sensitivefilesystemobject
filesystemobject 时间:2021-04-03 阅读:()
1TheSimplifiedMandatoryAccessControlKernelCaseySchauflercasey@schaufler-ca.
comMandatoryAccessControlComputersystemsemployavarietyofschemestoconstrainhowinformationissharedamongthepeopleandservicesusingthemachine.
Someoftheseschemesallowtheprogramorusertodecidewhatotherprogramsorusersareallowedaccesstopiecesofdata.
Theseschemesarecalleddiscretionaryaccesscontrolmechanismsbecausetheaccesscontrolisspecifiedatthediscretionoftheuser.
Otherschemesdonotleavethedecisionregardingwhatauserorprogramcanaccessuptousersorprograms.
Theseschemesarecalledmandatoryaccesscontrolmechanismsbecauseyoudon'thaveachoiceregardingtheusersorprogramsthathaveaccesstopiecesofdata.
Bell&LaPadulaFromthemiddleofthe1980'suntiltheturnofthecenturyMandatoryAccessControl(MAC)wasverycloselyassociatedwiththeBell&LaPadulasecuritymodel,amathematicaldescriptionoftheUnitedStatesDepartmentofDefensepolicyformarkingpaperdocuments.
MACinthisformenjoyedafollowingwithintheCapitalBeltwayandScandinaviansupercomputercentersbutwasoftensitedasfailingtoaddressgeneralneeds.
DomainTypeEnforcementAroundtheturnofthecenturyDomainTypeEnforcement(DTE)becamepopular.
Thisschemeorganizesusers,programs,anddataintodomainsthatareprotectedfromeachother.
ThisschemehasbeenwidelydeployedasacomponentofpopularLinuxdistributions.
Theadministrativeoverheadrequiredtomaintainthisschemeandthedetailedunderstandingofthewholesystemnecessarytoprovideasecuredomainmappingleadstotheschemebeingdisabledorusedinlimitedwaysinthemajorityofcases.
SmackSmackisaMandatoryAccessControlmechanismdesignedtoprovideusefulMACwhileavoidingthepitfallsofitspredecessors.
ThelimitationsofBell&LaPadulaareaddressedbyprovidingaschemewherebyaccesscanbecontrolledaccordingtotherequirementsofthesystemanditspurposeratherthanthoseimposedbyanarcanegovernmentpolicy.
ThecomplexityofDomainTypeEnforcementandavoidedbydefiningaccesscontrolsintermsoftheaccessmodesalreadyinuse.
2SmackTerminologyThejargonusedtotalkaboutSmackwillbefamiliartothosewhohavedealtwithotherMACsystemsandshouldn'tbetoodifficultfortheuninitiatedtopickup.
Therearefourtermsthatareusedinaspecificwayandthatareespeciallyimportant:Subject:Asubjectisanactiveentityonthecomputersystem.
OnSmackasubjectisatask,whichisinturnthebasicunitofexecution.
Object:Anobjectisapassiveentityonthecomputersystem.
OnSmackfilesofalltypes,IPC,andtaskscanbeobjects.
Access:Anyattemptbyasubjecttoputinformationintoorgetinformationfromanobjectisanaccess.
Label:DatathatidentifiestheMandatoryAccessControlcharacteristicsofasubjectoranobject.
Thesedefinitionsareconsistentwiththetraditionaluseinthesecuritycommunity.
TherearealsosometermsfromLinuxthatarelikelytocropup:Capability:Ataskthatpossessesacapabilityhaspermissiontoviolateanaspectofthesystemsecuritypolicy,asidentifiedbythespecificcapability.
Ataskthatpossessesoneormorecapabilitiesisaprivilegedtask,whereasataskwithnocapabilitiesisanunprivilegedtask.
Privilege:Ataskthatisallowedtoviolatethesystemsecuritypolicyissaidtohaveprivilege.
Asofthiswritingataskcanhaveprivilegeeitherbypossessingcapabilitiesorbyhavinganeffectiveuserofroot.
SmackBasicsSmackisanextensiontoaLinuxsystem.
Itenforcesadditionalrestrictionsonwhatsubjectscanaccesswhichobjects,basedonthelabelsattachedtoeachofthesubjectandtheobject.
LabelsSmacklabelsareASCIIcharacterstrings,onetotwenty-threecharactersinlength.
Singlecharacterlabelsusingspecialcharacters,thatbeinganythingotherthanaletterordigit,arereservedforusebytheSmackdevelopmentteam.
Smacklabelsareunstructured,casesensitive,andtheonlyoperationeverperformedonthemiscomparisonforequality.
Therearesomepredefinedlabels:_Pronounced"floor",asingleunderscorecharacter.
^Pronounced"hat",asinglecircumflexcharacter.
*Pronounced"star",asingleasteriskcharacter.
Pronounced"huh",asinglequestionmarkcharacter.
3EverytaskonaSmacksystemisassignedalabel.
Systemtasks,suchasinit(8)andsystemsdaemons,arerunwiththefloor("_")label.
Usertasksareassignedlabelsaccordingtothespecificationfoundinthe/etc/smack/userconfigurationfile.
AccessRulesSmackusesthetraditionalaccessmodesofLinux.
Thesemodesareread,execute,write,andoccasionallyappend.
Thereareafewcaseswheretheaccessmodemaynotbeobvious.
Theseinclude:Signals:Asignalisawriteoperationfromthesubjecttasktotheobjecttask.
InternetDomainIPC:Transmissionofapacketisconsideredawriteoperationfromthesourcetasktothedestinationtask.
Smackrestrictsaccessbasedonthelabelattachedtoasubjectandthelabelattachedtotheobjectitistryingtoaccess.
Therulesenforcedare,inorder:1.
Anyaccessrequestedbyatasklabeled"*"isdenied.
2.
Areadorexecuteaccessrequestedbyatasklabeled"^"ispermitted.
3.
Areadorexecuteaccessrequestedonanobjectlabeled"_"ispermitted.
4.
Anyaccessrequestedonanobjectlabeled"*"ispermitted.
5.
Anyaccessrequestedbyataskonanobjectwiththesamelabelispermitted.
6.
Anyaccessrequestedthatisexplicitlydefinedintheloadedrulesetispermitted.
7.
Anyotheraccessisdenied.
InFigure1auserbarneyhasbeenassignedtheSmacklabelRubble.
Thisusercanreadorexecutethefloorlabeledsystemprogramsanddata.
Hecanalsoreadfromandwritetothespecialdevice/dev/null,whichhasthestarlabel.
SystemprocessesrunningwiththefloorlabeldonothaveanyaccesstoBarney'sdata.
Asystemprocessrunningwiththehatlabelisallowedreadaccesstotheuser'sdatabutnotwriteaccess.
4Figure1–BasicSmackAccessPolicyWiththebasicrulessystemtasksrunningwiththefloorlabelareprotectedfromuserprocessesrunningwithotherlabels.
Figure2demonstratestheaccessesallowedwhentwouserlabelsareinuse.
InthisexampletheJavalabeledtaskcanreadandwritetheJavalabeleddata,theMP3labeledtaskhasreadandwriteaccesstotheMP3labeleddata,whilethesystemfloorlabeledtaskhasthesameaccesstoitsfloorlabeleddata.
BoththeJavaandMP3taskshavereadaccesstothefloorsystemdata.
Thetwousertaskshavenoaccesstoeachother'sdata.
_/,/bin,/bin/sh*/dev/nullRubble~barney*^Rubble_5Figure2-BasicUserLabelInteractionsSmackAccessRulesWiththeisolationprovidedbySmackaccessseparationissimple.
Therearemanyinterestingcaseswherelimitedaccessbysubjectstoobjectswithdifferentlabelsisdesired.
Oneexampleisthefamiliarspymodelofsensitivity,whereascientistworkingonahighlyclassifiedprojectwouldbeabletoreaddocumentsoflowerclassificationsandanythingshewriteswillbe"born"highlyclassified.
ToaccommodatesuchschemesSmackincludesamechanismforspecifyingrulesallowingaccessbetweenlabels.
AccessRuleFormatTheformatofanaccessruleis:subject-labelobject-labelaccessWheresubject-labelistheSmacklabelofthetask,object-labelistheSmacklabelofthethingbeingaccessed,andaccessisastringspecifyingthesortofaccessallowed.
TheSmacklabelsarelimitedto23characters.
Theaccessspecificationissearchedforlettersthatdescribeaccessmodes:a:indicatesthatappendaccessshouldbegranted.
r:indicatesthatreadaccessshouldbegranted.
w:indicatesthatwriteaccessshouldbegranted.
x:indicatesthatexecuteaccessshouldbegranted.
Accessmodespecificationscanbeinanyorder.
Examplesofacceptablerulesare:TopSecretSecretrxSystemDataJavaSandboxMP3DataSystemProcessJavaProcessMP3Process6SecretUnclassrManagerGamexUserHRwNewOldrRrrrClosedOff-Examplesofunacceptablerulesare:TopSecretSecretrxTS/Alpha,OmegaOverloardrxAceAcerOddspellswaxbeansSpacesarenotallowedinlabels.
Theslashcharacter"/"isnotallowedinlabels.
Sinceasubjectalwayshasaccesstofileswiththesamelabelspecifyingaruleforthatcaseispointless.
Lettersthatdonotspecifylegitimateaccessmodesarenotallowed.
ApplyingAccessRulesThedevelopersofLinuxrarelydefinenewsortsofthings,usuallyimportingschemesandconceptsfromothersystems.
Mostoften,theothersystemsarevariantsofUnix.
Unixhasmanyendearingproperties,butconsistencyofaccesscontrolmodelsisnotoneofthem.
Smackstrivestotreataccessesasuniformlyasissensiblewhilekeepingwiththespiritoftheunderlyingmechanism.
Filesystemobjectsincludingfiles,directories,namedpipes,symboliclinks,anddevicesrequireaccesspermissionsthatcloselymatchthoseusedbymodebitaccess.
Toopenafileforreadingreadaccessisrequiredonthefile.
Tosearchadirectoryrequiresexecuteaccess.
Creatingafilewithwriteaccessrequiresbothreadandwriteaccessonthecontainingdirectory.
Deletingafilerequiresreadandwriteaccesstothefileandtothecontainingdirectory.
Itispossiblethatausermaybeabletoseethatafileexistsbutnotanyofitsattributesbythecircumstanceofhavingreadaccesstothecontainingdirectorybutnottothedifferentlylabeledfile.
Thisisanartifactofthefilenamebeingdatainthedirectory,notapartofthefile.
IPCobjects,messagequeues,semaphoresets,andmemorysegmentsexistinflatnamespacesandaccessrequestsareonlyrequiredtomatchtheobjectinquestion.
ProcessobjectsreflecttasksonthesystemandtheSmacklabelusedtoaccessthemisthesameSmacklabelthatthetaskwoulduseforitsownaccessattempts.
Sendingasignalviathekill()systemcallisawriteoperationfromthesignalertotherecipient.
Debuggingaprocessrequiresbothreadingandwriting.
CreatinganewtaskisaninternaloperationthatresultsintwotaskswithidenticalSmacklabelsandrequiresnoaccesschecks.
7Socketsaredatastructuresattachedtoprocessesandsendingapacketfromoneprocesstoanotherrequiresthatthesenderhavewriteaccesstothereceiver.
Thereceiverisnotrequiredtohavereadaccesstothesender.
SettingAccessRulesTheconfigurationfile/etc/smack/accessescontainstherulestobesetatsystemstartup.
Thecontentsarewrittentothespecialfile/smack/load.
Rulescanbewrittento/smack/loadatanytimeandtakeeffectimmediately.
Foranypairofsubjectandobjectlabelstherecanbeonlyonerule,withthemostrecentlyspecifiedoverridinganyearlierspecification.
Inordertoensurethatrulesarewrittenproperlyaprogramsmackloadisprovided.
TaskAttributeTheSmacklabelofaprocesscanbereadfrom/proc//attr/current.
AprocesscanreaditsownSmacklabelfrom/proc/self/attr/current.
AprivilegedprocesscanchangeitsownSmacklabelbywritingto/proc/self/attr/currentbutnotthelabelofanotherprocess.
FileAttributeTheSmacklabelofafilesystemobjectisstoredasanextendedattributenamedSMACK64onthefile.
Thisattributeisinthesecuritynamespace.
Itcanonlybechangedbyaprocesswithprivilege.
PrivilegeTherearetwocapabilitiesusedexplicitlybySmack.
CAP_MAC_ADMINallowsaprocesstoperformadministrativefunctionssuchasloadingaccessrules.
CAP_MAC_OVERRIDEexemptsaprocessfromallaccesscontrolrules.
SmackNetworkingAsmentionedbefore,Smackenforcesaccesscontrolonnetworkprotocoltransmissions.
UsuallyapacketsentbyaSmackprocessistaggedwithitsSmacklabel,howeverpacketsthatwouldgettheambientlabelaresentwithoutatag.
ThisisdonebyaddingaCIPSOtagtotheheaderoftheIPpacket.
EachpacketreceivedisexpectedtohaveaCIPSOtagthatidentifiesthelabelandifitlackssuchatagthenetworkambientlabelisassumed.
Beforethepacketisdeliveredacheckismadetodeterminethatasubjectwiththelabelonthepackethaswriteaccesstothereceivingprocessandifthatisnotthecasethepacketisdropped.
CIPSOConfigurationItisnormallyunnecessarytospecifytheCIPSOconfiguration.
Thedefaultvaluesusedbythesystemhandleallinternalcases.
SmackwillcomposeCIPSOlabelvaluestomatchtheSmacklabelsbeingusedwithoutadministrativeintervention.
Unlabeled8packetsthatcomeintothesystemwillbegiventheambientlabel,andoutgoingpacketsthatwouldgettheambientlabelaresentunlabeled.
SmackrequiresconfigurationinthecasewherepacketsfromasystemthatisnotSmackthatspeaksCIPSOmaybeencountered.
UsuallythiswillbeaTrustedSolarissystem,butthereareother,lesswidelydeployedsystemsoutthere.
CIPSOprovides3importantvalues,aDomainOfInterpretation(DOI),alevel,andacategorysetwitheachpacket.
TheDOIisintendedtoidentifyagroupofsystemsthatusecompatiblelabelingschemes,andtheDOIspecifiedonthesmacksystemmustmatchthatoftheremotesystemorpacketswillbediscarded.
TheDOIis3bydefault.
Thevaluecanbereadfrom/smack/doiandcanbechangedbywritingto/smack/doi.
ThelabelandcategorysetaremappedtoaSmacklabelasdefinedin/etc/smack/cipso.
ASmack/CIPSOmappinghastheform:smacklevel[category[category]…]Smackdoesnotexpectthelevelorcategorysetstoberelatedinanyparticularwayanddoesnotassumeorassignaccessesbasedonthem.
Someexamplesofmappings:TopSecret7TS:A,B712SecBDE546RAFTERS71226The":"and","charactersarepermittedinaSmacklabelbuthavenospecialmeaning.
ThemappingofSmacklabelstoCIPSOvaluesisdefinedbywritingto/smack/cipso,andtoensurecorrectformattingtheprogramsmackcipsoisprovided.
InadditiontoexplicitmappingsSmacksupportsdirectCIPSOmappings.
OneCIPSOlevelisusedtoindicatethatthecategorysetpassedinthepacketisinfactanencodingoftheSmacklabel.
Thelevelusedis250bydefault.
Thevaluecanbereadfrom/smack/directandchangedbywritingto/smack/direct.
SocketAttributesTherearetwoattributesthatareassociatedwithsockets.
Theseattributescanonlybesetbyprivilegedtasks,butanytaskcanreadthemfortheirownsockets.
SMACK64IPIN:TheSmacklabelofthetaskobject.
Aprivilegedprogramthatwillenforcepolicymaysetthistothestarlabel.
9SMACK64IPOUT:TheSmacklabeltransmittedwithoutgoingpackets.
Aprivilegedprogrammaysetthistomatchthelabelofanothertaskwithwhichithopestocommunicate.
PacketAttributesTheSmacklabelthatcamewithanetworkpacketisobtaineddifferentlydependingonthetypeofsocketinvolved.
Onlyaprivilegedprocesswilleverneedtodothis,andthenonlyifitistrustedtoenforcetheSmackaccesscontrolrules.
ForaUDSsocketthelabelwillmatchthatofthefilesystemobject.
Itcanbeobtainedbycallingfgetxattr(sock,"security.
SMACK64",…).
ThelabelofaTCPconnectioncanbeobtainedbycallinggetsockopt(sock,SOL_SOCKET,SO_PEERSEC,…)ThelabelusedbyaprocessshouldneverchangeduringaTCPsession.
Itrequiresprivilegetodosoandaprogramthatchangeslabelsmustdosowithaccesscontrolinmind.
ThelabelofindividualUDPpacketsmustbedealtwithastheycomein,becausethereisnoconnectionnegotiatedbetweenthetasks.
Aprogramthatwantstodealwithincomingpacketsatmultiplelabelsfirstneedstocallsetsockopt(sock,SOL_IP,IP_PASSSEC,…)andthenparsethemessageheaderswitheachpacketreceived.
Thefunctionsmackrecvmsg()isavailabletoprovidetheparsing.
Itcanbeusedinsteadofrecvmsg().
WritingApplicationsforSmackTherearethreesortsofapplicationsthatwillrunonaSmacksystem.
HowanapplicationinteractswithSmackwilldeterminewhatitwillhavetodotoworkproperlyunderSmack.
SmackIgnorantApplicationsByfarthemajorityofapplicationshavenoreasonwhatevertocareabouttheuniquepropertiesofSmack.
SinceinvokingaprogramhasnoimpactontheSmacklabelassociatedwiththeprocesstheonlyconcernlikelytoariseiswhethertheprocesshasexecuteaccesstotheprogram.
10SmackRelevantApplicationsSomeprogramscanbeimprovedbyteachingthemaboutSmack,butdonotmakeanysecuritydecisionsthemselves.
Theutilityls(1)isoneexampleofsuchaprogram.
SmackEnforcingApplicationsThesearespecialprogramsthatnotonlyknowaboutSmack,butparticipateintheenforcementofsystempolicy.
Inmostcasesthesearetheprogramsthatsetupusersessions.
Therearealsonetworkservicesthatprovideinformationtoprocessesrunningwithvariouslabels.
FileSystemInterfacesSmackmaintainslabelsonfilesystemobjectsusingextendedattributes.
TheSmacklabelofafile,directory,orotherfilesystemobjectcanbeobtainedusinggetxattr(2).
getxattr("/","security.
SMACK64",value,sizeof(value));willputtheSmacklabeloftherootdirectoryintovalue.
AprivilegedprocesscansettheSmacklabelofafilesystemobjectwithsetxattr(2).
rc=setxattr("/foo","security.
SMACK64","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabelof/footoRubbleiftheprogramhasappropriateprivilege.
SocketInterfacesThesocketattributescanbereadusingfgetxattr(2).
AprivilegedprocesscansettheSmacklabelofoutgoingpacketswithfsetxattr(2).
rc=fsetxattr(fd,"security.
SMACK64IPOUT","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabel"Rubble"onpacketsgoingoutfromthesocketiftheprogramhasappropriateprivilege.
rc=fsetxattr(fd,"security.
SMACK64IPIN,"*",strlen("*"),0);ThiswillsettheSmacklabel"*"astheobjectlabelagainstwhichincomingpacketswillbecheckediftheprogramhasappropriateprivilege.
11AdministrationSmacksupportssomemountoptions:smackfsdef=label:specifiesthelabeltogivefilesthatlacktheSmacklabelextendedattribute.
smackfsroot=label:specifiesthelabeltoassigntherootofthefilesystemifitlackstheSmackextendedattribute.
smackfshat=label:specifiesalabelthatmusthavereadaccesstoalllabelssetonthefilesystem.
Notyetenforced.
smackfsfloor=label:specifiesalabeltowhichalllabelssetonthefilesystemmusthavereadaccess.
Notyetenforced.
ThesemountoptionsapplytoallfilesystemtypeswiththecurrentexceptionofNFS.
comMandatoryAccessControlComputersystemsemployavarietyofschemestoconstrainhowinformationissharedamongthepeopleandservicesusingthemachine.
Someoftheseschemesallowtheprogramorusertodecidewhatotherprogramsorusersareallowedaccesstopiecesofdata.
Theseschemesarecalleddiscretionaryaccesscontrolmechanismsbecausetheaccesscontrolisspecifiedatthediscretionoftheuser.
Otherschemesdonotleavethedecisionregardingwhatauserorprogramcanaccessuptousersorprograms.
Theseschemesarecalledmandatoryaccesscontrolmechanismsbecauseyoudon'thaveachoiceregardingtheusersorprogramsthathaveaccesstopiecesofdata.
Bell&LaPadulaFromthemiddleofthe1980'suntiltheturnofthecenturyMandatoryAccessControl(MAC)wasverycloselyassociatedwiththeBell&LaPadulasecuritymodel,amathematicaldescriptionoftheUnitedStatesDepartmentofDefensepolicyformarkingpaperdocuments.
MACinthisformenjoyedafollowingwithintheCapitalBeltwayandScandinaviansupercomputercentersbutwasoftensitedasfailingtoaddressgeneralneeds.
DomainTypeEnforcementAroundtheturnofthecenturyDomainTypeEnforcement(DTE)becamepopular.
Thisschemeorganizesusers,programs,anddataintodomainsthatareprotectedfromeachother.
ThisschemehasbeenwidelydeployedasacomponentofpopularLinuxdistributions.
Theadministrativeoverheadrequiredtomaintainthisschemeandthedetailedunderstandingofthewholesystemnecessarytoprovideasecuredomainmappingleadstotheschemebeingdisabledorusedinlimitedwaysinthemajorityofcases.
SmackSmackisaMandatoryAccessControlmechanismdesignedtoprovideusefulMACwhileavoidingthepitfallsofitspredecessors.
ThelimitationsofBell&LaPadulaareaddressedbyprovidingaschemewherebyaccesscanbecontrolledaccordingtotherequirementsofthesystemanditspurposeratherthanthoseimposedbyanarcanegovernmentpolicy.
ThecomplexityofDomainTypeEnforcementandavoidedbydefiningaccesscontrolsintermsoftheaccessmodesalreadyinuse.
2SmackTerminologyThejargonusedtotalkaboutSmackwillbefamiliartothosewhohavedealtwithotherMACsystemsandshouldn'tbetoodifficultfortheuninitiatedtopickup.
Therearefourtermsthatareusedinaspecificwayandthatareespeciallyimportant:Subject:Asubjectisanactiveentityonthecomputersystem.
OnSmackasubjectisatask,whichisinturnthebasicunitofexecution.
Object:Anobjectisapassiveentityonthecomputersystem.
OnSmackfilesofalltypes,IPC,andtaskscanbeobjects.
Access:Anyattemptbyasubjecttoputinformationintoorgetinformationfromanobjectisanaccess.
Label:DatathatidentifiestheMandatoryAccessControlcharacteristicsofasubjectoranobject.
Thesedefinitionsareconsistentwiththetraditionaluseinthesecuritycommunity.
TherearealsosometermsfromLinuxthatarelikelytocropup:Capability:Ataskthatpossessesacapabilityhaspermissiontoviolateanaspectofthesystemsecuritypolicy,asidentifiedbythespecificcapability.
Ataskthatpossessesoneormorecapabilitiesisaprivilegedtask,whereasataskwithnocapabilitiesisanunprivilegedtask.
Privilege:Ataskthatisallowedtoviolatethesystemsecuritypolicyissaidtohaveprivilege.
Asofthiswritingataskcanhaveprivilegeeitherbypossessingcapabilitiesorbyhavinganeffectiveuserofroot.
SmackBasicsSmackisanextensiontoaLinuxsystem.
Itenforcesadditionalrestrictionsonwhatsubjectscanaccesswhichobjects,basedonthelabelsattachedtoeachofthesubjectandtheobject.
LabelsSmacklabelsareASCIIcharacterstrings,onetotwenty-threecharactersinlength.
Singlecharacterlabelsusingspecialcharacters,thatbeinganythingotherthanaletterordigit,arereservedforusebytheSmackdevelopmentteam.
Smacklabelsareunstructured,casesensitive,andtheonlyoperationeverperformedonthemiscomparisonforequality.
Therearesomepredefinedlabels:_Pronounced"floor",asingleunderscorecharacter.
^Pronounced"hat",asinglecircumflexcharacter.
*Pronounced"star",asingleasteriskcharacter.
Pronounced"huh",asinglequestionmarkcharacter.
3EverytaskonaSmacksystemisassignedalabel.
Systemtasks,suchasinit(8)andsystemsdaemons,arerunwiththefloor("_")label.
Usertasksareassignedlabelsaccordingtothespecificationfoundinthe/etc/smack/userconfigurationfile.
AccessRulesSmackusesthetraditionalaccessmodesofLinux.
Thesemodesareread,execute,write,andoccasionallyappend.
Thereareafewcaseswheretheaccessmodemaynotbeobvious.
Theseinclude:Signals:Asignalisawriteoperationfromthesubjecttasktotheobjecttask.
InternetDomainIPC:Transmissionofapacketisconsideredawriteoperationfromthesourcetasktothedestinationtask.
Smackrestrictsaccessbasedonthelabelattachedtoasubjectandthelabelattachedtotheobjectitistryingtoaccess.
Therulesenforcedare,inorder:1.
Anyaccessrequestedbyatasklabeled"*"isdenied.
2.
Areadorexecuteaccessrequestedbyatasklabeled"^"ispermitted.
3.
Areadorexecuteaccessrequestedonanobjectlabeled"_"ispermitted.
4.
Anyaccessrequestedonanobjectlabeled"*"ispermitted.
5.
Anyaccessrequestedbyataskonanobjectwiththesamelabelispermitted.
6.
Anyaccessrequestedthatisexplicitlydefinedintheloadedrulesetispermitted.
7.
Anyotheraccessisdenied.
InFigure1auserbarneyhasbeenassignedtheSmacklabelRubble.
Thisusercanreadorexecutethefloorlabeledsystemprogramsanddata.
Hecanalsoreadfromandwritetothespecialdevice/dev/null,whichhasthestarlabel.
SystemprocessesrunningwiththefloorlabeldonothaveanyaccesstoBarney'sdata.
Asystemprocessrunningwiththehatlabelisallowedreadaccesstotheuser'sdatabutnotwriteaccess.
4Figure1–BasicSmackAccessPolicyWiththebasicrulessystemtasksrunningwiththefloorlabelareprotectedfromuserprocessesrunningwithotherlabels.
Figure2demonstratestheaccessesallowedwhentwouserlabelsareinuse.
InthisexampletheJavalabeledtaskcanreadandwritetheJavalabeleddata,theMP3labeledtaskhasreadandwriteaccesstotheMP3labeleddata,whilethesystemfloorlabeledtaskhasthesameaccesstoitsfloorlabeleddata.
BoththeJavaandMP3taskshavereadaccesstothefloorsystemdata.
Thetwousertaskshavenoaccesstoeachother'sdata.
_/,/bin,/bin/sh*/dev/nullRubble~barney*^Rubble_5Figure2-BasicUserLabelInteractionsSmackAccessRulesWiththeisolationprovidedbySmackaccessseparationissimple.
Therearemanyinterestingcaseswherelimitedaccessbysubjectstoobjectswithdifferentlabelsisdesired.
Oneexampleisthefamiliarspymodelofsensitivity,whereascientistworkingonahighlyclassifiedprojectwouldbeabletoreaddocumentsoflowerclassificationsandanythingshewriteswillbe"born"highlyclassified.
ToaccommodatesuchschemesSmackincludesamechanismforspecifyingrulesallowingaccessbetweenlabels.
AccessRuleFormatTheformatofanaccessruleis:subject-labelobject-labelaccessWheresubject-labelistheSmacklabelofthetask,object-labelistheSmacklabelofthethingbeingaccessed,andaccessisastringspecifyingthesortofaccessallowed.
TheSmacklabelsarelimitedto23characters.
Theaccessspecificationissearchedforlettersthatdescribeaccessmodes:a:indicatesthatappendaccessshouldbegranted.
r:indicatesthatreadaccessshouldbegranted.
w:indicatesthatwriteaccessshouldbegranted.
x:indicatesthatexecuteaccessshouldbegranted.
Accessmodespecificationscanbeinanyorder.
Examplesofacceptablerulesare:TopSecretSecretrxSystemDataJavaSandboxMP3DataSystemProcessJavaProcessMP3Process6SecretUnclassrManagerGamexUserHRwNewOldrRrrrClosedOff-Examplesofunacceptablerulesare:TopSecretSecretrxTS/Alpha,OmegaOverloardrxAceAcerOddspellswaxbeansSpacesarenotallowedinlabels.
Theslashcharacter"/"isnotallowedinlabels.
Sinceasubjectalwayshasaccesstofileswiththesamelabelspecifyingaruleforthatcaseispointless.
Lettersthatdonotspecifylegitimateaccessmodesarenotallowed.
ApplyingAccessRulesThedevelopersofLinuxrarelydefinenewsortsofthings,usuallyimportingschemesandconceptsfromothersystems.
Mostoften,theothersystemsarevariantsofUnix.
Unixhasmanyendearingproperties,butconsistencyofaccesscontrolmodelsisnotoneofthem.
Smackstrivestotreataccessesasuniformlyasissensiblewhilekeepingwiththespiritoftheunderlyingmechanism.
Filesystemobjectsincludingfiles,directories,namedpipes,symboliclinks,anddevicesrequireaccesspermissionsthatcloselymatchthoseusedbymodebitaccess.
Toopenafileforreadingreadaccessisrequiredonthefile.
Tosearchadirectoryrequiresexecuteaccess.
Creatingafilewithwriteaccessrequiresbothreadandwriteaccessonthecontainingdirectory.
Deletingafilerequiresreadandwriteaccesstothefileandtothecontainingdirectory.
Itispossiblethatausermaybeabletoseethatafileexistsbutnotanyofitsattributesbythecircumstanceofhavingreadaccesstothecontainingdirectorybutnottothedifferentlylabeledfile.
Thisisanartifactofthefilenamebeingdatainthedirectory,notapartofthefile.
IPCobjects,messagequeues,semaphoresets,andmemorysegmentsexistinflatnamespacesandaccessrequestsareonlyrequiredtomatchtheobjectinquestion.
ProcessobjectsreflecttasksonthesystemandtheSmacklabelusedtoaccessthemisthesameSmacklabelthatthetaskwoulduseforitsownaccessattempts.
Sendingasignalviathekill()systemcallisawriteoperationfromthesignalertotherecipient.
Debuggingaprocessrequiresbothreadingandwriting.
CreatinganewtaskisaninternaloperationthatresultsintwotaskswithidenticalSmacklabelsandrequiresnoaccesschecks.
7Socketsaredatastructuresattachedtoprocessesandsendingapacketfromoneprocesstoanotherrequiresthatthesenderhavewriteaccesstothereceiver.
Thereceiverisnotrequiredtohavereadaccesstothesender.
SettingAccessRulesTheconfigurationfile/etc/smack/accessescontainstherulestobesetatsystemstartup.
Thecontentsarewrittentothespecialfile/smack/load.
Rulescanbewrittento/smack/loadatanytimeandtakeeffectimmediately.
Foranypairofsubjectandobjectlabelstherecanbeonlyonerule,withthemostrecentlyspecifiedoverridinganyearlierspecification.
Inordertoensurethatrulesarewrittenproperlyaprogramsmackloadisprovided.
TaskAttributeTheSmacklabelofaprocesscanbereadfrom/proc//attr/current.
AprocesscanreaditsownSmacklabelfrom/proc/self/attr/current.
AprivilegedprocesscanchangeitsownSmacklabelbywritingto/proc/self/attr/currentbutnotthelabelofanotherprocess.
FileAttributeTheSmacklabelofafilesystemobjectisstoredasanextendedattributenamedSMACK64onthefile.
Thisattributeisinthesecuritynamespace.
Itcanonlybechangedbyaprocesswithprivilege.
PrivilegeTherearetwocapabilitiesusedexplicitlybySmack.
CAP_MAC_ADMINallowsaprocesstoperformadministrativefunctionssuchasloadingaccessrules.
CAP_MAC_OVERRIDEexemptsaprocessfromallaccesscontrolrules.
SmackNetworkingAsmentionedbefore,Smackenforcesaccesscontrolonnetworkprotocoltransmissions.
UsuallyapacketsentbyaSmackprocessistaggedwithitsSmacklabel,howeverpacketsthatwouldgettheambientlabelaresentwithoutatag.
ThisisdonebyaddingaCIPSOtagtotheheaderoftheIPpacket.
EachpacketreceivedisexpectedtohaveaCIPSOtagthatidentifiesthelabelandifitlackssuchatagthenetworkambientlabelisassumed.
Beforethepacketisdeliveredacheckismadetodeterminethatasubjectwiththelabelonthepackethaswriteaccesstothereceivingprocessandifthatisnotthecasethepacketisdropped.
CIPSOConfigurationItisnormallyunnecessarytospecifytheCIPSOconfiguration.
Thedefaultvaluesusedbythesystemhandleallinternalcases.
SmackwillcomposeCIPSOlabelvaluestomatchtheSmacklabelsbeingusedwithoutadministrativeintervention.
Unlabeled8packetsthatcomeintothesystemwillbegiventheambientlabel,andoutgoingpacketsthatwouldgettheambientlabelaresentunlabeled.
SmackrequiresconfigurationinthecasewherepacketsfromasystemthatisnotSmackthatspeaksCIPSOmaybeencountered.
UsuallythiswillbeaTrustedSolarissystem,butthereareother,lesswidelydeployedsystemsoutthere.
CIPSOprovides3importantvalues,aDomainOfInterpretation(DOI),alevel,andacategorysetwitheachpacket.
TheDOIisintendedtoidentifyagroupofsystemsthatusecompatiblelabelingschemes,andtheDOIspecifiedonthesmacksystemmustmatchthatoftheremotesystemorpacketswillbediscarded.
TheDOIis3bydefault.
Thevaluecanbereadfrom/smack/doiandcanbechangedbywritingto/smack/doi.
ThelabelandcategorysetaremappedtoaSmacklabelasdefinedin/etc/smack/cipso.
ASmack/CIPSOmappinghastheform:smacklevel[category[category]…]Smackdoesnotexpectthelevelorcategorysetstoberelatedinanyparticularwayanddoesnotassumeorassignaccessesbasedonthem.
Someexamplesofmappings:TopSecret7TS:A,B712SecBDE546RAFTERS71226The":"and","charactersarepermittedinaSmacklabelbuthavenospecialmeaning.
ThemappingofSmacklabelstoCIPSOvaluesisdefinedbywritingto/smack/cipso,andtoensurecorrectformattingtheprogramsmackcipsoisprovided.
InadditiontoexplicitmappingsSmacksupportsdirectCIPSOmappings.
OneCIPSOlevelisusedtoindicatethatthecategorysetpassedinthepacketisinfactanencodingoftheSmacklabel.
Thelevelusedis250bydefault.
Thevaluecanbereadfrom/smack/directandchangedbywritingto/smack/direct.
SocketAttributesTherearetwoattributesthatareassociatedwithsockets.
Theseattributescanonlybesetbyprivilegedtasks,butanytaskcanreadthemfortheirownsockets.
SMACK64IPIN:TheSmacklabelofthetaskobject.
Aprivilegedprogramthatwillenforcepolicymaysetthistothestarlabel.
9SMACK64IPOUT:TheSmacklabeltransmittedwithoutgoingpackets.
Aprivilegedprogrammaysetthistomatchthelabelofanothertaskwithwhichithopestocommunicate.
PacketAttributesTheSmacklabelthatcamewithanetworkpacketisobtaineddifferentlydependingonthetypeofsocketinvolved.
Onlyaprivilegedprocesswilleverneedtodothis,andthenonlyifitistrustedtoenforcetheSmackaccesscontrolrules.
ForaUDSsocketthelabelwillmatchthatofthefilesystemobject.
Itcanbeobtainedbycallingfgetxattr(sock,"security.
SMACK64",…).
ThelabelofaTCPconnectioncanbeobtainedbycallinggetsockopt(sock,SOL_SOCKET,SO_PEERSEC,…)ThelabelusedbyaprocessshouldneverchangeduringaTCPsession.
Itrequiresprivilegetodosoandaprogramthatchangeslabelsmustdosowithaccesscontrolinmind.
ThelabelofindividualUDPpacketsmustbedealtwithastheycomein,becausethereisnoconnectionnegotiatedbetweenthetasks.
Aprogramthatwantstodealwithincomingpacketsatmultiplelabelsfirstneedstocallsetsockopt(sock,SOL_IP,IP_PASSSEC,…)andthenparsethemessageheaderswitheachpacketreceived.
Thefunctionsmackrecvmsg()isavailabletoprovidetheparsing.
Itcanbeusedinsteadofrecvmsg().
WritingApplicationsforSmackTherearethreesortsofapplicationsthatwillrunonaSmacksystem.
HowanapplicationinteractswithSmackwilldeterminewhatitwillhavetodotoworkproperlyunderSmack.
SmackIgnorantApplicationsByfarthemajorityofapplicationshavenoreasonwhatevertocareabouttheuniquepropertiesofSmack.
SinceinvokingaprogramhasnoimpactontheSmacklabelassociatedwiththeprocesstheonlyconcernlikelytoariseiswhethertheprocesshasexecuteaccesstotheprogram.
10SmackRelevantApplicationsSomeprogramscanbeimprovedbyteachingthemaboutSmack,butdonotmakeanysecuritydecisionsthemselves.
Theutilityls(1)isoneexampleofsuchaprogram.
SmackEnforcingApplicationsThesearespecialprogramsthatnotonlyknowaboutSmack,butparticipateintheenforcementofsystempolicy.
Inmostcasesthesearetheprogramsthatsetupusersessions.
Therearealsonetworkservicesthatprovideinformationtoprocessesrunningwithvariouslabels.
FileSystemInterfacesSmackmaintainslabelsonfilesystemobjectsusingextendedattributes.
TheSmacklabelofafile,directory,orotherfilesystemobjectcanbeobtainedusinggetxattr(2).
getxattr("/","security.
SMACK64",value,sizeof(value));willputtheSmacklabeloftherootdirectoryintovalue.
AprivilegedprocesscansettheSmacklabelofafilesystemobjectwithsetxattr(2).
rc=setxattr("/foo","security.
SMACK64","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabelof/footoRubbleiftheprogramhasappropriateprivilege.
SocketInterfacesThesocketattributescanbereadusingfgetxattr(2).
AprivilegedprocesscansettheSmacklabelofoutgoingpacketswithfsetxattr(2).
rc=fsetxattr(fd,"security.
SMACK64IPOUT","Rubble",strlen("Rubble"),0);ThiswillsettheSmacklabel"Rubble"onpacketsgoingoutfromthesocketiftheprogramhasappropriateprivilege.
rc=fsetxattr(fd,"security.
SMACK64IPIN,"*",strlen("*"),0);ThiswillsettheSmacklabel"*"astheobjectlabelagainstwhichincomingpacketswillbecheckediftheprogramhasappropriateprivilege.
11AdministrationSmacksupportssomemountoptions:smackfsdef=label:specifiesthelabeltogivefilesthatlacktheSmacklabelextendedattribute.
smackfsroot=label:specifiesthelabeltoassigntherootofthefilesystemifitlackstheSmackextendedattribute.
smackfshat=label:specifiesalabelthatmusthavereadaccesstoalllabelssetonthefilesystem.
Notyetenforced.
smackfsfloor=label:specifiesalabeltowhichalllabelssetonthefilesystemmusthavereadaccess.
Notyetenforced.
ThesemountoptionsapplytoallfilesystemtypeswiththecurrentexceptionofNFS.
- sensitivefilesystemobject相关文档
- 单据filesystemobject
- widgetfilesystemobject
- 支出filesystemobject
- 职位filesystemobject
- 主要负责人filesystemobject
- 蒙古族filesystemobject
青果网络-618阿里云,腾讯云特惠优惠折上折!
官方网站:点击访问青果云官方网站活动方案:—————————–活动规则—————————1、选购活动产品并下单(先不要支付)2、联系我司在线客服修改价格或领取赠送时间3、确认价格已按活动政策修改正确后,支付订单,到此产品开设成功4、本活动产品可以升级,升级所需费用按产品原价计算若发生退款,按资源实际使用情况折算为产品原价再退还剩余余额! 美国洛杉矶CN2_GIACPU内存系统盘流量宽带i...
Tudcloud(月付7.2美元),香港VPS,可选大带宽或不限流量
Tudcloud是一家新开的主机商,提供VPS和独立服务器租用,数据中心在中国香港(VPS和独立服务器)和美国洛杉矶(独立服务器),商家VPS基于KVM架构,开设在香港机房,可以选择限制流量大带宽或者限制带宽不限流量套餐。目前提供8折优惠码,优惠后最低每月7.2美元起。虽然主机商网站为英文界面,但是支付方式仅支付宝和Stripe,可能是国人商家。下面列出部分VPS主机套餐配置信息。CPU:1cor...
美国G口/香港CTG/美国T级超防云/物理机/CDN大促销 1核 1G 24元/月
[六一云迎国庆]转盘活动实物礼品美国G口/香港CTG/美国T级超防云/物理机/CDN大促销六一云 成立于2018年,归属于西安六一网络科技有限公司,是一家国内正规持有IDC ISP CDN IRCS电信经营许可证书的老牌商家。大陆持证公司受大陆各部门监管不好用支持退款退现,再也不怕被割韭菜了!主要业务有:国内高防云,美国高防云,美国cera大带宽,香港CTG,香港沙田CN2,海外站群服务,物理机,...
filesystemobject为你推荐
-
沙滩捡12块石头价值近百万圣经中约旦河边的十二个石头funnymudpee京东的显卡什么时候能降回正常价格啊,想买个1060中老铁路一带一路的火车是什么火车甲骨文不满赔偿工作不满半年被辞退,请问赔偿金是怎么算的?18comic.fun18岁以后男孩最喜欢的网站lunwenjiancewritecheck论文检测准吗?rawtools闪迪32Gsd卡,无法格式化,显示只有30M,并且是raw格式。如何恢复?www.javmoo.comjavimdb怎么看汴京清谈都城汴京,数百万家,尽仰石炭,无一燃薪者的翻译4399宠物连连看2.54399游戏里的宠物连连看3.1版本,电脑网页有,为什么手机里没有呢?我想下这个版本在手机上,因为