Yi Xiaodong (yi_xiao_dong@sohu.com)
May 2003
This paper mainly tells the new important security mechanism in the FreeBSD 5.0 operating system, ie forces the use of the forced access control mechanism (MAC), mainly including the forced access control framework and multi-level security (MLS) policy two parts. This section tells some of the work that should be used to use the MAC framework with the MLS policy, and how to effectively use them.
Forced Access Control (English Abbreviation MAC) is an important way to implement operating system security. Now all of all security operating systems use forced access control as one of its core security mechanisms. Forced Access Control is a variety of objects such as files, sockets, systems FIFO, SCD, IPC, etc.) for fine-grained access control, that is, when the user or user program has access to a certain object of the system, forced access control mechanisms Check the security of this access. Unlike autonomous access control, forced access control limits the behavior of users and user programs to achieve higher security levels.
Forced Access Control is a mechanism that checks the user's access to the client with the user program, but what kind of access is safe? This requires the concept of introducing security policies. Security policies can be considered a set of inspection conditions that define a security tag for each access to the subject (user or user program) and accessible objects such as files, and then determine this according to the security tag of the main body and the object. Access is safe. A variety of security strategies have been developed, of which MLS is used up to. MLS is the meaning of multi-level security, which is the earliest use in military fields. Its basic idea is to define some security levels, such as from low to high-level ordinary, confidentiality, top secret, require high security level information that cannot be disclosed to a low-security level, which requires a low-security level that cannot be read High security grade objects, while high security levels cannot write low security levels. See the relevant information for details.
Like Linux, the FreeBSD system is an Open source operating system, and freeBSD is clear and safe, so it is also very wide. From the 5.0rc2 version, the FreeBSD kernel began to introduce forced access control mechanisms. It implements a flexible universal Mac framework in the kernel. This framework has access to almost all core objects in the FreeBSD core, and this frame design is reasonably, and the interface is simple, so that we can easily develop various security policy modules and Hang it to the system, so that the system is safely controlled by our own strategy. In addition, the system also provides a plurality of policy modules including the MLS policy module for us to choose.
This paper details the forced access control mechanism in the FreeBSD system from the two aspects of the use and source code. The content mainly includes MAC frameworks and MLS strategies. It is believed that friends who are interested in this part will be inspired.
1: When I use FreeBSD 5.0 RC2 version of FreeBSD 5.0, the kernel source code already contains the Mac framework and some MAC policy modules (such as MLS policy modules, MAC_NONE policy modules for development and experiments, integrity. Module Mac_biba, etc.), but this version of the kernel is not officially supported by MAC, so default, it is not compiled into the code of the Mac framework when compiling the kernel. In addition, we will use the MLS strategy as an example to explain how to use the Mac framework to load the policy module. In order to make MLS strategies true practical, we need to configure the system's extension file attribute, etc., we will make a certain introduction. Finally, we will introduce the MAC tags such as the console command and how to use the system call interface in the program to operate the file or process.
1.1 Re-compiling the kernel as described above, Since the MAC framework in the FreeBSD 5.0 RC2 is still in the development phase, the kernel binary code does not include support for the Mac framework. To make the kernel support the Mac framework, you must configure and recompile the kernel, the specific method is as follows. Under / USR / SRC / SYS / I386 / Conf, copy the generic file into another file such as YXD_kernel (do not change the generic file), then find the MakeOptions in the YXD_kernel file, in the existing format, add a line (detail For information, see "TrustedBSD Mac Framework" section in FreeBSD Developers' Handbook):
Options Mac
This option will open the MAC compilation switch so that the corresponding Mac frame code will be compiled into the kernel when compiling.
In addition, in order to support the storage of the MAC tag of the file and the directory, the kernel must support the extended file system (not supported by default). To achieve this, you must add the following two compilation options in YXD_kernel:
Options ufs_extattr
Options ufs_extattr_autostart
This article will explain more detailed explanation of the expansion file system later.
After configuring the YXD_kernel file by the above requirements, use the following command to recompile the kernel:
CD / USR / SRC / SYS / I386 / CONF
Config yxd_kernel
At this time, the system will build a directory with your configuration file below / usr / src / sys / i386 / compile, this example is YXD_kernel. Enter this directory, enter the following command:
Make depe
Make
Make Install
At this point, the compiled kernel work is completed, and the whole process may take more than a dozen minutes based on your machine. After completing the above compilation and restart the system, we can use the Mac framework.
1.2 After configuring the MLS Policy Complete the work of 1.1, the system only provides a Mac framework, and does not load any security policies for you, but after this design is very good Mac framework, it will be very convenient to load any security strategy. Below we take MLS strategy as an example, how to load it into the system to allow it to access the system.
The source code of the MLS policy is in / usr / src / sys / security / mac_mls directory, two files for mac_mls.h and mac_mls.c, if you have modified it, you need to compile it, directly enter / usr / src / Sys / modules / mac_mls directory, running the board command. Make's target file is a mac_mls.ko file, which is the KLD (Kernel Linker Dynam, Dynamic Link Mechanism) module under FreeBSD, can be compiled and loaded independently of the kernel, which is very convenient for us to debug.
Mac_mls.ko This module must be loaded before the system initialization, and cannot wait until the system starts, use the kldload command to manually load, it is guaranteed by a load mark (see the Mac framework and MLS Policy Analysis Chapter). In order to achieve this, we must add the following line and restart the system in /boot/loader.conf file:
Mac_mls_load = "yes"
It is worth noting that when we modify and recompile the Mac_mls.ko module, you must copy it from the / usr / src / sys / modules / mac_mls directory to the / boot / kernel directory, because the system starts from / boot / kernel directory looks for modules. 1.3 Configuring an extended file system When we finished 1.1 and 1.2, the MLS module has played in the system, we can use the "GetFMAC file / directory name" to get the MAC tag of the file or directory (like "file / Directory Name: MLS / Low, please refer to 1.4 section), but the tag at this time is a pseudo-tag, that is, this tag is the default mark of the MLS policy to each file, and this tag It is not stored when the system is turned off. But according to our needs, we hope that the Mac tag of each file or directory should have "non-transistive" tags, that is, we hope this tag is stored on disk as files. This requires the introduction of the extended file system such that the MAC tag of each file or directory is stored in the corresponding file or directory extension attribute. For ease of understanding, the extension file system in FreeBSD is described below.
Simply put, the expansion file system is an expansion of existing file systems. Extended Attributes (EA, Extended Attribute) is based on standard properties of files or directories in the Inode node of the traditional file system, which can add additional information stored in the inode node, which The system is accessed from the inode node. The extension attribute (EA) of each file system is a set of name, value. A Inode node (file or directory) may define a certain property or may not be defined. If the Inode node defines an attribute, it may contain 0, or data that may contain multiple bytes of this attribute. This is similar to the environment variable of the general shell. In this way, the extended attribute mechanism provides a simple way to store access security information for the various security features (ACL, MAC and capabilities, etc.) of TrustedBSD. Some non-secure applications can also create extended properties as needed, such as the checksum, key, etc. of the file. The extended attribute can dynamically increase the new extended attribute without having to change the storage format of the file system on the disk.
To make the MAC tag can be stored in the file extension attribute, you must support an extension attribute. Below we use the / TMP file system as an example, tell how to configure it to support extended file properties:
First create a / TMP/.attribute/system directory. When Mount is a file system, the system will automatically find files corresponding to the extension file system from this directory. Use the following command to create a file called FreeBSD.mac, this file will store the extension attribute of all files in the / TMP file system. 100 This number indicates that the length of each extended property is 100 bytes:
CD /TMP/.attribute/system
ExtTrctl initattr -p. 100 freebsd.mac
Use the following command to tag tag to / TMP file system, tell the system to load the extension file system when Mount. Where the -l flag indicates that the expansion file system is used for Mac tags, see Man Page:
CD /
Umount / TMP
Runefs -l enable / TMP
Mount / TMP
CD /TMP/.attribute/system
Since the extension property enabled when the file system mount is named FreeBSD.mac, and the extension attribute we need is mac_mls (whose reason is to see the Mac framework analysis section), so we must use the following command activation of the extension attribute named MAC_mls : EXTATTRCTL ENABLE / TMP SYSTEM MAC_MLS ./freebsd.mac
At this point, the / TMP file system is configured, and we can try to use the following command to change the MAC mark of the / tmp / test file:
SetFMAC MLS / High / TMP / TEST
1.4 Operating the MLS tag and all system functions, the MLS tag can be or set in the console by the command, or can be used or set in the program, the following is a simple introduction to these two ways .
The console command mainly has three, namely GetFMAC, which is used to obtain the MAC tag of the file or directory; setFMAC is used to set the MAC tag of the file or directory; getPMAC, used to get the MAC mark of the current process. Another command setpmac is not well supported in the current system.
If you are using the MLS policy, the returned MAC is marked as mls / [single_mac] ([mac_range]), where MLS is the policy name, and later is separated from the tag data. [SINGLE_MAC] is a single MAC tag, possibly "low" or "high" or "equal". [Mac_RANGE] is a range of MAC markers, often has a range. An example of a MAC mark is: MLS / Low (Low-High).
In the application, you can use the system call. For the /usr/src/sys/sys/mac.h file #ifndef _kernel this block provided in this block, it is worth noting that some interface parameters in Man Page are The return value type is incorrect, please be based on the type in the mac.h file.
Below is a few most commonly used functions:
Mac_get_proc, mac_get_file usage:
Struct Mac MYMAC;
Char ss [60] = "mls";
mymac.m_string = ss;
mymac.m_bufflen = 60;
Mac_get_proc (& mymac);
Mac_get_file ("/ tmp / test", & mymac);
Mac_set_proc, mac_set_file usage:
Struct Mac MYMAC;
mymac.m_string = "mls / high";
mymac.m_bufflen = Strlen (mymac.m_string);
Mac_set_proc (& mymac);
Mac_set_file ("/ tmp / test", & mymac);
1.5 Summary Since the FreeBSD 5.0RC2 version has just begun to informally support Mac, for ordinary users, it is necessary to actually use it, and the work to do is more cumbersome. For MLS strategies, there are many places worthy, such as existing MLS policies do not support users setup MAC tags, and the subject is too much time limit, and MLS does not support trusted process, etc. It is necessary to improve the next version.
In use, from my personal experience, it is not easy to use. Of course, this problem cannot be complete, the MLS strategy has caused ease of use to reduce the facts, I believe that after a period of development, I will eventually give us a satisfactory answer. But I don't hide jade, open MLS, look at the MAC framework, it should be said to be a perfect design: good structure, clear logic, very simple interface, these advantages should be, you can give every intention A big surprise. Even the MLS policy is implemented as a KLD module, it is very easy to modify and expand it. I believe that after a period of time, the MLS module will become our surprise. If you are interested in understanding the implementation of the Mac framework and MLS strategy, please read it down.
About the author Yi Xiaodong, Male, National Defense Technology University in the study direction is a safe operating system. You can contact him by email yi_xiao_dong@sohu.com.