File Content Based Access Control
Casey Schaufler
August 2010
Casey Schaufler
• Trusted Solaris, Trusted Irix, Linux LSM
• Various Government Efforts
  – Trusix, CMM, CHATS
• Standards
  – P1003.1e/2c, TSIG
• Smack Linux Security Module
Today’s Talk
• Access Control
• File Contents
• Looking
• Enforcement
• Implementation
Access Control
• Concepts
  – Subject, Object, Access
• Principles
  – Always Invoked
  – Not Circumventable
• Jargon
  – Discretionary, Mandatory
  – Sensitivity, Integrity
Containers
• The thing with a name
  – An object
• Traditional attributes
  – Mode bits, owner, group
• Extended attributes
  – ACL, SELinux context, Smack label
Container Rationalizations
• Owner knows best
  – Fundamental tenet of DAC
• Like breeds like
  – Fundamental tenet of MAC
• Don’t care what is in the container
  – Container is appropriately marked
Rationalizations Break Down
• DAC
• MAC
  – Secret file with location of the donuts
File Contents
• You have to look
• You have to keep looking
• You can spend all your time looking
When To Look
• New empty files are uninteresting
• Newly modified files are interesting
• Any modification makes them interesting
• Stay interesting until examined
Is it Time To Look?
• Filesystem scan
  – À la Windows virus scanning
• Inotify
  – You have to ask for each file
  – Limited number of watches
Keeping In Mind
• Kernels don’t do data
• Pathnames are transient
• Existing behaviors can’t change much
Keeping Track
• Mark file when modified
  – Easy for the kernel
• Mark file when scanned
  – Easy for an application
• Kernel knows who needs scanning
Data Flow
(diagram: Kernel, Metadata, Data and Scanner, with numbered steps 1–4 between them)
Data States
• Kernel marks modified file
• Kernel announces pathname
• Application opens file, looks for mark
• Examine marked files
• Remark them for access control
Enforcement Mechanisms
• Overloading the familiar leads to tears
• LSM schemes aren’t so familiar
• SELinux would work
  – “All it would take is policy”
• Smack would do
  – Still more than you need
Creating a Mechanism
• LSM schemes are easy to write
• Access control based on marks has been done
• Right place for notification, too
The Datastate Implementation
• Special purpose LSM
• Scanner dispatcher
• Scanner applications
The Datastate LSM
• Marks files as they are modified
• Provides names of modified files
• Enforces Smack style access rules
• Only cares about regular files
Modifications
• Any data write operation counts
• Files marked -open are ignored
• Files marked +anything are ignored
• All others are marked -open
Notification
• Pathname collected with d_path
• Written to /datastate/changed
  – Only if not marked -open
Access Control
• Process mark
  – /proc/self/attr/current
• Process mark and file mark rules
  – Process mark   File mark   Access
  – Developer      GPLv3       n
  – Lawyer         GPLv3       y
  – Careful        -open       n
  – -system        +logfile    y
The Datastate Dispatcher
• Reads /datastate/changed
• Checks if file exists
• Checks if file is marked -open
• Invokes scanner
The Datastate Scanner
“Wait a second. This isn’t Windows with viruses. Why do I care?”
The Datastate Scanner
“… under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, ...”
The labelgpl3 Scanner
• Checks if file is marked -open
• Checks for GPL version 3
• Marks GPL3 files GPLv3
• Marks others -closed
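The dispatcher and labelgpl3 scanner steps above, plus the process/file mark rule table, as an added user-space model (example code, not the Datastate project's own dispatcher or scanner). The kernel side is replaced by an in-memory dict of file marks and a constructed /datastate/changed stream; the default-deny for mark pairs not in the table is an assumption.

```python
import re

# Constructed sample of what /datastate/changed would deliver: one pathname per line.
CHANGED = "/home/dev/COPYING\n/home/dev/notes.txt\n/home/dev/gone.c\n/home/dev/cache.db\n"

# Constructed file contents standing in for the real filesystem (gone.c no longer exists).
FILES = {
    "/home/dev/COPYING": "... under the terms of the GNU General Public License as published "
                         "by the Free Software Foundation, either version 3 of the License, ...",
    "/home/dev/notes.txt": "location of the donuts: second drawer",
    "/home/dev/cache.db": "already scanned earlier",
}

# Marks the kernel would have set: a modified, not yet examined file carries -open.
MARKS = {"/home/dev/COPYING": "-open", "/home/dev/notes.txt": "-open", "/home/dev/cache.db": "GPLv3"}

GPL3_RE = re.compile(r"GNU General Public License.*?version 3", re.S)

def labelgpl3(content: str) -> str:
    """Scanner: files carrying GPL version 3 text get the GPLv3 mark, all others -closed."""
    return "GPLv3" if GPL3_RE.search(content) else "-closed"

def dispatch(changed: str, files: dict, marks: dict) -> dict:
    """Dispatcher: for each notified pathname, check it still exists, check it is
    still marked -open, then invoke the scanner and remark the file."""
    for path in changed.splitlines():
        if path not in files:            # pathnames are transient: file already gone
            continue
        if marks.get(path) != "-open":   # already examined, or marked by policy
            continue
        marks[path] = labelgpl3(files[path])
    return marks

# Rule table from the Access Control slide: (process mark, file mark) -> allowed.
RULES = {
    ("Developer", "GPLv3"): False,
    ("Lawyer", "GPLv3"): True,
    ("Careful", "-open"): False,
    ("-system", "+logfile"): True,
}

def access_allowed(process_mark: str, file_mark: str) -> bool:
    """Assumption: a pair absent from the rule table is denied."""
    return RULES.get((process_mark, file_mark), False)
```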
Unsolved Mysteries
• Repudiation
• Rename of -open file
• Should open fail, or wait?
• Avoid an initial scan
What have you learned?
• Content based access control is
  – Important
  – Viable
• It could be done with existing facilities
• It is easier to do from scratch
Can I get it?
• Hosted by the Smack Project
• http://schaufler-ca.com/datastate
  – Kernel patch
  – Dispatcher program datastate
  – Scanner application labelgpl3
Dedication
Sue Schaufler, 1929 – 2010
Contact Information
• http://schaufler-ca.com
• casey@schaufler-ca.com