
Модули MAC

Вариант использования пользователями

# cat /etc/login.conf
...
russian|Russian Users Accounts:\
        :charset=UTF-8:\
        :lang=ru_RU.UTF-8:\
        :tc=default:\
        :label=mls/5,biba/5:
...

# cap_mkdb /etc/login.conf

# pw usermod user1 -L russian

# mkdir ~user1/doc

# chown user1:user1 ~user1/doc

# setfmac 'biba/5,mls/5' ~user1/doc

# ls ~user1/doc

# setfmac 'biba/high,mls/low' ~user1/doc

# setpmac 'biba/5,mls/5' setfmac 'biba/high,mls/low' ~user1/doc

Вариант использования как AppArmor

Выбор приложения

Тестирование (повторять после настройки меток: первый запрос index.html должен выполняться, а второй — попытка через ../../ прочитать /etc/passwd — должен завершиться отказом)

# fetch -qo - http://server.corpX.un/index.html

# fetch -qo - http://server.corpX.un/../../etc/passwd

Патчинг модулей biba и mls

Идея: все процессы по умолчанию будут работать с меткой equal (то есть политики biba и mls их не ограничивают), а ограничение будет накладываться только явно — запуском процесса через setpmac с нужной меткой (см. раздел «Запуск приложения»)

# rcsdiff /usr/src/sys/security/mac_mls/mac_mls.c
875c875
<       mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
---
>       mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
# rcsdiff /usr/src/sys/security/mac_biba/mac_biba.c
915c915
<       biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
---
>       biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);

Включение модулей при загрузке

# cat /boot/loader.conf
mac_mls_load="YES"
mac_biba_load="YES"
# init 6

# ps axZ

Включение множественных меток на файловой системе

# tunefs -l enable /

# init 6
  • Проверки:
# mount
/dev/ad0s1a on / (ufs, local, multilabel)
...
# getfmac /etc/passwd

# ls -Zl /etc/passwd

Установка меток на файловую систему (командами ldd и man ниже определяются файлы и библиотеки, необходимые приложению; именно они помечаются equal в /etc/policy.contexts, всё остальное получает biba/high,mls/high)

!!! Процесс расстановки меток командой setfsmac (см. ниже) занимает 2-5 минут !!!

# setfmac 'biba/high,mls/high' /etc/passwd

# ldd /bin/sh
# ldd /bin/cat
# ldd /usr/bin/file

# man file

# cat /etc/policy.contexts
.*                              biba/high,mls/high

/                               biba/equal,mls/equal
/var                            biba/equal,mls/equal
/var/www                        biba/equal,mls/equal
/var/www/.*                     biba/equal,mls/equal
/bin                            biba/equal,mls/equal
/bin/sh                         biba/equal,mls/equal
/bin/cat                        biba/equal,mls/equal
/libexec                        biba/equal,mls/equal
/libexec/ld-elf.so.1            biba/equal,mls/equal
/lib                            biba/equal,mls/equal
/lib/libedit.so.7               biba/equal,mls/equal
/lib/libncursesw.so.8           biba/equal,mls/equal
/lib/libc.so.7                  biba/equal,mls/equal
/usr                            biba/equal,mls/equal
/usr/bin                        biba/equal,mls/equal
/usr/bin/file                   biba/equal,mls/equal
/lib/libz.so.6                  biba/equal,mls/equal
/usr/lib                        biba/equal,mls/equal
/usr/lib/libmagic.so.4          biba/equal,mls/equal
/usr/share                      biba/equal,mls/equal
/usr/share/misc                 biba/equal,mls/equal
/usr/share/misc/magic           biba/equal,mls/equal
/usr/local                      biba/equal,mls/equal
/usr/local/sbin                 biba/equal,mls/equal
/usr/local/sbin/webd            biba/equal,mls/equal
# setfsmac -evf /etc/policy.contexts /

Запуск приложения (через inetd; setpmac принудительно задаёт процессу метку biba/low,mls/low, чем и ограничивается его доступ к файлам с более высокими метками)

# cat /etc/inetd.conf
...
http stream tcp nowait root /usr/sbin/setpmac setpmac biba/low,mls/low /usr/local/sbin/webd