tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: secmodel_register(9) API



On Mon,  5 Dec 2011 03:19:23 +0000 (UTC), yamt%mwd.biglobe.ne.jp@localhost 
wrote:
Perhaps I can put pserialize(9) to good use there. Updates to
secmodel(9) are not expected to happen that much often... You want me to
have a look? That would make it lock-free even from softints.

if you are interested in, please.
see XXX in kauth_authorize_action_internal.

Yep, saw that. Thanks.

Consider user_set_cpu_affinity: if the sysctl cannot be set any more
when securelevel is above or below a threshold, checking for the
securelevel variable means that this sysctl has a strong dependency on securelevel (or else, it won't be able to get the variable). So if you want to still provide this sysctl but without having securelevel loaded,
you are screwed: it's part of this module.

There are orthogonal requirements there: secmodels define a security
policy, but there are situations where one would like to allow certain operations (different from default policy), but without putting a strong requirement on a specific secmodel(9). having to load securelevel just
to provide this sysctl is non sense.

i don't understand the example.
your diff doesn't seem to do secmodel_eval("securelevel") at all.

I sent a wrong old patch. See the secmodel_extensions:is_securelevel_above() function.

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/secmodel/extensions/secmodel_extensions.c?annotate=1.1&only_with_tag=MAIN

Same goes for suser (which controls rights for superuser):
curtain/usermounts are not really a suser policy, rather an extension
from it. Hence the secmodel_extensions stuff.

i don't understand what would be a suser policy and what would be an
extension.
can you explain your criteria?

Sure.

kauth(9) hides all the credentials behind "opaque" types, like kauth_cred_t. What is found behind is implementation-defined. Nowadays, uid_t/euid_t model is used.

secmodel_suser() expresses the policy bound to the super-user (ie. all operations that root - everything with uid 0 - is allowed to perform). That is: _just_ super-user. Nothing more.

=== curtain ===

curtain is a security measure that restricts the information accessible to any given user to the objects it currently "owns", ownership being known by the credentials attached to this object. Note that the "credentials" is still an opaque "type" here, and should not assume whether it represents an uid, label, or role.

However, secmodel_suser(9) _does_ make that assumption (credentials being UIDs), which contradicts the original intent of curtain.

For convenience, curtain may allow specific credentials to gather information for all objects, and not just the ones a user owns. When suser is loaded, thes credentials are those corresponding to root. But in the event that suser is replaced by another secmodel, modifying secmodel_extensions to cope with this new shiny secmodel is pretty trivial. While with the "old" design, you would have to reimplement curtain in this secmodel first, by copy/pasting it from suser.

=== user_set_cpu_affinity ===

This is pretty much the same as curtain. That feature allows user to control CPU affinity, regardless of their credential implementation. The user_set_cpu_affinity just says that any user has the right modify the affinity of the LWPs it owns.

All these sysctl have requirements on the alteration of their value when securelevel is above 0. Basically, you can remove rights to users, but cannot grant them more any more (unless you did so before raising level). That implies that securelevel is present, but alas, anyone is free not to use/load securelevel module. Hence, we have to provide a way to cope with this: here comes secmodel_eval(9).

Hope this made everything more clear. Don't hesitate if you have more questions.

--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost


Home | Main Index | Thread Index | Old Index