Date: Wed, 08 Mar 2006 01:58:44 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: trustedbsd-discuss@FreeBSD.org
Subject: question about MAC policy modules on 6.0
Message-ID: <20060308.015844.98687889.hrs@allbsd.org>
Hi,

After testing some MAC policy modules on 6.0R, I have the following
questions about the implementation and the startup script:

1) default value of security.mac.bsdextended.firstmatch_enabled

 mac_bsdextended(4) says the following:

 | security.mac.bsdextended.firstmatch_enabled
 |   Toggle between the old all rules match functionality and the new
 |   first rule matches functionality.  This is enabled by default.

 However, the corresponding implementation is as follows:

 |static int
 |mac_bsdextended_firstmatch_enabled;
 |SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
 |    CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
 |    "Disable/enable match first rule functionality");

 Which is intended?  If the manual page is correct, the attached patch
 (the first one) is needed, I think.

2) rc.bsdextended

 Currently /etc/rc.bsdextended is used as the default rules when
 ugidfw_enable=yes in /etc/rc.conf, but this configuration is not very
 generic and is problematic in some cases.  For example, it includes
 rules for applications not in the base system, and in particular the
 "awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd"
 line does not work on systems which have a lot of users because the
 current ugidfw supports 256 slots only.

 Also, I am wondering why the "${CMD} add subject uid 0 object not uid 0
 mode arxws;" line is included.  Does the mac_bsdextended module support
 rules for UID 0?

 I guess that this is still work-in-progress, but since it has been
 merged into the RELENG_6 branch, I think we have to polish the default
 script.  So, I am just wondering:

 a) What is the master plan for rc.d scripts for MAC policy modules?
    I think it is better to have /etc/rc.d/mac_bsdextended, and the
    knobs $mac_bsdextended and $mac_bsdextended_script in rc.conf for
    more consistency, but we have /etc/rc.d/ugidfw, $ugidfw_enable, and
    $bsdextended_script.  If there are policies on that which have
    already been discussed, I am interested in them.

 b) Is the current content of /etc/rc.bsdextended reasonable as an
    example?  I think it is too aggressive and most of the rules should
    be commented out by default.

 c) Does mac_bsdextended really support rules for UID 0?  The current
    /etc/rc.bsdextended script includes such rules, but the
    implementation does not support them as far as I know.  Are they
    going to be supported in the near future (or are they just a
    mistake)?

3) src/share/security/* not installed

 setfsmac(8) mentions /usr/share/security/lomac-policy.contexts in the
 FILES section, but the actual file is not installed.  That file is
 src/share/security/lomac-policy.contexts in the source tree.  Is there
 any reason not to hook it up to the build?

4) mount_ufs(8) multilabel option

 mount_ufs(8) has a multilabel option for the MAC label, but it seems
 broken ("tunefs -l enable" works, though).  I am not sure the attached
 patch (the second one) is correct, but it should fix this.

I am still not familiar with development of the TrustedBSD features, and
maybe the above problems are solved already somewhere else or I just
have the wrong idea, but if anyone knows the details or if I am missing
something, please let me know.

Thanks.
-- | Hiroki SATO ----Next_Part(Wed_Mar__8_01_58_44_2006_494)-- Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="mac_bsdextended.c.diff" Index: mac_bsdextended/mac_bsdextended.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_bsdextended/mac_bsdextended.c,v retrieving revision 1.25.2.2 diff -d -u -I\$OpenBSD:.*\$ -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.25.2.2 mac_bsdextended.c --- mac_bsdextended/mac_bsdextended.c 24 Jan 2006 04:11:45 -0000 1.25.2.2 +++ mac_bsdextended/mac_bsdextended.c 25 Feb 2006 14:23:47 -0000 @@ -112,9 +112,9 @@ * functionality (all rules match). */ static int -mac_bsdextended_firstmatch_enabled; +mac_bsdextended_firstmatch_enabled = 1; SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, - CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1, + CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 0, "Disable/enable match first rule functionality"); static int ----Next_Part(Wed_Mar__8_01_58_44_2006_494)-- Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="mount.h.diff" Index: src/sys/sys/mount.h =================================================================== RCS file: /home/ncvs/src/sys/sys/mount.h,v retrieving revision 1.197.2.2 diff -d -u -I\$OpenBSD:.*\$ -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.197.2.2 mount.h --- src/sys/sys/mount.h 14 Jan 2006 01:18:02 -0000 1.197.2.2 +++ src/sys/sys/mount.h 7 Mar 2006 16:22:31 -0000 
@@ -251,7 +251,7 @@ MNT_NOATIME | \ MNT_NOSYMFOLLOW | MNT_IGNORE | MNT_JAILDEVFS | \ MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR | \ - MNT_ACLS | MNT_USER) + MNT_ACLS | MNT_USER | MNT_MULTILABEL) /* * External filesystem command modifier flags. ----Next_Part(Wed_Mar__8_01_58_44_2006_494)---- ----Security_Multipart0(Wed_Mar__8_01_58_44_2006_492)-- Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBEDbvETyzT2CeTzy0RAoZgAJ9gxCtW0JusixiRHE8j9Ma+HxSU3QCfQhMT uLW5xcrW9x3+ya7KkSKACRg= =7IoH -----END PGP SIGNATURE----- ----Security_Multipart0(Wed_Mar__8_01_58_44_2006_492)----
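Review bot: in the mac_bsdextended.c hunk, the `= 1` initializer on `mac_bsdextended_firstmatch_enabled` is the only part that changes behaviour, and the commit message should say why. SYSCTL_INT(parent, nbr, name, access, ptr, val, descr) only reports `val` when `ptr` is NULL; with a pointer supplied, the handler reads and writes the pointed-to variable and ignores `val`, so the original `1` never initialised anything, the static variable was zero, and the effective default on 6.0 was the old all-rules-match mode even though mac_bsdextended(4) documents first-match as the default. Changing the `val` argument from 1 to 0 is the right convention when a pointer is passed but has no runtime effect. Two things to check before committing: that the comment ending just above the hunk (`* functionality (all rules match). */`) still describes the new default, and that the manual page wording stays in sync. Because the two modes evaluate overlapping rules differently, this flips the outcome for existing ugidfw(8) rule sets on hosts that never set the sysctl explicitly; that deserves a line in the release notes or UPDATING so administrators re-test their rule sets.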
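Review bot: the mount.h hunk starts inside the macro body, so the name of the mask being extended is not visible here; the commit message should name it and explain the path by which MNT_MULTILABEL was being dropped from a `mount -o multilabel` request, since the covering mail only says the option "seems broken" and the author is unsure the patch is correct. As a header-only change to a flag mask, it requires the kernel and any userland that embeds the mask to be rebuilt together, and the commit message should record how it was verified (mount with the multilabel option, confirm the flag appears in the mounted file system's flags, and confirm labels can then be set on it). Note this only affects the mount-time flag; `tunefs -l enable` sets the on-disk flag and already works per the covering mail, so after the change both paths should produce the same labelled mount.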
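The first question in the mail is about which evaluation mode is the default, and the security-relevant point is that the two modes give different answers for the same rule set. The following is an added example, written for this page and not taken from the mail or from the FreeBSD source tree: a user-space C model of a ugidfw-style rule list evaluated both ways. The `struct rule` layout, the `ANY_UID` wildcard, the mode bit values and the sample rules are simplifying assumptions; the model reads the two labels in mac_bsdextended(4) literally, so in first-match mode the first rule whose subject and object match decides, and in all-rules-match mode every matching rule must permit the access.

```c
#include <errno.h>
#include <stdio.h>

/* Access modes, following the letters ugidfw(8) uses (a, r, s, w, x).
 * The bit values are an assumption of this model, not the kernel's. */
#define MODE_ADMIN 0x01u
#define MODE_READ  0x02u
#define MODE_STAT  0x04u
#define MODE_WRITE 0x08u
#define MODE_EXEC  0x10u
#define MODE_NONE  0x00u   /* "mode n": the rule permits nothing */

#define ANY_UID (-1)       /* wildcard for "any uid" (simplification) */

struct rule {
    int subject_uid;       /* uid of the acting process, or ANY_UID */
    int subject_not;       /* 1 = "subject not uid N" */
    int object_uid;        /* owner uid of the object, or ANY_UID */
    int object_not;        /* 1 = "object not uid N" */
    unsigned mode;         /* modes this rule permits when it matches */
};

static int uid_match(int want, int negate, int have)
{
    if (want == ANY_UID)
        return 1;
    return negate ? (have != want) : (have == want);
}

static int rule_matches(const struct rule *r, int subj, int obj)
{
    return uid_match(r->subject_uid, r->subject_not, subj) &&
           uid_match(r->object_uid, r->object_not, obj);
}

/*
 * Evaluate acc_mode for subject uid subj against an object owned by obj.
 * Returns 0 if allowed, EACCES if denied.
 *
 * firstmatch = 1: the first matching rule decides (the documented default).
 * firstmatch = 0: every matching rule must permit the access; evaluation
 *                 continues through the whole list ("all rules match").
 */
int rulecheck(const struct rule *rules, int nrules, int firstmatch,
              int subj, int obj, unsigned acc_mode)
{
    for (int i = 0; i < nrules; i++) {
        int permitted;

        if (!rule_matches(&rules[i], subj, obj))
            continue;
        permitted = (acc_mode & ~rules[i].mode) == 0;
        if (firstmatch)
            return permitted ? 0 : EACCES;
        if (!permitted)
            return EACCES;
    }
    return 0;   /* no matching rule denied the access */
}

/* Constructed sample rule set: allow uid 1001 its own files, let everyone
 * but root read files owned by uid 1002, then deny uid 1001 everything. */
const struct rule sample_rules[] = {
    { 1001, 0, 1001,    0, MODE_READ | MODE_WRITE | MODE_EXEC | MODE_STAT },
    {    0, 1, 1002,    0, MODE_READ | MODE_STAT },
    { 1001, 0, ANY_UID, 0, MODE_NONE },
};
const int sample_nrules = (int)(sizeof(sample_rules) / sizeof(sample_rules[0]));

/* Wrappers so both modes can be compared on the same request. */
int check_firstmatch(int subj, int obj, unsigned acc_mode)
{
    return rulecheck(sample_rules, sample_nrules, 1, subj, obj, acc_mode);
}

int check_allmatch(int subj, int obj, unsigned acc_mode)
{
    return rulecheck(sample_rules, sample_nrules, 0, subj, obj, acc_mode);
}

int main(void)
{
    struct { const char *what; int subj, obj; unsigned mode; } reqs[] = {
        { "uid 1001 writes its own file",       1001, 1001, MODE_WRITE },
        { "uid 1001 reads a file of uid 1002",  1001, 1002, MODE_READ },
        { "uid 1003 writes a file of uid 1002", 1003, 1002, MODE_WRITE },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-36s first-match: %-6s all-match: %s\n", reqs[i].what,
               check_firstmatch(reqs[i].subj, reqs[i].obj, reqs[i].mode) ? "EACCES" : "ok",
               check_allmatch(reqs[i].subj, reqs[i].obj, reqs[i].mode) ? "EACCES" : "ok");
    return 0;
}
```

The first two requests are permitted under first-match (the specific allow rule is reached first) and denied under all-rules-match (the trailing "mode n" rule for uid 1001 also matches and vetoes them), while the third is denied either way. This is what makes the default matter: a rule set written in the allow-specific-then-deny-the-rest style that the documented first-match default invites behaves as deny-everything if the module actually starts in all-rules-match mode, and the change of default going the other way silently loosens rule sets written for all-match semantics. Administrators should check `sysctl security.mac.bsdextended.firstmatch_enabled` on each host and re-test their rule sets against the mode it reports rather than the one the manual page describes.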