Path-based file system MAC policy
Alan Alvarez
Abstract
The TrustedBSD MAC Framework makes it easy to extend the FreeBSD kernel security model with pluggable modules, and it has provided support for traditional mandatory access control. However, the base system MAC policies are difficult to use, primarily because they add no security metadata of their own: rules can only refer to attributes the file system already keeps. The main goal of this project is to extend the existing ugidfw (bsdextended) MAC policy to allow path-based file system policies by maintaining a table of path metadata associated with kernel vnodes.
Additional Information
The main goal of this project is to extend the existing ugidfw (bsdextended) MAC policy to allow path-based file system policies. Currently the ugidfw policy can only restrict operations based on file attributes such as the owner's uid or gid, the file system the file resides on, the file type, and so on. It is not possible to identify the file whose access a rule should restrict by its path. This makes the policy difficult to use, and in some cases impractical.
The primary obstacle that I will be facing is matching vnodes with the path information given in ugidfw rules: once a file has been opened and a vnode has been assigned to the file descriptor, subsequent operations on that descriptor carry no path information. The solution that I have explored is a hash table of paths associated with vnodes, updated whenever a file is opened, closed, renamed or deleted, as needed. It is important to note that a single file can have many paths (hard links). The policy should be aware of this in order to enforce a rule on every path associated with the file in question, so that a second name cannot be used to bypass it.
The reason for keeping track of all this information for operations that follow the open(2), rather than checking only at open time, is to provide the possibility of revocable, fine-grained mandatory access control. It should be possible to restrict any single type of access to a file after a user has had the file open for some time. This allows for better control of the system's resources.
The extensions to the ugidfw utility would allow for rules such as the following to be used:
# ugidfw set 10 subject uid 1002 object filepath /home/clsk/sample.txt type r mode rwx
This rule would restrict access to the file /home/clsk/sample.txt (of type "regular file", type r) for the user with uid 1002 to read, write and execute only; the admin (a) and stat (s) modes are not granted.
# ugidfw set 20 subject not uid 1000 object filepath /home/clsk/secret_file.txt type r mode n
# ugidfw set 30 subject uid 1000 object filepath /home/clsk/secret_file.txt type r mode arswx
These two rules would allow only the user with uid 1000 to access /home/clsk/secret_file.txt (of type "regular file"); every other uid matches rule 20 and gets mode n, that is, no access at all.
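The table and the check described above, as an added example that is not the project's code: a userspace C model of the vnode-to-path table and of the filepath rule check, loaded with rules 20 and 30 from the text. The integer vnode identity, the rule structure, the first-match semantics and every function name here are assumptions of this example; the real policy would instead hook the MAC Framework's vnode entry points and hold real path strings and locks.

```c
#include <stdlib.h>
#include <string.h>
#define NPATH_MAX 8			/* names tracked per vnode (hard links) */
#define NBUCKET 64

/* ugidfw mode letters a, r, s, w, x as bits; "mode n" is 0. */
enum { MODE_A = 1, MODE_R = 2, MODE_S = 4, MODE_W = 8, MODE_X = 16 };

struct vpath_entry {	/* every name the (modelled) vnode is reachable by */
	unsigned long vnid;		/* assumption: vnode identity as an integer */
	int refs;			/* open descriptors on the vnode */
	int npaths;
	const char *paths[NPATH_MAX];	/* caller-owned here; a kernel would copy */
	struct vpath_entry *next;	/* hash chain */
};

struct fp_rule {	/* ugidfw-style rule with the proposed "filepath" object */
	int subj_uid, subj_not;		/* subj_not: "subject not uid N" */
	const char *filepath;
	unsigned mode;			/* allowed operations */
};

static struct vpath_entry *vtable[NBUCKET];

/* Link holding vnid's entry, or the chain end if there is none. */
static struct vpath_entry **
vp_slot(unsigned long vnid)
{
	struct vpath_entry **pp = &vtable[vnid % NBUCKET];
	while (*pp != NULL && (*pp)->vnid != vnid)
		pp = &(*pp)->next;
	return (pp);
}

static int
vp_find(const struct vpath_entry *e, const char *path)
{
	for (int i = 0; i < e->npaths; i++)
		if (strcmp(e->paths[i], path) == 0)
			return (i);
	return (-1);
}

void
vp_open(unsigned long vnid, const char *path)	/* open(2): record the name */
{
	struct vpath_entry **pp = vp_slot(vnid), *e = *pp;
	if (e == NULL) {
		e = calloc(1, sizeof(*e));
		e->vnid = vnid;
		*pp = e;
	}
	e->refs++;
	if (vp_find(e, path) < 0 && e->npaths < NPATH_MAX)
		e->paths[e->npaths++] = path;
}

void
vp_close(unsigned long vnid)	/* close(2): the last close drops the entry */
{
	struct vpath_entry **pp = vp_slot(vnid), *e = *pp;
	if (e != NULL && --e->refs == 0) {
		*pp = e->next;
		free(e);
	}
}

/* rename(2): same vnode, new name; unlink(2) is a rename to NULL. */
void
vp_rename(unsigned long vnid, const char *from, const char *to)
{
	struct vpath_entry *e = *vp_slot(vnid);
	int i = (e != NULL) ? vp_find(e, from) : -1;
	if (i >= 0)
		e->paths[i] = (to != NULL) ? to : e->paths[--e->npaths];
}

/*
 * Decide one operation.  Consulted on every access, not only at open(2), so
 * a rule added later revokes access through an already-open descriptor.  The
 * object matches when ANY known name of the vnode equals the rule's filepath,
 * so a hard link cannot bypass the rule.  First matching rule decides
 * (mac_bsdextended's default first-match behaviour); no match allows.
 */
int
vp_access(const struct fp_rule *rules, int nrules, int uid,
    unsigned long vnid, unsigned op)
{
	const struct vpath_entry *e = *vp_slot(vnid);
	if (e == NULL)
		return (1);
	for (int i = 0; i < nrules; i++) {
		int subj = (rules[i].subj_uid == uid) != rules[i].subj_not;
		if (subj && vp_find(e, rules[i].filepath) >= 0)
			return ((rules[i].mode & op) == op);
	}
	return (1);
}

const struct fp_rule secret_rules[] = {	/* rules 20 and 30 from the text */
	{ 1000, 1, "/home/clsk/secret_file.txt", 0 },
	{ 1000, 0, "/home/clsk/secret_file.txt", MODE_A | MODE_R | MODE_S | MODE_W | MODE_X },
};
const int nsecret_rules = 2;
```

Two consequences of the design show up when this model is driven: a read by uid 1002 through a second name of the same vnode is still denied, because the check walks every name the table knows for the vnode, and the same descriptor that is allowed under an empty rule set is denied once rules 20 and 30 are loaded, which is the revocation the text asks for. The caveat is that the table only learns a name when the kernel resolves it, so a hard link created before the module was loaded is unknown until it is first opened through.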
