecalleddiscretionaryaccesscontrolmechanismsbecausetheaccesscontrolisspecifiedatthediscretionoftheuser.
Otherschemesdonotleavethedecisionregardingwhatauserorprogramcanaccessuptousersorprograms.
Theseschemesarecalledmandatoryaccesscontrolmechanismsbecauseyoudon'thaveachoiceregardingtheusersorprogramsthathaveaccesstopiecesofdata.
Bell&LaPadulaFromthemiddleofthe1980'suntiltheturnofthecenturyMandatoryAccessControl(MAC)wasverycloselyassociatedwiththeBell&LaPadulasecuritymodel,amathematicaldescriptionoftheUnitedStatesDepartmentofDefensepolicyformarkingpaperdocuments.
MACinthisformenjoyedafollowingwithintheCapitalBeltwayandScandinaviansupercomputercentersbutwasoftensitedasfailingtoaddressgeneralneeds.
DomainTypeEnforcementAroundtheturnofthecenturyDomainTypeEnforcement(DTE)becamepopular.
Thisschemeorganizesusers,programs,anddataintodomainsthatareprotectedfromeachother.
ThisschemehasbeenwidelydeployedasacomponentofpopularLinuxdistributions.
Theadministrativeoverheadrequiredtomaintainthisschemeandthedetailedunderstandingofthewholesystemnecessarytoprovideasecuredomainmappingleadstotheschemebeingdisabledorusedinlimitedwaysinthemajorityofcases.
SmackSmackisaMandatoryAccessControlmechanismdesignedtoprovideusefulMACwhileavoidingthepitfallsofitspredecessors.
ThelimitationsofBell&LaPadulaareaddressedbyprovidingaschemewherebyaccesscanbecontrolledaccordingtotherequirementsofthesystemanditspurposeratherthanthoseimposedbyanarcanegovernmentpolicy.
ThecomplexityofDomainTypeEnforcementandavoidedbydefiningaccesscontrolsintermsoftheaccessmodesalreadyinuse.
2SmackTerminologyThejargonusedtotalkaboutSmackwillbefamiliartothosewhohavedealtwithotherMACsystemsandshouldn'tbetoodifficultfortheuninitiatedtopickup.
Therearefourtermsthatareusedinaspecificwayandthatareespeciallyimportant:Subject:Asubjectisanactiveentityonthecomputersystem.
OnSmackasubjectisatask,whichisinturnthebasicunitofexecution.
Object:Anobjectisapassiveentityonthecomputersystem.
OnSmackfilesofalltypes,IPC,andtaskscanbeobjects.
Access:Anyattemptbyasubjecttoputinformationintoorgetinformationfromanobjectisanaccess.
Label:DatathatidentifiestheMandatoryAccessControlcharacteristicsofasubjectoranobject.
Thesedefinitionsareconsistentwiththetraditionaluseinthesecuritycommunity.
TherearealsosometermsfromLinuxthatarelikelytocropup:Capability:Ataskthatpossessesacapabilityhaspermissiontoviolateanaspectofthesystemsecuritypolicy,asidentifiedbythespecificcapability.
Ataskthatpossessesoneormorecapabilitiesisaprivilegedtask,whereasataskwithnocapabilitiesisanunprivilegedtask.
Privilege:Ataskthatisallowedtoviolatethesystemsecuritypolicyissaidtohaveprivilege.
Asofthiswritingataskcanhaveprivilegeeitherbypossessingcapabilitiesorbyhavinganeffectiveuserofroot.
SmackBasicsSmackisanextensiontoaLinuxsystem.
Itenforcesadditionalrestrictionsonwhatsubjectscanaccesswhichobjects,basedonthelabelsattachedtoeachofthesubjectandtheobject.
LabelsSmacklabelsareASCIIcharacterstrings,onetotwenty-threecharactersinlength.
Singlecharacterlabelsusingspecialcharacters,thatbeinganythingotherthanaletterordigit,arereservedforusebytheSmackdevelopmentteam.
Smacklabelsareunstructured,casesensitive,andtheonlyoperationeverperformedonthemiscomparisonforequality.
Therearesomepredefinedlabels:_Pronounced"floor",asingleunderscorecharacter.
^Pronounced"hat",asinglecircumflexcharacter.
*Pronounced"star",asingleasteriskcharacter.
Pronounced"huh",asinglequestionmarkcharacter.
3EverytaskonaSmacksystemisassignedalabel.
Systemtasks,suchasinit(8)andsystemsdaemons,arerunwiththefloor("_")label.
Usertasksareassignedlabelsaccordingtothespecificationfoundinthe/etc/smack/userconfigurationfile.
AccessRulesSmackusesthetraditionalaccessmodesofLinux.
Thesemodesareread,execute,write,andoccasionallyappend.
Thereareafewcaseswheretheaccessmodemaynotbeobvious.
Theseinclude:Signals:Asignalisawriteoperationfromthesubjecttasktotheobjecttask.
InternetDomainIPC:Transmissionofapacketisconsideredawriteoperationfromthesourcetasktothedestinationtask.
Smackrestrictsaccessbasedonthelabelattachedtoasubjectandthelabelattachedtotheobjectitistryingtoaccess.
Therulesenforcedare,inorder:1.
Anyaccessrequestedbyatasklabeled"*"isdenied.
2.
Areadorexecuteaccessrequestedbyatasklabeled"^"ispermitted.
3.
Areadorexecuteaccessrequestedonanobjectlabeled"_"ispermitted.
4.
Anyaccessrequestedonanobjectlabeled"*"ispermitted.
5.
Anyaccessrequestedbyataskonanobjectwiththesamelabelispermitted.
6.
Anyaccessrequestedthatisexplicitlydefinedintheloadedrulesetispermitted.
7.
Anyotheraccessisdenied.
InFigure1auserbarneyhasbeenassignedtheSmacklabelRubble.
Thisusercanreadorexecutethefloorlabeledsystemprogramsanddata.
Hecanalsoreadfromandwritetothespecialdevice/dev/null,whichhasthestarlabel.
SystemprocessesrunningwiththefloorlabeldonothaveanyaccesstoBarney'sdata.
Asystemprocessrunningwiththehatlabelisallowedreadaccesstotheuser'sdatabutnotwriteaccess.
4Figure1–BasicSmackAccessPolicyWiththebasicrulessystemtasksrunningwiththefloorlabelareprotectedfromuserprocessesrunningwithotherlabels.
Figure2demonstratestheaccessesallowedwhentwouserlabelsareinuse.
InthisexampletheJavalabeledtaskcanreadandwritetheJavalabeleddata,theMP3labeledtaskhasreadandwriteaccesstotheMP3labeleddata,whilethesystemfloorlabeledtaskhasthesameaccesstoitsfloorlabeleddata.
BoththeJavaandMP3taskshavereadaccesstothefloorsystemdata.
Thetwousertaskshavenoaccesstoeachother'sdata.
_/,/bin,/bin/sh*/dev/nullRubble~barney*^Rubble_5Figure2-BasicUserLabelInteractionsSmackAccessRulesWiththeisolationprovidedbySmackaccessseparationissimple.
Therearemanyinterestingcaseswherelimitedaccessbysubjectstoobjectswithdifferentlabelsisdesired.
Oneexampleisthefamiliarspymodelofsensitivity,whereascientistworkingonahighlyclassifiedprojectwouldbeabletoreaddocumentsoflowerclassificationsandanythingshewriteswillbe"born"highlyclassified.
ToaccommodatesuchschemesSmackincludesamechanismforspecifyingrulesallowingaccessbetweenlabels.
AccessRuleFormatTheformatofanaccessruleis:subject-labelobject-labelaccessWheresubject-labelistheSmacklabelofthetask,object-labelistheSmacklabelofthethingbeingaccessed,andaccessisastringspecifyingthesortofaccessallowed.
TheSmacklabelsarelimitedto23characters.
Theaccessspecificationissearchedforlettersthatdescribeaccessmodes:a:indicatesthatappendaccessshouldbegranted.
r:indicatesthatreadaccessshouldbegranted.
w:indicatesthatwriteaccessshouldbegranted.
x:indicatesthatexecuteaccessshouldbegranted.
Accessmodespecificationscanbeinanyorder.
Examplesofacceptablerulesare:TopSecretSecretrxSystemDataJavaSandboxMP3DataSystemProcessJavaProcessMP3Process6SecretUnclassrManagerGamexUserHRwNewOldrRrrrClosedOff-Examplesofunacceptablerulesare:TopSecretSecretrxTS/Alpha,OmegaOverloardrxAceAcerOddspellswaxbeansSpacesarenotallowedinlabels.
Theslashcharacter"/"isnotallowedinlabels.
Sinceasubjectalwayshasaccesstofileswiththesamelabelspecifyingaruleforthatcaseispointless.
Lettersthatdonotspecifylegitimateaccessmodesarenotallowed.
ApplyingAccessRulesThedevelopersofLinuxrarelydefinenewsortsofthings,usuallyimportingschemesandconceptsfromothersystems.
Mostoften,theothersystemsarevariantsofUnix.
Unixhasmanyendearingproperties,butconsistencyofaccesscontrolmodelsisnotoneofthem.
Smackstrivestotreataccessesasuniformlyasissensiblewhilekeepingwiththespiritoftheunderlyingmechanism.
Filesystemobjectsincludingfiles,directories,namedpipes,symboliclinks,anddevicesrequireaccesspermissionsthatcloselymatchthoseusedbymodebitaccess.
Toopenafileforreadingreadaccessisrequiredonthefile.
Tosearchadirectoryrequiresexecuteaccess.
Creatingafilewithwriteaccessrequiresbothreadandwriteaccessonthecontainingdirectory.
Deletingafilerequiresreadandwriteaccesstothefileandtothecontainingdirectory.
Itispossiblethatausermaybeabletoseethatafileexistsbutnotanyofitsattributesbythecircumstanceofhavingreadaccesstothecontainingdirectorybutnottothedifferentlylabeledfile.
Thisisanartifactofthefilenamebeingdatainthedirectory,notapartofthefile.
IPCobjects,messagequeues,semaphoresets,andmemorysegmentsexistinflatnamespacesandaccessrequestsareonlyrequiredtomatchtheobjectinquestion.
ProcessobjectsreflecttasksonthesystemandtheSmacklabelusedtoaccessthemisthesameSmacklabelthatthetaskwoulduseforitsownaccessattempts.
Sendingasignalviathekill()systemcallisawriteoperationfromthesignalertotherecipient.
Debuggingaprocessrequiresbothreadingandwriting.
CreatinganewtaskisaninternaloperationthatresultsintwotaskswithidenticalSmacklabelsandrequiresnoaccesschecks.
7Socketsaredatastructuresattachedtoprocessesandsendingapacketfromoneprocesstoanotherrequiresthatthesenderhavewriteaccesstothereceiver.
Thereceiverisnotrequiredtohavereadaccesstothesender.
SettingAccessRulesTheconfigurationfile/etc/smack/accessescontainstherulestobesetatsystemstartup.
Thecontentsarewrittentothespecialfile/smack/load.
Rulescanbewrittento/smack/loadatanytimeandtakeeffectimmediately.
Foranypairofsubjectandobjectlabelstherecanbeonlyonerule,withthemostrecentlyspecifiedoverridinganyearlierspecification.
Inordertoensurethatrulesarewrittenproperlyaprogramsmackloadisprovided.
TaskAttributeTheSmacklabelofaprocesscanbereadfrom/proc//attr/current.
AprocesscanreaditsownSmacklabelfrom/proc/self/attr/current.
AprivilegedprocesscanchangeitsownSmacklabelbywritingto/proc/self/attr/currentbutnotthelabelofanotherprocess.
FileAttributeTheSmacklabelofafilesystemobjectisstoredasanextendedattributenamedSMACK64onthefile.
Thisattributeisinthesecuritynamespace.
Itcanonlybechangedbyaprocesswithprivilege.
PrivilegeTherearetwocapabilitiesusedexplicitlybySmack.
CAP_MAC_ADMINallowsaprocesstoperformadministrativefunctionssuchasloadingaccessrules.
CAP_MAC_OVERRIDEexemptsaprocessfromallaccesscontrolrules.
SmackNetworkingAsmentionedbefore,Smackenforcesaccesscontrolonnetworkprotocoltransmissions.
UsuallyapacketsentbyaSmackprocessistaggedwithitsSmacklabel,howeverpacketsthatwouldgettheambientlabelaresentwithoutatag.
ThisisdonebyaddingaCIPSOtagtotheheaderoftheIPpacket.
EachpacketreceivedisexpectedtohaveaCIPSOtagthatidentifiesthelabelandifitlackssuchatagthenetworkambientlabelisassumed.
Beforethepacketisdeliveredacheckismadetodeterminethatasubjectwiththelabelonthepackethaswriteaccesstothereceivingprocessandifthatisnotthecasethepacketisdropped.
CIPSOConfigurationItisnormallyunnecessarytospecifytheCIPSOconfiguration.
Thedefaultvaluesusedbythesystemhandleallinternalcases.
SmackwillcomposeCIPSOlabelvaluestomatchtheSmacklabelsbeingusedwithoutadministrativeintervention.
Unlabeled8packetsthatcomeintothesystemwillbegiventheambientlabel,andoutgoingpacketsthatwouldgettheambientlabelaresentunlabeled.
SmackrequiresconfigurationinthecasewherepacketsfromasystemthatisnotSmackthatspeaksCIPSOmaybeencountered.
UsuallythiswillbeaTrustedSolarissystem,butthereareother,lesswidelydeployedsystemsoutthere.
CIPSOprovides3importantvalues,aDomainOfInterpretation(DOI),alevel,andacategorysetwitheachpacket.
TheDOIisintendedtoidentifyagroupofsystemsthatusecompatiblelabelingschemes,andtheDOIspecifiedonthesmacksystemmustmatchthatoftheremotesystemorpacketswillbediscarded.
TheDOIis3bydefault.
Thevaluecanbereadfrom/smack/doiandcanbechangedbywritingto/smack/doi.
ThelabelandcategorysetaremappedtoaSmacklabelasdefinedin/etc/smack/cipso.
ASmack/CIPSOmappinghastheform:smacklevel[category[category]…]Smackdoesnotexpectthelevelorcategorysetstoberelatedinanyparticularwayanddoesnotassumeorassignaccessesbasedonthem.
Someexamplesofmappings:TopSecret7TS:A,B712SecBDE546RAFTERS71226The":"and","charactersarepermittedinaSmacklabelbuthavenospecialmeaning.
ThemappingofSmacklabelstoCIPSOvaluesisdefinedbywritingto/smack/cipso,andtoensurecorrectformattingtheprogramsmackcipsoisprovided.
InadditiontoexplicitmappingsSmacksupportsdirectCIPSOmappings.
OneCIPSOlevelisusedtoindicatethatthecategorysetpassedinthepacketisinfactanencodingoftheSmacklabel.
Thelevelusedis250bydefault.
Thevaluecanbereadfrom/smack/directandchangedbywritingto/smack/direct.
SocketAttributesTherearetwoattributesthatareassociatedwithsockets.
Theseattributescanonlybesetbyprivilegedtasks,butanytaskcanreadthemfortheirownsockets.
SMACK64IPIN:TheSmacklabelofthetaskobject.
Aprivilegedprogramthatwillenforcepolicymaysetthistothestarlabel.
9SMACK64IPOUT:TheSmacklabeltransmittedwithoutgoingpackets.
Aprivilegedprogrammaysetthistomatchthelabelofanothertaskwithwhichithopestocommunicate.
PacketAttributesTheSmacklabelthatcamewithanetworkpacketisobtaineddifferentlydependingonthetypeofsocketinvolved.
Onlyaprivilegedprocesswilleverneedtodothis,andthenonlyifitistrustedtoenforcetheSmackaccesscontrolrules.
ForaUDSsocketthelabelwillmatchthatofthefilesystemobject.
Itcanbeobtainedbycallingfgetxattr(sock,"security.
SMACK64",…).
ThelabelofaTCPconnectioncanbeobtainedbycallinggetsockopt(sock,SOL_SOCKET,SO_PEERSEC,…)ThelabelusedbyaprocessshouldneverchangeduringaTCPsession.
Itrequiresprivilegetodosoandaprogramthatchangeslabelsmustdosowithaccesscontrolinmind.
ThelabelofindividualUDPpacketsmustbedealtwithastheycomein,becausethereisnoconnectionnegotiatedbetweenthetasks.
Aprogramthatwantstodealwithincomingpacketsatmultiplelabelsfirstneedstocallsetsockopt(sock,SOL_IP,IP_PASSSEC,…)andthenparsethemessageheaderswitheachpacketreceived.
Thefunctionsmackrecvmsg()isavailabletoprovidetheparsing.
Itcanbeusedinsteadofrecvmsg().
WritingApplicationsforSmackTherearethreesortsofapplicationsthatwillrunonaSmacksystem.
HowanapplicationinteractswithSmackwilldeterminewhatitwillhavetodotoworkproperlyunderSmack.
SmackIgnorantApplicationsByfarthemajorityofapplicationshavenoreasonwhatevertocareabouttheuniquepropertiesofSmack.
SinceinvokingaprogramhasnoimpactontheSmacklabelassociatedwiththeprocesstheonlyconcernlikelytoariseiswhethertheprocesshasexecuteaccesstotheprogram.
10SmackRelevantApplicationsSomeprogramscanbeimprovedbyteachingthemaboutSmack,butdonotmakeanysecuritydecisionsthemselves.
Theutilityls(1)isoneexampleofsuchaprogram.
SmackEnforcingApplicationsThesearespecialprogramsthatnotonlyknowaboutSmack,butparticipateintheenforcementofsystempolicy.
Inmostcasesthesearetheprogramsthatsetupusersessions.
Therearealsonetworkservicesthatprovideinformationtoprocessesrunningwithvariouslabels.
FileSystemInterfacesSmackmaintainslabelsonfilesystemobjectsusingextendedattributes.
TheSmacklabelofafile,directory,orotherfilesystemobjectcanbeobtainedusinggetxattr(2).
getxattr("/","security.
SMACK64",value,sizeof(value));willputtheSmacklabeloftherootdirectoryintovalue.
AprivilegedprocesscansettheSmacklabelofafilesystemobjectwithsetxattr(2).
rc=setxattr("/foo","security.
SMACK64","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabelof/footoRubbleiftheprogramhasappropriateprivilege.
SocketInterfacesThesocketattributescanbereadusingfgetxattr(2).
AprivilegedprocesscansettheSmacklabelofoutgoingpacketswithfsetxattr(2).
rc=fsetxattr(fd,"security.
SMACK64IPOUT","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabel"Rubble"onpacketsgoingoutfromthesocketiftheprogramhasappropriateprivilege.
rc=fsetxattr(fd,"security.
SMACK64IPIN,"*",strlen("*"),0);ThiswillsettheSmacklabel"*"astheobjectlabelagainstwhichincomingpacketswillbecheckediftheprogramhasappropriateprivilege.
11AdministrationSmacksupportssomemountoptions:smackfsdef=label:specifiesthelabeltogivefilesthatlacktheSmacklabelextendedattribute.
smackfsroot=label:specifiesthelabeltoassigntherootofthefilesystemifitlackstheSmackextendedattribute.
smackfshat=label:specifiesalabelthatmusthavereadaccesstoalllabelssetonthefilesystem.
Notyetenforced.
smackfsfloor=label:specifiesalabeltowhichalllabelssetonthefilesystemmusthavereadaccess.
Notyetenforced.
ThesemountoptionsapplytoallfilesystemtypeswiththecurrentexceptionofNFS.

Friendhosting全场VDS主机45折,虚拟主机4折,老用户续费9折

Friendhosting发布了今年黑色星期五促销活动,针对全场VDS主机提供45折优惠码,虚拟主机4折,老用户续费可获9折加送1个月使用时长,优惠后VDS最低仅€14.53/年起,商家支持PayPal、信用卡、支付宝等付款方式。这是一家成立于2009年的老牌保加利亚主机商,提供的产品包括虚拟主机、VPS/VDS和独立服务器租用等,数据中心可选美国、保加利亚、乌克兰、荷兰、拉脱维亚、捷克、瑞士和波...

JustHost俄罗斯VPS有HDD、SSD、NVMe SSD,不限流量低至约9.6元/月

justhost怎么样?justhost服务器好不好?JustHost是一家成立于2006年的俄罗斯服务器提供商,支持支付宝付款,服务器价格便宜,200Mbps大带宽不限流量,支持免费更换5次IP,支持控制面板自由切换机房,目前JustHost有俄罗斯6个机房可以自由切换选择,最重要的还是价格真的特别便宜,最低只需要87卢布/月,约8.5元/月起!总体来说,性价比很高,性价比不错,有需要的朋友可以...

BuyVM迈阿密KVM上线,AMD Ryzen 3900X+NVMe硬盘$2/月起

BuyVM在昨天宣布上线了第四个数据中心产品:迈阿密,基于KVM架构的VPS主机,采用AMD Ryzen 3900X CPU,DDR4内存,NVMe硬盘,1Gbps带宽,不限制流量方式,最低$2/月起,支持Linux或者Windows操作系统。这是一家成立于2010年的国外主机商,提供基于KVM架构的VPS产品,数据中心除了新上的迈阿密外还包括美国拉斯维加斯、新泽西和卢森堡等,主机均为1Gbps带...

filesystemobject为你推荐
网络访问最近电脑老是连不上网 提示说 无网络访问 无INTERNET访问是怎么回事啊。公司网络被攻击最近企业受到网络攻击的事件特别多,怎么才能有效地保护企业的网络安全呢?硬盘工作原理硬盘的工作原理是什么?关键字关键词标签里写多少个关键词为最好罗伦佐娜维洛娜毛周角化修复液治疗毛周角化有用吗?谁用过?能告诉我吗?百度关键词分析怎样对关键词进行分析和选择百度关键词分析如何正确分析关键词?www.522av.com我的IE浏览器一打开就是这个网站http://www.522dh.com/?mu怎么改成百度啊 怎么用注册表改啊sss17.com为什么GAO17.COM网站打不开了www.zhiboba.com上什么网看哪个电视台直播NBA
虚拟主机mysql 主机域名 yaokan永久域名经常更换 重庆vps租用 花生壳免费域名申请 快速域名备案 腾讯云盘 荣耀欧洲 香港bgp机房 oneasiahost 狗爹 香港机房 10t等于多少g realvnc parseerror 网站实时监控 服务器架设 圣诞节促销 台湾谷歌地址 100x100头像 更多