SE Linux Secret 2


Secrets of SE Linux, Part 2: An in-depth look at the code of the NSA's security-enhanced version of Linux

Larry Loeb (larryloeb@prodigy.net), author, Secure Electronic Transactions. March 2001

The US National Security Agency (NSA), unusually, released a security-enhanced version of Linux, code and all, to the open source community. This installment of the developerWorks special looks more deeply at the code, analyzing how security_av is computed and examining how other SE Linux security features work.

The larvae, gravel and code

Let's take a look at some of the C code in the SE Linux distribution and check the implementation details of the security enhancements.

Let us start from the beginning. In the distribution, include/linux/flask/flask_types.h is a header file containing the basic Flask types and constants. It is excerpted here:

/*
 * The security context type
 * is defined as a variable-length string that can be
 * interpreted by any application or user.
 */
typedef char* security_context_t;

/*
 * A security identifier (SID) is a fixed-size value
 * that is mapped by the security server to a
 * particular security context.
 */
typedef __u32 security_id_t;
#define SECSID_NULL 0x00000000 /* unspecified SID */
#define SECSID_WILD 0xFFFFFFFF /* wildcard SID */

/*
 * Each object class is identified by a fixed-size value.
 */
typedef __u16 security_class_t;
#define SECCLASS_NULL 0x0000 /* no class */

/*
 * A persistent security identifier (PSID) is a fixed-size
 * value that is assigned by the file system component
 * to each security context associated with an object
 * in the file system.
 */
typedef __u32 psid_t;
struct psidtab;

/*
 * An access vector (AV) is a collection of related permissions
 * for a pair of SIDs.
 */
typedef __u32 access_vector_t;

In kernel/flask/access_vectors, we find the structures that further define the security server's AVs:

class security
{
    compute_av
    notify_perm
    transition_sid
    member_sid
    sid_to_context
    context_to_sid
    load_policy
    get_sids
    register_avc
    change_sid
}

There is a similar AV for processes:

class process
{
    execute
    fork
    transition
    sigchld
    sigkill
    sigstop
    signal
    ptrace
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    entrypoint
}

The AVs for file objects have the following structure:

class filesystem
{
    mount
    remount
    unmount
    getattr
    relabelfrom
    relabelto
    transition
    associate
}

class dir
inherits file
{
    add_name
    remove_name
    reparent
    search
    rmdir
    mounton
    mountassociate
}

Now that we have seen the AV declarations, let's take a look at the code that computes AVs in the security server. Remember: the kernel calls the AVC, and when there is no cache hit, the AVC calls the security server.

This code snippet is a minimal implementation that provides a single SID and grants all permissions. That is not very safe. In this piece of code, the AV is computed and a SID is generated. Note that ssid is the source SID and tsid is the target SID. Because I added some comments, I spoiled the original's clean formatting.

That is how it stands. It may be the simplest case, and it is not very useful. If you want to see what adding RBAC, TE and MLS involves, check the code in kernel/security/services.c.

How do security calls work in SE Linux? For that, see the code sample and outline call_security.c in the release, which includes code snippets and comments. For brevity, I have left out the sanity-check functions that appear before the main menu options.

The code sample is similar to the code snippet, but it comes from the checkpolicy program mentioned in the previous article (see Resources). It shows the code that calls the other security functions and needs no further description. The checkpolicy program contains a complete copy of the security server code; running that copy allows you to: (1) test and debug in user space, (2) check the policy before boot, and (3) compile the policy into its binary representation.

This brief example illustrates just one of the calls that can be used. The kernel access vector cache calls security_compute_av from avc_has_perm_ref_audit in kernel/include/linux/flask/avc.h. In turn, avc_has_perm_ref_audit is called by an object manager, for example in the do_link function in kernel/fs/namei.c. Together these show how the kernel calls the AVC and how the AVC calls the security server (when there is a cache miss).
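The call chain described above (an object manager asks the AVC, and the AVC asks the security server only on a cache miss), together with the grant-everything minimal server, as an added sketch that is not code from the SE Linux distribution. All toy_* names, the class and permission bit values and the two-rule policy are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t security_id_t;    /* stands in for the kernel's __u32 */
typedef uint16_t security_class_t; /* stands in for the kernel's __u16 */
typedef uint32_t access_vector_t;

#define SECCLASS_PROCESS 2u   /* constructed value, not the real constant */
#define PROCESS_SIGNAL   0x1u /* constructed permission bits */
#define PROCESS_PTRACE   0x2u
#define AVC_SLOTS        8

struct avc_entry {
    int valid;
    security_id_t ssid, tsid;
    security_class_t tclass;
    access_vector_t allowed;
};
static struct avc_entry avc[AVC_SLOTS];
static unsigned server_calls; /* one per cache miss */
static int permissive_server; /* 1 = minimal server that grants everything */

/* Toy security server: compute the allowed AV for (ssid, tsid, tclass). */
static access_vector_t toy_compute_av(security_id_t ssid, security_id_t tsid,
                                      security_class_t tclass)
{
    (void)tclass;
    server_calls++;
    if (permissive_server)
        return 0xFFFFFFFFu; /* every permission bit set: no enforcement */
    /* Constructed policy: ptrace only within the same SID, signal anywhere. */
    return ssid == tsid ? (PROCESS_SIGNAL | PROCESS_PTRACE) : PROCESS_SIGNAL;
}

/* Toy AVC: answer from the cache, ask the server only on a miss. */
int toy_avc_has_perm(security_id_t ssid, security_id_t tsid,
                     security_class_t tclass, access_vector_t requested)
{
    struct avc_entry *e = &avc[(ssid ^ tsid ^ tclass) % AVC_SLOTS];
    if (!e->valid || e->ssid != ssid || e->tsid != tsid || e->tclass != tclass) {
        e->allowed = toy_compute_av(ssid, tsid, tclass);
        e->ssid = ssid; e->tsid = tsid; e->tclass = tclass; e->valid = 1;
    }
    return (requested & ~e->allowed) == 0 ? 0 : -1; /* 0 granted, -1 denied */
}

/* Switching policy must flush the cache, or stale grants would survive. */
void toy_avc_reset(int permissive)
{
    memset(avc, 0, sizeof avc);
    server_calls = 0;
    permissive_server = permissive;
}

unsigned toy_server_calls(void) { return server_calls; }
```

With the permissive flag set, every request is granted regardless of the SIDs, which is why the minimal server offers no protection.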

An application calls security_compute_av in the process_crontab function of utils/vixie-cron-3.0.1/database.c. This shows how an application calls the security server. The authors have said that they plan to provide an application AVC library so that applications can also cache security policy and use an interface in the style of the kernel's. This will greatly simplify programming; we can only hope that it appears as soon as possible.

Conclusion

Security-Enhanced Linux is very promising because it looks set to meet the need for a secure OS. Of course, much remains to be done before it reaches a practically usable form, but the open source community may well handle this.

This article examined some of the code inside, which shows how it works. Remember, these are only snippets extracted from the full distributed code. You should always consult the distribution site (see Resources) to make sure you get the latest version.

Acknowledgments

This article has been technically reviewed by qualified colleagues. They don't want me to name them in public. Still, they know who they are. Thank you.

Resources

With a commercial product called NetTop, the NSA is said to be replacing some physically separate computers.
There is a new 2.4.2-based SE Linux distribution on the website of the National Security Agency.
The SE Linux documents cover the design and implementation of the kernel security mechanisms, as well as the details of the security policy configuration.
The source code is available from the NSA site.

About the author

Larry Loeb was an editor of or contributor to many "Death Planens" computer magazines in the last century. He published a book about SET, the protocol developed by Visa and MasterCard for secure electronic transactions. You can contact him at larryloeb@prodigy.net; in most cases you will get a reply.
