The Simplified Mandatory Access Control Kernel
Casey Schaufler
January 2008

Casey Schaufler
• Ported Unix Version 6 to 32-bit
• Started Development of TSOL
• Architect of Trusted Irix
  – B1, CAPP, LSPP evaluated
• US NSA's Trusix Group
• POSIX P1003.1e/2c
• TSIG

Today's Talk
• Mandatory Access Control (MAC)
• What MAC is good for
• How Smack implements MAC
• What Smack is good for
• Details of Smack

Mandatory Access Control
• Concepts
  – Subject is an active entity
  – Object is a passive entity
  – Access is an operation performed on an object by a subject

Mandatory Access Control
• Principles
  – User has no say in it
  – Based on system controlled attributes

Mandatory Access Control
• Jargon
  – MAC
  – Label
  – Bell & LaPadula
  – Multilevel Security
  – CIPSO

MAC Implementations
• Bell & LaPadula Sensitivity
  – Multics, Unix
• Type Enforcement
  – SELinux
• Pathname Controls
  – AppArmor, TOMOYO

Uses of MAC Systems
• Security Checkbox
• Sharing an expensive machine
• Disjoint sets of users
  – B&L Categories
• Hierarchical use of shared data
  – B&L Levels

Where Did Smack Come From?
• Traditionally
  – Label relationships hard coded
  – Names map to label values
    • Mythtory:TopSecret,Skeeve,Ahz,Chumly
    • Level=4,Categories=17,49,113
  – Users only use names
• Why use anything but names?
Smack Label Mechanism
• Labels and label names are the same
• No implicit relationship between labels
• List of explicit access relationships
• Every subject gets a label
• Every object gets a label
• Objects get creating Subject's label

Subjects Access Objects
• lstat() reads a file object's attributes
• kill() writes to a process object
• send() writes to a process object
• bind() is uninteresting

System Labels
• _ floor
• ^ hat
• * star
  – Objects Only
• Any single special character
(Diagram: the system labels ^, * and _)

User Labels
(Diagram: user labels SEAsia and Dap alongside the system labels ^, * and _)

Explicit Access Rules
• Dap SEAsia r
• Med Pop w
(Diagram: labels SEAsia, Dap, Pop and Med)

Access Rule Specification
• /etc/smack/accesses
  – Subject Object [-rwxa]
• /smack/load
  – Strict fixed format
• /sbin/smackload
  – Writes to /smack/load

Bell & LaPadula Levels
• Secret more sensitive than Unclass
• TopSecret more sensitive than Secret
• Secret Unclass rx
• TopSecret Secret rx
• TopSecret Unclass rx
• All relationships must be specified

Bell & LaPadula Categories
• Categories Skeeve and Ahz
• Labels:
  – "Skeeve,Ahz"
  – "Skeeve"
  – "Ahz"
• Skeeve,Ahz Skeeve rx
• Skeeve,Ahz Ahz rx

Biba Integrity
• Floor is highest integrity
• Hat is lowest Integrity

Ring of Vigilance
(Diagram: labels SEAsia, Med and Dap in a ring)
• SEAsia Dap r
• Med SEAsia r
• Dap Med r

Messaging
• Informant Reporter w
• Reporter Editor w
• Editor Reporter w

Time of Day
• At 17:00
  – WorkerBee Game x
• At 08:00
  – WorkerBee Game -

Implementation
• Label Scheme
• Access Checks
• File Systems
• Networking
• The LSM
• Audit

Label Scheme
• Labels are short text strings
• Compared for equality
• Stored in a list
  – secid
  – Optional CIPSO value
  – Never forgotten

Access Checks
• Rules written to /smack/load
• Hard Coded Labels
• Subject and object equal
• Find the subject/object pair
• Check the request against the rule

File Systems
• Use xattrs if supported
• Hard coded behavior
  – smackfs, pipefs, sockfs, procfs, devpts
• Superblock values
  – File system root
  – File system default
  – File system floor and hat
• Not yet implemented

Networking Model
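The Bell & LaPadula slides make the point that Smack has no built-in idea of one label being "above" another: every dominance relationship has to be spelled out as a rule line. The following generator is an added example, not code from the talk or from the Smack project. It produces exactly the level rules and category rules the slides list, and `lattice_rules` goes one step further and emits the full combined lattice; the "Level/cat,cat" naming for a combined label is an assumption made here, not a convention the talk uses.

```python
# Added example (not from the talk): generate the explicit Smack rule list
# for a Bell & LaPadula lattice, in the "Subject Object rwxa" line format
# that /etc/smack/accesses and /smack/load accept.
from itertools import combinations


def level_rules(levels):
    """levels: names in ascending sensitivity, e.g. Unclass < Secret < TopSecret.

    A subject at a higher level may read/execute objects at every lower level
    (B&L "no read up"). One rule line per (higher, lower) pair.
    """
    rules = []
    for hi_index, hi in enumerate(levels):
        # Walk the lower levels from nearest down to lowest, as the talk lists them.
        for lo in reversed(levels[:hi_index]):
            rules.append(f"{hi} {lo} rx")
    return rules


def category_label(cats):
    """Label name for a category set: names joined by commas, in list order."""
    return ",".join(cats)


def category_rules(categories):
    """Every non-empty subset of the categories is a label; a label whose
    category set strictly contains another's may read/execute it."""
    cats = list(categories)
    subsets = [combo for size in range(len(cats), 0, -1)
               for combo in combinations(cats, size)]
    rules = []
    for sup in subsets:
        for sub in subsets:
            if set(sub) < set(sup):   # proper subset: sup dominates sub
                rules.append(f"{category_label(sup)} {category_label(sub)} rx")
    return rules


def lattice_label(level, cats):
    """Assumed naming for a combined label: "Level/cat,cat", or just the level
    name when the category set is empty. Not a convention from the talk."""
    return f"{level}/{','.join(cats)}" if cats else level


def lattice_rules(levels, categories):
    """Full B&L lattice: label A dominates label B when A's level is at least
    B's and A's categories contain B's. Every dominated pair gets an rx rule,
    so the rule count grows quickly with levels and categories."""
    cats = list(categories)
    subsets = [()] + [combo for size in range(1, len(cats) + 1)
                      for combo in combinations(cats, size)]
    labels = [(li, set(sub), lattice_label(lvl, sub))
              for li, lvl in enumerate(levels) for sub in subsets]
    rules = []
    for a_li, a_cats, a_name in labels:
        for b_li, b_cats, b_name in labels:
            if a_name != b_name and a_li >= b_li and b_cats <= a_cats:
                rules.append(f"{a_name} {b_name} rx")
    return rules


if __name__ == "__main__":
    # Reproduces the rule lines from the Levels and Categories slides.
    for line in level_rules(["Unclass", "Secret", "TopSecret"]):
        print(line)
    for line in category_rules(["Skeeve", "Ahz"]):
        print(line)
```

The output of the two calls in the usage block is the six rule lines the slides show; those lines can be written to /etc/smack/accesses as they are. The rule-per-pair growth is the practical cost of "all relationships must be specified": with n levels alone, Smack needs n(n-1)/2 rules for read-down.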
• Sender writes to receiver
  – Sender is subject, receiver is object
• Socket, packet not policy components
• William Janet w
  – Allows a UDP packet
• Janet William r
  – Does not allow a UDP Packet

Packet Labeling
• Unlabeled packets get ambient label
• CIPSO option on every local packet
• CIPSO value from the label list
  – Set via /smack/cipso
• CIPSO direct mapping
  – Level 250
  – Label copied into category bits
• Same CIPSO as SELinux

The LSM
• Provides a restrictive interface
• Evolved in step with SELinux
• Imperfectly defined
  – Networking
  – Audit
  – USB
• Module Stacking

Programming Interfaces
• getxattr(), setxattr()
  – SMACK64
• /proc/<pid>/attr/current

Socket Interfaces
• Socket Attributes
  – fgetxattr(), fsetxattr()
  – SMACK64.IPIN
  – SMACK64.IPOUT
• Packet Attributes
  – SO_PEERSEC
    • TCP
  – SCM_SECURITY
    • UDP

Administrative Interfaces
• /smack/load
• /smack/cipso
• /smack/doi
• /smack/direct
• /smack/nltype

What Have You Learned?
• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted.
• Smack is designed for simplicity
• Smack is designed as a kernel mechanism

Special Thank You
• Paul Moore
  – Network interfaces
• Ahmed S. Darwish
  – Work on smackfs
• And a host of reviewers, including
  – Stephen Smalley, Seth Arnold,
  – Joshua Brindle, Al Viro,
  – James Morris, Kyle Moffett,
  – Pavel Machek

Contact Information
• http://schaufler-ca.com
• [email protected]
• [email protected]
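The "Access Checks" slide gives the decision order (hard-coded system labels, then subject equal to object, then the loaded rule for the pair), the "Time of Day" slide shows a rule being revoked by reloading it with "-", and the networking slides reduce a packet to a write from the sender's label to the receiver's label. The model below is an added example written for this page; it is not the Smack kernel's code and not from the talk. It parses the `Subject Object [-rwxa]` rule format, keeps the rule table keyed by (subject, object) so that a reload replaces the earlier rule, and applies the hard-coded meaning of `*`, `_` and `^` before consulting the table. The rules and labels fed to it in the usage block are the ones from the slides; `udp_packet_allowed` and `packet_label` are helper names chosen here.

```python
# Added example (not code from the talk or the Smack kernel): a model of the
# Smack access decision and of the sender-writes-to-receiver network model.
STAR, FLOOR, HAT = "*", "_", "^"
ACCESS_MODES = set("rwxa")


def parse_rule(line):
    """One rule line -> (subject, object, allowed-set). "-" means no access,
    which is how a previously granted rule is revoked on reload."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'Subject Object modes': {line!r}")
    subject, obj, modes = parts
    if modes != "-" and not set(modes) <= ACCESS_MODES:
        raise ValueError(f"bad access modes {modes!r} in {line!r}")
    return subject, obj, set() if modes == "-" else set(modes)


def load_rules(text, rules=None):
    """Load rule lines into a dict keyed by (subject, object). Loading the same
    pair again replaces the earlier rule; that is the time-of-day example."""
    rules = {} if rules is None else rules
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            subject, obj, allowed = parse_rule(line)
            rules[(subject, obj)] = allowed
    return rules


def may_access(rules, subject, obj, request):
    """Decide whether a subject label may perform 'request' (a string of
    rwxa characters) on an object label, hard-coded labels first."""
    wanted = set(request)
    if not wanted or not wanted <= ACCESS_MODES:
        raise ValueError(f"bad request {request!r}")
    if subject == STAR:                   # star as subject: always denied
        return False
    if obj == STAR:                       # star as object: any access allowed
        return True
    if subject == obj:                    # same label: everything allowed
        return True
    read_or_exec = wanted <= {"r", "x"}
    if obj == FLOOR and read_or_exec:     # floor: anyone may read/execute it
        return True
    if subject == HAT and read_or_exec:   # hat: may read/execute anything
        return True
    # Otherwise only an explicit rule for this exact pair can grant access.
    return wanted <= rules.get((subject, obj), set())


def udp_packet_allowed(rules, sender_label, receiver_label):
    """Networking model: delivering a packet is a write by the sender's label
    to the receiver's label; socket and packet are not policy components."""
    return may_access(rules, sender_label, receiver_label, "w")


def packet_label(cipso_label, ambient_label):
    """A packet that carries no CIPSO label is treated as the ambient label."""
    return cipso_label if cipso_label is not None else ambient_label


if __name__ == "__main__":
    # Constructed rule text taken from the slides' examples.
    rules = load_rules("Dap SEAsia r\nMed Pop w\nWilliam Janet w\n")
    print(may_access(rules, "Dap", "SEAsia", "r"))      # True: explicit rule
    print(may_access(rules, "SEAsia", "Dap", "r"))      # False: no reverse rule
    print(udp_packet_allowed(rules, "William", "Janet"))  # True
    print(udp_packet_allowed(rules, "Janet", "William"))  # False
    load_rules("William Janet -\n", rules)              # 08:00-style revocation
    print(udp_packet_allowed(rules, "William", "Janet"))  # False after reload
```

Two properties of the real mechanism are worth noticing in the model: a request is granted only if every requested mode is in the rule, so `r` on a `w`-only rule fails, and the absence of any rule for a pair is a denial rather than an error. The second property is what makes the network model asymmetric: "Janet William r" says nothing about packets from William to Janet, which are writes in the other direction.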