
Rule Set Based Access Control (RSBAC) for Linux - Targets and Requests


Targets

RSBAC restricts access by subjects to objects. Subjects are always processes, acting on behalf of a user and carrying attributes such as system_role. Objects are called (access) targets and are grouped into target types. The following types are defined:

FILE Files, including device special files. Identified by device and inode number.
DIR Directories, identified by device and inode number.
FIFO (new in v1.1.1) FIFO special files
DEV Devices, identified by type (char or block), major and minor number
IPC InterProcess Communication: Semaphores (sem), Messages (msg), Shared Memory (shm), Sockets (sock) and FIFOs (fifo, removed in v1.1.1 in favour of the FIFO target type).
SCD System Control Data: Objects affecting the whole system. This target type is the only one with a fixed number of objects, identified by number (see below).
USER Users as objects, mostly for access control information (ACI).
PROCESS Processes as objects.
NETDEV Network Device, identified by name.
NETTEMP Network Template, identified by index number. Access control: access to template itself, RC Administration: access to values/settings for both template and NETOBJ, ACL administration: Default ACLs for NETOBJ
NETOBJ Network Object, identified by internal pointer to struct socket. Attribute values mostly inherited from NETTEMP settings.
NETTEMP_NT ACL administration only, ACL entries for NETTEMP objects themselves.
NONE No object associated with this request. In some models (RC, ACL) this is internally changed into SCD target "other".
FD (Only in user space): Let the command line tool decide between types FILE and DIR

System Control Data (SCD) targets are these:

time_strucs System timer
clock System time and date
host_id Host name
net_id Domain name
ioports Access Control for direct hardware access
rlimit Setting process resource limits
swap Control of swapping
syslog System log
rsbac RSBAC data in /proc
rsbaclog RSBAC own log
kmem Direct access to kernel memory via proc or device
other MODIFY_SYSTEM_DATA for sysctl, otherwise only internal in RC and ACL: Substitute for target NONE
auth_administration (only in RC and ACL): AUTH model administration
network General networking, like routing, arp etc. (Devices are protected as NETDEV targets!)
firewall Firewall settings, packet filter etc.

Requests

Before access to a target is granted, a request is passed to the Access Control Decision Facility (ADF). Based on the request type and the target, the ADF grants or denies the access.

RSBAC requests and the system calls that issue them are listed in the following table. Note that some requests are only issued under certain conditions, e.g. EXECUTE (MAP_EXEC since v1.1.2) is issued from mmap() only if the mapping is requested in EXEC mode. Some calls also depend on the kernel configuration, e.g. RSBAC network support.

Some calls are made from common helper functions, e.g. do_fork(). Entries marked with an * also perform the rsbac_adf_set_attr() notification call for the request after the decision.

Additionally, some requests provide extra data with kernel internal attribute types. These attributes are: A_group, A_sockaddr_p, A_signal, A_mode, A_nlink, A_switch_target, A_mod_name, A_request, A_ms_segment, A_trace_request, A_auth_add_f_cap, A_auth_remove_f_cap, A_auth_get_caplist, A_prot_bits. Please have a look into include/rsbac/types.h for the respective data types.

Request | Description | Valid Target Types | System calls and functions
ADD_TO_KERNEL | Add a kernel module | NONE | create_module(NONE), init_module(NONE)
ALTER | Change IPC control information | IPC | msgctl(IPC), shmctl(IPC)
APPEND_OPEN | Open to append | FILE, DEV, IPC | open(FILE, DEV)*, msgsnd(IPC)*, sendto(IPC)*, sendmsg(IPC)*
CHANGE_GROUP | Change active group | IPC, PROCESS, NONE | setgid(PROC), setregid(PROC), setresgid(PROC), setgroups(PROC), setfsgid(NONE) (for DAC only), shmctl(IPC), msgctl(IPC)
CHANGE_OWNER | Change owner | FILE, DIR, FIFO, IPC, PROCESS, NONE | chown(FILE, DIR, FIFO), lchown(FILE, DIR, FIFO), fchown(FILE, DIR, FIFO), setuid(PROC)*, setreuid(PROC)*, setresuid(PROC)*, setfsuid(NONE) (for DAC only), shmctl(IPC), msgctl(IPC)
CHDIR | Change working directory | DIR | chdir(DIR), fchdir(DIR), chroot(DIR)
CLONE | Fork/clone a process | PROCESS | fork(PROC)*, vfork(PROC)*, clone(PROC)*
CLOSE | Close an opened file etc. Should always be granted. | FILE, DIR, FIFO, DEV, IPC, NETOBJ | close(FILE, DIR, FIFO, DEV, IPC, NETOBJ)*, shmdt(IPC)*, msgrcv(IPC)*, msgsnd(IPC)*, send(IPC)*, sendto(IPC)*, sendmsg(IPC)*, recv(IPC)*, recvfrom(IPC)*, recvmsg(IPC)*
CREATE | Create an object | DIR (where), IPC, NETTEMP, NETOBJ | creat(DIR, IPC)*, open(DIR, IPC)*, mknod(DIR)*, mkdir(DIR)*, symlink(DIR)*, shmget(IPC)*, msgget(IPC)*, socket(IPC)*, accept(IPC)*, rsbac_net_temp(NETTEMP), socket(NETOBJ)
DELETE | Delete an object | FILE, DIR, FIFO, IPC, NETTEMP | unlink(FILE, DIR, FIFO)*, rmdir(DIR)*, msgctl(IPC)*, shmctl(IPC)*, shutdown(IPC)*, close(IPC)*, rsbac_net_temp(NETTEMP)
EXECUTE | Execute a file (until v1.1.2: also map a library file or other code executable, see MAP_EXEC) | FILE | exec()*
GET_PERMISSIONS_DATA | Read Unix permissions (mode) | FILE, DIR, FIFO | access(FILE, DIR, FIFO)
GET_STATUS_DATA | Get status (stat() etc.) | FILE, DIR, FIFO, IPC, SCD, NETDEV | open_port(SCD) (/dev/kmem etc.), open_kcore(SCD) (/proc/kcore), stat(FILE, DIR, FIFO, IPC), newstat(FILE, DIR, FIFO, IPC), lstat(FILE, DIR, FIFO, IPC), newlstat(FILE, DIR, FIFO, IPC), fstat(FILE, DIR, FIFO, IPC), newfstat(FILE, DIR, FIFO, IPC), stat64(FILE, DIR, FIFO, IPC), lstat64(FILE, DIR, FIFO, IPC), fstat64(FILE, DIR, FIFO, IPC), statfs(FILE, DIR, FIFO), fstatfs(FILE, DIR, FIFO), rsbac_stats(SCD), rsbac_check(SCD), rsbac_stats_pm(SCD), rsbac_stats_rc(SCD), rsbac_stats_acl(SCD), rsbac_log(SCD), (access to RSBAC proc files (SCD)), dev_ioctl(NETDEV), arp_ioctl(NETDEV), ip_mroute_setsockopt(SCD network), firewalling code (SCD firewall)
LINK_HARD | Hard link | FILE, DIR, FIFO | link(FILE, DIR, FIFO)
MODIFY_ACCESS_DATA | Change access information, e.g. time, date | FILE, DIR, FIFO | utimes(FILE, DIR, FIFO)
MODIFY_ATTRIBUTE | Change an RSBAC attribute value | All target types | (specific request needed for various security models)
MODIFY_PERMISSIONS_DATA | Change Unix permissions | FILE, DIR, FIFO, SCD | ioperm(SCD), iopl(SCD), chmod(FILE, DIR, FIFO), fchmod(FILE, DIR, FIFO)
MODIFY_SYSTEM_DATA | Change system settings | SCD, NETDEV | stime(SCD), settimeofday(SCD), adjtimex(SCD), sethostname(SCD), setdomainname(SCD), setrlimit(SCD), syslog(SCD), sysctl(SCD), swapon(SCD), swapoff(SCD), rsbac_log(SCD), dev_ioctl(NETDEV), arp_ioctl(NETDEV), ip_mroute_setsockopt(SCD network), firewalling code (SCD firewall)
MOUNT | Mount a filesystem | DIR, DEV | mount(DIR, DEV) (separate mount notification for data structures)
READ | Read from a DIR or NETTEMP. Optional: read from other objects | DIR, NETTEMP (optional: FILE, FIFO, DEV, IPC, NETOBJ) | read(FILE, FIFO, DEV, IPC, NETOBJ)*, readv(FILE, FIFO, DEV, IPC)*, pread(FILE, DEV, IPC)*, readdir(DIR), open(DIR), rsbac_net_temp(NETTEMP)
READ_ATTRIBUTE | Read an RSBAC attribute value | All target types | (specific request needed for various security models)
READ_OPEN | Open for read | FILE, FIFO, DEV, IPC | open(FILE, FIFO, DEV, IPC)*, shmat(IPC)*, msgrcv(IPC)*, recv(IPC)*, recvfrom(IPC)*, recvmsg(IPC)*
READ_WRITE_OPEN | Open for read and write | FILE, FIFO, DEV, IPC | open(FILE, FIFO, DEV, IPC)*, shmat(IPC)*, bind(IPC)*, connect(IPC)*, listen(IPC)*
REMOVE_FROM_KERNEL | Remove a kernel module | NONE | delete_module(NONE)
RENAME | Rename | FILE, DIR, FIFO | rename(FILE, DIR, FIFO) (RSBAC identification is not changed by rename!)
SEARCH | Lookup in a dir or symlink from inside the kernel for access with a full path | DIR, SYMLINK | internal functions lookup_dentry(DIR) / path_walk(DIR) / lookup_hash(DIR) / follow_symlink(SYMLINK)
SEND_SIGNAL | Send a signal | PROCESS | kill(PROC)
SHUTDOWN | Shutdown/reboot the system | NONE | reboot(NONE)
SWITCH_LOG | Change RSBAC log settings | NONE | rsbac_adf_log_switch(NONE)
SWITCH_MODULE | Switch a decision module on/off | NONE | rsbac_switch(NONE)
TERMINATE | End of the calling process, for attribute cleanup. Should always be granted. | PROCESS | exit(PROC)
TRACE | Trace a process | PROCESS | ptrace(PROC) (architecture dependent)
TRUNCATE | Truncate | FILE | open(FILE)*, truncate(FILE)*, ftruncate(FILE)*, truncate64(FILE)*, ftruncate64(FILE)*
UMOUNT | Unmount a filesystem | DIR, DEV | umount(DIR, DEV) (separate umount notification for data structures)
WRITE | Write to a DIR, SCD or NETTEMP. Used for moving an object to the target dir. Optional: write to a file etc. | DIR, SCD, NETTEMP (optional: FILE, FIFO, DEV, IPC-sock) | write(FILE, FIFO, IPC, DEV, NETTEMP)*, writev(FILE, FIFO, IPC, DEV)*, pwrite(FILE, IPC, DEV)*, rename(DIR), rsbac_write(SCD), rsbac_net_temp(NETTEMP)
WRITE_OPEN | Open for write | FILE, FIFO, DEV, IPC | open(FILE, FIFO, DEV, IPC)*
MAP_EXEC | Map a library from a file (target FILE) or other code (target NONE) for execution | FILE, NONE | mmap(FILE) (EXEC mode), mprotect(FILE, NONE) (EXEC mode), uselib(FILE)
BIND | Bind a network address and port (if applicable) to a local socket, bind to a network device | NETDEV, NETOBJ | dev_ioctl(NETDEV), bind()*
LISTEN | Listen on a local socket | NETOBJ | listen()*
ACCEPT | Accept a connection from a remote network endpoint | NETOBJ | accept()*
CONNECT | Connect to a remote network endpoint | NETOBJ | connect()*
SEND | Send to a remote network endpoint | NETOBJ | send()*, sendmsg()*, sendto()*
RECEIVE | Receive from a remote network endpoint | NETOBJ | recv()*, recvmsg()*, recvfrom()*
NET_SHUTDOWN | Shut down a channel of a local socket | NETOBJ | shutdown()

Please remember that some models (RC, ACL) internally change NONE targets to SCD target "other" for access control.
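To make the conditional rules concrete (EXECUTE/MAP_EXEC only for EXEC mappings, TRUNCATE from open() only with O_TRUNC, CREATE checked against the parent DIR, NONE decided as SCD "other" in RC and ACL), here is an added example written for this page, not RSBAC's own kernel hook code: a small user-space C model that lists the requests a single open() or mmap() must get granted by the ADF. The function names (rsbac_requests_for_open, rsbac_map_exec_target, rsbac_decision_target, format_requests) belong to this example only, collapsing every O_APPEND open into one APPEND_OPEN request is a simplification of the model, and the rule that a file created by the same open() is not truncated again is taken from the Linux VFS open path, not from the table above.

```c
/* Added example (not RSBAC code): a user-space model, derived from the
 * request table, of which requests one open(2) or mmap(2) generates.  It
 * follows the VFS open sequence: path lookup, optional create, access-mode
 * check, optional truncate.  That a freshly created file is not truncated
 * again is an assumption taken from the kernel, not from the table. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Request bits, named after the Request column of the table. */
enum rsbac_request {
    R_SEARCH          = 1u << 0,  /* target DIR: every directory walked   */
    R_CREATE          = 1u << 1,  /* target DIR: parent of the new object */
    R_READ            = 1u << 2,  /* target DIR: open() of a directory    */
    R_READ_OPEN       = 1u << 3,  /* targets FILE, FIFO, DEV               */
    R_WRITE_OPEN      = 1u << 4,
    R_READ_WRITE_OPEN = 1u << 5,
    R_APPEND_OPEN     = 1u << 6,
    R_TRUNCATE        = 1u << 7,  /* target FILE: open() with O_TRUNC     */
    R_MAP_EXEC        = 1u << 8,  /* target FILE (file-backed) or NONE    */
};

static const struct { unsigned bit; const char *name; } request_names[] = {
    { R_SEARCH, "SEARCH(DIR)" },      { R_CREATE, "CREATE(DIR)" },
    { R_READ, "READ(DIR)" },          { R_READ_OPEN, "READ_OPEN" },
    { R_WRITE_OPEN, "WRITE_OPEN" },   { R_READ_WRITE_OPEN, "READ_WRITE_OPEN" },
    { R_APPEND_OPEN, "APPEND_OPEN" }, { R_TRUNCATE, "TRUNCATE" },
    { R_MAP_EXEC, "MAP_EXEC" },
};

/* The single *_OPEN request chosen from the access mode.  Mapping every
 * O_APPEND open to APPEND_OPEN alone is a simplification of this model. */
static unsigned open_mode_request(int flags)
{
    int acc = flags & O_ACCMODE;
    if (acc == O_RDONLY)
        return R_READ_OPEN;
    if (flags & O_APPEND)
        return R_APPEND_OPEN;
    return acc == O_RDWR ? R_READ_WRITE_OPEN : R_WRITE_OPEN;
}

/* Requests the ADF must grant before open(path, flags) succeeds, given
 * whether the last path component exists and whether it is a directory. */
unsigned rsbac_requests_for_open(int flags, int exists, int is_dir)
{
    unsigned req = R_SEARCH;          /* path lookup always SEARCHes dirs */

    if (!exists) {
        if (!(flags & O_CREAT))
            return req;               /* ENOENT: nothing else is asked */
        /* CREATE goes to the parent DIR ("DIR (where)"); no TRUNCATE */
        return req | R_CREATE | open_mode_request(flags);
    }
    if (is_dir)
        return req | R_READ;          /* open(DIR) is READ on the DIR */

    req |= open_mode_request(flags);
    if (flags & O_TRUNC)
        req |= R_TRUNCATE;            /* the open(FILE)* entry under TRUNCATE */
    return req;
}

/* mmap()/mprotect(): a request is issued only for PROT_EXEC, and its target
 * is the FILE behind the descriptor or NONE for anonymous memory.  Returns
 * the target name, or NULL when no request is made at all. */
const char *rsbac_map_exec_target(int prot, int file_backed)
{
    if (!(prot & PROT_EXEC))
        return NULL;
    return file_backed ? "FILE" : "NONE";
}

/* RC and ACL decide NONE-targeted requests against SCD target "other". */
const char *rsbac_decision_target(const char *model, const char *target)
{
    if (strcmp(target, "NONE") == 0 &&
        (strcmp(model, "RC") == 0 || strcmp(model, "ACL") == 0))
        return "SCD other";
    return target;
}

/* Render a request mask as space-separated names; returns buf. */
char *format_requests(unsigned req, char *buf, size_t len)
{
    size_t used = 0, i;
    buf[0] = '\0';
    for (i = 0; i < sizeof request_names / sizeof request_names[0]; i++) {
        if (!(req & request_names[i].bit))
            continue;
        used += snprintf(buf + used, len - used, "%s%s",
                         used ? " " : "", request_names[i].name);
        if (used >= len)
            break;
    }
    return buf;
}

int main(void)
{
    char buf[128];
    printf("open(O_WRONLY|O_CREAT|O_TRUNC), new file : %s\n",
           format_requests(rsbac_requests_for_open(O_WRONLY | O_CREAT | O_TRUNC, 0, 0), buf, sizeof buf));
    printf("open(O_WRONLY|O_TRUNC), existing file    : %s\n",
           format_requests(rsbac_requests_for_open(O_WRONLY | O_TRUNC, 1, 0), buf, sizeof buf));
    printf("mmap(PROT_READ|PROT_EXEC) anonymous, RC  : %s on %s\n", "MAP_EXEC",
           rsbac_decision_target("RC", rsbac_map_exec_target(PROT_READ | PROT_EXEC, 0)));
    return 0;
}
```

The first two cases show why a policy that only grants WRITE_OPEN on a log file is not enough: creating the file needs CREATE on its directory, and re-opening it with O_TRUNC needs TRUNCATE as well; the third shows that an RC or ACL rule for anonymous executable mappings has to be written against SCD "other", since the request arrives with target NONE.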



28-May-02, -ao