From: Hiroki Sato
To: trustedbsd-discuss@FreeBSD.org
Date: Wed, 08 Mar 2006 01:58:44 +0900 (JST)
Message-Id: <20060308.015844.98687889.hrs@allbsd.org>
Subject: question about MAC policy modules on 6.0

Hi,

After testing some MAC policy modules on 6.0R, I have the following questions about the implementation and the startup script:

1) default value of security.mac.bsdextended.firstmatch_enabled

   mac_bsdextended(4) says the following:

   | security.mac.bsdextended.firstmatch_enabled
   |     Toggle between the old all rules match functionality and the new
   |     first rule matches functionality. This is enabled by default.

   however, the corresponding implementation is as follows:

   |static int
   |mac_bsdextended_firstmatch_enabled;
   |SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
   |    CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
   |    "Disable/enable match first rule functionality");

   Which is intended? If the manual page is correct, the attached patch (the first one) is needed, I think.

2) rc.bsdextended

   Currently /etc/rc.bsdextended is used as the default rules when ugidfw_enable=yes in /etc/rc.conf, but this configuration is not so generic and is problematic in some cases. For example, it includes rules for applications not in the base system, and especially the "awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd" line does not work on systems which have a lot of users because the current ugidfw supports 256 slots only. Also, I am wondering why the "${CMD} add subject uid 0 object not uid 0 mode arxws;" is included. Does the mac_bsdextended module support rules for UID 0?

   I guess that this is still work-in-progress, but since it has been merged into the RELENG_6 branch, I think we have to polish the default script. So, I am just wondering:

   a) What is the master plan of rc.d scripts for MAC policy modules? I think it is better to have /etc/rc.d/mac_bsdextended, and knobs of $mac_bsdextended and $mac_bsdextended_script in rc.conf for more consistency, but we have /etc/rc.d/ugidfw, $ugidfw_enable, and $bsdextended_script. If there are some policies on that already discussed, I am interested in them.

   b) Is the current content of /etc/rc.bsdextended reasonable as an example? I think it is too aggressive and most of the rules should be commented out by default.

   c) Does mac_bsdextended really support rules for UID 0? The current /etc/rc.bsdextended script includes such rules, but the implementation does not support them as far as I know. Are they going to be supported in the near future (or just a mistake)?

3) src/share/security/* not installed

   setfsmac(8) mentions /usr/share/security/lomac-policy.contexts in the FILES section, but the actual file is not installed. That file is src/share/security/lomac-policy.contexts in the source tree. Is there any reason not to hook it up to the build?

4) mount_ufs(8) multilabel option

   mount_ufs(8) has a multilabel option for the MAC label, but it seems broken ("tunefs -l enable" works, though).
   I am not sure the attached patch (the second one) is correct, but it should fix this.

I am still not familiar with the development of TrustedBSD features, and maybe the above problems are solved already somewhere else or I just have the wrong ideas, but if anyone knows the details or if I am missing something, please let me know.

Thanks.

-- 
| Hiroki SATO

Content-Disposition: inline; filename="mac_bsdextended.c.diff"

Index: mac_bsdextended/mac_bsdextended.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_bsdextended/mac_bsdextended.c,v retrieving revision 1.25.2.2 diff -d -u -I\$OpenBSD:.*\$ -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.25.2.2 mac_bsdextended.c --- mac_bsdextended/mac_bsdextended.c 24 Jan 2006 04:11:45 -0000 1.25.2.2 +++ mac_bsdextended/mac_bsdextended.c 25 Feb 2006 14:23:47 -0000 @@ -112,9 +112,9 @@ * functionality (all rules match). */ static int -mac_bsdextended_firstmatch_enabled; +mac_bsdextended_firstmatch_enabled = 1; SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, - CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1, + CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 0, "Disable/enable match first rule functionality"); static int

Content-Disposition: inline; filename="mount.h.diff"

Index: src/sys/sys/mount.h =================================================================== RCS file: /home/ncvs/src/sys/sys/mount.h,v retrieving revision 1.197.2.2 diff -d -u -I\$OpenBSD:.*\$ -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.197.2.2 mount.h --- src/sys/sys/mount.h 14 Jan 2006 01:18:02 -0000 1.197.2.2 +++ src/sys/sys/mount.h 7 Mar 2006 16:22:31 -0000
@@ -251,7 +251,7 @@ MNT_NOATIME | \ MNT_NOSYMFOLLOW | MNT_IGNORE | MNT_JAILDEVFS | \ MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR | \ - MNT_ACLS | MNT_USER) + MNT_ACLS | MNT_USER | MNT_MULTILABEL) /* * External filesystem command modifier flags.
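
Review bot: in the mac_bsdextended.c hunk (@@ -112,9 +112,9 @@), the `= 1` initializer on `mac_bsdextended_firstmatch_enabled` changes the effective default on a branch that has already shipped, so a system upgraded with an existing ugidfw rule set moves from all-rules-match to first-match evaluation without any configuration change, and the same rules can then produce different access decisions. Please confirm which behaviour is intended (the message itself leaves that open) and, if first-match is the intended default, record the change in the commit message and release notes so administrators can review their rule ordering. The 1 -> 0 change to the SYSCTL_INT value argument is a separate matter: with the variable's address supplied, it is the initializer that sets the default, so the commit message should say that this part is cleanup. The description string "Disable/enable match first rule functionality" could also state the default.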
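
Review bot: in the mount.h hunk (@@ -251,7 +251,7 @@), `MNT_MULTILABEL` is added to a flag mask whose name lies above the visible context, so these lines alone do not show which code paths will start accepting the flag from a userland mount request. Please name the macro in the commit message and check every consumer of the mask, in particular whether this allows multilabel to be switched on or off for an already-mounted filesystem, and how a mount-time request interacts with the setting made by "tunefs -l enable", which the message says already works. Since the message says the author is not sure the patch is correct, a before/after test of mount_ufs(8) with the multilabel option would settle it.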
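
The difference between the two evaluation modes that security.mac.bsdextended.firstmatch_enabled toggles (question 1 above), as an added example that is not part of the original message or of FreeBSD's source. It is a simplified model: the `rule` struct, `check_access` and the sample rule set are hypothetical, and a request that no rule matches is assumed to be allowed.

```c
#include <stdio.h>

/* Simplified, hypothetical model of a ugidfw-style rule: a subject uid,
 * an object uid and the access bits the rule permits. Not kernel code. */
#define M_READ  4
#define M_WRITE 2
#define ANY_UID (-1)

struct rule { int subj_uid; int obj_uid; int mode; };

static int rule_matches(const struct rule *r, int subj, int obj)
{
    return (r->subj_uid == ANY_UID || r->subj_uid == subj) &&
           (r->obj_uid == ANY_UID || r->obj_uid == obj);
}

/* Returns 1 if access is allowed, 0 if denied.
 * firstmatch != 0: the first matching rule alone decides.
 * firstmatch == 0: every matching rule must permit the request.
 * Assumption of this model: a request no rule matches is allowed. */
int check_access(const struct rule *rules, int n, int firstmatch,
                 int subj, int obj, int want)
{
    for (int i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], subj, obj))
            continue;
        if ((rules[i].mode & want) != want)
            return 0;   /* a matching rule withholds a requested bit */
        if (firstmatch)
            return 1;   /* stop at the first matching rule */
    }
    return 1;
}

/* Constructed rule set: a specific grant followed by a broad restriction. */
const struct rule sample_rules[] = {
    { 1001, 1002, M_READ | M_WRITE }, /* uid 1001 may read/write 1002's files */
    { ANY_UID, 1002, M_READ },        /* any subject: read-only on 1002's files */
};

int main(void)
{
    for (int fm = 0; fm <= 1; fm++)
        printf("firstmatch=%d: uid 1001 write to uid 1002's file -> %s\n", fm,
               check_access(sample_rules, 2, fm, 1001, 1002, M_WRITE)
                   ? "allowed" : "denied");
    return 0;
}
```

With the same two rules, the write by uid 1001 is denied when every matching rule must agree and allowed when the first match decides, which is why the sysctl's real default matters to anyone auditing a rule set.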