Re: [TOMOYO #7 30/30] Hooks for SAKURA and TOMOYO.

[Crispin Cowan]

Stephen Smalley wrote:
> On Sun, 2008-04-13 at 19:05 -0700, Crispin Cowan wrote:
>   
> > Things that pathname-based access control is good at:
> >
> >     * *System Integrity:* Many of the vital components of a UNIX system
> >       are stored in files with Well Known Names such as /etc/shadow,
> >       /var/www/htdocs/index.html and /home/crispin/.ssh/known_hosts. The
> >       contents of the actual data blocks is less important than the
> >       integrity of what some random process gets when it asks for these
> >       resources by name. Preserving the integrity of what responds to
> >       the Well Known Name is thus easier if you restrict access based on
> >       the name.
> >     
> I think some might argue that the integrity of the data in /etc/shadow
> and your .ssh files is very important, not just their names.
I understand how the confidentiality of secrets like the contents of 
/etc/shadow and your .ssh files is important, but how can the integrity 
of these data objects be important? Back them up if you care ...

>   And as
> names are themselves just data contained by directories, the integrity
> of the names is a particular case of the data integrity problem.
That's just access control for the containing directory, and/or access 
control to the raw partition, which is also  controlled by name-based 
access control to /dev

>   And
> ultimately data integrity requires information flow control to preserve.
>   
You've argued that before, and I've never been convinced. Rather, it 
looked a lot like a stretched definition trying really hard to turn 
integrity into an information flow problem.The most information flow 
that I will buy in the integrity problem is taint analysis of software 
inputs; that software should validate inputs before acting on it.

> >     * *Dynamic Access Control:* A special case of the above pertains to
> >       files that may or may not exist. If you don't *have* a /etc/hosts
> >       file, it is still important to have a rule that controls whether
> >       it can be created. This is hard to do in label-based systems,
> >       because the file does not exist to put a label on, so you have to
> >       kludge it by either creating the file with zero length and
> >       labeling it, or by creating more complex policy for the parent
> >       /etc directory, and that's hard given the number of uses for /etc
> >       such as /etc/motd. In a name based scheme, you simply don't
> >       provide write permission to "/etc/hosts" unless you mean it, and
> >       it can be enforced even if such a file does not exist.
> >     
> I'd view this as another example of practical or legacy concerns, as it
> wouldn't pose a problem if either of the following were true:
> - /etc was further partitioned into multiple subdirectories (seemingly
> true in an increasing number of cases, so we seem to be moving in that
> direction regardless) so that inheritance from parent directory would
> suffice, or
>   
If you want to move this particular benefit to the "practical" bucket, I 
have no issue with that. It is a core part of the name-based argument 
that it is a practical solution for system administrators who     
experience the system through names.

> - specific programs were used to create or update the individual files
> (true for some of the files in /etc, and generally helpful for ensuring
> proper data formatting and applying basic sanity checks on the content)
> so that the files created by them could be labeled based on the creating
> domain or via appropriate instrumentation of the programs to set the
> attributes (the latter is not fundamentally different than the situation
> for DAC ownership/mode or ACLs).
>   
Security architecture for a clean&pure architecture are an interesting 
problem, but certainly are not the LSM problem.

> Also, note that in the case of SELinux, we do have a solution to the
> above situation, namely restorecond, which leverages the kernel's
> inotify mechanism.
>   
IMHO that is a slow and racy solution. If one applied the kind of 
standards that AppArmor is being asked to pass to restorecond, it would 
have a tough time too.

> As an example where the name-based schemes have difficulties with
> "dynamic" data, files created at runtime in /tmp and other shared
> directories often have security-irrelevant names,
Presumably you mean that the name is not meaningfully predictable with 
respect tot he application. Yes, sometimes this is a problem, and 
AppArmor doesn't presently deal with it well.

>  yet protecting them
> from tampering by others can be very relevant to security.  There the
> attribute-based schemes have the advantage.
>   
John Johansen has some designs he has been working on to let an AA 
profile require a UID match as well as a name match. To the extent that 
file ownership is a kind of label, this is a small step towards a hybrid 
model that leverages the strengths of both name and label based access 
controls.

> >     * *Ad Hoc Generalization:* Label-based access control generalizes
> >       policy in that the policy treats all files and resources that
> >       share a label the same. If you want to make a new generalization
> >       that encompasses *part* of the files that share a label, but *not
> >       all* of those files, then you have to "split the label", relabel
> >       the file system, and revise the policy accordingly. Name-based
> >       access control lets you create ad hoc generalizations, so that
> >       *my* policy can grant access to "/var/www/*.pl" without regard to
> >       whatever labels or rules some other policy has applied to the same
> >       directory tree.
> >     
> We might argue about whether ad hoc policy writing is the best approach.
>   
Another way of saying "ad hoc policy writing" is "incremental policy 
development."

If you can anticipate everything you need in your data center and get it 
right ahead of time, then you don't need ad hoc policy. If circumstances 
change on you and you need to adapt, then your policy is necessarily ad hoc.

> Regardless, the corresponding weakness here for the path-based schemes
> is that they force you into writing policy in terms of the filesystem
> layout and names, which may have little or no bearing on the actual
> security characteristics of the files.
>   
I assert that the pathname has a strong correspondence to the integrity 
sensitivity of the file, and a weaker correspondence to the 
confidentiality sensitivity of the file, e.g. a backup copy of your 
actual /etc/shadow file is still sensitive if it gets disclosed to 
someone intent on password cracking.

This is not a severe problem for AppArmor in practice because of the 
default-deny nature of the policy: only grant read access to the files 
you intend to allow to be read. It is fairly difficult to accidentally 
disclose a file in an AppArmor policy unless you engage in really sloppy 
practice like dropping copies of sensitive files in publicly readable 
places like /tmp

> >     * *Familiar Interface:* Administrators are accustomed to
> >       administering the box in terms of the names of the files that
> >       matter. A name-based policy is therefore somewhat more familiar
> >       than a policy with label abstractions, where they then have to go
> >       look at the restorecon file to discover what files will/should
> >       have what labels.
> >     
> restorecon /path/to/file doesn't require the user to deal with anything
> other than a pathname.
Yes it does. To understand your security policy, you have to understand 
both the SELinux policy about labels & types and which are allowed to 
access each other, and also the restorecon specification that determines 
what labels will be applied to which files.

> >     * *Practical Concerns:* Not all file systems support labels, and so
> >       label-based schemes become coarse grained when they run into them.
> >       Name based schemes remain granular when specifying access down
> >       into the internals of such file systems. Legacy Linux file systems
> >       like ext2 don't matter much any more, but persistent file systems
> >       that will never have label support include NFSv3 file systems
> >       (nearly every Network Appliance NAS server out there) and FAT32
> >       file system (most every USB storage device).
> >     
> At present this is a limitation, although we do support per-mount
> labeling of such filesystems, which is really all we can guarantee in
> terms of protection anyway
That's what I meant by granular: you get access to the whole NFS mount, 
or none of it.

>  - anything further is misleading as the
> server or device won't ensure any finer grained separation for us.
I don't understand this issue. The enforcement here is t contain the 
program executing on the NFS *client* to permit it to only mangle the 
parts of the NFS mount that you want it to mangle. That the server won't 
enforce anything for you is irrelevant when the threat is the confined 
application.

> > A lot of what's going on is the duality of the one:many relationships 
> > between labels and names:
> >
> >     * Labels: one label represents many files
> >           o this property is why ad hoc generalization fails in label
> >             based systems
> >     * Names: many names can represent a single file
> >           o This property is why deny rules fail in name based systems
> >
> > Therefore, I am not claiming name-based access controls to be the 
> > ultimate. Rather, there are duals for all of the above that induce 
> > circumstances where label-based systems are superior. Each class of 
> > system has strengths and weaknesses. These are name-based strengths.
> >     
>
> The weaknesses from my POV are:
> - no system-wide view of the subjects and objects and thus of the
> policy,
>   
... and no *requirement* to construct a system-wide consistent view of 
security policy.

> - no uniform abstraction for handling objects (not everything has a
> pathname), leading to inconsistent or incomplete control,
>   
*Strawman* argument: AppArmor doesn't try to apply pathnames to 
everything, just the file system. The "uniform abstraction" is to 
specify security policy in the native terms of the resource being 
mediated. Files are named as /path/to/some/files/*.html and network 
resources are named in terms of ports and network addresses reminiscent 
of firewall rules.

In contrast, SELinux *does* apply the labeled model to everything. That 
has the strength that you are dealing with the same abstraction all the 
time, and the weakness that the mapping from the label abstraction to 
the stuff that admins and users have to actually deal with is arcane.

> - forcing policy to be written in terms of individual objects and
> filesystem layout rather than security properties.
>   
Name-based access control makes the overt assumption that the name of an 
object corresponds to its security properties. If your data layout does 
*not* make such an assumption, then you have some very strange data 
layout putting highly sensitive objects next to non-sensitive objects.

Note also that the SELinux restorecon mechanism also makes the 
assumption that path names correspond to security properties: in fact, 
that is precisely its function, to take a path name and use it to apply 
a security property (a label). Naturally I have no objection to 
inferring a security property from the path name :) I just object to the 
racy way that restorecon does it, combined with the complaint that 
AppArmor is wrong for doing exactly the same thing in a different way.

Crispin

--
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
The Olympic Games: Symbolizing oppression and corruption for over a
hundred years

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/