thr3ads.net - freebsd security - Questions about MAC [Jan 2004]

If this information is useful, please help other people find it:
Share via:

Jaroslaw Nozderko

2004-Jan-02 19:01 UTC

Questions about MAC

FreeBSD 5.1-RELEASE

Hi,

I'm examining Biba and MLS MAC policies and something is
not clear for me. Unless I'm doing something wrong,
it seems policies are enforced only for reading, but
not writing.

1) Biba

I've created test file with biba/127 label:

$ echo "Message" > file_biba_127.txt

$ setfmac biba/127 file_biba_127.txt

$ getfmac file_biba_127.txt
file_biba_127.txt: biba/127,mls/low

Trying to read with different labels:

$ setpmac biba/high  more file_biba_127.txt
file_biba_127.txt: Permission denied

$ setpmac biba/128  more file_biba_127.txt
file_biba_127.txt: Permission denied

$ setpmac biba/127  more file_biba_127.txt
Message

$ setpmac biba/126  more file_biba_127.txt
Message

$ setpmac biba/low  more file_biba_127.txt
Message

It looks OK.

- Writing:

$ setpmac biba/high echo "High" >> file_biba_127.txt

$ setpmac biba/128 echo "128" >> file_biba_127.txt

$ setpmac biba/127 echo "127" >> file_biba_127.txt

-- Should the following 2 commands succeed ?
$ setpmac biba/126 echo "126" >> file_biba_127.txt
$ setpmac biba/low echo "low" >> file_biba_127.txt

$ setpmac biba/low more file_biba_127.txt
Message
High
128
127
126
low

All writes succeeded - event writing by process with
biba/126 and biba/low to file with biba/127. Is it correct ?

According to mac_biba(4):

"A subject at a lower integrity level than an object may read the
object, but not write to the object"

2) MLS

As for Biba, I've created file with mls/127:

$ echo "Message" > file_mls_127.txt

$ setfmac mls/127 file_mls_127.txt

$ getfmac file_mls_127.txt
file_mls_127.txt: biba/high,mls/127

- reading:

$ setpmac mls/high  more file_mls_127.txt
Message

$ setpmac mls/128  more file_mls_127.txt
Message

$ setpmac mls/127  more file_mls_127.txt
Message

$ setpmac mls/126  more file_mls_127.txt
file_mls_127.txt: Permission denied

$ setpmac mls/low  more file_mls_127.txt
file_mls_127.txt: Permission denied

It looks OK.

- writing:

-- Should the following 2 commands succeed ?
$ setpmac mls/high echo "High" >> file_mls_127.txt
$ setpmac mls/128 echo "128" >> file_mls_127.txt

$ setpmac mls/127 echo "127" >> file_mls_127.txt
$ setpmac mls/126 echo "126" >> file_mls_127.txt
$ setpmac mls/low echo "Low" >> file_mls_127.txt

$ setpmac mls/high more file_mls_127.txt
Message
High
128
127
126
Low

All writes above succeeded. Should policy allow command
ran as mls/high and mls/128 to write to a file with mls/127 ?
Does it conform to *-property (no write down) ?

mac_mls(4) says:

"Subjects may not write to objects with a lower classification level
than its own clearance level"

Am I making some obvious mistake ? 
Thanks in advance for any help.

Regards,
Jarek

Peter Pentchev

2004-Jan-04 23:28 UTC

head link

Questions about MAC

On Sat, Jan 03, 2004 at 12:50:24AM +0100, Jaroslaw Nozderko
wrote:> FreeBSD 5.1-RELEASE
> 
> Hi,
> 
> I'm examining Biba and MLS MAC policies and something is
> not clear for me. Unless I'm doing something wrong,
> it seems policies are enforced only for reading, but
> not writing.
> 
> 1) Biba
> 
> I've created test file with biba/127 label:
> 
> $ echo "Message" > file_biba_127.txt
> 
> $ setfmac biba/127 file_biba_127.txt
[snip]> - Writing:
> 
> $ setpmac biba/high echo "High" >> file_biba_127.txt
> 
> $ setpmac biba/128 echo "128" >> file_biba_127.txt
> 
> $ setpmac biba/127 echo "127" >> file_biba_127.txt
> 
> -- Should the following 2 commands succeed ?
> $ setpmac biba/126 echo "126" >> file_biba_127.txt
> $ setpmac biba/low echo "low" >> file_biba_127.txt
What happens if you try:

  setpmac biba/126 sh -c 'echo "126" >>
file_biba_127.txt'
  setpmac biba/low sh -c 'echo "126" >>
file_biba_127.txt'

Using your commands, the policy set by setpmac(8) only applies to the
echo command itself, not to the attempt to write to the file.  The file
appending is handled by your shell - all redirections are handled by the
shell - and the shell is *not* subject to policy restrictions set by its
own child processes.

This is the same "issue" that you can see by trying the following:

[roam@straylight ~]> whoami
roam
[roam@straylight ~]> who am i
roam             ttyp3     5 ??? 08:42 (10.0.12.18:S.3)
[roam@straylight ~]> id
uid=1000(roam) gid=0(wheel) groups=0(wheel), 5(operator)
[roam@straylight ~]> sudo touch foo
otp-md5 452 st7459 ext
Password:
[roam@straylight ~]> sudo chmod 600 foo
[roam@straylight ~]> cat foo
cat: foo: Permission denied
[roam@straylight ~]> sudo echo blah >> foo
foo: Permission denied.
[roam@straylight ~]> sudo sh -c 'echo blah >> foo'
[roam@straylight ~]> cat foo
cat: foo: Permission denied
[roam@straylight ~]> sudo cat foo
blah
[roam@straylight ~]>

The 'sudo echo blah >> foo' command does not succeed, since the
redirection is attempted by my own shell still running as my own
account, 'roam', which does not have write access to the new file; only
the 'echo blah' command is executed with root privileges.  The next
attempt, executing a shell to perform the redirection, succeeds.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040105/f7ceb929/attachment.bin

Reasonably Related Threads

Search for more apparently analagous threads

freebsd security - Jan 2004 - Questions about MAC

Questions about MAC

Questions about MAC

Reasonably Related Threads