lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0706091307590.6313@asgard.lang.hm>
Date:	Sat, 9 Jun 2007 13:43:20 -0700 (PDT)
From:	david@...g.hm
To:	Kyle Moffett <mrmacman_g4@....com>
cc:	Greg KH <greg@...ah.com>, Andreas Gruenbacher <agruen@...e.de>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	Pavel Machek <pavel@....cz>, jjohansen@...e.de,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,
 pathname matching

On Sat, 9 Jun 2007, Kyle Moffett wrote:

> On Jun 09, 2007, at 13:32:05, david@...g.hm wrote:
>> On Sat, 9 Jun 2007, Kyle Moffett wrote:
>> > On Jun 09, 2007, at 12:46:40, david@...g.hm wrote:
>> > > so as I understand this with SELinux you will have lots of labels 
>> > > around your system (more as you lock down the system more) you need to 
>> > > define policy so that your unrestricted users must have access to every 
>> > > label, and every time you create a new label you need to go back to all 
>> > > your policies to see if the new label needs to be allowed from that 
>> > > policy
>> > 
>> > Actually, it's easier than that.  There are type attributes which may be 
>> > assigned to an arbitrary set of types, and each "type" field in an access 
>> > rule may use either a type or an attribute.  So you don't actually need 
>> > to modify existing rules when adding new types, you just add the 
>> > appropriate existing attributes to your new type.  For example, you could 
>> > set up a "logfile" attribute which allows logrotate to archive old 
>> > versions and allows audit-admin users to modify/delete them, then 
>> > whenever you need to add a new logfile you just declare the 
>> > "my_foo_log_t" type to have the "logfile" attribute.
>> 
>> isn't this just the flip side of the same problem?
>> 
>> every time you define a new attribute you need to go through all the files 
>> and decide if the new attribute needs to be given to that file.
>
> No you don't, you can add attributes to a type after-the-fact.  In concept 
> this problem is very similar to programming:  You have various documented 
> interfaces used by different policy files to interact with each other.  As 
> long as your policy files conform to the documented interfaces then you 
> *DONT* have to manually inspect each file because you can make basic 
> assumptions.  On the other hand, when you break that interface "contract" you 
> will get very unexpected results.  For the above example:
>
> My syslog policy file would create a "logfile" attribute and types for 
> "/var/log/auth/auth.log", "/var/log/kern/kern.log", and "/var/log/messages". 
> It would also create a "logdaemon" attribute which has automatic type 
> transitions to create files in different "/var/log/*" directories  Finally, 
> it would allow the syslogd type to create and append to its specific file 
> types for "auth.log", "kern.log", and "messages".
>
> My logrotate policy file would depend on the syslog policy and would declare 
> the logrotate daemon type as a "logdaemon", and additionally allow logrotate 
> to read, rename, append, and delete "logfile" types.  Since logrotate is a 
> "logdaemon", it already has the appropriate type transitions for new types.
>
> My samba policy file would depend on the syslog policy and would declare the 
> samba daemon type as a "logdaemon" and the "/var/log/samba/*" type as a 
> "logfile".  Then it would add a type transition rule so when "logdaemon" 
> creates new files in "samba_log_dir_t", they have the appropriate 
> "samba_log_t" label.  Finally, samba would allow itself to append to 
> "samba_log_t" files.

if you have your policy figured out and then go and apply it to 
applications then you are correct.

I'm talking about the situation where you start off by defining a policy 
for Samba, and then afterwords decide that you want to have seperate 
"logfile" and "logdaemon" type then you would need to go back and 
re-examine all the files to tell what needs to be labeled as what.

if you can do all the policy design in advance (and get it right) then 
SELinux is a great solution. if you don't have that time and have to do 
the policy incrementaly you will end up revisiting and revising your 
entire policy each time you go to add something.

> Note that now when "logrotate" runs and rotates files in /var/log/samba, it 
> will automatically create the new files with type "samba_log_t", even though 
> there are no *direct* associations between those types.  If the syslog policy 
> file was poorly written it could seriously adversely affect the security of 
> the system, but hopefully that's obvious :-D.  Policy development is _hard_, 
> it's a whole separate state-machine and pseudo-programming-language that 
> should mostly be left to security professionals or very experienced 
> developers/sysadmins.

I _am_ a security professional. I've been doing security sysadmin work on 
Linux for over a decade now. From your description I'm exactly the type of 
person you are saying should be figuring this out. So please back off of 
the 'this is hard, you should leave it to the professionals' line a 
little bit ;-)

if the AA policies can be compiled into SELinux policies that would work 
(currently they can't and many SELinux people oppose the features that 
would need to be added to make it possible) but the compile process leaves 
room for more bugs in an areas that's going to be hard to investigate. 
(This isn't a fault of SELinux, it's a common issue with compilers, the 
compiled 'thing' is designed to be machine friendly, not user friendly. it 
doesn't matte if it's compiling C into machine code or high-level firewall 
rules into iptables commands or AA policies into SELinux labels and 
policies). adding a complex intermediate layer does not nessasarily add 
security, but it definantly adds complication.

once SELinux has a way for a trusted user to edit a security sensitive 
file (via the process of creating a file and renameing it into place) 
without needing SELinux aware tools and have the result accepted as valid 
by the rest of the system then it becomes possible to implement an AA to 
SELinux policy compiler, but saying that AA should not be accepted becouse 
it's possible to modify SELinux and write such a compile with sufficant 
effort is not reasonable. While there are many cases where multiple ways 
of doing something are not allowed into the kernel (suspend/hibernate is 
an example) there are also cases where multiple ways of doing things are 
allowed, and the LSM hooks are in place explicitly to permit different 
types of security modules to use them.

David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ