Date: Tue, 11 Feb 2014 11:28:22 +0100
From: Borja Marcos <borjam@sarenet.es>
To: freebsd-security@freebsd.org
Subject: Proposal: tunable default/init label for MAC policies
Message-ID: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es>
(I've just sent this to trustedbsd-discuss but the list is probably dead, so I am crossposting)

Hello,

I am using a combination of mac_biba, mac_mls and mac_bsdextended to secure a shared hosting web server. The goals of each policy are:

- mac_biba: Protect the integrity of the OS and configuration files against actions derived from a security breach of a user's website. Example, the typical PHP crap. Any descendant of a user process should be unable to modify anything but the files in that user's directory.

- mac_mls: Protect certain sensible files against read access by descendants of user processes. For example, we wish to protect key system files from Apache and its descendants, and Apache configuration files themselves from PHP/CGI processes or, of course, their descendants.

- mac_bsdextended so that users whose uid falls inside the "hosting users" set, imagine, 10000-20000, can't see processes or files belonging to other uids within that set.

The intent is to minimize surprise (hence, no need for a lot of technical support to adapt crappy CGI/PHP code for security requirements) but, at the same time, keeping good security measures.

This scheme has been used for years with very good results, without the mls policy, but we have stumbled upon an obstacle with MLS. The mls module defines a default mls label of mls/low, which gets applied to processes that haven't been spawned after a setusercontext() call. So, for example, applying a mls/high label to the ssh private keys makes sshd inoperable, as it's launched by init, and gets a mls/low label, unable to read its private keys.

A tunable like security.mac.{mls,biba...}.default_label or, maybe, more appropriately, security.mac.{mls,biba...}.init_label would allow the administrator to, for example, limit the usage of the MAC policies to descendants of certain processes.

In our case, with most of the OS having the usual Unix security requirements, except for the intrinsically dangerous stuff such as Apache and PHP/CGIs, init labels of {mls,biba}/equal would be more than enough, applying the necessary labels to the untrusted processes.

What do you think? I am sure this makes the MAC policies much more useful, and much easier to integrate with the typical Unix software without unnecessary incompatibilities, and of course not just for our particular scenario.

Borja.
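The sshd/init problem described in the message comes straight from the ordering of MLS labels, so here is a small model of the mac_mls(4) and mac_biba(4) lattices that steps through it. This is an added illustration, not code from FreeBSD or from the original poster: it reproduces only the documented ordering (low is dominated by every label, high dominates every label, equal compares equal to everything, and a grade label dominates another when its grade is greater or equal and its compartment set is a superset), and the host-key, sshd and PHP labels in the scenarios are constructed for the example. Note that FreeBSD's setpmac(8) already lets an administrator start one command with an explicit label; the message's proposal is about changing the label that init itself, and everything it spawns, inherits.

```python
"""Toy model of the mac_mls(4) / mac_biba(4) label lattices.

Added illustration, not FreeBSD code.  Label syntax follows setfmac(8)/
setpmac(8): mls/low, mls/high, mls/equal, mls/<grade>[:<comp>+<comp>...],
and likewise for biba/.  The scenario labels below are assumptions made
for the example, not a description of any real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    policy: str                     # "mls" or "biba"
    kind: str                       # "low", "high", "equal" or "grade"
    grade: int = 0                  # meaningful only when kind == "grade"
    comps: frozenset = frozenset()  # compartments: mls/10:2+5 -> {2, 5}

    @classmethod
    def parse(cls, text: str) -> "Label":
        """Parse the textual label form, e.g. 'mls/high' or 'biba/10:2+5'."""
        policy, sep, body = text.partition("/")
        if policy not in ("mls", "biba") or not sep:
            raise ValueError(f"unsupported label: {text!r}")
        if body in ("low", "high", "equal"):
            return cls(policy, body)
        grade_txt, _, comp_txt = body.partition(":")
        grade = int(grade_txt)
        if not 0 <= grade <= 65535:
            raise ValueError(f"grade out of range: {text!r}")
        comps = frozenset(int(c) for c in comp_txt.split("+")) if comp_txt else frozenset()
        return cls(policy, "grade", grade, comps)

    def dominates(self, other: "Label") -> bool:
        """True when self >= other in this policy's lattice."""
        if self.policy != other.policy:
            raise ValueError("cannot compare labels of different policies")
        if "equal" in (self.kind, other.kind):
            return True                      # equal matches everything
        if self.kind == "high" or other.kind == "low":
            return True                      # high >= anything, anything >= low
        if self.kind == "low" or other.kind == "high":
            return False
        return self.grade >= other.grade and self.comps >= other.comps


def can_read(subject: Label, obj: Label) -> bool:
    """MLS: no read up (subject must dominate the object).
    Biba: no read down (object must dominate the subject)."""
    return subject.dominates(obj) if subject.policy == "mls" else obj.dominates(subject)


def can_write(subject: Label, obj: Label) -> bool:
    """MLS: no write down (object must dominate the subject).
    Biba: no write up (subject must dominate the object)."""
    return obj.dominates(subject) if subject.policy == "mls" else subject.dominates(obj)


def sshd_scenario(init_label: str) -> dict:
    """The message's case: sshd inherits init's MLS label and must read host
    keys labelled mls/high, while PHP/CGI processes carry an explicit mls/low.
    Labels are constructed for the example."""
    host_key = Label.parse("mls/high")
    sshd = Label.parse(init_label)
    php = Label.parse("mls/low")
    return {
        "sshd_reads_host_key": can_read(sshd, host_key),
        "php_reads_host_key": can_read(php, host_key),
    }


def biba_scenario() -> dict:
    """Biba side: an Apache child at biba/low may write the user's own files
    (biba/low) but not system files (biba/high), though it may still read them.
    Labels are constructed for the example."""
    child = Label.parse("biba/low")
    return {
        "writes_user_dir": can_write(child, Label.parse("biba/low")),
        "writes_etc": can_write(child, Label.parse("biba/high")),
        "reads_etc": can_read(child, Label.parse("biba/high")),
    }


if __name__ == "__main__":
    print("default init label mls/low  :", sshd_scenario("mls/low"))
    print("proposed init label mls/equal:", sshd_scenario("mls/equal"))
    print("biba apache child            :", biba_scenario())
```

With the current default, `sshd_scenario("mls/low")` reports that sshd cannot read its mls/high host key; with an init label of mls/equal it can, while the explicitly labelled PHP process still cannot. The model treats low, high and equal as distinct kinds rather than as numeric grades, which is what keeps `mls/low` below `mls/0` and `mls/high` above `mls/65535` regardless of compartments.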
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F>