[rsbac] First steps into using RSBAC (non-advanced)

Palon Setin palons at danwin1210.me
Sat Dec 15 18:33:00 CET 2018


PART 1

I would like to present here the first steps into using RSBAC,
as I have recently learned them. I'll try to put it together in
a couple of emails.

This will be no substitute for the documentation on
https://www.rsbac.org/documentation , very far from. But will be
a few hands-on *tips for less advanced users*.

The documentation at https://www.rsbac.org/documentation is
occasionally lacking, although in most cases minimally so. The
tips mostly still apply as they read, and more rarely there are
obsolete explanations and instructions, as well as some tips of
lesser importance seem to be missing. (Mind that the code is
being updated very actively, it's just the documentation that is
not.)

These will be just the first steps into using the Rule Set Based
Access Control. I have myself only begun using it. And exactly
because I'm fresh from learning these first steps, I'd like to
share my understanding and my freshly acquired knowhow.
Because...

Because I believe, as you will be able to read once you
rsbac-patch the latest kernel, and how to patch it I will show
you in this first email, and then you will be able to read it in
the kernel itself once you successfully patch it and issue "make
menuconfig" in it...  Because I believe the RSBAC provides some
real security to Linux. In the kernel sources you will be able
to browse and read:

 .config - Linux/x86 4.19.9 Kernel Configuration
 > Security options ------------------------------------------------
...
  | +------------------------------------------------------------- |
  | |      [*] Rule Set Based Access Control (RSBAC)  --->         |
...

 .config - Linux/x86 4.19.9 Kernel Configuration
 > Security options > Rule Set Based Access Control (RSBAC) --------
  +------------------------ Rule Set Based Access Control (RSBAC) -+
...

  | +------------------------------------------------------------- |
  | |      --- Rule Set Based Access Control (RSBAC)               |
  | |            General RSBAC options  --->                       |
  | |      [*]   User Management  --->                             |
  | |            RSBAC networking options  --->                    |
  | |            Decision modules (policy) options  --->           |
  | |            Softmode and switching  --->                      |
  | |            Logging  --->                                     |
  | |      [ ]   RSBAC symlink redirection                         |
  | |            Other RSBAC options  --->                         |
...

 .config - Linux/x86 4.19.9 Kernel Configuration
 > Security options > Rule Set Based Access Control (RSBAC) --------
  +------------------------ Rule Set Based Access Control (RSBAC) -+
  | CONFIG_RSBAC:                                                  |
  |                                                                |
  | RSBAC adds 'real' access control to the kernel. [...]          |

Because of that just above.

Because I am inclined to believe RSBAC may be well capable of
securing my Linux, which, as I get that kernel from upstream, is
not a truly secure OS by itself. I want to take my time to
learn how to secure my Debian Linux system with it, and also
show other users how to secure their Linuces, Debian or other
(mostly my tips apply to any flavor).

To be able to follow this guide which, if nothing comes in the
way, will be sent in a few emails to RSBAC mailing list, the
first step that needs to be done is downloading.

I'll assume you work in your homedir (but you can work anywhere
where you have the necessary privs to work).

Go to / or visit / or curl it / wget it / [other]:

https://download.rsbac.org/latestdiff/4.19/

and download:

rsbac-4.19.9-201812141230.diff.xz
rsbac-4.19.9-201812141230.diff.asc
(or whichever the latest version will be when you are
reading here)

And also:

https://download.rsbac.org/latestdiff/rsbac-admin/

and download:

rsbac-admin-1.5.3-201808141046.tar.xz
rsbac-admin-1.5.3-201808141046.asc
(or whichever the latest version will be when you are
reading here)

And also do (with the package mercurial installed):

$ hg clone https://bitbucket.org/igraltist/rsbac-tools

( "$" at start means the command is run as regular user, in many
Linuces that's the last char of the prompt in a terminal with
regular user )

Get the main RSBAC author's key:
$ gpg --recv-key ABDCA7EA1E514E8F

$ gpg --verify rsbac-admin-1.5.3-201808141046.asc \
    rsbac-admin-1.5.3-201808141046.tar.xz
gpg: Signature made Tue 14 Aug 2018 08:46:40 UTC
gpg:                using DSA key ABDCA7EA1E514E8F
gpg: Good signature from "Amon Ott <ao at rsbac.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 490F 77DB CAA6 61D8 A54D  C38B ABDC A7EA 1E51 4E8F

$ gpg --verify rsbac-4.19.9-201812141230.diff.asc \
    rsbac-4.19.9-201812141230.diff.xz
gpg: Signature made Fri 14 Dec 2018 11:30:29 UTC
gpg:                using DSA key 490F77DBCAA661D8A54DC38BABDCA7EA1E514E8F
gpg:                issuer "ao at rsbac.org"
gpg: Good signature from "Amon Ott <ao at rsbac.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 490F 77DB CAA6 61D8 A54D  C38B ABDC A7EA 1E51 4E8F
$

Proceed only if you've got "Good signature...".

Get the kernel source. Which one you would need for the patch
rsbac-4.19.9-201812141230.diff.xz?

You would need linux-4.19.9.tar.xz and linux-4.19.9.tar.sign.
But you're more likely to have a newer kernel by the time you
read this. The principles don't change so often however. These
instructions should be fit to follow for months or longer,
modified for the versions.

Get the kernel from (using your-browser/wget/curl/other):
https://www.kernel.org/pub/linux/kernel/v4.x/

The likelihood is you'll have to compile a newer kernel, and it
is also likely you'll want to keep recompiling RSBAC. So I'll
show you how I patched and compiled the kernel.

I did it first with reverse patching (with the same version
kernel patch) the kernel sources that I already had, and then
patching with the latest version (of the kernel patch) to get
effectively the latest kernel that the rsbac patch needs to be
applied onto. It'll be clear in a moment if it isn't yet.

This latter patch, the rsbac patch, is the main purpose and our
main interest here. The rsbac patch is the code (program text)
that patches the RSBAC into your kernel sources. It patches the
kernel to contain the RSBAC program, on top of all the code that
kernel already contains.

I'll show you how I patched, and then compiled, starting from
these (previously downloaded) archives (and one small newly
downloaded one, the patch-4.19.9.xz):

-rw-r--r-- 1 me me       989 2018-12-02 16:33 linux-4.19.5.tar.sign
-rw-r--r-- 1 me me 103116980 2018-11-27 14:20 linux-4.19.5.tar.xz
-rw-r--r-- 1 me me    226328 2018-12-02 19:13 patch-4.19.5.xz
-rw-r--r-- 1 me me    341724 2018-12-13 08:02 patch-4.19.9.xz
-rw-r--r-- 1 me me       216 2018-12-14 19:52 rsbac-4.19.9-201812141230.diff.asc
-rw-r--r-- 1 me me    373580 2018-12-14 19:52 rsbac-4.19.9-201812141230.diff.xz

and how I then patched the patched kernel with the rsbac patch
(which is also newly downloaded),

The linux-... and the patch-... files are from the
www.kernel.org link above, the rsbac from rsbac.org download
pages.

You will need this key for kernel compilations in the future
too, so fetch it:

$ gpg --recv-key  38DBBDC86092693E

$ unxz linux-4.19.5.tar.xz
$ gpg --verify linux-4.19.5.tar.sign linux-4.19.5.tar
gpg: Signature made Tue 27 Nov 2018 15:13:49 UTC
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg at kroah.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

This isn't strictly necessary, but I like to be able to any time
later verify the signature, so I like to keep the xz files
intact (except for the kernel, which verifies uncompressed tar).

$ cat patch-4.19.5.xz | unxz > patch-4.19.5
$ cat patch-4.19.9.xz | unxz > patch-4.19.9
$ cat rsbac-4.19.9-201812141230.diff.xz | unxz > rsbac-4.19.9-201812141230.diff

( Instead of the above, you surely can simply:
$ unxz patch-4.19.5.xz
$ unxz patch-4.19.9.xz
$ unxz rsbac-4.19.9-201812141230.diff.xz with same result. )

The untarring:

$ tar xf linux-4.19.5.tar

will get us entire kernel uncompressed archive in linux-4.19.5/
in current directory.

Since we need to first reverse-patch to get the 4.19 kernel, and then patch
that to get kernel 4.19.9, we will, upfront:

$ mv -iv linux-4.19.5/ linux-4.19.9/

$ cd linux-4.19.9/

And this is the magic (and it's also easy to find extensive tips
on kernel compiling on kernel.org, just use your search
engine...) that converts kernel you have (previously) downloaded
into the major version:

$ patch -R -p1 < ../patch-4.19.5

patching file Documentation/admin-guide/kernel-parameters.txt
patching file Documentation/filesystems/fscrypt.rst
patching file Documentation/filesystems/overlayfs.txt

(hundreds of lines cut here)

patching file tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-createremove.tc
patching file tools/testing/selftests/net/fib-onlink-tests.sh
patching file tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-gpr.c
patching file tools/testing/selftests/powerpc/tm/tm-tmspr.c
patching file virt/kvm/arm/arm.c
patching file virt/kvm/arm/mmu.c

( that makes our kernel into what you would get if you
downloaded linux-4.19.tar.xz )

and this is what will make it into a later version, in our case 4.19.9:
$ patch -p1 < ../patch-4.19.9

patching file Documentation/admin-guide/kernel-parameters.txt
patching file Documentation/admin-guide/security-bugs.rst
patching file Documentation/devicetree/bindings/net/can/holt_hi311x.txt
patching file Documentation/filesystems/fscrypt.rst

(hundreds of lines cut here)

patching file tools/power/cpupower/utils/helpers/amd.c
patching file tools/testing/nvdimm/test/nfit.c
patching file tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-createremove.tc
patching file tools/testing/selftests/net/fib-onlink-tests.sh
patching file tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-gpr.c
patching file tools/testing/selftests/powerpc/tm/tm-tmspr.c
patching file virt/kvm/arm/arm.c
patching file virt/kvm/arm/mmu.c

That gets us the same kernel as if we had downloaded
linux-4.19.9.tar.xz.

Now, and only now that the kernel is exactly effectively the
kernel that our RSBAC patch requires, we apply the RSBAC patch:

$ patch -p1 < ../rsbac-4.19.9-201812141230.diff

patching file Documentation/rsbac/COPYING
patching file Documentation/rsbac/Changes
patching file Documentation/rsbac/Credits
patching file Documentation/rsbac/INSTALL
patching file Documentation/rsbac/Interceptions-2.4
patching file Documentation/rsbac/Interceptions-2.6
patching file Documentation/rsbac/README
patching file Documentation/rsbac/README-kernparam
patching file Documentation/rsbac/README-nrlists
patching file Documentation/rsbac/README-patching
patching file Documentation/rsbac/README-proc
patching file Documentation/rsbac/README-reg
patching file MAINTAINERS
patching file Makefile
patching file arch/alpha/include/uapi/asm/unistd.h
patching file arch/alpha/kernel/asm-offsets.c
patching file arch/alpha/kernel/ptrace.c
patching file arch/arm/include/uapi/asm/unistd.h
patching file arch/arm/tools/syscall.tbl
patching file arch/ia64/include/uapi/asm/unistd.h
patching file arch/ia64/kernel/asm-offsets.c
patching file arch/ia64/kernel/entry.S
patching file arch/m68k/include/uapi/asm/unistd.h
patching file arch/m68k/kernel/syscalltable.S
patching file arch/mips/kernel/scall32-o32.S
patching file arch/mips/kernel/scall64-64.S
patching file arch/mips/kernel/scall64-o32.S
patching file arch/parisc/kernel/syscall_table.S
patching file arch/powerpc/include/asm/systbl.h
patching file arch/powerpc/include/uapi/asm/unistd.h
patching file arch/powerpc/kernel/asm-offsets.c
patching file arch/sh/include/uapi/asm/unistd_32.h
patching file arch/sh/include/uapi/asm/unistd_64.h
patching file arch/sh/kernel/syscalls_32.S
patching file arch/sh/kernel/syscalls_64.S
patching file arch/sparc/include/uapi/asm/unistd.h
patching file arch/sparc/kernel/ptrace_32.c
patching file arch/sparc/kernel/ptrace_64.c
patching file arch/sparc/kernel/systbls_32.S
patching file arch/sparc/kernel/systbls_64.S
patching file arch/x86/entry/syscalls/syscall_32.tbl
patching file arch/x86/entry/syscalls/syscall_64.tbl
patching file arch/x86/entry/syscalls/syscalltbl.sh
patching file arch/x86/kernel/ioport.c
patching file block/ioctl.c
patching file block/ioprio.c
patching file drivers/block/loop.c
patching file drivers/char/mem.c
patching file drivers/ide/ide-ioctls.c
patching file drivers/tty/sysrq.c
patching file drivers/tty/tty_io.c
patching file drivers/tty/tty_ioctl.c
patching file fs/dcache.c
patching file fs/exec.c
patching file fs/ext2/ioctl.c
patching file fs/ext2/namei.c
patching file fs/ext4/ioctl.c
patching file fs/ext4/namei.c
patching file fs/fat/namei_msdos.c
patching file fs/fat/namei_vfat.c
patching file fs/ioctl.c
patching file fs/jbd2/transaction.c
patching file fs/jfs/namei.c
patching file fs/locks.c
patching file fs/minix/namei.c
patching file fs/namei.c
patching file fs/namespace.c
patching file fs/open.c
patching file fs/pipe.c
patching file fs/proc/array.c
patching file fs/proc/base.c
patching file fs/proc/kcore.c
patching file fs/proc/proc_sysctl.c
patching file fs/proc_namespace.c
patching file fs/quota/quota.c
patching file fs/read_write.c
patching file fs/readdir.c
patching file fs/reiserfs/namei.c
patching file fs/reiserfs/xattr.c
patching file fs/stat.c
patching file fs/statfs.c
patching file fs/sysfs/file.c
patching file fs/utimes.c
patching file fs/xattr.c
patching file fs/xfs/xfs_iops.c
patching file include/linux/fs.h
patching file include/linux/mm_types.h
patching file include/linux/sched.h
patching file include/linux/sched/task.h
patching file include/rsbac/aci.h
patching file include/rsbac/aci_data_structures.h
patching file include/rsbac/acl.h
patching file include/rsbac/acl_data_structures.h
patching file include/rsbac/acl_getname.h
patching file include/rsbac/acl_types.h
patching file include/rsbac/adf.h
patching file include/rsbac/adf_main.h
patching file include/rsbac/adf_syshelpers.h
patching file include/rsbac/auth.h
patching file include/rsbac/auth_data_structures.h
patching file include/rsbac/cap_getname.h
patching file include/rsbac/daz.h
patching file include/rsbac/debug.h
patching file include/rsbac/error.h
patching file include/rsbac/fs.h
patching file include/rsbac/gen_lists.h
patching file include/rsbac/getname.h
patching file include/rsbac/helpers.h
patching file include/rsbac/hooks.h
patching file include/rsbac/jail.h
patching file include/rsbac/jail_getname.h
patching file include/rsbac/lists.h
patching file include/rsbac/log_cap.h
patching file include/rsbac/lsm.h
patching file include/rsbac/mac.h
patching file include/rsbac/mac_data_structures.h
patching file include/rsbac/net_getname.h
patching file include/rsbac/network.h
patching file include/rsbac/network_types.h
patching file include/rsbac/pax.h
patching file include/rsbac/pax_getname.h
patching file include/rsbac/proc_fs.h
patching file include/rsbac/rc.h
patching file include/rsbac/rc_data_structures.h
patching file include/rsbac/rc_getname.h
patching file include/rsbac/rc_types.h
patching file include/rsbac/reg.h
patching file include/rsbac/reg_main.h
patching file include/rsbac/repl_lists.h
patching file include/rsbac/repl_types.h
patching file include/rsbac/request_groups.h
patching file include/rsbac/res_getname.h
patching file include/rsbac/rkmem.h
patching file include/rsbac/syscall_rsbac.h
patching file include/rsbac/syscalls.h
patching file include/rsbac/types.h
patching file include/rsbac/udf.h
patching file include/rsbac/um.h
patching file include/rsbac/um_types.h
patching file include/rsbac/unistd-alpha.h
patching file include/rsbac/unistd-i386.h
patching file include/rsbac/unistd-ppc.h
patching file include/uapi/linux/sched.h
patching file init/do_mounts.c
patching file init/main.c
patching file ipc/msg.c
patching file ipc/sem.c
patching file ipc/shm.c
patching file kernel/bpf/syscall.c
patching file kernel/capability.c
patching file kernel/cred.c
patching file kernel/exit.c
patching file kernel/fork.c
patching file kernel/groups.c
patching file kernel/kallsyms.c
patching file kernel/kexec.c
patching file kernel/module.c
patching file kernel/printk/printk.c
patching file kernel/ptrace.c
patching file kernel/reboot.c
patching file kernel/sched/core.c
patching file kernel/signal.c
patching file kernel/sys.c
patching file kernel/time/timekeeping.c
patching file kernel/uid16.c
patching file mm/mlock.c
patching file mm/mmap.c
patching file mm/mprotect.c
patching file mm/swapfile.c
patching file net/bridge/br_if.c
patching file net/core/dev_ioctl.c
patching file net/core/fib_rules.c
patching file net/ipv4/arp.c
patching file net/ipv4/devinet.c
patching file net/ipv4/fib_frontend.c
patching file net/ipv4/inet_diag.c
patching file net/ipv4/ipmr.c
patching file net/ipv4/netfilter/ip_tables.c
patching file net/ipv4/route.c
patching file net/sched/cls_api.c
patching file net/sched/sch_api.c
patching file net/socket.c
patching file net/unix/af_unix.c
patching file net/wireless/wext-core.c
patching file rsbac/Kconfig
patching file rsbac/Makefile
patching file rsbac/adf/Makefile
patching file rsbac/adf/acl/Makefile
patching file rsbac/adf/acl/acl_main.c
patching file rsbac/adf/acl/acl_syscalls.c
patching file rsbac/adf/adf_check.c
patching file rsbac/adf/adf_main.c
patching file rsbac/adf/auth/Makefile
patching file rsbac/adf/auth/auth_main.c
patching file rsbac/adf/auth/auth_syscalls.c
patching file rsbac/adf/cap/Makefile
patching file rsbac/adf/cap/cap_main.c
patching file rsbac/adf/daz/Makefile
patching file rsbac/adf/daz/daz_main.c
patching file rsbac/adf/daz/dazuko_call.h
patching file rsbac/adf/daz/dazuko_linux26.h
patching file rsbac/adf/daz/dazuko_platform.h
patching file rsbac/adf/daz/dazuko_rsbac.h
patching file rsbac/adf/daz/dazuko_xp.c
patching file rsbac/adf/daz/dazuko_xp.h
patching file rsbac/adf/daz/dazukoio.h
patching file rsbac/adf/daz/dazukoio_xp.h
patching file rsbac/adf/ff/Makefile
patching file rsbac/adf/ff/ff_main.c
patching file rsbac/adf/jail/Makefile
patching file rsbac/adf/jail/jail_main.c
patching file rsbac/adf/jail/jail_syscalls.c
patching file rsbac/adf/mac/Makefile
patching file rsbac/adf/mac/mac_main.c
patching file rsbac/adf/mac/mac_syscalls.c
patching file rsbac/adf/pax/Makefile
patching file rsbac/adf/pax/pax_main.c
patching file rsbac/adf/rc/Makefile
patching file rsbac/adf/rc/rc_main.c
patching file rsbac/adf/rc/rc_syscalls.c
patching file rsbac/adf/reg/Makefile
patching file rsbac/adf/reg/kproc_hide.c
patching file rsbac/adf/reg/modules_off.c
patching file rsbac/adf/reg/reg_main.c
patching file rsbac/adf/reg/reg_sample1.c
patching file rsbac/adf/reg/reg_sample2.c
patching file rsbac/adf/reg/reg_sample3.c
patching file rsbac/adf/reg/root_plug.c
patching file rsbac/adf/res/Makefile
patching file rsbac/adf/res/res_main.c
patching file rsbac/adf/udf/Makefile
patching file rsbac/adf/udf/udf_main.c
patching file rsbac/data_structures/Makefile
patching file rsbac/data_structures/aci_data_structures.c
patching file rsbac/data_structures/acl_data_structures.c
patching file rsbac/data_structures/auth_data_structures.c
patching file rsbac/data_structures/gen_lists.c
patching file rsbac/data_structures/mac_data_structures.c
patching file rsbac/data_structures/rc_data_structures.c
patching file rsbac/data_structures/um_data_structures.c
patching file rsbac/help/Makefile
patching file rsbac/help/acl_getname.c
patching file rsbac/help/cap_getname.c
patching file rsbac/help/debug.c
patching file rsbac/help/getname.c
patching file rsbac/help/helpers.c
patching file rsbac/help/jail_getname.c
patching file rsbac/help/net_getname.c
patching file rsbac/help/net_helpers.c
patching file rsbac/help/pax_getname.c
patching file rsbac/help/rc_getname.c
patching file rsbac/help/res_getname.c
patching file rsbac/help/rkmem.c
patching file rsbac/help/syscalls.c
patching file security/Kconfig

You now have the RSBAC-patched kernel. And I didn't cut any
lines from the output. This is the source of the program that I
am confident is capable of making my Linux secure, so I'm
interested in all its aspects, and the wisdom is all in the
source, in these files that get patched into the vanilla kernel.

Now, if you want to find the line:

  | RSBAC adds 'real' access control to the kernel. [...]          |

that I pasted further above, you can. Remaining in the
linux-4.19.9/ dir, type "make menuconfig" and browse to that
line, as the pastes show.

However, pls. do quit from the ncurses menus without saving, for
now.

Next email will be about compiling the kernel, proper, this
email is all the necessary preps for compilation.

Email can't be changed once it is sent, so allow for ERRATA
later.

Sincerely,
Palon Setin
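A shell wrapper for the steps in the mail above, added here as an example and not taken from the mail or from the RSBAC project: it pins the two key fingerprints that the quoted gpg output prints instead of relying on "Good signature" from a key gpg marks [unknown], and dry-runs each patch before applying it. The function names and the file layout (everything in the current directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the mail or from the RSBAC project.
# Helpers for the procedure above: pin the signer fingerprints the mail's
# gpg output shows instead of trusting "Good signature" on an [unknown]
# key, and dry-run every patch before touching the tree.
# Assumes gpg and GNU (or BusyBox) patch are installed.
set -u

RSBAC_FPR=490F77DBCAA661D8A54DC38BABDCA7EA1E514E8F    # Amon Ott, from the mail
KERNEL_FPR=647F28654894E3BD457199BE38DBBDC86092693E   # Greg K-H stable key, from the mail

# sig_ok STATUS_TEXT EXPECTED_FPR
# Succeeds only if gpg's machine-readable status contains a VALIDSIG line
# naming exactly the pinned fingerprint (GOODSIG alone says nothing about
# which key signed or whether you ever checked that key).
sig_ok() {
    printf '%s\n' "$1" | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg with status output on stdout and feeds it to sig_ok.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    sig_ok "$status" "$3"
}

# apply_checked SRCDIR PATCHFILE [-R]
# Dry-runs first so a failing patch never leaves a half-patched tree, then
# applies for real and refuses to go on if any .rej file was written.
apply_checked() {
    dir=$1; pfile=$2; rev=${3:-}
    case $pfile in /*) ;; *) pfile=$PWD/$pfile ;; esac   # subshell cds away
    ( cd "$dir" && patch --dry-run -p1 $rev < "$pfile" >/dev/null ) || return 1
    ( cd "$dir" && patch -p1 $rev < "$pfile" ) || return 1
    [ -z "$(find "$dir" -name '*.rej')" ]
}

# build_rsbac_tree: the mail's sequence with every step checked. Assumes
# the tar, its .sign, the rsbac .xz/.asc pair and the three decompressed
# patches all sit in the current directory (hypothetical layout).
build_rsbac_tree() {
    verify_pinned linux-4.19.5.tar.sign linux-4.19.5.tar "$KERNEL_FPR" || return 1
    verify_pinned rsbac-4.19.9-201812141230.diff.asc \
                  rsbac-4.19.9-201812141230.diff.xz "$RSBAC_FPR" || return 1
    tar xf linux-4.19.5.tar && mv linux-4.19.5 linux-4.19.9 || return 1
    apply_checked linux-4.19.9 patch-4.19.5 -R || return 1    # 4.19.5 -> 4.19
    apply_checked linux-4.19.9 patch-4.19.9 || return 1       # 4.19 -> 4.19.9
    apply_checked linux-4.19.9 rsbac-4.19.9-201812141230.diff
}
```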
