The Simplified Mandatory Access Control Kernel Casey Schaufler January 2008


Page 1: The Simplified Mandatory Access Control Kernel

The Simplified Mandatory Access Control Kernel

Casey Schaufler, January 2008

Page 2: The Simplified Mandatory Access Control Kernel

Casey Schaufler

• Ported Unix Version 6 to 32bit
• Started Development of TSOL
• Architect of Trusted Irix
  – B1, CAPP, LSPP evaluated
• US NSA’s Trusix Group
• POSIX P1003.1e/2c
• TSIG

Page 3: The Simplified Mandatory Access Control Kernel

Today’s Talk

• Mandatory Access Control (MAC)
• What MAC is good for
• How Smack implements MAC
• What Smack is good for
• Details of Smack

Page 4: The Simplified Mandatory Access Control Kernel

Mandatory Access Control

• Concepts
  – Subject is an active entity
  – Object is a passive entity
  – Access is an operation performed on an object by a subject

Page 5: The Simplified Mandatory Access Control Kernel

Mandatory Access Control

• Principles
  – User has no say in it
  – Based on system controlled attributes

Page 6: The Simplified Mandatory Access Control Kernel

Mandatory Access Control

• Jargon
  – MAC
  – Label
  – Bell & LaPadula
  – Multilevel Security
  – CIPSO

Page 7: The Simplified Mandatory Access Control Kernel

Mandatory Access Control

Page 8: The Simplified Mandatory Access Control Kernel

MAC Implementations

• Bell & LaPadula Sensitivity
  – Multics, Unix
• Type Enforcement
  – SELinux
• Pathname Controls
  – AppArmor, TOMOYO

Page 9: The Simplified Mandatory Access Control Kernel

Uses of MAC Systems

• Security Checkbox
• Sharing an expensive machine
• Disjoint sets of users
  – B&L Categories
• Hierarchical use of shared data
  – B&L Levels

Page 10: The Simplified Mandatory Access Control Kernel

Where Did Smack Come From?

• Traditionally
  – Label relationships hard coded
  – Names map to label values
    • Mythtory: TopSecret, Skeeve, Ahz, Chumly
    • Level=4, Categories=17,49,113
  – Users only use names
• Why use anything but names?

Page 11: The Simplified Mandatory Access Control Kernel

Smack Label Mechanism

• Labels and label names are the same
• No implicit relationship between labels
• List of explicit access relationships
• Every subject gets a label
• Every object gets a label
• Objects get creating Subject’s label

Page 12: The Simplified Mandatory Access Control Kernel

Subjects Access Objects

• lstat() reads a file object’s attributes
• kill() writes to a process object
• send() writes to a process object
• bind() is uninteresting

Page 13: The Simplified Mandatory Access Control Kernel

System Labels

• _ floor
• ^ hat
• * star
  – Objects Only
• Any single special character

(Figure: the three system labels _, *, ^)

Page 14: The Simplified Mandatory Access Control Kernel

User Labels

(Figure: user labels Dap and SEAsia shown alongside the system labels _, *, ^)

Page 15: The Simplified Mandatory Access Control Kernel

Explicit Access Rules

• Dap SEAsia r
• Med Pop w

(Figure: labels Dap, Med, SEAsia, Pop with the two access arrows above)

Page 16: The Simplified Mandatory Access Control Kernel

Access Rule Specification

• /etc/smack/accesses
  – Subject Object [-rwxa]
• /smack/load
  – Strict fixed format
• /sbin/smackload
  – Writes to /smack/load

Page 17: The Simplified Mandatory Access Control Kernel

Bell & LaPadula Levels

• Secret more sensitive than Unclass
• TopSecret more sensitive than Secret
• Secret Unclass rx
• TopSecret Secret rx
• TopSecret Unclass rx
• All relationships must be specified

Page 18: The Simplified Mandatory Access Control Kernel

Bell & LaPadula Categories

• Categories Skeeve and Ahz
• Labels:
  – “Skeeve,Ahz”
  – “Skeeve”
  – “Ahz”
• Skeeve,Ahz Skeeve rx
• Skeeve,Ahz Ahz rx

Page 19: The Simplified Mandatory Access Control Kernel

Biba Integrity

• Floor is highest integrity
• Hat is lowest integrity

Page 20: The Simplified Mandatory Access Control Kernel

Ring of Vigilance

• SEAsia Dap r
• Med SEAsia r
• Dap Med r

(Figure: labels Dap, Med, SEAsia arranged in a ring with the three read arrows above)

Page 21: The Simplified Mandatory Access Control Kernel

Messaging

• Informant Reporter w
• Reporter Editor w
• Editor Reporter w

Page 22: The Simplified Mandatory Access Control Kernel

Time of Day

• At 17:00
  – WorkerBee Game x
• At 08:00
  – WorkerBee Game -

Page 23: The Simplified Mandatory Access Control Kernel

Implementation

• Label Scheme
• Access Checks
• File Systems
• Networking
• The LSM
• Audit

Page 24: The Simplified Mandatory Access Control Kernel

Label Scheme

• Labels are short text strings
• Compared for equality
• Stored in a list
  – secid
  – Optional CIPSO value
  – Never forgotten

Page 25: The Simplified Mandatory Access Control Kernel

Access Checks

• Rules written to /smack/load
• Hard Coded Labels
• Subject and object equal
• Find the subject/object pair
• Check the request against the rule
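The decision procedure on this slide, applied to the rule examples from the earlier slides (explicit rules, Bell & LaPadula levels, Biba floor and hat, ring of vigilance, messaging and the networking model), as an added user-space model written for this page; it is not code from the talk or from the kernel. The rule set is constructed from the slides' examples, and the read/execute-only treatment of a floor object and a hat subject is taken from the Smack documentation of the period and is an assumption here.

```python
# Added example (not from the talk or the kernel): a user-space model of the
# Smack access decision over rules in the /etc/smack/accesses format.
# Assumption: the hard-coded label semantics are those of the Smack
# documentation of the period (star subject denied, star object allowed,
# equal labels allowed, floor object / hat subject allowed read and execute).
READ, WRITE, EXEC, APPEND = "r", "w", "x", "a"

def load_rules(text):
    """Parse 'Subject Object [-rwxa]' lines; '-' means no access."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        subject, obj, access = line.split()
        rules[(subject, obj)] = set(access) - {"-"}
    return rules

def smack_access(rules, subject, obj, request):
    """True if a subject labeled `subject` may perform every mode in
    `request` (a string of r/w/x/a characters) on an object labeled `obj`."""
    wanted = set(request)
    if subject == "*":                      # star subject: denied everything
        return False
    if obj == "*" or subject == obj:        # star object, or same label
        return True
    if wanted and wanted <= {READ, EXEC}:   # read/execute only
        if obj == "_" or subject == "^":    # floor object, hat subject
            return True
    # Otherwise every requested mode must be granted by an explicit rule.
    # There is no transitivity: TopSecret->Unclass needs its own rule.
    return bool(wanted) and wanted <= rules.get((subject, obj), set())

# Constructed rule set assembled from the slides' examples.
POLICY = """
# Bell & LaPadula levels: each relationship spelled out
Secret    Unclass rx
TopSecret Secret  rx
TopSecret Unclass rx
# ring of vigilance
SEAsia Dap    r
Med    SEAsia r
Dap    Med    r
# messaging and networking (sender is subject, receiver is object)
Informant Reporter w
William   Janet    w
# time-of-day policy at 08:00: rule present but grants nothing
WorkerBee Game -
"""
RULES = load_rules(POLICY)
```

Loading only the first two level rules shows why the slide insists that all relationships be specified: without its own rule, TopSecret cannot read Unclass.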

Page 26: The Simplified Mandatory Access Control Kernel

File Systems

• Use xattrs if supported
• Hard coded behavior
  – smackfs, pipefs, sockfs, procfs, devpts
• Superblock values
  – File system root
  – File system default
  – File system floor and hat
• Not yet implemented

Page 27: The Simplified Mandatory Access Control Kernel

Networking Model

• Sender writes to receiver
  – Sender is subject, receiver is object
• Socket, packet not policy components
• William Janet w
  – Allows a UDP packet
• Janet William r
  – Does not allow a UDP packet

Page 28: The Simplified Mandatory Access Control Kernel

Packet Labeling

• Unlabeled packets get ambient label
• CIPSO option on every local packet
• CIPSO value from the label list
  – Set via /smack/cipso
• CIPSO direct mapping
  – Level 250
  – Label copied into category bits
• Same CIPSO as SELinux

Page 29: The Simplified Mandatory Access Control Kernel

The LSM

• Provides a restrictive interface
• Evolved in step with SELinux
• Imperfectly defined
  – Networking
  – Audit
  – USB
• Module Stacking

Page 30: The Simplified Mandatory Access Control Kernel

Programming interfaces

• getxattr(), setxattr()
  – SMACK64
• /proc/<pid>/attr/current

Page 31: The Simplified Mandatory Access Control Kernel

Socket Interfaces

• Socket Attributes
  – fgetxattr(), fsetxattr()
  – SMACK64.IPIN
  – SMACK64.IPOUT
• Packet Attributes
  – SO_PEERSEC
• TCP
  – SCM_SECURITY
• UDP

Page 32: The Simplified Mandatory Access Control Kernel

Administrative Interfaces

• /smack/load
• /smack/cipso
• /smack/doi
• /smack/direct
• /smack/nltype

Page 33: The Simplified Mandatory Access Control Kernel

What Have You Learned?

• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted.

• Smack is designed for simplicity
• Smack is designed as a kernel mechanism

Page 34: The Simplified Mandatory Access Control Kernel

Special Thank You

• Paul Moore – Network interfaces
• Ahmed S. Darwish – Work on smackfs
• And a host of reviewers, including
  – Stephen Smalley, Seth Arnold,
  – Joshua Brindle, Al Viro,
  – James Morris, Kyle Moffett,
  – Pavel Machek