diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2008-02-05 01:29:50 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2008-02-05 12:44:20 -0500 |
| commit | e114e473771c848c3cfec05f0123e70f1cdbdc99 (patch) | |
| tree | 933b840f3ccac6860da56291c742094f9b5a20cb | |
| parent | eda61d32e8ad1d9102872f9a0abf3344bf9c5e67 (diff) | |
Smack: Simplified Mandatory Access Control Kernel
Smack is the Simplified Mandatory Access Control Kernel.
Smack implements mandatory access control (MAC) using labels
attached to tasks and data containers, including files, SVIPC,
and other tasks. Smack is a kernel based scheme that requires
an absolute minimum of application support and a very small
amount of configuration data.
Smack uses extended attributes and
provides a set of general mount options, borrowing technics used
elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides
a pseudo-filesystem smackfs that is used for manipulation of
system Smack attributes.
The patch, patches for ls and sshd, a README, a startup script,
and x86 binaries for ls and sshd are also available on
http://www.schaufler-ca.com
Development has been done using Fedora Core 7 in a virtual machine
environment and on an old Sony laptop.
Smack provides mandatory access controls based on the label attached
to a task and the label attached to the object it is attempting to
access. Smack labels are deliberately short (1-23 characters) text
strings. Single character labels using special characters are reserved
for system use. The only operation applied to Smack labels is equality
comparison. No wildcards or expressions, regular or otherwise, are
used. Smack labels are composed of printable characters and may not
include "/".
A file always gets the Smack label of the task that created it.
Smack defines and uses these labels:
"*" - pronounced "star"
"_" - pronounced "floor"
"^" - pronounced "hat"
"?" - pronounced "huh"
The access rules enforced by Smack are, in order:
1. Any access requested by a task labeled "*" is denied.
2. A read or execute access requested by a task labeled "^"
is permitted.
3. A read or execute access requested on an object labeled "_"
is permitted.
4. Any access requested on an object labeled "*" is permitted.
5. Any access requested by a task on an object with the same
label is permitted.
6. Any access requested that is explicitly defined in the loaded
rule set is permitted.
7. Any other access is denied.
Rules may be explicitly defined by writing subject,object,access
triples to /smack/load.
Smack rule sets can be easily defined that describe Bell&LaPadula
sensitivity, Biba integrity, and a variety of interesting
configurations. Smack rule sets can be modified on the fly to
accommodate changes in the operating environment or even the time
of day.
Some practical use cases:
Hierarchical levels. The less common of the two usual uses
for MLS systems is to define hierarchical levels, often
unclassified, confidential, secret, and so on. To set up smack
to support this, these rules could be defined:
C Unclass rx
S C rx
S Unclass rx
TS S rx
TS C rx
TS Unclass rx
A TS process can read S, C, and Unclass data, but cannot write it.
An S process can read C and Unclass. Note that specifying that
TS can read S and S can read C does not imply TS can read C, it
has to be explicitly stated.
Non-hierarchical categories. This is the more common of the
usual uses for an MLS system. Since the default rule is that a
subject cannot access an object with a different label no
access rules are required to implement compartmentalization.
A case that the Bell & LaPadula policy does not allow is demonstrated
with this Smack access rule:
A case that Bell&LaPadula does not allow that Smack does:
ESPN ABC r
ABC ESPN r
On my portable video device I have two applications, one that
shows ABC programming and the other ESPN programming. ESPN wants
to show me sport stories that show up as news, and ABC will
only provide minimal information about a sports story if ESPN
is covering it. Each side can look at the other's info, neither
can change the other. Neither can see what FOX is up to, which
is just as well all things considered.
Another case that I especially like:
SatData Guard w
Guard Publish w
A program running with the Guard label opens a UDP socket and
accepts messages sent by a program running with a SatData label.
The Guard program inspects the message to ensure it is wholesome
and if it is sends it to a program running with the Publish label.
This program then puts the information passed in an appropriate
place. Note that the Guard program cannot write to a Publish
file system object because file system semanitic require read as
well as write.
The four cases (categories, levels, mutual read, guardbox) here
are all quite real, and problems I've been asked to solve over
the years. The first two are easy to do with traditonal MLS systems
while the last two you can't without invoking privilege, at least
for a while.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: Joshua Brindle <method@manicmethod.com>
Cc: Paul Moore <paul.moore@hp.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: James Morris <jmorris@namei.org>
Cc: "Ahmed S. Darwish" <darwish.07@gmail.com>
Cc: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | Documentation/Smack.txt | 493 | ||||
| -rw-r--r-- | include/linux/capability.h | 26 | ||||
| -rw-r--r-- | security/Kconfig | 1 | ||||
| -rw-r--r-- | security/Makefile | 2 | ||||
| -rw-r--r-- | security/smack/Kconfig | 10 | ||||
| -rw-r--r-- | security/smack/Makefile | 7 | ||||
| -rw-r--r-- | security/smack/smack.h | 220 | ||||
| -rw-r--r-- | security/smack/smack_access.c | 356 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 2518 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 981 |
10 files changed, 4611 insertions, 3 deletions
diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt new file mode 100644 index 00000000000..989c2fcd811 --- /dev/null +++ b/Documentation/Smack.txt | |||
| @@ -0,0 +1,493 @@ | |||
| 1 | |||
| 2 | |||
| 3 | "Good for you, you've decided to clean the elevator!" | ||
| 4 | - The Elevator, from Dark Star | ||
| 5 | |||
| 6 | Smack is the the Simplified Mandatory Access Control Kernel. | ||
| 7 | Smack is a kernel based implementation of mandatory access | ||
| 8 | control that includes simplicity in its primary design goals. | ||
| 9 | |||
| 10 | Smack is not the only Mandatory Access Control scheme | ||
| 11 | available for Linux. Those new to Mandatory Access Control | ||
| 12 | are encouraged to compare Smack with the other mechanisms | ||
| 13 | available to determine which is best suited to the problem | ||
| 14 | at hand. | ||
| 15 | |||
| 16 | Smack consists of three major components: | ||
| 17 | - The kernel | ||
| 18 | - A start-up script and a few modified applications | ||
| 19 | - Configuration data | ||
| 20 | |||
| 21 | The kernel component of Smack is implemented as a Linux | ||
| 22 | Security Modules (LSM) module. It requires netlabel and | ||
| 23 | works best with file systems that support extended attributes, | ||
| 24 | although xattr support is not strictly required. | ||
| 25 | It is safe to run a Smack kernel under a "vanilla" distribution. | ||
| 26 | Smack kernels use the CIPSO IP option. Some network | ||
| 27 | configurations are intolerant of IP options and can impede | ||
| 28 | access to systems that use them as Smack does. | ||
| 29 | |||
| 30 | The startup script etc-init.d-smack should be installed | ||
| 31 | in /etc/init.d/smack and should be invoked early in the | ||
| 32 | start-up process. On Fedora rc5.d/S02smack is recommended. | ||
| 33 | This script ensures that certain devices have the correct | ||
| 34 | Smack attributes and loads the Smack configuration if | ||
| 35 | any is defined. This script invokes two programs that | ||
| 36 | ensure configuration data is properly formatted. These | ||
| 37 | programs are /usr/sbin/smackload and /usr/sin/smackcipso. | ||
| 38 | The system will run just fine without these programs, | ||
| 39 | but it will be difficult to set access rules properly. | ||
| 40 | |||
| 41 | A version of "ls" that provides a "-M" option to display | ||
| 42 | Smack labels on long listing is available. | ||
| 43 | |||
| 44 | A hacked version of sshd that allows network logins by users | ||
| 45 | with specific Smack labels is available. This version does | ||
| 46 | not work for scp. You must set the /etc/ssh/sshd_config | ||
| 47 | line: | ||
| 48 | UsePrivilegeSeparation no | ||
| 49 | |||
| 50 | The format of /etc/smack/usr is: | ||
| 51 | |||
| 52 | username smack | ||
| 53 | |||
| 54 | In keeping with the intent of Smack, configuration data is | ||
| 55 | minimal and not strictly required. The most important | ||
| 56 | configuration step is mounting the smackfs pseudo filesystem. | ||
| 57 | |||
| 58 | Add this line to /etc/fstab: | ||
| 59 | |||
| 60 | smackfs /smack smackfs smackfsdef=* 0 0 | ||
| 61 | |||
| 62 | and create the /smack directory for mounting. | ||
| 63 | |||
| 64 | Smack uses extended attributes (xattrs) to store file labels. | ||
| 65 | The command to set a Smack label on a file is: | ||
| 66 | |||
| 67 | # attr -S -s SMACK64 -V "value" path | ||
| 68 | |||
| 69 | NOTE: Smack labels are limited to 23 characters. The attr command | ||
| 70 | does not enforce this restriction and can be used to set | ||
| 71 | invalid Smack labels on files. | ||
| 72 | |||
| 73 | If you don't do anything special all users will get the floor ("_") | ||
| 74 | label when they log in. If you do want to log in via the hacked ssh | ||
| 75 | at other labels use the attr command to set the smack value on the | ||
| 76 | home directory and it's contents. | ||
| 77 | |||
| 78 | You can add access rules in /etc/smack/accesses. They take the form: | ||
| 79 | |||
| 80 | subjectlabel objectlabel access | ||
| 81 | |||
| 82 | access is a combination of the letters rwxa which specify the | ||
| 83 | kind of access permitted a subject with subjectlabel on an | ||
| 84 | object with objectlabel. If there is no rule no access is allowed. | ||
| 85 | |||
| 86 | A process can see the smack label it is running with by | ||
| 87 | reading /proc/self/attr/current. A privileged process can | ||
| 88 | set the process smack by writing there. | ||
| 89 | |||
| 90 | Look for additional programs on http://schaufler-ca.com | ||
| 91 | |||
| 92 | From the Smack Whitepaper: | ||
| 93 | |||
| 94 | The Simplified Mandatory Access Control Kernel | ||
| 95 | |||
| 96 | Casey Schaufler | ||
| 97 | casey@schaufler-ca.com | ||
| 98 | |||
| 99 | Mandatory Access Control | ||
| 100 | |||
| 101 | Computer systems employ a variety of schemes to constrain how information is | ||
| 102 | shared among the people and services using the machine. Some of these schemes | ||
| 103 | allow the program or user to decide what other programs or users are allowed | ||
| 104 | access to pieces of data. These schemes are called discretionary access | ||
| 105 | control mechanisms because the access control is specified at the discretion | ||
| 106 | of the user. Other schemes do not leave the decision regarding what a user or | ||
| 107 | program can access up to users or programs. These schemes are called mandatory | ||
| 108 | access control mechanisms because you don't have a choice regarding the users | ||
| 109 | or programs that have access to pieces of data. | ||
| 110 | |||
| 111 | Bell & LaPadula | ||
| 112 | |||
| 113 | From the middle of the 1980's until the turn of the century Mandatory Access | ||
| 114 | Control (MAC) was very closely associated with the Bell & LaPadula security | ||
| 115 | model, a mathematical description of the United States Department of Defense | ||
| 116 | policy for marking paper documents. MAC in this form enjoyed a following | ||
| 117 | within the Capital Beltway and Scandinavian supercomputer centers but was | ||
| 118 | often sited as failing to address general needs. | ||
| 119 | |||
| 120 | Domain Type Enforcement | ||
| 121 | |||
| 122 | Around the turn of the century Domain Type Enforcement (DTE) became popular. | ||
| 123 | This scheme organizes users, programs, and data into domains that are | ||
| 124 | protected from each other. This scheme has been widely deployed as a component | ||
| 125 | of popular Linux distributions. The administrative overhead required to | ||
| 126 | maintain this scheme and the detailed understanding of the whole system | ||
| 127 | necessary to provide a secure domain mapping leads to the scheme being | ||
| 128 | disabled or used in limited ways in the majority of cases. | ||
| 129 | |||
| 130 | Smack | ||
| 131 | |||
| 132 | Smack is a Mandatory Access Control mechanism designed to provide useful MAC | ||
| 133 | while avoiding the pitfalls of its predecessors. The limitations of Bell & | ||
| 134 | LaPadula are addressed by providing a scheme whereby access can be controlled | ||
| 135 | according to the requirements of the system and its purpose rather than those | ||
| 136 | imposed by an arcane government policy. The complexity of Domain Type | ||
| 137 | Enforcement and avoided by defining access controls in terms of the access | ||
| 138 | modes already in use. | ||
| 139 | |||
| 140 | Smack Terminology | ||
| 141 | |||
| 142 | The jargon used to talk about Smack will be familiar to those who have dealt | ||
| 143 | with other MAC systems and shouldn't be too difficult for the uninitiated to | ||
| 144 | pick up. There are four terms that are used in a specific way and that are | ||
| 145 | especially important: | ||
| 146 | |||
| 147 | Subject: A subject is an active entity on the computer system. | ||
| 148 | On Smack a subject is a task, which is in turn the basic unit | ||
| 149 | of execution. | ||
| 150 | |||
| 151 | Object: An object is a passive entity on the computer system. | ||
| 152 | On Smack files of all types, IPC, and tasks can be objects. | ||
| 153 | |||
| 154 | Access: Any attempt by a subject to put information into or get | ||
| 155 | information from an object is an access. | ||
| 156 | |||
| 157 | Label: Data that identifies the Mandatory Access Control | ||
| 158 | characteristics of a subject or an object. | ||
| 159 | |||
| 160 | These definitions are consistent with the traditional use in the security | ||
| 161 | community. There are also some terms from Linux that are likely to crop up: | ||
| 162 | |||
| 163 | Capability: A task that possesses a capability has permission to | ||
| 164 | violate an aspect of the system security policy, as identified by | ||
| 165 | the specific capability. A task that possesses one or more | ||
| 166 | capabilities is a privileged task, whereas a task with no | ||
| 167 | capabilities is an unprivileged task. | ||
| 168 | |||
| 169 | Privilege: A task that is allowed to violate the system security | ||
| 170 | policy is said to have privilege. As of this writing a task can | ||
| 171 | have privilege either by possessing capabilities or by having an | ||
| 172 | effective user of root. | ||
| 173 | |||
| 174 | Smack Basics | ||
| 175 | |||
| 176 | Smack is an ex | ||
