From shazalive at gmail.com Sun Jun 5 02:02:14 2011
From: shazalive at gmail.com (Shaz)
Date: Sun, 5 Jun 2011 05:02:14 +0500
Subject: [rsbac] RSBAC Object Managers

Dear all,

I am switching from SELinux to RSBAC and wanted to check what features RSBAC covers. I could not find any dbus object manager for RSBAC; I found something for Apache.

Can you please list the object managers/enforcers available for RSBAC? In case work has not progressed much, I think it will not be difficult to reuse the SELinux userspace object managers for RSBAC. What are your opinions?

Thanks.

--
Shahbaz Khan

From tazok.id0 at gmail.com Sun Jun 5 11:31:10 2011
From: tazok.id0 at gmail.com (Javier Juan Martínez Cabezón)
Date: Sun, 5 Jun 2011 11:31:10 +0200
Subject: [rsbac] RSBAC Object Managers

RSBAC is a framework; you can create a policy for dbus with RC.

2011/6/5 Shaz
> Dear all,
>
> I am switching from SELinux to RSBAC and wanted to check what features
> RSBAC covers. I could not find any dbus object manager for RSBAC; I found
> something for Apache.
>
> Can you please list the object managers/enforcers available for RSBAC? In
> case work has not progressed much, I think it will not be difficult to
> reuse the SELinux userspace object managers for RSBAC. What are your
> opinions?
>
> Thanks.
>
> --
> Shahbaz Khan

From shazalive at gmail.com Sun Jun 5 11:54:20 2011
From: shazalive at gmail.com (Shaz)
Date: Sun, 5 Jun 2011 14:54:20 +0500
Subject: [rsbac] RSBAC Object Managers

2011/6/5 Javier Juan Martínez Cabezón
> RSBAC is a framework; you can create a policy for dbus with RC.

I mean, can dbus, the database server and the httpd server act as part of the AEF?

RC is similar to DTE or TE of SELinux.

--
Shahbaz Khan
R&D Engineer, Tactical Engineering and Consultancy.
http://shazkhan.wordpress.com/
http://pk.linkedin.com/pub/shahbaz-khan/20/116/b49
http://imsciences.edu.pk/serg/
http://csrdu.org/
+92-91-332-9915828

From shazalive at gmail.com Sun Jun 5 14:44:01 2011
From: shazalive at gmail.com (Shaz)
Date: Sun, 5 Jun 2011 17:44:01 +0500
Subject: [rsbac] Decision Module in Userspace

Dear all,

Can a decision module be implemented in userspace? Certain high-level software components should not depend on the legacy kernel, as this impacts the overall performance of the system. RSBAC, being a framework, could be extended, but I am not sure whether any work has already been done on this. For instance, if I want a web framework (e.g. Django) to use RSBAC's security, then it would not be a good idea to use the in-kernel decision modules.

We can also say that such enforcement requirements should be dealt with irrespective of RSBAC and secured by the kernel-based modules. Such general frameworks for access control are usually not available to userspace unless one uses an application framework with such implementations. Some clarity of thought is required here.

Thanks.

--
Shahbaz Khan
R&D Engineer, Tactical Engineering and Consultancy.
http://shazkhan.wordpress.com/
http://pk.linkedin.com/pub/shahbaz-khan/20/116/b49
http://imsciences.edu.pk/serg/
http://csrdu.org/
+92-91-332-9915828

From igraltist at rsbac.org Sun Jun 5 17:12:01 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Sun, 05 Jun 2011 17:12:01 +0200
Subject: [rsbac] Decision Module in Userspace
Message-ID: <1307286721.3930.18.camel@jaschtschik-pc>

Hi,

a point on your Django framework.
Why not use RSBAC to secure the web framework?
As far as I understand, for daily use I would not need an additional module in userspace.
I would analyse what files and directories are directly affected by it, if Django runs under its own user, and start to build RC roles and RC types. Then a net template and other small things.
Now, why should I build RC roles first, so that a userspace software gets an RC role again to obtain its limitation?
If I lifted the decision to userspace, so that a software can ask whether the subject has the correct rights to the object, by what would the data have to be protected? If the data must be stored again in the main place, rsbac.dat on every mountpoint, then there is no reason to build more software to lift the decision to userspace.

Regards,
Jens

On Sunday, 05.06.2011, 17:44 +0500, Shaz wrote:
> Dear all,
>
> Can a decision module be implemented in userspace? Certain high-level
> software components should not depend on the legacy kernel, as this impacts
> the overall performance of the system. RSBAC, being a framework, could be
> extended, but I am not sure whether any work has already been done on this.
> For instance, if I want a web framework (e.g. Django) to use RSBAC's
> security, then it would not be a good idea to use the in-kernel decision
> modules.
>
> We can also say that such enforcement requirements should be dealt with
> irrespective of RSBAC and secured by the kernel-based modules. Such general
> frameworks for access control are usually not available to userspace
> unless one uses an application framework with such implementations. Some
> clarity of thought is required here.
>
> Thanks.
>

From shazalive at gmail.com Sun Jun 5 17:31:36 2011
From: shazalive at gmail.com (Shaz)
Date: Sun, 5 Jun 2011 20:31:36 +0500
Subject: [rsbac] Decision Module in Userspace
In-Reply-To: <1307286721.3930.18.camel@jaschtschik-pc>
References: <1307286721.3930.18.camel@jaschtschik-pc>

On Sun, Jun 5, 2011 at 8:12 PM, Jens Kasten wrote:
> Hi,
>
> a point on your Django framework.
> Why not use RSBAC to secure the web framework?
> As far as I understand, for daily use I would not need an additional
> module in userspace.
> I would analyse what files and directories are directly affected by it,
> if Django runs under its own user, and start to build RC roles and
> RC types. Then a net template and other small things.
> Now, why should I build RC roles first, so that a userspace software gets
> an RC role again to obtain its limitation?
> If I lifted the decision to userspace, so that a software can ask whether
> the subject has the correct rights to the object, by what would the data
> have to be protected? If the data must be stored again in the main place,
> rsbac.dat on every mountpoint, then there is no reason to build more
> software to lift the decision to userspace.
>

What if we are thinking inside Django, and of the objects of Django, not looking at Django from outside? Not the resources from the kernel/OS point of view.

Another example would be the elements of Django in the file and not just the file. Granularity with respect to Django.

Thanks.

--
Shahbaz Khan
R&D Engineer, Tactical Engineering and Consultancy.
http://shazkhan.wordpress.com/
http://pk.linkedin.com/pub/shahbaz-khan/20/116/b49
http://imsciences.edu.pk/serg/
http://csrdu.org/
+92-91-332-9915828

From shazalive at gmail.com Sun Jun 5 17:48:33 2011
From: shazalive at gmail.com (Shaz)
Date: Sun, 5 Jun 2011 20:48:33 +0500
Subject: [rsbac] Decision Module in Userspace
References: <1307286721.3930.18.camel@jaschtschik-pc>

On Sun, Jun 5, 2011 at 8:31 PM, Shaz wrote:
>
> On Sun, Jun 5, 2011 at 8:12 PM, Jens Kasten wrote:
>
>> Hi,
>>
>> a point on your Django framework.
>> Why not use RSBAC to secure the web framework?
>> As far as I understand, for daily use I would not need an additional
>> module in userspace.
>> I would analyse what files and directories are directly affected by it,
>> if Django runs under its own user, and start to build RC roles and
>> RC types. Then a net template and other small things.
>> Now, why should I build RC roles first, so that a userspace software gets
>> an RC role again to obtain its limitation?
>> If I lifted the decision to userspace, so that a software can ask whether
>> the subject has the correct rights to the object, by what would the data
>> have to be protected? If the data must be stored again in the main place,
>> rsbac.dat on every mountpoint, then there is no reason to build more
>> software to lift the decision to userspace.
>>
>
> What if we are thinking inside Django, and of the objects of Django, not
> looking at Django from outside? Not the resources from the kernel/OS point
> of view.
>
> Another example would be the elements of Django in the file and not just
> the file. Granularity with respect to Django.
>
> Thanks.
>

Subjects and objects at the kernel layer are definitely controlled by RSBAC. Then we have subjects and objects of applications that run on frameworks like Django, Java and Python. Is it a good idea to use or extend RSBAC at the application layer? Or do we just simply stack the access control at both layers?

This seems easy with respect to DAC, but when we move to something like MAC (the RC model) this gets confusing. The confusion can be further magnified when information flows, or objects are distributed, from an application context through the kernel/system context to another application context. Some sort of administration would be required to manage cross-context attributes of subjects and objects.

I hope this is making sense.

Thanks!

--
Shahbaz Khan
R&D Engineer, Tactical Engineering and Consultancy.
http://shazkhan.wordpress.com/
http://pk.linkedin.com/pub/shahbaz-khan/20/116/b49
http://imsciences.edu.pk/serg/
http://csrdu.org/
+92-91-332-9915828

From shazalive at gmail.com Sun Jun 5 21:02:43 2011
From: shazalive at gmail.com (Shaz)
Date: Mon, 6 Jun 2011 00:02:43 +0500
Subject: [rsbac] RSBAC Object Managers

On Sun, Jun 5, 2011 at 2:54 PM, Shaz wrote:
>
> 2011/6/5 Javier Juan Martínez Cabezón
>
>> RSBAC is a framework; you can create a policy for dbus with RC.
>>
>
> I mean, can dbus, the database server and the httpd server act as part of
> the AEF?
>
> RC is similar to DTE or TE of SELinux.
>

For clarity of this thread and the one named "Decision Module in Userspace", I provide the following link:

http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

Thanks.

--
Shahbaz Khan
R&D Engineer, Tactical Engineering and Consultancy.
http://shazkhan.wordpress.com/
http://pk.linkedin.com/pub/shahbaz-khan/20/116/b49
http://imsciences.edu.pk/serg/
http://csrdu.org/
+92-91-332-9915828

From kang at insecure.ws Mon Jun 6 01:42:59 2011
From: kang at insecure.ws (kang)
Date: Mon, 06 Jun 2011 01:42:59 +0200
Subject: [rsbac] Decision Module in Userspace / RSBAC Object Managers
Message-ID: <4DEC1483.9070702@insecure.ws>

Hi,

This is, I hope, some kind of reply to both of your questions.

There is an RSBAC Apache module that lets the Apache workers switch to a compatible "virtualhost role" to be able to access a specific virtual host and serve the request (with the Apache prefork MPM). The worker is then reset to a "worker main" role by the master (the worker "virtual host role" is not allowed to switch back itself) when its task is finished, ensuring that a request served for one virtual host cannot access another virtual host.

The worker processes therefore have lesser rights than the master Apache process (generally, they can just read data for the virtual host they have to serve, basically; of course, there's a little bit more than that necessary).

This means that for such modules, where you want to have some kind of "decision control", a user-space module is not always necessary.

Please note that the RSBAC example works for the RC module (it also has some JAIL module support that is similar).

For your application, you might want to achieve something similar. RSBAC RC is flexible enough for you to be able to do this without any extra kernel code or loading a special module from user space, just using available functionality.

Should you, nevertheless, want to create your own RSBAC module, you can start by using the REG facility to register your own module at runtime, which could load stuff from user space (of course, the safety of the decision from your module is entirely up to you then).

See:
http://www.rsbac.org/documentation/mod_rsbac
http://www.rsbac.org/documentation/rsbac_handbook/architecture_implementation/framework_components/runtime_registration

From ao at rsbac.org Tue Jun 7 12:40:28 2011
From: ao at rsbac.org (Amon Ott)
Date: Tue, 7 Jun 2011 12:40:28 +0200
Subject: [rsbac] Decision Module in Userspace
Message-ID: <201106071240.29067.ao@rsbac.org>

On Sunday 05 June 2011 Shaz wrote:
> On Sun, Jun 5, 2011 at 8:31 PM, Shaz wrote:
> > On Sun, Jun 5, 2011 at 8:12 PM, Jens Kasten wrote:
> >> Hi,
> >>
> >> a point on your Django framework.
> >> Why not use RSBAC to secure the web framework?
> >> As far as I understand, for daily use I would not need an additional
> >> module in userspace.
> >> I would analyse what files and directories are directly affected by it,
> >> if Django runs under its own user, and start to build RC roles and
> >> RC types. Then a net template and other small things.
> >> Now, why should I build RC roles first, so that a userspace software
> >> gets an RC role again to obtain its limitation?
> >> If I lifted the decision to userspace, so that a software can ask
> >> whether the subject has the correct rights to the object, by what would
> >> the data have to be protected? If the data must be stored again in the
> >> main place, rsbac.dat on every mountpoint, then there is no reason to
> >> build more software to lift the decision to userspace.
> >
> > What if we are thinking inside Django, and of the objects of Django, not
> > looking at Django from outside? Not the resources from the kernel/OS
> > point of view.
> >
> > Another example would be the elements of Django in the file and not just
> > the file. Granularity with respect to Django.
>
> Subjects and objects at the kernel layer are definitely controlled by
> RSBAC. Then we have subjects and objects of applications that run on
> frameworks like Django, Java and Python. Is it a good idea to use or
> extend RSBAC at the application layer? Or do we just simply stack the
> access control at both layers?
>
> This seems easy with respect to DAC, but when we move to something like
> MAC (the RC model) this gets confusing. The confusion can be further
> magnified when information flows, or objects are distributed, from an
> application context through the kernel/system context to another
> application context. Some sort of administration would be required to
> manage cross-context attributes of subjects and objects.
>
> I hope this is making sense.

In general for RSBAC, everything that is security relevant for the whole system must be inside the kernel if ever possible. This has been an important design decision. The only necessary exception so far has been with the DAZ module and on-access scanning. The scanners are too dangerous to run in the kernel, but RSBAC decides what is to be scanned and what to do with the scanner results. Additionally, all accesses by the scanner are fully access controlled.

In my opinion, there are two things that could be moved into user space:

1. decision modules
2. subject and object labelling (when not identifiable by the kernel)

1. I believe that decision modules should not be in user space, because user space can be tampered with and thus endanger the whole access control system that relies on them. Additionally, I had the opportunity to follow the Medusa DS9 project, which had severe performance and stability problems with that approach, mostly caused by context switches and deadlocks on resources. My own benchmarks with DAZ result caching also showed that the context switch penalty is huge.

This said, you can of course quite easily write a REG kernel module as an interface to a user space decision daemon.

2. User space programs could ask RSBAC decision modules for decisions like "RC: may role n access FD type m?" and act accordingly. E.g. dbus could put labels on its connections and enforce the decisions coming down from the kernel. However, this means that dbus must be trusted completely for access control.

My preferred approach is to control the IPC flow between dbus and other processes from outside at kernel level. Then, we could try to have additional control inside dbus over information flow between certain dbus clients. Always try to have more than one layer of control.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

From tazok.id0 at gmail.com Thu Jun 9 17:29:42 2011
From: tazok.id0 at gmail.com (Javier Juan Martínez Cabezón)
Date: Thu, 9 Jun 2011 17:29:42 +0200
Subject: [rsbac] IDS module to rsbac

Hi, here is an idea for a possible new ADF module, to be included between "Planned for possible future inclusion" and "Planned once we finished building a human cloning machine" in the roadmap.

What do you think about a host intrusion detection module in RSBAC? I think it could be done and work in a similar way as the DAZ module works.
Getting the hash integrity table into ring 0, I suppose, could make the HIDS job more trusted. If you like the idea, here you have an idea about its possible future name: module IDS :-)

This would add a feature that no other MAC framework has.

What do you think?

From igraltist at rsbac.org Wed Jun 22 09:17:33 2011
From: igraltist at rsbac.org (Jens Kasten)
Date: Wed, 22 Jun 2011 09:17:33 +0200
Subject: [rsbac] kernel bug
Message-ID: <1308727053.22341.7.camel@jaschtschik-pc>

Hi list,

I am trying kernel 2.6.32.41. My setup is a guest under qemu-kvm. I use cryptsetup with LVM. The root partition is on ext4.
The kernel bug and config are appended.

Regards,
Jens

-------------- next part --------------
A non-text attachment was scrubbed...
Name: config-2.6.32.41-rsbac-4
Type: text/x-mpsub
Size: 34056 bytes
Desc: not available
-------------- next part --------------
Asking all remaining processes to terminate...[ 267.362509] BUG: soft lockup - CPU#2 stuck for 61s! [ssh]
[ 267.362509] Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc loop [last unloaded: scsi_wait_sca]
[ 267.362509]
[ 267.362509] Pid: 964, comm: sshd Not tainted (2.6.32.41-rsbac-4 #5) Bochs
[ 267.362509] EIP: 0060:[] EFLAGS: 00000297 CPU: 2
[ 267.362509] EIP is at __read_lock_failed+0x5/0x10
[ 267.362509] EAX: c13b2980 EBX: f6910940 ECX: 0000000f EDX: 000000bf
[ 267.362509] ESI: f6910940 EDI: f6910800 EBP: 00000000 ESP: f6b53c88
[ 267.362509] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 267.362509] CR0: 80050033 CR2: b76cb050 CR3: 0143f000 CR4: 00000690
[ 267.362509] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 267.362509] DR6: ffff0ff0 DR7: 00000400
[ 267.362509] Call Trace:
[ 267.362509] [] ? _read_lock+0xb/0x10
[ 267.362509] [] ? do_tty_hangup+0xd7/0x350
[ 267.362509] [] ? tty_release_dev+0x113/0x4f0
[ 267.362509] [] ? dput+0x82/0x120
[ 267.362509] [] ? remove_vma+0x37/0x50
[ 267.362509] [] ? free_pipe_info+0xe/0x20
[ 267.362509] [] ? d_kill+0x46/0x60
[ 267.362509] [] ? d_kill+0x46/0x60
[ 267.362509] [] ? d_kill+0x46/0x60
[ 267.362509] [] ? tty_release+0xf/0x20
[ 267.362509] [] ? __fput+0xc7/0x1c0
[ 267.362509] [] ? filp_close+0x25b/0x590
[ 267.362509] [] ? remove_vma+0x37/0x50
[ 267.362509] [] ? dput+0x82/0x120
[ 267.362509] [] ? remove_vma+0x37/0x50
[ 267.362509] [] ? dput+0x82/0x120
[ 267.362509] [] ? remove_vma+0x37/0x50
[ 267.362509] [] ? dput+0x82/0x120
[ 267.362509] [] ? remove_vma+0x37/0x50
[ 267.362509] [] ? remove_vma+0x37/0x50
[ 267.362509] [] ? put_files_struct+0x94/0xc0
[ 267.362509] [] ? do_exit+0x107/0x740
[ 267.362509] [] ? user_path_at+0x4b/0x80
[ 267.362509] [] ? user_path_at+0x4b/0x80
[ 267.362509] [] ? user_path_at+0x4b/0x80
[ 267.362509] [] ? do_group_exit+0x3c/0xb0
[ 267.362509] [] ? sys_exit_group+0x11/0x20
[ 267.362509] [] ? sysenter_do_call+0x12/0x2c
[ 267.364492] BUG: soft lockup - CPU#3 stuck for 61s! [rsyslogd:793]
[ 267.364492] Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc loop [last unloaded: scsi_wait_sca]
[ 267.364492]
[ 267.364492] Pid: 793, comm: rsyslogd Not tainted (2.6.32.41-rsbac-4 #5) Bochs
[ 267.364492] EIP: 0060:[] EFLAGS: 00000297 CPU: 3
[ 267.364492] EIP is at __read_lock_failed+0x3/0x10
[ 267.364492] EAX: c13b2980 EBX: f694d100 ECX: f6b7dcf4 EDX: 00000025
[ 267.364492] ESI: f6b7dcf4 EDI: f6add280 EBP: 0000000f ESP: f6b7dafc
[ 267.364492] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 267.364492] CR0: 8005003b CR2: f848e0c4 CR3: 37381000 CR4: 00000690
[ 267.364492] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 267.364492] DR6: ffff0ff0 DR7: 00000400
[ 267.364492] Call Trace:
[ 267.364492] [] ? _read_lock+0xb/0x10
[ 267.364492] [] ? get_attribute_value_name+0xfe/0x3a0
[ 267.364492] [] ? rsbac_get_full_path+0x1cb/0x1f0
[ 267.364492] [] ? rsbac_adf_request_int+0x1104/0x22d0
[ 267.364492] [] ? rsbac_adf_set_attr+0x1452/0x2a50
[ 267.364492] [] ? __pollwait+0x0/0xf0
[ 267.364492] [] ? skb_dequeue+0x47/0x70
[ 267.364492] [] ? skb_queue_purge+0x14/0x20
[ 267.364492] [] ? __kfree_skb+0xf/0x90
[ 267.364492] [] ? skb_free_datagram+0xa/0x30
[ 267.364492] [] ? skb_free_datagram+0xa/0x30
[ 267.364492] [] ? __sock_recvmsg+0x1f9/0x5c0
[ 267.364492] [] ? rsbac_adf_set_attr+0x1452/0x2a50
[ 267.364492] [] ? rsbac_adf_set_attr+0x1452/0x2a50
[ 267.364492] [] ? rsbac_adf_set_attr+0x1452/0x2a50
[ 267.364492] [] ? pvclock_clocksource_read+0x5d/0x170
[ 267.364492] [] ? sock_recvmsg+0xa3/0xd0
[ 267.364492] [] ? autoremove_wake_function+0x0/0x40
[ 267.364492] [] ? pvclock_clocksource_read+0xfe/0x170
[ 267.364492] [] ? sockfd_lookup_light+0x1b/0x70
[ 267.364492] [] ? sys_recvfrom+0xd7/0x160
[ 267.364492] [] ? do_signal+0x93/0xa30
[ 267.364492] [] ? do_futex+0x5d5/0xa70
[ 267.364492] [] ? sys_recv+0x37/0x40
[ 267.364492] [] ? sys_socketcall+0x189/0x270
[ 267.364492] [] ? sys_select+0x40/0xc0
[ 267.364492] [] ? sysenter_do_call+0x12/0x2c
[ 267.371652] BUG: soft lockup - CPU#0 stuck for 61s! [acpid:846]
[ 267.371652] Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc loop [last unloaded: scsi_wait_sca]
[ 267.371652]
[ 267.371652] Pid: 846, comm: acpid Not tainted (2.6.32.41-rsbac-4 #5) Bochs
[ 267.371652] EIP: 0060:[] EFLAGS: 00000297 CPU: 0
[ 267.371652] EIP is at __read_lock_failed+0x5/0x10
[ 267.371652] EAX: c13b2980 EBX: 00040006 ECX: f693c944 EDX: 00000004
[ 267.371652] ESI: f6bbaac0 EDI: f64b7f04 EBP: f6bcaa00 ESP: f64b7e8c
[ 267.371652] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 267.371652] CR0: 8005003b CR2: f848e0c4 CR3: 36b0d000 CR4: 00000690
[ 267.371652] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 267.371652] DR6: ffff0ff0 DR7: 00000400
[ 267.371652] Call Trace:
[ 267.371652] [] ? _read_lock+0xb/0x10
[ 267.371652] [] ? get_signal_to_deliver+0x326/0x3e0
[ 267.371652] [] ? find_get_page+0x19/0x90
[ 267.371652] [] ? do_signal+0x93/0xa30
[ 267.371652] [] ? handle_mm_fault+0x23f/0xb50
[ 267.371652] [] ? sys_send+0x37/0x40
[ 267.371652] [] ? sys_select+0x40/0xc0
[ 267.371652] [] ? do_notify_resume+0x38/0x60
[ 267.371652] [] ? work_notifysig+0x13/0x1b
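Added example, not code from RSBAC or from any poster in this thread: a small Python model of the two designs discussed in the "Decision Module in Userspace" messages above. Part (a) follows kang's description of the Apache module (a worker switches itself into a compatible per-virtual-host role that it cannot leave on its own, and the master resets it to the "worker main" role afterwards). Part (b) follows Amon Ott's second option (a dbus-like daemon labelling connections the kernel cannot see and asking the policy "may role n access type m?"). The RCPolicy and Process classes and every role, type and right name are invented for the illustration; RSBAC's real RC attribute layout and system call interface are not modelled.

```python
"""Toy model of RSBAC RC-style decisions for the two cases discussed above.

Added illustration, not RSBAC code. Part (a) models kang's Apache scheme:
a worker enters a per-virtual-host role it cannot leave, the master resets
it. Part (b) models Amon Ott's second option: a user-space manager labels
objects the kernel cannot see and asks the policy. All names are invented.
"""
from dataclasses import dataclass

READ, SEND = "READ", "SEND"


class RCDenied(PermissionError): pass  # where the kernel answers NOT_GRANTED


@dataclass
class RCPolicy:
    rights: dict      # role -> object type -> set of rights
    compatible: dict  # role -> roles a process may switch ITSELF into
    assignable: dict  # role -> roles it may force onto ANOTHER process

    def decide(self, role, obj_type, right):
        """The question a kernel module or a trusted daemon asks the policy."""
        return right in self.rights.get(role, {}).get(obj_type, set())

    def may_switch(self, cur, target):
        return target in self.compatible.get(cur, set())

    def may_assign(self, actor, target):
        return target in self.assignable.get(actor, set())


@dataclass
class Process:
    name: str
    role: str


def change_role(policy, proc, target):
    """Voluntary role change by the process itself."""
    if not policy.may_switch(proc.role, target):
        raise RCDenied(f"{proc.name}: {proc.role} -> {target}")
    proc.role = target


def assign_role(policy, actor, victim, target):
    """Role change forced on another process (master resetting a worker)."""
    if not policy.may_assign(actor.role, target):
        raise RCDenied(f"{actor.name} may not set {victim.name} to {target}")
    victim.role = target


def apache_policy():
    """Invented policy: master, neutral worker role, one role per vhost."""
    return RCPolicy(
        rights={
            "apache_master": {"apache_config": {READ}},
            "vhost_a_role": {"vhost_a_data": {READ}},
            "vhost_b_role": {"vhost_b_data": {READ}},
            "bus_client_a": {"bus_conn_a": {SEND}},
        },
        # worker_main may enter a vhost role; vhost roles have no exits
        compatible={"apache_worker_main": {"vhost_a_role", "vhost_b_role"}},
        # only the master may put a worker back into worker_main
        assignable={"apache_master": {"apache_worker_main",
                                      "vhost_a_role", "vhost_b_role"}},
    )


def serve_vhost_request(policy, master, worker, vhost):
    """One request cycle; reports what the worker could and could not do."""
    other = "b" if vhost == "a" else "a"
    change_role(policy, worker, f"vhost_{vhost}_role")       # worker switches in
    served = policy.decide(worker.role, f"vhost_{vhost}_data", READ)
    cross = policy.decide(worker.role, f"vhost_{other}_data", READ)
    escape = (policy.may_switch(worker.role, "apache_worker_main")
              or policy.may_switch(worker.role, f"vhost_{other}_role"))
    assign_role(policy, master, worker, "apache_worker_main")  # master resets
    return {"served": served, "cross_vhost_read": cross,
            "self_escape": escape, "final_role": worker.role}


class UserSpaceObjectManager:
    """dbus-like daemon enforcing decisions on objects only it can see.
    It must be trusted completely for this (Amon Ott's caveat); the kernel
    still controls the IPC between daemon and clients from outside."""

    def __init__(self, policy):
        self.policy = policy
        self.labels = {}  # connection id -> object type

    def label(self, conn_id, obj_type):
        self.labels[conn_id] = obj_type

    def deliver(self, sender, conn_id):
        obj_type = self.labels.get(conn_id)
        if obj_type is None:
            return False  # unlabelled object: default deny
        return self.policy.decide(sender.role, obj_type, SEND)
```

Calling serve_vhost_request(apache_policy(), Process("m", "apache_master"), Process("w", "apache_worker_main"), "a") returns served True, cross_vhost_read False, self_escape False and final_role "apache_worker_main". The model makes the invariant kang relies on explicit: the vhost role has an empty set of compatible roles, so the worker cannot move itself anywhere, and only the master's assign_role returns it to the neutral role. In the user-space part the daemon defaults to deny for connections it never labelled, which is the failure mode to get right when the enforcement point lives outside the kernel.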