Proposal: tunable default/init label for MAC policies

Borja Marcos borjam at sarenet.es
Tue Feb 11 10:35:56 UTC 2014


(I've just sent this to trustedbsd-discuss but the list is probably dead, so I am crossposting)

Hello,

I am using a combination of mac_biba, mac_mls and mac_bsdextended to secure a shared hosting web server. The goals of each policy are:

- mac_biba: Protect the integrity of the OS and configuration files against actions derived from a security breach of a user's website. Example, the typical PHP crap. Any descendant of a user process should be unable to modify anything but the files in that user's directory.

- mac_mls: Protect certain sensitive files against read access by descendants of user processes. For example, we wish to protect key system files from Apache and its descendants, and Apache configuration files themselves from PHP/CGI processes or, of course, their descendants.

- mac_bsdextended so that users whose uid falls inside the "hosting users" set, imagine, 10000-20000, can't see processes or files belonging to other uids within that set.


The intent is to minimize surprise (hence, no need for a lot of technical support to adapt crappy CGI/PHP code for security requirements) but, at the same time, keeping good security measures.

This scheme has been used for years with very good results, without the mls policy, but we have stumbled upon an obstacle with MLS. The mls module defines a default mls label of mls/low, which gets applied to processes that haven't been spawned after a setusercontext() call. So, for example, applying a mls/high label to the ssh private keys makes sshd inoperable, as it's launched by init, and gets a mls/low label, unable to read its private keys.

A tunable like security.mac.{mls,biba...}.default_label or, maybe, more appropriately, security.{mac,biba...}.init_label would allow the administrator to, for example, limit the usage of the MAC policies to descendants of certain processes. In our case, with most of the OS having the usual Unix security requirements, except for the intrinsically dangerous stuff such as Apache and PHP/CGIs, init labels of {mls,biba}/equal would be more than enough, applying the necessary labels to the untrusted processes.

What do you think? I am sure this makes the MAC policies much more useful, and much easier to integrate with the typical Unix software without unnecessary incompatibilities, and of course not just for our particular scenario.

Borja.
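As an added illustration (my own toy model, not FreeBSD code and not part of the original post), the following Python encodes the dominance rules that mac_mls and mac_biba apply between the special labels low, high and equal and plain numeric grades (compartments are left out). It reproduces the sshd case described in the post: a process carrying the default mls/low label cannot read a file labelled mls/high, while a process labelled mls/equal can; it also shows the Biba side of the scheme, where a biba/low descendant of a user process can write its own biba/low files but not biba/high system files.

```python
"""Toy model of FreeBSD mac_mls / mac_biba label dominance.

Added example, not FreeBSD code.  A label here is 'low', 'high', 'equal'
or an integer grade (compartments omitted).  The special labels follow the
documented semantics: 'low' is dominated by everything, 'high' dominates
everything, and 'equal' compares equal to any other label.
"""

from typing import Union

Label = Union[str, int]  # 'low' | 'high' | 'equal' | numeric grade


def dominates(a: Label, b: Label) -> bool:
    """True if label a dominates (is at or above) label b."""
    if a == "equal" or b == "equal":
        return True
    if a == "high" or b == "low":
        return True
    if a == "low" or b == "high":
        return False
    return int(a) >= int(b)


def mls_allows(subject: Label, obj: Label, op: str) -> bool:
    """MLS is a confidentiality policy: no read up, no write down.
    read  -> subject must dominate object
    write -> object must dominate subject
    """
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(op)


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba is an integrity policy: no read down, no write up.
    read  -> object must dominate subject
    write -> subject must dominate object
    """
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(op)


def sshd_reads_hostkey(init_label: Label) -> bool:
    """The case from the post: sshd inherits the label given to processes
    not started through setusercontext(), and must read a key at mls/high.
    """
    return mls_allows(init_label, "high", "read")


def user_cgi_writes(target_label: Label) -> bool:
    """A descendant of a hosting user's process, running at biba/low,
    tries to write a file carrying target_label."""
    return biba_allows("low", target_label, "write")


if __name__ == "__main__":
    # Constructed scenarios mirroring the post's description.
    print("sshd at mls/low reads mls/high key:  ", sshd_reads_hostkey("low"))
    print("sshd at mls/equal reads mls/high key:", sshd_reads_hostkey("equal"))
    print("PHP at biba/low writes biba/high /etc:", user_cgi_writes("high"))
    print("PHP at biba/low writes its own files: ", user_cgi_writes("low"))
    # Apache config at grade 10, PHP/CGI at grade 5: config stays unreadable.
    print("PHP at mls/5 reads httpd.conf at mls/10:", mls_allows(5, 10, "read"))
```

The point the post makes falls out of the first two lines of output: with mls/low as the init label every daemon started by init is "read up" blocked from any high-labelled file, whereas an init label of mls/equal leaves those daemons unconstrained and lets the administrator apply restrictive labels only to the processes that need them.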