from:"Toshiharu Harada"

Re: Problem with accessing namespace_sem from LSM.

2007-11-05 Thread Toshiharu Harada


On 11/6/2007 1:11 PM, Arjan van de Ven wrote:

On Tue, 06 Nov 2007 13:00:41 +0900
Tetsuo Handa <[EMAIL PROTECTED]> wrote:


Hello.

I found that accessing namespace_sem from security_inode_create()
causes lockdep warning when compiled with CONFIG_PROVE_LOCKING=y .


sounds like you have an AB-BA deadlock...


sed /you/AppArmor shipped with OpenSuSE 10.1 and 10.2/ :)

Though I don't think this deadlock should occur quite often,
it occurs when it occurs. Care should be taken promptly.
There should be no way around for this problem as its nature.
Passing vfsmount parameter to VFS helper functions and
LSM hooks seems to be a good choice to me.

Cheers,
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Problem with accessing namespace_sem from LSM.

2007-11-05 Thread Toshiharu Harada


On 11/6/2007 1:11 PM, Arjan van de Ven wrote:

On Tue, 06 Nov 2007 13:00:41 +0900
Tetsuo Handa [EMAIL PROTECTED] wrote:


Hello.

I found that accessing namespace_sem from security_inode_create()
causes lockdep warning when compiled with CONFIG_PROVE_LOCKING=y .


sounds like you have an AB-BA deadlock...


sed /you/AppArmor shipped with OpenSuSE 10.1 and 10.2/ :)

Though I don't think this deadlock should occur quite often,
it occurs when it occurs. Care should be taken promptly.
There should be no way around for this problem as its nature.
Passing vfsmount parameter to VFS helper functions and
LSM hooks seems to be a good choice to me.

Cheers,
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-31 Thread Toshiharu Harada

2007/10/31, Crispin Cowan <[EMAIL PROTECTED]>:
> Peter Dolding wrote:
> > Lets end the bitrot.  Start having bits go into the main OS security
> > features where they should be.
> >
> Linus categorically rejected this idea, several times, very clearly.
>
> He did so because the security community cannot agree on a
> one-true-standard for what that OS security feature set should be. From
> looking at this thread and many others, he is correct; there is no
> consensus on what the feature set should be.
>
> So you can wish for the "main OS security features" all you want, but it
> is not going to happen without a miraculous degree of consensus abruptly
> arising.
>
> On the contrary, security, done well, is a tight fitting suit. It must
> be tight, or it allows too much slack and attackers can exploit that. To
> make it tight, it must be tailored to the situation at hand. That means
> that there may *never* be a consensus on the "one true way", because it
> could be that there is no "one true way". It could be that SMACK is best
> in some cases, AppArmor in others, SELinux in others yet again, MLS in
> others, etc. etc.
>
> I agree with Casey; LSM may not be perfect, but it is a great deal more
> consensus than I have seen anywhere else in the security community. Your
> desire that AppArmor and SELinux should share code has already happened:
> LSM *is* the sharable code base between AppArmor, SELinux, and SMACK and
> TOMOYO, and MultiADM, etc.

My main concern is whether we (different attempts) can share the code.
IOW whether we can reach and form the agreement for single security framework.
It is possible to write code if only we have a clear specifications, but
this is not the case.
I can easily think of LSM, or whatever we call,  as Greatest Common Factor,
but in that case LSM will explode soon and no single module can not be happy,
Linux security will not be achieved.

> It certainly can be improved, but it is not in need of wholesale
> replacement, and especially not without a clear design that addresses
> clearly stated problems that lots of people are having.

We should not invent wheels, that is agreed by everyone , but if we try to share
something that we can not share, we will fail. From the fact existing
LSM did not satisfy any module (including SELinux), I do not
want to investigate stack able version.

Cheers,
Toshiharu Harada
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-31 Thread Toshiharu Harada

2007/10/31, Crispin Cowan [EMAIL PROTECTED]:
 Peter Dolding wrote:
  Lets end the bitrot.  Start having bits go into the main OS security
  features where they should be.
 
 Linus categorically rejected this idea, several times, very clearly.

 He did so because the security community cannot agree on a
 one-true-standard for what that OS security feature set should be. From
 looking at this thread and many others, he is correct; there is no
 consensus on what the feature set should be.

 So you can wish for the main OS security features all you want, but it
 is not going to happen without a miraculous degree of consensus abruptly
 arising.

 On the contrary, security, done well, is a tight fitting suit. It must
 be tight, or it allows too much slack and attackers can exploit that. To
 make it tight, it must be tailored to the situation at hand. That means
 that there may *never* be a consensus on the one true way, because it
 could be that there is no one true way. It could be that SMACK is best
 in some cases, AppArmor in others, SELinux in others yet again, MLS in
 others, etc. etc.

 I agree with Casey; LSM may not be perfect, but it is a great deal more
 consensus than I have seen anywhere else in the security community. Your
 desire that AppArmor and SELinux should share code has already happened:
 LSM *is* the sharable code base between AppArmor, SELinux, and SMACK and
 TOMOYO, and MultiADM, etc.

My main concern is whether we (different attempts) can share the code.
IOW whether we can reach and form the agreement for single security framework.
It is possible to write code if only we have a clear specifications, but
this is not the case.
I can easily think of LSM, or whatever we call,  as Greatest Common Factor,
but in that case LSM will explode soon and no single module can not be happy,
Linux security will not be achieved.

 It certainly can be improved, but it is not in need of wholesale
 replacement, and especially not without a clear design that addresses
 clearly stated problems that lots of people are having.

We should not invent wheels, that is agreed by everyone , but if we try to share
something that we can not share, we will fail. From the fact existing
LSM did not satisfy any module (including SELinux), I do not
want to investigate stack able version.

Cheers,
Toshiharu Harada
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-30 Thread Toshiharu Harada


On 10/30/2007 5:40 PM, Jan Engelhardt wrote:

On Oct 30 2007 12:23, Toshiharu Harada wrote:

Instead of pushing TOMOYO Linux, I started developing
comparison chart of security-enhance Linux implementations.
The current version can be found in

http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison


Smack Security Model: autolabel, as far as I can tell.

I noticed the smell of danger in the naming of "Security Model".
Please allow me some time.


Smack Policy Generation: user - hand - and an editor
Apparmor tutorial (beats any FAQ at first):
ftp://ftp.belnet.be/pub/mirror/FOSDEM/FOSDEM2006-apparmor.avi

Updated above two items. Thank you. :)

I'm not an optimist to believe we can reach the perfect
comparison. The purpose is to feed information, not to judge.
This might sound ironically, but I don't really think
we can *compare* them because they have different
theories/purposes/backgrounds. Some kind of forgiveness and
fuzziness are required.

As I don't want to steal everybody's bandwidth,
simple updates will be done silently. Your suggestions and
information will be greatly appreciated despite of
visible evidence.

Thank you.
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-30 Thread Toshiharu Harada


On 10/30/2007 5:40 PM, Jan Engelhardt wrote:

On Oct 30 2007 12:23, Toshiharu Harada wrote:

Instead of pushing TOMOYO Linux, I started developing
comparison chart of security-enhance Linux implementations.
The current version can be found in

http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison


Smack Security Model: autolabel, as far as I can tell.

I noticed the smell of danger in the naming of Security Model.
Please allow me some time.


Smack Policy Generation: user - hand - and an editor
Apparmor tutorial (beats any FAQ at first):
ftp://ftp.belnet.be/pub/mirror/FOSDEM/FOSDEM2006-apparmor.avi

Updated above two items. Thank you. :)

I'm not an optimist to believe we can reach the perfect
comparison. The purpose is to feed information, not to judge.
This might sound ironically, but I don't really think
we can *compare* them because they have different
theories/purposes/backgrounds. Some kind of forgiveness and
fuzziness are required.

As I don't want to steal everybody's bandwidth,
simple updates will be done silently. Your suggestions and
information will be greatly appreciated despite of
visible evidence.

Thank you.
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-29 Thread Toshiharu Harada


On 10/25/2007 9:41 AM, Chris Wright wrote:

* Linus Torvalds ([EMAIL PROTECTED]) wrote:
Do other people want to stand up and be "LSM maintainers" in the sense 
that they also end up being informed members who can also stand up for new 
modules and help merge them, rather than just push the existing one(s)? 
Chris? Casey? Crispin?


Stephen and James, despite their clear bias towards SELinux, do try to
give good feedback.  But you are right, there's not enough active help
for people trying to make a contribution to get their code in shape.
Many of the modules that come along have been misguided conceptually,
but I think that e.g. apparmor, tomoyo, smack could use that kind
of constructive help to get into final mergable shape.  Personally,
I haven't spent nearly enough time reviewing those, my apologies to
those developers.  So, yes, help is welcome.


Yes, TOMOYO Linux is committed to help.
I mean, please count me in.

PS
Chris, I've been waiting for your comments for our code. :)

Regards,
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-29 Thread Toshiharu Harada


On 10/25/2007 10:42 AM, Casey Schaufler wrote:

I agree that security code does need to provide security. What we
need to get away from is the automatic attacks that are based on 20th
century computer system assumptions. Things like "name based access
control is rediculous", and "a module can't be any good if it doesn't
deal with all objects", or "the granularity isn't fine enough". Look
at TOMOYO. It's chuck full of good ideas. Why spend so much energy
badgering them about not dealing with sockets? How about helping the
AppArmor crew come up with acceptable implementations rather than
whinging about the evils of hard links? And maybe, just maybe, we can
get away from the inevitable claim that you could do that with a few
minutes work in SELinux policy, but only if you're a security
professional of course.


Casey,

Thank you introducing TOMOYO Linux. I really like your idea of
simplified MAC (and you work so hard!). I also find advantages
of AppArmor for distributing policies with less hustle. Finally
and most importantly, I respect SELinux as the first in-tree,
flexible and reliable security frame work and respect developers
involved.

As a project manager of TOMOYO Linux, I would like to
push it, of course. But I noticed, if each of LSM module
developer begin pushing their own code, that's not for the
sake of Linux and we may end up with chaos.

Instead of pushing TOMOYO Linux, I started developing
comparison chart of security-enhance Linux implementations.
The current version can be found in

http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison

I would like to receive feedbacks from Stephen, Crispin
(you already have a comparison, though :),
Casey and any people interested in. If possible,
I would like to include opinions from BSD people.

I would like LSM to be the result of common requirements.
"Common" means good in general, but not always for security
perspective. IMHO, I think it is possible for us to get to the
conclusion not to have a framework.

Cheers (and with love to Linux),
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-29 Thread Toshiharu Harada


On 10/25/2007 10:42 AM, Casey Schaufler wrote:

I agree that security code does need to provide security. What we
need to get away from is the automatic attacks that are based on 20th
century computer system assumptions. Things like name based access
control is rediculous, and a module can't be any good if it doesn't
deal with all objects, or the granularity isn't fine enough. Look
at TOMOYO. It's chuck full of good ideas. Why spend so much energy
badgering them about not dealing with sockets? How about helping the
AppArmor crew come up with acceptable implementations rather than
whinging about the evils of hard links? And maybe, just maybe, we can
get away from the inevitable claim that you could do that with a few
minutes work in SELinux policy, but only if you're a security
professional of course.


Casey,

Thank you introducing TOMOYO Linux. I really like your idea of
simplified MAC (and you work so hard!). I also find advantages
of AppArmor for distributing policies with less hustle. Finally
and most importantly, I respect SELinux as the first in-tree,
flexible and reliable security frame work and respect developers
involved.

As a project manager of TOMOYO Linux, I would like to
push it, of course. But I noticed, if each of LSM module
developer begin pushing their own code, that's not for the
sake of Linux and we may end up with chaos.

Instead of pushing TOMOYO Linux, I started developing
comparison chart of security-enhance Linux implementations.
The current version can be found in

http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison

I would like to receive feedbacks from Stephen, Crispin
(you already have a comparison, though :),
Casey and any people interested in. If possible,
I would like to include opinions from BSD people.

I would like LSM to be the result of common requirements.
Common means good in general, but not always for security
perspective. IMHO, I think it is possible for us to get to the
conclusion not to have a framework.

Cheers (and with love to Linux),
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: Linux Security Module Framework (Was: LSM conversion to static interface)

2007-10-29 Thread Toshiharu Harada


On 10/25/2007 9:41 AM, Chris Wright wrote:

* Linus Torvalds ([EMAIL PROTECTED]) wrote:
Do other people want to stand up and be LSM maintainers in the sense 
that they also end up being informed members who can also stand up for new 
modules and help merge them, rather than just push the existing one(s)? 
Chris? Casey? Crispin?


Stephen and James, despite their clear bias towards SELinux, do try to
give good feedback.  But you are right, there's not enough active help
for people trying to make a contribution to get their code in shape.
Many of the modules that come along have been misguided conceptually,
but I think that e.g. apparmor, tomoyo, smack could use that kind
of constructive help to get into final mergable shape.  Personally,
I haven't spent nearly enough time reviewing those, my apologies to
those developers.  So, yes, help is welcome.


Yes, TOMOYO Linux is committed to help.
I mean, please count me in.

PS
Chris, I've been waiting for your comments for our code. :)

Regards,
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: WANTED: kernel projects for CS students

2007-10-18 Thread Toshiharu Harada

On 10/15/2007 8:01 AM, Rik van Riel wrote:
> The kernel newbies community often gets inquiries from CS students who
> need a project for their studies and would like to do something with
> the Linux kernel, but would also like their code to be useful to the
> community afterwards.
>
> In order to make it easier for them, I am trying to put together a
> page with projects that:
> - Are self contained enough that the students can implement the
>   project by themselves, since that is often a university requirement.
> - Are self contained enough that Linux could merge the code (maybe
>   with additional changes) after the student has been working on it
>   for a few months.
> - Are large enough to qualify as a student project, luckily there is
>   flexibility here since we get inquiries for anything from 6 week
>   projects to 6 month projects.
>
> If you have ideas on what projects would be useful, please add them
> to this page (or email me):
>
> http://kernelnewbies.org/KernelProjects

Well, I know something that might be interesting for kernel newbies
including students. So let me share it with you.
It's Ubuntu 7.04 based LiveCD with TOMOYO Linux kernel.

Directions:
1. visit the following URL and save ISO image
   http://tomoyo.sourceforge.jp/wiki-e/?TomoyoLive
2. burn CD/DVD and boot from the disc
   (or start up VM from the downloaded image)
3. open "TOOMYO Linux Policy Editor" icon on the gnome desktop
4. browse "domains" with cursor keys
   you can see how processes were created (great experience)
5. choose a domain and enter return key
   you can see the behavior of the selected "domain" (ACL mode)
6. enter return to step 5 (domain transition mode)
   (repeat 5-7 as you like, type 'r' to refresh screen)
7. enter q to quit the editpolicy program

As it's LiveCD like KNOPPIX, hard disks will not be
affected unless you mount them and operate with intention.
I mean, it's safe to play with.

What makes all of these possible is "TOMOYO Linux",
but you don't have to understand it. ;)
No policy definition, preparation, knowledge or hustle is
required.

If you are interested in TOMOYO Linux (just in case...),
please visit our Wiki page.
http://tomoyo.sourceforge.jp/wiki-e/?WhatIs

Cheers,
Toshiharu Harada
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: WANTED: kernel projects for CS students

2007-10-18 Thread Toshiharu Harada


On 10/15/2007 8:01 AM, Rik van Riel wrote:
 The kernel newbies community often gets inquiries from CS students who
 need a project for their studies and would like to do something with
 the Linux kernel, but would also like their code to be useful to the
 community afterwards.

 In order to make it easier for them, I am trying to put together a
 page with projects that:
 - Are self contained enough that the students can implement the
   project by themselves, since that is often a university requirement.
 - Are self contained enough that Linux could merge the code (maybe
   with additional changes) after the student has been working on it
   for a few months.
 - Are large enough to qualify as a student project, luckily there is
   flexibility here since we get inquiries for anything from 6 week
   projects to 6 month projects.

 If you have ideas on what projects would be useful, please add them
 to this page (or email me):

 http://kernelnewbies.org/KernelProjects

Well, I know something that might be interesting for kernel newbies
including students. So let me share it with you.
It's Ubuntu 7.04 based LiveCD with TOMOYO Linux kernel.

Directions:
1. visit the following URL and save ISO image
   http://tomoyo.sourceforge.jp/wiki-e/?TomoyoLive
2. burn CD/DVD and boot from the disc
   (or start up VM from the downloaded image)
3. open TOOMYO Linux Policy Editor icon on the gnome desktop
4. browse domains with cursor keys
   you can see how processes were created (great experience)
5. choose a domain and enter return key
   you can see the behavior of the selected domain (ACL mode)
6. enter return to step 5 (domain transition mode)
   (repeat 5-7 as you like, type 'r' to refresh screen)
7. enter q to quit the editpolicy program

As it's LiveCD like KNOPPIX, hard disks will not be
affected unless you mount them and operate with intention.
I mean, it's safe to play with.

What makes all of these possible is TOMOYO Linux,
but you don't have to understand it. ;)
No policy definition, preparation, knowledge or hustle is
required.

If you are interested in TOMOYO Linux (just in case...),
please visit our Wiki page.
http://tomoyo.sourceforge.jp/wiki-e/?WhatIs

Cheers,
Toshiharu Harada
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [TOMOYO 14/15] Conditional permission support.

2007-08-25 Thread Toshiharu Harada

Hi,

2007/8/25, Pavel Machek <[EMAIL PROTECTED]>:
> Hi!
>
> > This patch allows administrators use conditional permission.
> > TOMOYO Linux supports conditional permission based on
> > process's UID,GID etc. and/or requested pathname's UID/GID.
> >
> > Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
> > Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
>
> > + * Since the trailing spaces are removed by tmy_normalize_line(),
> > + * the last "\040if\040" sequence corresponds to condition part.
> > + */
> > +char *tmy_find_condition_part(char *data)
> > +{
> > + char *cp = strstr(data, " if ");
> > + if (cp) {
> > + char *cp2;
> > + while ((cp2 = strstr(cp + 3, " if ")) != NULL)
> > + cp = cp2;
> > + *cp++ = '\0';
> > + }
> > + return cp;
> > +}
> ...
>
> > + unsigned long left_min = 0;
> > + unsigned long left_max = 0;
> > + unsigned long right_min = 0;
> > + unsigned long right_max = 0;
> > + if (strncmp(condition, "if ", 3))
> > + return NULL;
> > + condition += 3;
> > + start = condition;
> > + while (*condition) {
> > + if (*condition == ' ')
> > + condition++;
> > + for (left = 0; left < MAX_KEYWORD; left++) {
> > + if (strncmp(condition, cc_keyword[left].keyword,
> > + cc_keyword[left].keyword_len))
> > + continue;
> > + condition += cc_keyword[left].keyword_len;
> > + break;
> > + }
> > + if (left == MAX_KEYWORD) {
> > + if (!tmy_parse_ulong(_min, ))
> > + goto out;
> > + counter++; /* body */
> > + if (*condition != '-')
> > + goto not_range1;
> > + condition++;
> > + if (!tmy_parse_ulong(_max, )
> > + || left_min > left_max)
> > + goto out;
> > + counter++; /* body */
> > +not_range1: ;
> > + }
> > + if (strncmp(condition, "!=", 2) == 0)
> > + condition += 2;
> > + else if (*condition == '=')
> > + condition++;
> > + else
> > + goto out;
> > + counter++; /* header */
> > + for (right = 0; right < MAX_KEYWORD; right++) {
> > + if (strncmp(condition, cc_keyword[right].keyword,
> > + cc_keyword[right].keyword_len))
> > + continue;
> > + condition += cc_keyword[right].keyword_len;
> > + break;
> > + }
>
> What is that? Language parser in kernel?
>
> Pavel

Key idea of TOMOYO Linux is to let each process to remember the program
(path) name. Names are stored in task struct and "appended" to the list when
execve is called.

An example of /usr/lib/cups/backend/lpd.
(picked up from
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/centos4.4/domain_policy.txt?v=policy-sample)

/etc/rc.d/init.d/cups (fork)
 /sbin/initlog (fork)
   /usr/sbin/cupsd (fork)
 /bin/bash (fork)
   /usr/lib/cups/backend/lpd (current process)

SELinux and other DTE implementations need domain definitions to  work.
It is administrators task to design domains and name each domains.
TOMOYO Linux can be used as DTE MAC, but administrators don't
have to define and name domains. Because TOMOYO Linux
automatically defines domains and name them (from booting to
shutdown).

I wrote "TOMOYO Linux can be used as MAC", because
users can just view the domain transitions and analyze systems
with TOMOYO Linux. Or they can use TOMOYO Linux to
get logs with process invocation histories instead of a simple
program name.

TOMOYO Linux policy consists of path names and they are currently
handled as strings.

Thanks.

--
Toshiharu Harada
NTT DATA CORPORATION
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [TOMOYO 14/15] Conditional permission support.

2007-08-25 Thread Toshiharu Harada

Hi,

2007/8/25, Pavel Machek [EMAIL PROTECTED]:
 Hi!

  This patch allows administrators use conditional permission.
  TOMOYO Linux supports conditional permission based on
  process's UID,GID etc. and/or requested pathname's UID/GID.
 
  Signed-off-by: Kentaro Takeda [EMAIL PROTECTED]
  Signed-off-by: Tetsuo Handa [EMAIL PROTECTED]

  + * Since the trailing spaces are removed by tmy_normalize_line(),
  + * the last \040if\040 sequence corresponds to condition part.
  + */
  +char *tmy_find_condition_part(char *data)
  +{
  + char *cp = strstr(data,  if );
  + if (cp) {
  + char *cp2;
  + while ((cp2 = strstr(cp + 3,  if )) != NULL)
  + cp = cp2;
  + *cp++ = '\0';
  + }
  + return cp;
  +}
 ...

  + unsigned long left_min = 0;
  + unsigned long left_max = 0;
  + unsigned long right_min = 0;
  + unsigned long right_max = 0;
  + if (strncmp(condition, if , 3))
  + return NULL;
  + condition += 3;
  + start = condition;
  + while (*condition) {
  + if (*condition == ' ')
  + condition++;
  + for (left = 0; left  MAX_KEYWORD; left++) {
  + if (strncmp(condition, cc_keyword[left].keyword,
  + cc_keyword[left].keyword_len))
  + continue;
  + condition += cc_keyword[left].keyword_len;
  + break;
  + }
  + if (left == MAX_KEYWORD) {
  + if (!tmy_parse_ulong(left_min, condition))
  + goto out;
  + counter++; /* body */
  + if (*condition != '-')
  + goto not_range1;
  + condition++;
  + if (!tmy_parse_ulong(left_max, condition)
  + || left_min  left_max)
  + goto out;
  + counter++; /* body */
  +not_range1: ;
  + }
  + if (strncmp(condition, !=, 2) == 0)
  + condition += 2;
  + else if (*condition == '=')
  + condition++;
  + else
  + goto out;
  + counter++; /* header */
  + for (right = 0; right  MAX_KEYWORD; right++) {
  + if (strncmp(condition, cc_keyword[right].keyword,
  + cc_keyword[right].keyword_len))
  + continue;
  + condition += cc_keyword[right].keyword_len;
  + break;
  + }

 What is that? Language parser in kernel?

 Pavel

Key idea of TOMOYO Linux is to let each process to remember the program
(path) name. Names are stored in task struct and appended to the list when
execve is called.

An example of /usr/lib/cups/backend/lpd.
(picked up from
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/centos4.4/domain_policy.txt?v=policy-sample)

/etc/rc.d/init.d/cups (forkexec)
 /sbin/initlog (forkexec)
   /usr/sbin/cupsd (forkexec)
 /bin/bash (forkexec)
   /usr/lib/cups/backend/lpd (current process)

SELinux and other DTE implementations need domain definitions to  work.
It is administrators task to design domains and name each domains.
TOMOYO Linux can be used as DTE MAC, but administrators don't
have to define and name domains. Because TOMOYO Linux
automatically defines domains and name them (from booting to
shutdown).

I wrote TOMOYO Linux can be used as MAC, because
users can just view the domain transitions and analyze systems
with TOMOYO Linux. Or they can use TOMOYO Linux to
get logs with process invocation histories instead of a simple
program name.

TOMOYO Linux policy consists of path names and they are currently
handled as strings.

Thanks.

--
Toshiharu Harada
NTT DATA CORPORATION
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-23 Thread Toshiharu Harada


This thread is amazing.  With so many smart people's precious time,

What are the results?
What are the issues anyway?
Is anyone happy? (I'm not and I assume Chris is not)

Yes, "waste of time" is taking place here, but
it's not for "pathname-based MAC" but for "wrongly posted messages",
I believe.  I'm a relatively new to this ml, let me ask.

Is this ml a place of judge or battle? (not to help or support?)

Nothing is perfect, so we can work to make things to better, right?
I have suggestions:

Let's clarify issues first.
- problems (or limitations) of pathname-based MAC
- advantages of pathname-based MAC
- how can pathname-based MAC supplement label based
(Stephen, James and Kyle, please help)

Let's start the arguments again if we get the issues.
Threads should be definitely separated per issue and
a assigning a chair may help.


Well, I crated a Wiki page. If it helps, please
feel free to use it.  I mean I would like
people to add your issues here.  It's wiki, so
you are welcome to modify everything.

http://tomoyo.sourceforge.jp/wiki-e/?MAC-ISSUES

If ml is better, I have no objections.
I just wanted to help discussion.


Above issues are independent of SELinux. We should not *compare*
SELinux and AA, that can cause a problem. Every software has
shortages that's why we need to work and we can make progress.
For some issues we may need to compare them, in that case
moderators would help.

BTW I have posted a RFC of TOMOYO Linux that is another
pathname-based MAC.
http://lkml.org/lkml/2007/6/13/58
AA and TOMOYO Linux have BoF sessions at OLS2007,
so it would be a great opportunity to *talk* over the issues.

What I want to say is "let's make progress and help each other
to make Linux better".


Cheers,
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-23 Thread Toshiharu Harada

This thread is amazing.  With so many smart people's precious time,

What are the results?
What are the issues anyway?
Is anyone happy? (I'm not and I assume Chris is not)

Yes, "waste of time" is taking place here, but
it's not for "pathname-based MAC" but for "wrongly posted messages",
I believe.  I'm a relatively new to this ml, let me ask.

Is this ml a place of judge or battle? (not to help or support?)

Nothing is perfect, so we can work to make things to better, right?
I have suggestions:

Let's clarify issues first.
- problems (or limitations) of pathname-based MAC
- advantages of pathname-based MAC
- how can pathname-based MAC supplement label based
(Stephen, James and Kyle, please help)

Let's start the arguments again if we get the issues.
Threads should be definitely separated per issue and
a assigning a chair may help.

Above issues are independent of SELinux. We should not *compare*
SELinux and AA, that can cause a problem. Every software has
shortages that's why we need to work and we can make progress.
For some issues we may need to compare them, in that case
moderators would help.

BTW I have posted a RFC of TOMOYO Linux that is another
pathname-based MAC.
http://lkml.org/lkml/2007/6/13/58
AA and TOMOYO Linux have BoF sessions at OLS2007,
so it would be a great opportunity to *talk* over the issues.

What I want to say is "let's make progress and help each other
to make Linux better".

Thank you,
Toshiharu Harada

Chris Wright wrote:
> * Chris Mason ([EMAIL PROTECTED]) wrote:
>> I'm sure people there will have a different versions of events.  The
>> one part that was discussed was if pathname based security was
>> useful, and a number of the people in the room (outside of 
>> novell) said it was.  Now, it could be that nobody wanted to argue
>> anymore, since most opinions had come out on one list or another by
>> then.  
> 
> Indeed.  The trouble is that's too high level compared with the actual
> implementation details.  AA is stalled because it has failed to get
> VFS support for it's model.  I don't see a nice way out unless it
> changes it's notion of policy language (globbing is the tough one)
> or gets traction to pass dentry/vfsmount all the way down.  Paths are
> completely relevant for security, esp. when considering the parent dir
> and the leaf (as in forward lookup case).  Retroactively creating the
> full path is at the minimum ugly, and in the worst case can be insecure
> (yes AA has taken many measures to mitigate that insecurity).
> 
>> But as someone who doesn't use either SElinux or AA, I really hope
>> we can get past the part of the debate where:
>>
>> while(1)
>> AA) we think we're making users happy with pathname security
>> SELINUX) pathname security sucks
> 
> Yes.  Please.  Both parties are miserably failing the sanity test.
> Doing the same thing over and over and expecting different results.
> 
> AA folks: deal with the VFS issues that your patchset have in a palatable
> way (which does not include passing NULL when it's inconvenient to
> do otherwise).  You've already missed an opportunity with Christoph's
> suggestions for changes in NFS.  I know you've considered many alternative
> approaches and consistently hit dead ends.  But please note, if you
> have coded yourself into a corner because of your policy language,
> that's your issue to solve, not ours.
> 
> SELinux folks: do something useful rather than quibbling over the TCSEC
> definition of MAC and AA's poor taste in marketing literature.  Here's
> some suggestions:
> 
> 1) Make SELinux usable (it's *still* the number one complaint).  While
> this is a bit of a cheap shot, it really is one of the core reasons AA
> advocates exist.
> 2) Work on a variant of Kyle's suggestion to squash the relevancy of AA.
> 3) Write an effective exploit against AA that demonstrates the fundamental
> weakness of the model (better make sure it's not also an issue for
> targetted policy).

-- 
Toshiharu Harada
[EMAIL PROTECTED]

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-23 Thread Toshiharu Harada

This thread is amazing.  With so many smart people's precious time,

What are the results?
What are the issues anyway?
Is anyone happy? (I'm not and I assume Chris is not)

Yes, waste of time is taking place here, but
it's not for pathname-based MAC but for wrongly posted messages,
I believe.  I'm a relatively new to this ml, let me ask.

Is this ml a place of judge or battle? (not to help or support?)

Nothing is perfect, so we can work to make things to better, right?
I have suggestions:

Let's clarify issues first.
- problems (or limitations) of pathname-based MAC
- advantages of pathname-based MAC
- how can pathname-based MAC supplement label based
(Stephen, James and Kyle, please help)

Let's start the arguments again if we get the issues.
Threads should be definitely separated per issue and
a assigning a chair may help.

Above issues are independent of SELinux. We should not *compare*
SELinux and AA, that can cause a problem. Every software has
shortages that's why we need to work and we can make progress.
For some issues we may need to compare them, in that case
moderators would help.

BTW I have posted a RFC of TOMOYO Linux that is another
pathname-based MAC.
http://lkml.org/lkml/2007/6/13/58
AA and TOMOYO Linux have BoF sessions at OLS2007,
so it would be a great opportunity to *talk* over the issues.

What I want to say is let's make progress and help each other
to make Linux better.

Thank you,
Toshiharu Harada

Chris Wright wrote:
 * Chris Mason ([EMAIL PROTECTED]) wrote:
 I'm sure people there will have a different versions of events.  The
 one part that was discussed was if pathname based security was
 useful, and a number of the people in the room (outside of 
 novell) said it was.  Now, it could be that nobody wanted to argue
 anymore, since most opinions had come out on one list or another by
 then.  
 
 Indeed.  The trouble is that's too high level compared with the actual
 implementation details.  AA is stalled because it has failed to get
 VFS support for it's model.  I don't see a nice way out unless it
 changes it's notion of policy language (globbing is the tough one)
 or gets traction to pass dentry/vfsmount all the way down.  Paths are
 completely relevant for security, esp. when considering the parent dir
 and the leaf (as in forward lookup case).  Retroactively creating the
 full path is at the minimum ugly, and in the worst case can be insecure
 (yes AA has taken many measures to mitigate that insecurity).
 
 But as someone who doesn't use either SElinux or AA, I really hope
 we can get past the part of the debate where:

 while(1)
 AA) we think we're making users happy with pathname security
 SELINUX) pathname security sucks
 
 Yes.  Please.  Both parties are miserably failing the sanity test.
 Doing the same thing over and over and expecting different results.
 
 AA folks: deal with the VFS issues that your patchset have in a palatable
 way (which does not include passing NULL when it's inconvenient to
 do otherwise).  You've already missed an opportunity with Christoph's
 suggestions for changes in NFS.  I know you've considered many alternative
 approaches and consistently hit dead ends.  But please note, if you
 have coded yourself into a corner because of your policy language,
 that's your issue to solve, not ours.
 
 SELinux folks: do something useful rather than quibbling over the TCSEC
 definition of MAC and AA's poor taste in marketing literature.  Here's
 some suggestions:
 
 1) Make SELinux usable (it's *still* the number one complaint).  While
 this is a bit of a cheap shot, it really is one of the core reasons AA
 advocates exist.
 2) Work on a variant of Kyle's suggestion to squash the relevancy of AA.
 3) Write an effective exploit against AA that demonstrates the fundamental
 weakness of the model (better make sure it's not also an issue for
 targetted policy).

-- 
Toshiharu Harada
[EMAIL PROTECTED]

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-23 Thread Toshiharu Harada


This thread is amazing.  With so many smart people's precious time,

What are the results?
What are the issues anyway?
Is anyone happy? (I'm not and I assume Chris is not)

Yes, waste of time is taking place here, but
it's not for pathname-based MAC but for wrongly posted messages,
I believe.  I'm a relatively new to this ml, let me ask.

Is this ml a place of judge or battle? (not to help or support?)

Nothing is perfect, so we can work to make things to better, right?
I have suggestions:

Let's clarify issues first.
- problems (or limitations) of pathname-based MAC
- advantages of pathname-based MAC
- how can pathname-based MAC supplement label based
(Stephen, James and Kyle, please help)

Let's start the arguments again if we get the issues.
Threads should be definitely separated per issue and
a assigning a chair may help.


Well, I crated a Wiki page. If it helps, please
feel free to use it.  I mean I would like
people to add your issues here.  It's wiki, so
you are welcome to modify everything.

http://tomoyo.sourceforge.jp/wiki-e/?MAC-ISSUES

If ml is better, I have no objections.
I just wanted to help discussion.


Above issues are independent of SELinux. We should not *compare*
SELinux and AA, that can cause a problem. Every software has
shortages that's why we need to work and we can make progress.
For some issues we may need to compare them, in that case
moderators would help.

BTW I have posted a RFC of TOMOYO Linux that is another
pathname-based MAC.
http://lkml.org/lkml/2007/6/13/58
AA and TOMOYO Linux have BoF sessions at OLS2007,
so it would be a great opportunity to *talk* over the issues.

What I want to say is let's make progress and help each other
to make Linux better.


Cheers,
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-15 Thread Toshiharu Harada


Stephen Smalley wrote:

On Wed, 2007-06-13 at 23:22 +0900, Toshiharu Harada wrote:

2007/6/13, Stephen Smalley <[EMAIL PROTECTED]>:

On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote:

Here are examples:
/bin/bash process invoked from mingetty: /sbin/mingetty /bin/bash
/bin/bash process invoked from sshd: /usr/sbin/sshd /bin/bash
/bin/bash process invoked from /bin/bash which was invoked from sshd: 
/usr/sbin/sshd /bin/bash /bin/bash

Why can't you do this via SELinux domain transitions?  That lets you do
it by equivalence class rather than per-binary, and let's you just
encode the security-relevant parts of the "invocation history" aka call
chain.  For example, the above could be expressed in SELinux policy
already as:
domain_auto_trans(getty_t, shell_exec_t, local_shell_t)
domain_auto_trans(sshd_t, shell_exec_t, remote_shell_t)
domain_auto_trans(remote_shell_t, shell_exec_t, remote_subshell_t)
or whatever you like.  But you don't have to keep extending it
indefinitely when you don't need to distinguish in policy, so you might
choose to entirely omit the last one, and just have it stay in
remote_shell_t.

The above SELinux policy looks similar to the one I wrote, but
that is not very true.  Because in my example, path name corresponds to a file
while local_shell_t are bound to multiple.
I understand the advantages of label, but it needs to be
translated to human understandable form of path name.
So I think pathname based call chains are advantages for
at least auditing and profiling.


Well, not to get into a debate, but think about whether
"/usr/sbin/sshd /bin/bash" and "/sbin/mingetty /bin/bash" is more
understandable to an administrator than "remote shell" vs. "local shell"
- the label-based approach lets you map the low-level detail of
individual programs/pathnames to abstract equivalence classes that are
more understandable, not less.  Further, think about the advantages of
being able to encode only the security-relevant invocations, not all of
them.


With our sample implmentation of "automated process invocation
history tracking system" (or TOMOYO Linux, in short :)),
no domain transition design and definition is needed.
All you have to do is just run the kernel.
So limiting to encode does not matter much.


On a different note, from a quick look, it looks like TOMOYO is AppArmor
+ invocation history from a user perspective.  Plus a wider range of
controls in your original implementation, but your LSM implementation
seems to be just getting started and only deals with files.  So what's
the case for having a whole separate security module vs. a small
extension to AppArmor?


The reason we cut off various MAC controls was to make
the code as small as possible (we knew lkml readers are busy).
If AA would merge the TOMOYO Linux's "automated proccess
invocation history tracking system" and "real-time policy
learning system", I would be fine.

Cheers,
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-15 Thread Toshiharu Harada

Stephen,

Thank you for your interests and comment.
I'm beginning to feel that you might be misunderstanding
my message. Let me explain.

Stephen Smalley wrote:

On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote:

A couple of years ago, we tried to build a tool to generate
SELinux policy (*1). To do that, we had to gather the access
requests information. So we researched a profiling method and
got to the idea of having a process to store its invocation
history information (or ancestors).

Here are examples:
/bin/bash process invoked from mingetty: /sbin/mingetty /bin/bash
/bin/bash process invoked from sshd: /usr/sbin/sshd /bin/bash
/bin/bash process invoked from /bin/bash which was invoked from sshd:
/usr/sbin/sshd /bin/bash /bin/bash

"The idea":
If we let process to inherit the name of its ancestors (usualy starts
from /sbin/init), then Linux kernel will be able to know ancestors
for each process.

"Above examples" are:
examples of how we can distinguish the same /bin/bash processes.

Why can't you do this via SELinux domain transitions? That lets you do

What do you mean by "this" here?
I was not talking about MAC nor policy definitions.

it by equivalence class rather than per-binary, and let's you just
encode the security-relevant parts of the "invocation history" aka call
chain. For example, the above could be expressed in SELinux policy
already as:

I might have confused you and I am sorry for that.
The above three lines are not TOMOYO Linux plicy.

domain_auto_trans(getty_t, shell_exec_t, local_shell_t)
domain_auto_trans(sshd_t, shell_exec_t, remote_shell_t)
domain_auto_trans(remote_shell_t, shell_exec_t, remote_subshell_t)
or whatever you like. But you don't have to keep extending it
indefinitely when you don't need to distinguish in policy, so you might
choose to entirely omit the last one, and just have it stay in
remote_shell_t.

In your SELinux policy examples, someone must write down them.
To do that someone must know what will happen beforehands.
But if you use TOMOYO Linux, you'll get domain transition
information easily. The example of the result can be found here:

http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/?v=policy-sample
(choose whatever distribution and open the link for
"domain_policy.txt")

For example, from
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/centos4.4/domain_policy.txt?v=policy-sample#L4564
you will know:

/bin/cp which was invoked from
/usr/bin/makewhatis which was invoked from
/etc/cron.weekly/00-makewhatis.cron which was invoked from
/usr/bin/run-parts which was invoked from
/bin/bash which was invoked from
/usr/sbin/crond

that /bin/cp process needs to

read /dev/null, /etc/selinux/config, /proc/filesystems, and
write /var/cache/man/whatis, and truncate /var/cache/man/whatis.

We implemnted the above mentioned idea and TOMOYO Linux is a
sample system which use distinguished process as a "domain".
In some sense it is a system analyzing tool.

Again, we intended to share the idea to people on the lkml.
MAC (TOMOYO Linux) is just a sample.
Any feedback will be appreciated.

It seemed to us that this clarification would be familiar to
users/administrators and could be used for various purposes.
We did implement this by making use of the Linux's traditional
fork & exec mechanisms, and built a pathname-based MAC using
this implementation. We named the result as "TOMOYO Linux"
and made it open source at SourceForge.jp (*2).

TOMOYO Linux kernel keeps track of process invocation and
distinguishes every different process invocation history as a "domain".
TOMOYO Linux can accumulate the accesses requests for each domain.

TOMOYO Linux has a utility called "ccstree". It prints the invocation
history for each process in addition to the output of "pstree" command:

[EMAIL PROTECTED] ~]# ccstree
init (1) /sbin/init
+- udevd (388) /sbin/udevd
...
+- automount (1970) /etc/rc.d/init.d/autofs /usr/sbin/automount
+- acpid (1993) /etc/rc.d/init.d/acpid /bin/bash /usr/sbin/acpid
+- cupsd (2008) /etc/rc.d/init.d/cups /bin/bash /usr/sbin/cupsd
+- sshd (2026) /usr/sbin/sshd
+- sshd (2269) /usr/sbin/sshd
+- bash (2271) /usr/sbin/sshd /bin/bash
+- ccstree (15125) /usr/sbin/sshd /bin/bash
/root/ccstools/ccstree

(symbol, "" indicates a virtual base.)

We had a presentation and a tutorial session of TOMOYO Linux
version 1.4 at the ELC2007 (*3). Version 1.4.1 is the latest and
has a rich set of MAC functions for files, networking, and
capabilities and so on. For historical reasons, it is not using
LSM or auditd. We decided to share this idea with the Linux community
and totally rewrote the code. The result was TOMOYO Linux 2.0,
which is now using LSM and auditd. To make discussion smooth,
we cut off MAC functions other than for files.

We are posting thi

Re: [RFC] TOMOYO Linux

2007-06-15 Thread Toshiharu Harada

Stephen,

Thank you for your interests and comment.
I'm beginning to feel that you might be misunderstanding
my message. Let me explain.

Stephen Smalley wrote:

On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote:

The idea:
If we let process to inherit the name of its ancestors (usualy starts
from /sbin/init), then Linux kernel will be able to know ancestors
for each process.

Above examples are:
examples of how we can distinguish the same /bin/bash processes.

Why can't you do this via SELinux domain transitions? That lets you do

What do you mean by this here?
I was not talking about MAC nor policy definitions.

it by equivalence class rather than per-binary, and let's you just
encode the security-relevant parts of the invocation history aka call
chain. For example, the above could be expressed in SELinux policy
already as:

I might have confused you and I am sorry for that.
The above three lines are not TOMOYO Linux plicy.

http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/?v=policy-sample
(choose whatever distribution and open the link for
domain_policy.txt)

For example, from
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/centos4.4/domain_policy.txt?v=policy-sample#L4564
you will know:

that /bin/cp process needs to

read /dev/null, /etc/selinux/config, /proc/filesystems, and
write /var/cache/man/whatis, and truncate /var/cache/man/whatis.

We implemnted the above mentioned idea and TOMOYO Linux is a
sample system which use distinguished process as a domain.
In some sense it is a system analyzing tool.

Again, we intended to share the idea to people on the lkml.
MAC (TOMOYO Linux) is just a sample.
Any feedback will be appreciated.

It seemed to us that this clarification would be familiar to
users/administrators and could be used for various purposes.
We did implement this by making use of the Linux's traditional
fork exec mechanisms, and built a pathname-based MAC using
this implementation. We named the result as TOMOYO Linux
and made it open source at SourceForge.jp (*2).

TOMOYO Linux kernel keeps track of process invocation and
distinguishes every different process invocation history as a domain.
TOMOYO Linux can accumulate the accesses requests for each domain.

TOMOYO Linux has a utility called ccstree. It prints the invocation
history for each process in addition to the output of pstree command:

[EMAIL PROTECTED] ~]# ccstree
init (1) kernel /sbin/init
+- udevd (388) kernel /sbin/udevd
...
+- automount (1970) kernel /etc/rc.d/init.d/autofs /usr/sbin/automount
+- acpid (1993) kernel /etc/rc.d/init.d/acpid /bin/bash /usr/sbin/acpid
+- cupsd (2008) kernel /etc/rc.d/init.d/cups /bin/bash /usr/sbin/cupsd
+- sshd (2026) kernel /usr/sbin/sshd
+- sshd (2269) kernel /usr/sbin/sshd
+- bash (2271) kernel /usr/sbin/sshd /bin/bash
+- ccstree (15125) kernel /usr/sbin/sshd /bin/bash
/root/ccstools/ccstree

(symbol, kernel indicates a virtual base.)

We are posting this message because we believe that this process
invocation history idea might

Re: [RFC] TOMOYO Linux

2007-06-15 Thread Toshiharu Harada


Stephen Smalley wrote:

On Wed, 2007-06-13 at 23:22 +0900, Toshiharu Harada wrote:

2007/6/13, Stephen Smalley [EMAIL PROTECTED]:

On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote:

Here are examples:
/bin/bash process invoked from mingetty: /sbin/mingetty /bin/bash
/bin/bash process invoked from sshd: /usr/sbin/sshd /bin/bash
/bin/bash process invoked from /bin/bash which was invoked from sshd: 
/usr/sbin/sshd /bin/bash /bin/bash

Why can't you do this via SELinux domain transitions?  That lets you do
it by equivalence class rather than per-binary, and let's you just
encode the security-relevant parts of the invocation history aka call
chain.  For example, the above could be expressed in SELinux policy
already as:
domain_auto_trans(getty_t, shell_exec_t, local_shell_t)
domain_auto_trans(sshd_t, shell_exec_t, remote_shell_t)
domain_auto_trans(remote_shell_t, shell_exec_t, remote_subshell_t)
or whatever you like.  But you don't have to keep extending it
indefinitely when you don't need to distinguish in policy, so you might
choose to entirely omit the last one, and just have it stay in
remote_shell_t.

The above SELinux policy looks similar to the one I wrote, but
that is not very true.  Because in my example, path name corresponds to a file
while local_shell_t are bound to multiple.
I understand the advantages of label, but it needs to be
translated to human understandable form of path name.
So I think pathname based call chains are advantages for
at least auditing and profiling.


Well, not to get into a debate, but think about whether
/usr/sbin/sshd /bin/bash and /sbin/mingetty /bin/bash is more
understandable to an administrator than remote shell vs. local shell
- the label-based approach lets you map the low-level detail of
individual programs/pathnames to abstract equivalence classes that are
more understandable, not less.  Further, think about the advantages of
being able to encode only the security-relevant invocations, not all of
them.


With our sample implmentation of automated process invocation
history tracking system (or TOMOYO Linux, in short :)),
no domain transition design and definition is needed.
All you have to do is just run the kernel.
So limiting to encode does not matter much.


On a different note, from a quick look, it looks like TOMOYO is AppArmor
+ invocation history from a user perspective.  Plus a wider range of
controls in your original implementation, but your LSM implementation
seems to be just getting started and only deals with files.  So what's
the case for having a whole separate security module vs. a small
extension to AppArmor?


The reason we cut off various MAC controls was to make
the code as small as possible (we knew lkml readers are busy).
If AA would merge the TOMOYO Linux's automated proccess
invocation history tracking system and real-time policy
learning system, I would be fine.

Cheers,
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [TOMOYO 5/9] Memory and pathname management functions.

2007-06-14 Thread Toshiharu Harada


Christoph Hellwig wrote:

On Thu, Jun 14, 2007 at 04:36:09PM +0900, Kentaro Takeda wrote:
We limit the maximum length of any string data (such as domainname and 
pathnames)
to TOMOYO_MAX_PATHNAME_LEN (which is 4000) bytes to fit within a single 
page.


Userland programs can obtain the amount of RAM currently used by TOMOYO 
from /proc interface.


Same NACK for this as for AppArmor, on exactly the same grounds.  Please
stop wasting your time on pathname-based non-solutions.


TOMOYO Linux is a pathname-based MAC, that is true.
But what that patch aimed for was sharing the idea of having
Linux kernel to keep "process invocation history" information
for each process. In that sense, TOMOYO Linux is just
a sample implementation.

Please take a look at the following message:
http://lkml.org/lkml/2007/6/13/58

Best regards,
Toshiharu Harada

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [TOMOYO 5/9] Memory and pathname management functions.

2007-06-14 Thread Toshiharu Harada


Christoph Hellwig wrote:

On Thu, Jun 14, 2007 at 04:36:09PM +0900, Kentaro Takeda wrote:
We limit the maximum length of any string data (such as domainname and 
pathnames)
to TOMOYO_MAX_PATHNAME_LEN (which is 4000) bytes to fit within a single 
page.


Userland programs can obtain the amount of RAM currently used by TOMOYO 
from /proc interface.


Same NACK for this as for AppArmor, on exactly the same grounds.  Please
stop wasting your time on pathname-based non-solutions.


TOMOYO Linux is a pathname-based MAC, that is true.
But what that patch aimed for was sharing the idea of having
Linux kernel to keep process invocation history information
for each process. In that sense, TOMOYO Linux is just
a sample implementation.

Please take a look at the following message:
http://lkml.org/lkml/2007/6/13/58

Best regards,
Toshiharu Harada

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada

Morris, thank you for your comment.

2007/6/14, James Morris <[EMAIL PROTECTED]>:

On Thu, 14 Jun 2007, Toshiharu Harada wrote:

> TOMOYO Linux has a mode called "learning"
> in addition to "permissive" and "enforce". You can easily
> get the TOMOYO Linux policy with learning mode that
> SELinux does not have.

Blindly generating security policy through observation of the system is
potentially dangerous for many reasons.
See
<http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/>

When I saw Russell Coker and showed him a demonstration of
TOMOYO Linux, he told the same comment.
Also after tracing an AppAmor's long thread, I'm convinced of the
meaning of label base. That's why I don't think TOMOYO Linux as a
replace of SELinux. "Professional policy (or reference policy)"
makes sense to me.

However it may be safe for audition and profiling purpose.
Policy learning feature of TOMOYO Linux will help
understanding the behavior of Linux boxes.
That is my point.

I will double check the link you showed me. Thank you.
(It's wonderful to receive comments from you and Stephen!)

Note that while SELinux does also have a similar capability with the
audit2allow tool, it should be considered an expert tool, the output of
which needs to be understood before use (as noted in its man page).

Yes. But I remember Frank said "don't use it :-)" when he gave a
presentation in Japan.

> In addition, access control mode of
> TOMOYO Linux can be managed for every difference domain.

We have considered per-domain enforcing mode a couple of times in the
past, but figured that it could be implemented via policy alone (e.g. run
the task in a domain where all accesses are allowed and logged); and it
would also be of limited usefulness because of the aforementioned problems
with learning mode security policy.

I'll reply this part in later.

Thanks!
Toshiharu Harada
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada

2007/6/14, Rik van Riel <[EMAIL PROTECTED]>:

Toshiharu Harada wrote:
> 2007/6/14, Rik van Riel <[EMAIL PROTECTED]>:
> SELinux has a well designed robust and flexible functions.
> So it should be used for everywhere.  I understand it.
> As you mentioned one can analyze the system (process)
> behaviors from AVC logs. But the maintenance cost is not trivial.
>
> If logging with process context is the only purpose,
> current TOMOYO Linux can do it with no hustle at all.

Yes, but so does standard SELinux.

You are making me curious: what does TOMOYO do that is
not done by regular SELinux?

Logging with process name, path name and contexts is
already done.  I must have missed some other TOMOYO
feature in your initial email...

I see SELinux can log with process name, path name and
contexts, but "contexts" must be defined beforehand.
TOMOYO Linux kernel does that with pathname, so no
label definitions needed.
You can confirm the process (domain) transitions any time
and access occurred are clarified per domain basis automatically.
Security context in TOMOYO Linux is represented and stored
as a call chain and very intuitive.

TOMOYO Linux has a mode called "learning"
in addition to "permissive" and "enforce". You can easily
get the TOMOYO Linux policy with learning mode that
SELinux does not have. In addition, access control mode of
TOMOYO Linux can be managed for every difference domain.

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada


2007/6/14, Rik van Riel <[EMAIL PROTECTED]>:

> So I think pathname based call chains are advantages for
> at least auditing and profiling.

SELinux audit logs (well, whatever is in /var/log/audit on
my system) does show the path names of objects that fail to
be accessed as well as the name and context of the processes
trying to access them.

This is with standard Fedora and RHEL installations.


Thank you for your comment.

SELinux has a well designed robust and flexible functions.
So it should be used for everywhere.  I understand it.
As you mentioned one can analyze the system (process)
behaviors from AVC logs. But the maintenance cost is not trivial.

If logging with process context is the only purpose,
current TOMOYO Linux can do it with no hustle at all.
Installation takes just 15 minutes. Please think it as something like
TOYOTA Prius. It's a compact and economical car.
Volvo is known by its security, but we don't have to use only Volvo.

TOMOYO Linux and its underlying idea are free and
you don't have to find a garage. :-)

Cheers,
Toshiharu Harada
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada

2007/6/13, Stephen Smalley <[EMAIL PROTECTED]>:

On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote:
> Here are examples:
> /bin/bash process invoked from mingetty: /sbin/mingetty /bin/bash
> /bin/bash process invoked from sshd: /usr/sbin/sshd /bin/bash
> /bin/bash process invoked from /bin/bash which was invoked from sshd: 
/usr/sbin/sshd /bin/bash /bin/bash

Why can't you do this via SELinux domain transitions?  That lets you do
it by equivalence class rather than per-binary, and let's you just
encode the security-relevant parts of the "invocation history" aka call
chain.  For example, the above could be expressed in SELinux policy
already as:
domain_auto_trans(getty_t, shell_exec_t, local_shell_t)
domain_auto_trans(sshd_t, shell_exec_t, remote_shell_t)
domain_auto_trans(remote_shell_t, shell_exec_t, remote_subshell_t)
or whatever you like.  But you don't have to keep extending it
indefinitely when you don't need to distinguish in policy, so you might
choose to entirely omit the last one, and just have it stay in
remote_shell_t.

The above SELinux policy looks similar to the one I wrote, but
that is not very true.  Because in my example, path name corresponds to a file
while local_shell_t are bound to multiple.
I understand the advantages of label, but it needs to be
translated to human understandable form of path name.
So I think pathname based call chains are advantages for
at least auditing and profiling.

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada

Hello,

TOMOYO Linux kernel keeps track of process invocation and
distinguishes every different process invocation history as a "domain".
TOMOYO Linux can accumulate the accesses requests for each domain.

TOMOYO Linux has a utility called "ccstree". It prints the invocation
history for each process in addition to the output of "pstree" command:

(symbol, "" indicates a virtual base.)

We are posting this message because we believe that this process
invocation history idea might be a useful addition to Linux.
Please take some time to see what this small piece of software can do
with your own eyes. Your feedback will be greatly appreciated.

If some of you are interested in TOMOYO Linux as a method for
access control, please be advised to try full-featured version 1.4.1 (*4).
It is quite easy to install and maintain TOMOYO Linux, but it should
not be considered as a replacement of SELinux.

All right, that's almost everything. Please visit the following
URL for the code and documents:
http://tomoyo.sourceforge.jp/wiki-e/
If you want to see the code first, then:

http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/tomoyo/?v=linux-2.6.21.3-tomoyo-2.0

We will have a TOMOYO Linux BOF session at the OLS2007 (*5).
Please come along and let's talk.

Thank you.

Toshiharu Harada (project manager)
Tetsuo Handa (main architect, version 1 author)
Kentaro Takeda (version 2.0 author)
NTT DATA CORPORATION
http://www.nttdata.co.jp/en/index.html

*1) http://sourceforge.jp/projects/tomoyo/document/nsf2003-en.pdf
*2) http://tomoyo.sourceforge.jp/
*3) http://www.celinux.org/elc2007/
http://tree.celinuxforum.org/CelfPubWiki/ELC2007Presentations
*4) http://tomoyo.sourceforge.jp/en/1.4.1/
*5) http://www.linuxsymposium.org/2007/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

[RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada

Hello,

It seemed to us that this clarification would be familiar to
users/administrators and could be used for various purposes.
We did implement this by making use of the Linux's traditional
fork exec mechanisms, and built a pathname-based MAC using
this implementation. We named the result as TOMOYO Linux
and made it open source at SourceForge.jp (*2).

TOMOYO Linux kernel keeps track of process invocation and
distinguishes every different process invocation history as a domain.
TOMOYO Linux can accumulate the accesses requests for each domain.

TOMOYO Linux has a utility called ccstree. It prints the invocation
history for each process in addition to the output of pstree command:

(symbol, kernel indicates a virtual base.)

All right, that's almost everything. Please visit the following
URL for the code and documents:
http://tomoyo.sourceforge.jp/wiki-e/
If you want to see the code first, then:

http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/tomoyo/?v=linux-2.6.21.3-tomoyo-2.0

We will have a TOMOYO Linux BOF session at the OLS2007 (*5).
Please come along and let's talk.

Thank you.

Toshiharu Harada (project manager)
Tetsuo Handa (main architect, version 1 author)
Kentaro Takeda (version 2.0 author)
NTT DATA CORPORATION
http://www.nttdata.co.jp/en/index.html

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada


2007/6/13, Stephen Smalley [EMAIL PROTECTED]:

On Wed, 2007-06-13 at 17:13 +0900, Toshiharu Harada wrote:
 Here are examples:
 /bin/bash process invoked from mingetty: /sbin/mingetty /bin/bash
 /bin/bash process invoked from sshd: /usr/sbin/sshd /bin/bash
 /bin/bash process invoked from /bin/bash which was invoked from sshd: 
/usr/sbin/sshd /bin/bash /bin/bash

Why can't you do this via SELinux domain transitions?  That lets you do
it by equivalence class rather than per-binary, and let's you just
encode the security-relevant parts of the invocation history aka call
chain.  For example, the above could be expressed in SELinux policy
already as:
domain_auto_trans(getty_t, shell_exec_t, local_shell_t)
domain_auto_trans(sshd_t, shell_exec_t, remote_shell_t)
domain_auto_trans(remote_shell_t, shell_exec_t, remote_subshell_t)
or whatever you like.  But you don't have to keep extending it
indefinitely when you don't need to distinguish in policy, so you might
choose to entirely omit the last one, and just have it stay in
remote_shell_t.


The above SELinux policy looks similar to the one I wrote, but
that is not very true.  Because in my example, path name corresponds to a file
while local_shell_t are bound to multiple.
I understand the advantages of label, but it needs to be
translated to human understandable form of path name.
So I think pathname based call chains are advantages for
at least auditing and profiling.

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada


2007/6/14, Rik van Riel [EMAIL PROTECTED]:

 So I think pathname based call chains are advantages for
 at least auditing and profiling.

SELinux audit logs (well, whatever is in /var/log/audit on
my system) does show the path names of objects that fail to
be accessed as well as the name and context of the processes
trying to access them.

This is with standard Fedora and RHEL installations.


Thank you for your comment.

SELinux has a well designed robust and flexible functions.
So it should be used for everywhere.  I understand it.
As you mentioned one can analyze the system (process)
behaviors from AVC logs. But the maintenance cost is not trivial.

If logging with process context is the only purpose,
current TOMOYO Linux can do it with no hustle at all.
Installation takes just 15 minutes. Please think it as something like
TOYOTA Prius. It's a compact and economical car.
Volvo is known by its security, but we don't have to use only Volvo.

TOMOYO Linux and its underlying idea are free and
you don't have to find a garage. :-)

Cheers,
Toshiharu Harada
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada


2007/6/14, Rik van Riel [EMAIL PROTECTED]:

Toshiharu Harada wrote:
 2007/6/14, Rik van Riel [EMAIL PROTECTED]:
 SELinux has a well designed robust and flexible functions.
 So it should be used for everywhere.  I understand it.
 As you mentioned one can analyze the system (process)
 behaviors from AVC logs. But the maintenance cost is not trivial.

 If logging with process context is the only purpose,
 current TOMOYO Linux can do it with no hustle at all.

Yes, but so does standard SELinux.

You are making me curious: what does TOMOYO do that is
not done by regular SELinux?

Logging with process name, path name and contexts is
already done.  I must have missed some other TOMOYO
feature in your initial email...


I see SELinux can log with process name, path name and
contexts, but contexts must be defined beforehand.
TOMOYO Linux kernel does that with pathname, so no
label definitions needed.
You can confirm the process (domain) transitions any time
and access occurred are clarified per domain basis automatically.
Security context in TOMOYO Linux is represented and stored
as a call chain and very intuitive.

TOMOYO Linux has a mode called learning
in addition to permissive and enforce. You can easily
get the TOMOYO Linux policy with learning mode that
SELinux does not have. In addition, access control mode of
TOMOYO Linux can be managed for every difference domain.

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC] TOMOYO Linux

2007-06-13 Thread Toshiharu Harada

Morris, thank you for your comment.

2007/6/14, James Morris [EMAIL PROTECTED]:

On Thu, 14 Jun 2007, Toshiharu Harada wrote:

TOMOYO Linux has a mode called learning
in addition to permissive and enforce. You can easily
get the TOMOYO Linux policy with learning mode that
SELinux does not have.

Blindly generating security policy through observation of the system is
potentially dangerous for many reasons.
See
http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/

When I saw Russell Coker and showed him a demonstration of
TOMOYO Linux, he told the same comment.
Also after tracing an AppAmor's long thread, I'm convinced of the
meaning of label base. That's why I don't think TOMOYO Linux as a
replace of SELinux. Professional policy (or reference policy)
makes sense to me.

However it may be safe for audition and profiling purpose.
Policy learning feature of TOMOYO Linux will help
understanding the behavior of Linux boxes.
That is my point.

I will double check the link you showed me. Thank you.
(It's wonderful to receive comments from you and Stephen!)

Note that while SELinux does also have a similar capability with the
audit2allow tool, it should be considered an expert tool, the output of
which needs to be understood before use (as noted in its man page).

Yes. But I remember Frank said don't use it :-) when he gave a
presentation in Japan.

In addition, access control mode of
TOMOYO Linux can be managed for every difference domain.

We have considered per-domain enforcing mode a couple of times in the
past, but figured that it could be implemented via policy alone (e.g. run
the task in a domain where all accesses are allowed and logged); and it
would also be of limited usefulness because of the aforementioned problems
with learning mode security policy.

I'll reply this part in later.

Thanks!
Toshiharu Harada
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-29 Thread Toshiharu Harada

2007/5/29, Kyle Moffett <[EMAIL PROTECTED]>:

>>> But writing policy with labels are somewhat indirect way (I mean,
>>> we need "ls -Z" or "ps -Z").  Indirect way can cause flaw so we
>>> need a lot of work that is what I wanted to tell.
>>
>> I don't really use "ls -Z" or "ps -Z" when writing SELinux policy; I
>> do that only when I actually think I mislabeled files.
>
> I believe what you wrote, but it may not be as easy for average
> Linux users.

As I said before, average Linux users should not be writing their own
security policy.  I have yet to meet an "average Linux user" who
could reliably quote for me what the file permissions on the "/tmp"
directory should be, or what the sticky bit was.  A small percentage
of average Linux system administrators don't get that right
consistently, and if you don't understand the sticky bit then you
should *definitely* not be controlling program permissions on a per-
syscall basis.

Thank you for your detailed and thoughtful explanation.
Things are much clear now for me. Although your explanation was
quite persuasive, I still have some concerns.

Linux is now being used literately everywhere. As devices, technologies and
Linux itself is evolving so quickly, I'm afraid the way you showed was right
but could never meet the every goal perfectly. So some areas, including
embedded and special distro I guess, there must be solutions and help  for
average level administrators.

I think there are two ways to make secure systems.  One is just
you wrote: "ask it professionals" way, the other is "making practices".
You might ask "how?" My answer to the question is pahtname-based
systems such as AppAmor and TOMOYO Linux.
They can't be compared to SELinux, but they should be considered to
supplemental tools.  At least they are helpful to analyze how Linux works.
Tweeking SELinux policy is not easy but writing policies for
them is relatively easy (I'm not talking about security here).

Not everybody can be a professional administrators, but he/she can be a
professional administrator of his/her system.  I believe there must be
solutions for non professional administrators.  That's why we developed
TOMOYO Linux (http://tomoyo.sourceforge.jp/) and so was AppArmor
I guess.  You might laugh, but we are doing this because we want to
contribute to Linux and its community. :)

Thanks,
Toshiharu Harada
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-29 Thread Toshiharu Harada


2007/5/29, Kyle Moffett [EMAIL PROTECTED]:

 But writing policy with labels are somewhat indirect way (I mean,
 we need ls -Z or ps -Z).  Indirect way can cause flaw so we
 need a lot of work that is what I wanted to tell.

 I don't really use ls -Z or ps -Z when writing SELinux policy; I
 do that only when I actually think I mislabeled files.

 I believe what you wrote, but it may not be as easy for average
 Linux users.

As I said before, average Linux users should not be writing their own
security policy.  I have yet to meet an average Linux user who
could reliably quote for me what the file permissions on the /tmp
directory should be, or what the sticky bit was.  A small percentage
of average Linux system administrators don't get that right
consistently, and if you don't understand the sticky bit then you
should *definitely* not be controlling program permissions on a per-
syscall basis.


Thank you for your detailed and thoughtful explanation.
Things are much clear now for me. Although your explanation was
quite persuasive, I still have some concerns.

Linux is now being used literately everywhere. As devices, technologies and
Linux itself is evolving so quickly, I'm afraid the way you showed was right
but could never meet the every goal perfectly. So some areas, including
embedded and special distro I guess, there must be solutions and help  for
average level administrators.

I think there are two ways to make secure systems.  One is just
you wrote: ask it professionals way, the other is making practices.
You might ask how? My answer to the question is pahtname-based
systems such as AppAmor and TOMOYO Linux.
They can't be compared to SELinux, but they should be considered to
supplemental tools.  At least they are helpful to analyze how Linux works.
Tweeking SELinux policy is not easy but writing policies for
them is relatively easy (I'm not talking about security here).

Not everybody can be a professional administrators, but he/she can be a
professional administrator of his/her system.  I believe there must be
solutions for non professional administrators.  That's why we developed
TOMOYO Linux (http://tomoyo.sourceforge.jp/) and so was AppArmor
I guess.  You might laugh, but we are doing this because we want to
contribute to Linux and its community. :)

Thanks,
Toshiharu Harada
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-28 Thread Toshiharu Harada

2007/5/27, Kyle Moffett <[EMAIL PROTECTED]>:

On May 27, 2007, at 03:25:27, Toshiharu Harada wrote:
> 2007/5/27, Kyle Moffett <[EMAIL PROTECTED]>:

How is that argument not trivially circular?  "Foo has an assumption
that foo-property is always properly defined and maintained."  That
could be said about *anything*:

What I wanted to mention was the difficulties or efforts to make
assumptions real.  I never meant a circular argument, but if you
felt so I apologize sincerely.

>> If you can't properly manage your labels, then how do you expect
>> any security at all?
>
> Please read my message again. I didn't say, "This can never be
> achieved".  I said, "This can not be easily achieved".

So you said "(data labels) can not be easily achieved".  My question
for you is: How do you manage secure UNIX systems without standard
UNIX permission bits?  Also:  If you have problems with data labels
then what makes pathname based labels "easier"?  If there is
something that could be done to improve SELinux and make it more
readily configurable then it should probably be done.

Permission bits can be checked easily with "ls" command,
but assuring the correctness of labels are not that easy.
I'll try to explain.

The correctness of the permission bit for a given file can be judged
solely by the result of "ls" command.  The correctness of the label,
on the other hand, can't be judged without understanding of whole policy
including domain transitions. (see the attached figure)
I can imagine that once one get the complete SELinux policy,
then it is able to modify and maintain it.

I don't say making a complete SELinux policy is impossible,
and actually you said you did it.  But to be frank, I don't think
you are the average level user at all. ;-)

> I'm very interested in how you can know that you have the correct
> object labeling (this is my point). Could you tell?

I know that I have the correct object labeling because:

Do you mind if I add this?

0) I understood the default policy and perfectly understand the
every behavior of my system.

this is where the difficulties exist.

  1) I rewrote/modified the default policy to be extremely strict on
the system where I wanted the extra security and hassle.
  2) I ensured that the type transitions were in place for almost
everything that needed to be done to administer the system.
  3) I wrote a file-contexts file and relabeled *once*
  4) I loaded the customized policy plus policy for restorecon and
relabeled for the last time
  5) I reloaded the customized policy without restorecon privileges
and without the ability to reload the policy again.
  6) I never reboot the system without enforcing mode.
  7) If there are unexpected errors or files have incorrect labels,
I have to get the security auditor to log in on the affected system
and relabel the problematic files manually (rare occurrence which
requires excessive amounts of paperwork).

Thank you for the procedures.  It's quite helpful.

> I don't deny DAC at all.  If we deny DAC, we can't live with Linux
> it's the base.  MAC can be used to cover the shortages of DAC and
> Linux's simple user model, that's it.
>
> From security point of view, simplicity is always the virtue and
> the way to go.  Inode combined label is guaranteed to be a single
> at any point time.  This is the most noticeable advantage of label-
> based security.

I would argue that pathname-based security breaks the "simplicity is
the best virtue (of a security system)" paradigm, because it
attributes multiple potentially-conflicting labels to the same piece

Every pathname-based security must provide the mechanism
to prevent a conflicting/malicious access, otherwise it's junk.

I have a question for you.  With current implementation of
SELinux, only one label can be assigned.  But there are cases
that one object can be used in different context, so I think
it might help if SELinux would allow objects to have
multiple labels. (I'm not talking about conflicts here)
What do you think?

> But writing policy with labels are somewhat indirect way (I mean,
> we need "ls -Z" or "ps -Z").  Indirect way can cause flaw so we
> need a lot of work that is what I wanted to tell.

I don't really use "ls -Z" or "ps -Z" when writing SELinux policy; I
do that only when I actually think I mislabeled files.

I believe what you wrote, but it may not be as easy for average Linux users.

Typically the SELinux-policy-development cycle is:
  1)  Modify and reload the policy
  2)  Relabel the affected files (either by hand or with some
automated tool like restorecon)
  3)  Rerun the problem program or daemon
  4)  Examine the errors in the audit logs.  If there are no errors
and it works then you're finished.
  5)  Go back to step 1 and fix your policy

Cheers,
Toshiharu Harada
<>

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-28 Thread Toshiharu Harada


2007/5/27, Kyle Moffett [EMAIL PROTECTED]:

On May 27, 2007, at 03:25:27, Toshiharu Harada wrote:
 2007/5/27, Kyle Moffett [EMAIL PROTECTED]:



How is that argument not trivially circular?  Foo has an assumption
that foo-property is always properly defined and maintained.  That
could be said about *anything*:


What I wanted to mention was the difficulties or efforts to make
assumptions real.  I never meant a circular argument, but if you
felt so I apologize sincerely.


 If you can't properly manage your labels, then how do you expect
 any security at all?

 Please read my message again. I didn't say, This can never be
 achieved.  I said, This can not be easily achieved.

So you said (data labels) can not be easily achieved.  My question
for you is: How do you manage secure UNIX systems without standard
UNIX permission bits?  Also:  If you have problems with data labels
then what makes pathname based labels easier?  If there is
something that could be done to improve SELinux and make it more
readily configurable then it should probably be done.


Permission bits can be checked easily with ls command,
but assuring the correctness of labels are not that easy.
I'll try to explain.

The correctness of the permission bit for a given file can be judged
solely by the result of ls command.  The correctness of the label,
on the other hand, can't be judged without understanding of whole policy
including domain transitions. (see the attached figure)
I can imagine that once one get the complete SELinux policy,
then it is able to modify and maintain it.

I don't say making a complete SELinux policy is impossible,
and actually you said you did it.  But to be frank, I don't think
you are the average level user at all. ;-)


 I'm very interested in how you can know that you have the correct
 object labeling (this is my point). Could you tell?

I know that I have the correct object labeling because:


Do you mind if I add this?

0) I understood the default policy and perfectly understand the
every behavior of my system.

this is where the difficulties exist.


  1) I rewrote/modified the default policy to be extremely strict on
the system where I wanted the extra security and hassle.
  2) I ensured that the type transitions were in place for almost
everything that needed to be done to administer the system.
  3) I wrote a file-contexts file and relabeled *once*
  4) I loaded the customized policy plus policy for restorecon and
relabeled for the last time
  5) I reloaded the customized policy without restorecon privileges
and without the ability to reload the policy again.
  6) I never reboot the system without enforcing mode.
  7) If there are unexpected errors or files have incorrect labels,
I have to get the security auditor to log in on the affected system
and relabel the problematic files manually (rare occurrence which
requires excessive amounts of paperwork).


Thank you for the procedures.  It's quite helpful.


 I don't deny DAC at all.  If we deny DAC, we can't live with Linux
 it's the base.  MAC can be used to cover the shortages of DAC and
 Linux's simple user model, that's it.

 From security point of view, simplicity is always the virtue and
 the way to go.  Inode combined label is guaranteed to be a single
 at any point time.  This is the most noticeable advantage of label-
 based security.

I would argue that pathname-based security breaks the simplicity is
the best virtue (of a security system) paradigm, because it
attributes multiple potentially-conflicting labels to the same piece


Every pathname-based security must provide the mechanism
to prevent a conflicting/malicious access, otherwise it's junk.

I have a question for you.  With current implementation of
SELinux, only one label can be assigned.  But there are cases
that one object can be used in different context, so I think
it might help if SELinux would allow objects to have
multiple labels. (I'm not talking about conflicts here)
What do you think?


 But writing policy with labels are somewhat indirect way (I mean,
 we need ls -Z or ps -Z).  Indirect way can cause flaw so we
 need a lot of work that is what I wanted to tell.

I don't really use ls -Z or ps -Z when writing SELinux policy; I
do that only when I actually think I mislabeled files.


I believe what you wrote, but it may not be as easy for average Linux users.


Typically the SELinux-policy-development cycle is:
  1)  Modify and reload the policy
  2)  Relabel the affected files (either by hand or with some
automated tool like restorecon)
  3)  Rerun the problem program or daemon
  4)  Examine the errors in the audit logs.  If there are no errors
and it works then you're finished.
  5)  Go back to step 1 and fix your policy


Cheers,
Toshiharu Harada
attachment: fig.png

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-27 Thread Toshiharu Harada

2007/5/27, Kyle Moffett <[EMAIL PROTECTED]>:

On May 26, 2007, at 19:08:56, Toshiharu Harada wrote:
> 2007/5/27, James Morris <[EMAIL PROTECTED]>:
>> On Sat, 26 May 2007, Kyle Moffett wrote:
>>> AppArmor).  On the other hand, if you actually want to protect
>>> the _data_, then tagging the _name_ is flawed; tag the *DATA*
>>> instead.
>>
>> Bingo.
>>
>> (This is how traditional Unix DAC has always functioned, and is
>> what SELinux does: object labeling).
>
> Object labeling (or labeled security) looks simple and straight
> forward way, but it's not.
>
> (1) Object labeling has a assumption that labels are always
> properly defined and maintained. This can not be easily achieved.

That's a circular argument, and a fairly trivial one at that.

Sorry Kyle, I don't think it's a trivial one.  The opposite.

If you can't properly manage your labels, then how do you expect any
security at all?

Please read my message again. I didn't say, "This can never be achieved".
I said, "This can not be easily achieved".

 If you can't manage your "labels", then pathname-
based security won't work either.  This is analogous to saying
"Pathname-based security has an assumption that path-permissions are
always properly defined and maintained", which is equally obvious.

Yes,! You got the point.
Both label-based and pathname-based apporaches have the advantaes and
difficluties.
In that sense they are equal. That's what I wanted to say.
Both approaches can be improved and even can be used combined to
overcome the difficulties. Let's not fight against and think together,
then we can make Linux better.

If you can't achieve the first with reasonable security, then you
probably can't achieve the second either.  Also, if you can't manage
correct object labeling then I'm very interested in how you are
maintaining secure Linux systems without standard DAC.

I'm very interested in how you can know that you have the
correct object labeling (this is my point). Could you tell?
I assume your best efforts end up with
- have a proper fc definitions and guard them (this can be done)
- executes relabeling as needed (best efforts)
- hope everything work fine

> (2) Also, assigning a label is something like inventing and
> assigning a *new* name (label name) to objects which can cause flaws.

I don't understand how assigning new attributes to objects "can cause
flaws", nor what flaws those might be; could you elaborate further?
In particular, I don't see how this is really all that more
complicated than defining additional access control in
apache .htaccess files.  The principle is the same:  by stacking
multiple independent security-verification mechanisms (Classical UNIX
DAC and Apache permissions) you can increase security, albeit at an
increased management cost.  You might also note that ".htaccess"
files are yet another form of successful "label-based" security; the
security context for a directory depends on the .htaccess "label"
file found within.  The *exact* same principles apply to SELinux: you
add additional attributes backed by a simple and powerful state-
machine.  The cross-checks are lower-level than those from .htaccess
files, but the principles are the same.

I don't deny DAC at all.  If we deny DAC, we can't live with Linux
it's the base.  MAC can be used to cover the shortages of DAC and
Linux's simple user model, that's it.

From security point of view, simplicity is always the virtue and the way to go.

Inode combined label is guaranteed to be a single at any point time.
This is the most noticeable advantage of label-based security.
But writing policy with labels are somewhat indirect way (I mean, we need
"ls -Z" or "ps -Z").  Indirect way can cause flaw so we need a lot of work
that is  what I wanted to tell.

Cheers,
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-27 Thread Toshiharu Harada


2007/5/27, Kyle Moffett [EMAIL PROTECTED]:

On May 26, 2007, at 19:08:56, Toshiharu Harada wrote:
 2007/5/27, James Morris [EMAIL PROTECTED]:
 On Sat, 26 May 2007, Kyle Moffett wrote:
 AppArmor).  On the other hand, if you actually want to protect
 the _data_, then tagging the _name_ is flawed; tag the *DATA*
 instead.

 Bingo.

 (This is how traditional Unix DAC has always functioned, and is
 what SELinux does: object labeling).

 Object labeling (or labeled security) looks simple and straight
 forward way, but it's not.

 (1) Object labeling has a assumption that labels are always
 properly defined and maintained. This can not be easily achieved.

That's a circular argument, and a fairly trivial one at that.


Sorry Kyle, I don't think it's a trivial one.  The opposite.


If you can't properly manage your labels, then how do you expect any
security at all?


Please read my message again. I didn't say, This can never be achieved.
I said, This can not be easily achieved.


 If you can't manage your labels, then pathname-
based security won't work either.  This is analogous to saying
Pathname-based security has an assumption that path-permissions are
always properly defined and maintained, which is equally obvious.


Yes,! You got the point.
Both label-based and pathname-based apporaches have the advantaes and
difficluties.
In that sense they are equal. That's what I wanted to say.
Both approaches can be improved and even can be used combined to
overcome the difficulties. Let's not fight against and think together,
then we can make Linux better.


If you can't achieve the first with reasonable security, then you
probably can't achieve the second either.  Also, if you can't manage
correct object labeling then I'm very interested in how you are
maintaining secure Linux systems without standard DAC.


I'm very interested in how you can know that you have the
correct object labeling (this is my point). Could you tell?
I assume your best efforts end up with
- have a proper fc definitions and guard them (this can be done)
- executes relabeling as needed (best efforts)
- hope everything work fine


 (2) Also, assigning a label is something like inventing and
 assigning a *new* name (label name) to objects which can cause flaws.

I don't understand how assigning new attributes to objects can cause
flaws, nor what flaws those might be; could you elaborate further?
In particular, I don't see how this is really all that more
complicated than defining additional access control in
apache .htaccess files.  The principle is the same:  by stacking
multiple independent security-verification mechanisms (Classical UNIX
DAC and Apache permissions) you can increase security, albeit at an
increased management cost.  You might also note that .htaccess
files are yet another form of successful label-based security; the
security context for a directory depends on the .htaccess label
file found within.  The *exact* same principles apply to SELinux: you
add additional attributes backed by a simple and powerful state-
machine.  The cross-checks are lower-level than those from .htaccess
files, but the principles are the same.


I don't deny DAC at all.  If we deny DAC, we can't live with Linux
it's the base.  MAC can be used to cover the shortages of DAC and
Linux's simple user model, that's it.


From security point of view, simplicity is always the virtue and the way to go.

Inode combined label is guaranteed to be a single at any point time.
This is the most noticeable advantage of label-based security.
But writing policy with labels are somewhat indirect way (I mean, we need
ls -Z or ps -Z).  Indirect way can cause flaw so we need a lot of work
that is  what I wanted to tell.

Cheers,
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-26 Thread Toshiharu Harada

2007/5/27, James Morris <[EMAIL PROTECTED]>:

On Sat, 26 May 2007, Kyle Moffett wrote:
> AppArmor).  On the other hand, if you actually want to protect the _data_,
> then tagging the _name_ is flawed; tag the *DATA* instead.

Bingo.

(This is how traditional Unix DAC has always functioned, and is what
SELinux does: object labeling).

Object labeling (or labeled security) looks simple and straight forward way,
but it's not.

(1) Object labeling has a assumption that labels are always properly
defined and maintained. This can not be easily achieved.
(2) Also, assigning a label is something like inventing and assigning
a *new* name (label name) to objects which can cause flaws.

I'm not saying labeled security or SELinux is wrong.  I just wanted to
remind that  the important part is the "process" not the "result". :-)

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-26 Thread Toshiharu Harada


2007/5/27, James Morris [EMAIL PROTECTED]:

On Sat, 26 May 2007, Kyle Moffett wrote:
 AppArmor).  On the other hand, if you actually want to protect the _data_,
 then tagging the _name_ is flawed; tag the *DATA* instead.

Bingo.

(This is how traditional Unix DAC has always functioned, and is what
SELinux does: object labeling).


Object labeling (or labeled security) looks simple and straight forward way,
but it's not.

(1) Object labeling has a assumption that labels are always properly
defined and maintained. This can not be easily achieved.
(2) Also, assigning a label is something like inventing and assigning
a *new* name (label name) to objects which can cause flaws.

I'm not saying labeled security or SELinux is wrong.  I just wanted to
remind that  the important part is the process not the result. :-)

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-25 Thread Toshiharu Harada


Hi,

2007/5/24, James Morris <[EMAIL PROTECTED]>:

I can restate my question and ask why you'd want a security policy like:

 Subject 'sysadmin' has:
read access to /etc/shadow
read/write access to /views/sysadmin/etc/shadow

where the objects referenced by the paths are identical and visible to the
subject along both paths, in keeping with your description of "policy may
allow access to some locations but not to others" ?


If I understand correctly, the original issue was whether to allow passing
vfsmount to the inode_create LSM hook or not. Which is independent from
AA or "pathname based MAC", I think.

It is proven that Linux can be used without that change,　however it is
also clear that current LSM cause the ambiguities as AA people has
explained. Clearing ambiguities is a obvious gain to Linux and will make
benefits for auditing besides "pathname based MAC".

So here's my opinion. If anybody can't explain clear reason (or needs)
to keep these ambiguities unsolved,　we should consider to merge
the proposal.

Thanks.

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

2007-05-25 Thread Toshiharu Harada


Hi,

2007/5/24, James Morris [EMAIL PROTECTED]:

I can restate my question and ask why you'd want a security policy like:

 Subject 'sysadmin' has:
read access to /etc/shadow
read/write access to /views/sysadmin/etc/shadow

where the objects referenced by the paths are identical and visible to the
subject along both paths, in keeping with your description of policy may
allow access to some locations but not to others ?


If I understand correctly, the original issue was whether to allow passing
vfsmount to the inode_create LSM hook or not. Which is independent from
AA or pathname based MAC, I think.

It is proven that Linux can be used without that change,　however it is
also clear that current LSM cause the ambiguities as AA people has
explained. Clearing ambiguities is a obvious gain to Linux and will make
benefits for auditing besides pathname based MAC.

So here's my opinion. If anybody can't explain clear reason (or needs)
to keep these ambiguities unsolved,　we should consider to merge
the proposal.

Thanks.

--
Toshiharu Harada
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

44 matches

Mail list logo