(I've just sent this to trustedbsd-discuss but the list is probably dead,
so I am crossposting)
Hello,
I am using a combination of mac_biba, mac_mls and mac_bsdextended to secure a
shared hosting web server. The goals of each policy are:
- mac_biba: Protect the integrity of the OS and configuration files against
actions derived from a security breach of a user's website. For example, the
typical PHP crap. Any descendant of a user process should be unable to modify
anything but the files in that user's directory.
- mac_mls: Protect certain sensitive files against read access by descendants of
user processes. For example, we wish to protect key system files from Apache and
its descendants, and the Apache configuration files themselves from PHP/CGI
processes or, of course, their descendants.
- mac_bsdextended so that users whose uid falls inside the "hosting
users" set, imagine, 10000-20000, can't see processes or files
belonging to other uids within that set.
The intent is to minimize surprise (hence, no need for a lot of technical
support to adapt crappy CGI/PHP code to security requirements) while, at the same
time, keeping good security measures.
This scheme has been used for years with very good results, without the mls
policy, but we have stumbled upon an obstacle with MLS. The mls module defines a
default mls label of mls/low, which gets applied to processes that haven't
been spawned after a setusercontext() call. So, for example, applying an mls/high
label to the ssh private keys makes sshd inoperable, as it's launched by
init, gets an mls/low label, and is unable to read its private keys.
A tunable like security.mac.{mls,biba...}.default_label or, maybe, more
appropriately, security.{mac,biba...}.init_label would allow the administrator
to, for example, limit the usage of the MAC policies to descendants of certain
processes. In our case, with most of the OS having the usual Unix security
requirements, except for the intrinsically dangerous stuff such as Apache and
PHP/CGIs, init labels of {mls,biba}/equal would be more than enough, applying
the necessary labels to the untrusted processes.
What do you think? I am sure this makes the MAC policies much more useful, and
much easier to integrate with the typical Unix software without unnecessary
incompatibilities, and of course not just for our particular scenario.
Borja.
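The obstacle described in the post above follows directly from the dominance rules the two policies enforce: mac_mls lets a process read only objects its effective label dominates (read down, write up), while mac_biba is the mirror image (read up, write down). As an added illustration, not code from this thread or from FreeBSD itself, the following Python model encodes those rules over the maclabel(7) label grammar (`mls/low`, `mls/high`, `mls/equal`, `mls/N:c1+c2`, likewise for `biba/`, compound labels comma-separated) and replays the scenario: sshd at `mls/low` cannot read a host key labelled `mls/high`, sshd at `mls/equal` can, and a `biba/low` PHP child cannot write `biba/high` configuration. The helper names (`check_access`, `evaluate`) and the scenario table are constructed for the example.

```python
"""Toy model of the dominance rules behind FreeBSD's mac_mls and mac_biba.

Added illustration only: this is not kernel code. It mirrors the rules
those policies apply to vnode reads and writes so the thread's scenario
can be checked offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """One policy's component of a label: low, high, equal, or a grade."""
    kind: str                          # "low", "high", "equal" or "grade"
    grade: int = 0                     # numeric level, only for kind == "grade"
    compartments: frozenset = frozenset()


def parse_element(body: str) -> Element:
    """Parse the part after 'mls/' or 'biba/' (e.g. 'high' or '10:1+2')."""
    if body in ("low", "high", "equal"):
        return Element(body)
    grade, _, comps = body.partition(":")
    comp_set = frozenset(int(c) for c in comps.split("+")) if comps else frozenset()
    return Element("grade", int(grade), comp_set)


def parse_label(text: str) -> dict:
    """'biba/low,mls/5:1+2' -> {'biba': Element(low), 'mls': Element(grade 5, {1, 2})}."""
    label = {}
    for part in text.split(","):
        policy, _, body = part.partition("/")
        if policy not in ("mls", "biba") or not body:
            raise ValueError(f"unsupported label element: {part!r}")
        label[policy] = parse_element(body)
    return label


def dominates(a: Element, b: Element) -> bool:
    """True when a dominates b: equal matches anything, high beats all,
    low is beaten by all, otherwise compare grade and compartment set."""
    if a.kind == "equal" or b.kind == "equal":
        return True
    if a.kind == "high" or b.kind == "low":
        return True
    if a.kind == "low" or b.kind == "high":
        return False
    return a.grade >= b.grade and a.compartments >= b.compartments


def policy_allows(policy: str, subject: Element, obj: Element, op: str) -> bool:
    if policy == "mls":
        # Confidentiality: read down (subject dominates object), write up.
        return dominates(subject, obj) if op == "read" else dominates(obj, subject)
    # Biba integrity: read up (object dominates subject), write down.
    return dominates(obj, subject) if op == "read" else dominates(subject, obj)


def check_access(subject_label: str, object_label: str, op: str) -> bool:
    """Hypothetical helper: does a subject with subject_label get op on object_label?"""
    if op not in ("read", "write"):
        raise ValueError(f"op must be 'read' or 'write', got {op!r}")
    subject, obj = parse_label(subject_label), parse_label(object_label)
    # The MAC framework composes loaded policies: every policy that labels
    # both the subject and the object must allow the access.
    return all(policy_allows(p, subject[p], obj[p], op) for p in subject if p in obj)


# Constructed scenario mirroring the thread (name -> (subject, op, object)).
SCENARIO = {
    "sshd from init (mls/low) reads host key labelled mls/high": ("mls/low", "read", "mls/high"),
    "sshd running at mls/equal reads the same key": ("mls/equal", "read", "mls/high"),
    "PHP child (biba/low) writes /etc (biba/high)": ("biba/low", "write", "biba/high"),
    "PHP child (biba/low) writes its own docroot (biba/low)": ("biba/low", "write", "biba/low"),
    "CGI in compartment 1 reads a file in compartment 2": ("mls/10:1", "read", "mls/10:2"),
    "compound biba/low,mls/low reads biba/high,mls/high": ("biba/low,mls/low", "read", "biba/high,mls/high"),
}


def evaluate(scenario=SCENARIO) -> dict:
    """Return {scenario name: allowed?} for each constructed case."""
    return {name: check_access(s, o, op) for name, (s, op, o) in scenario.items()}


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

The last scenario shows why the compound label matters for the hosting setup: Biba on its own would let the low-integrity PHP child read `/etc` (read up is fine for integrity), and it is the MLS component that denies the read. Conversely, `mls/equal` or `biba/equal` on a daemon switches that policy off for it, which is what the proposed init label would do for everything except the deliberately labelled Apache and CGI processes.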
Andreas Jonsson
2014-Feb-11 17:27 UTC
Proposal: tunable default/init label for MAC policies
On 2014-02-11 11:28, Borja Marcos wrote:
<snip>
> A tunable like security.mac.{mls,biba...}.default_label or, maybe, more
> appropriately, security.{mac,biba...}.init_label would allow the
> administrator to, for example, limit the usage of the MAC policies to
> descendants of certain processes. In our case, with most of the OS
> having the usual Unix security requirements, except for the
> intrinsically dangerous stuff such as Apache and PHP/CGIs, init labels
> of {mls,biba}/equal would be more than enough, applying the necessary
> labels to the untrusted processes.
>
> What do you think? I am sure this makes the MAC policies much more
> useful, and much easier to integrate with the typical Unix software
> without unnecessary incompatibilities, and of course not just for our
> particular scenario.
>
> Borja.

Hi list,

I think that being able to set the MAC process label from rc.conf would be a
better and more flexible way of moving forward, so that modifying rc-scripts
everywhere would be unnecessary.

Thinking about how to handle this in the context of jails would also be nice.
Currently using jail_poststart_exec to jexec with the correct label is a bit
of a pain. Perhaps there is a better way that I am unaware of?

br
andreas