Mandatory Access Control

We document the MAC protection in the platform part, even though it also applies to the kernel, because its use is mainly at the platform level (except for the floor part).

Mandatory Access Control (MAC) is a protection provided by the Linux kernel that requires a Linux Security Module (LSM). AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK). This protection attaches SMACK labels to files as extended attributes, and a policy is created to define the behaviour of each label.

The kernel's access control is based on these labels and this policy. If there is no rule, no access is granted; as a consequence, whatever is not explicitly authorized is forbidden.

There are two types of SMACK labels:

  • Execution SMACK (attached to the process): defines how files are accessed and created by that process.
  • File Access SMACK (written to the extended attribute of the file): defines which processes can access the file.

By default a process executes with its File Access SMACK label unless an Execution SMACK label is defined.

AGL’s SMACK scheme is based on the Tizen 3 scheme (Q2/2015). It divides the system into the following domains:

  • Floor.
  • System.
  • Applications, Services and User.

See AGL security framework review and Smack White Paper for more information.


Floor

The floor domain includes the base system services and any associated data and libraries. This data remains unchanged at runtime. Writing to floor files or directories is allowed only in development mode or during software installation or upgrade.

The following table details the floor domain:

| Label | Name  | Execution SMACK | File Access SMACK                       |
|-------|-------|-----------------|-----------------------------------------|
| -     | Floor | r-x for all     | Only kernel and internal kernel thread. |
| ^     | Hat   | --- for all     | rx on all domains.                      |
| *     | Star  | rwx for all     | None                                    |

  • The Hat label is only for privileged system services (currently only systemd-journal). It is useful for backups or virus scans. No file with this label should exist except in the debug log.
  • The Star label is used for device files or /tmp; access restriction is managed via DAC. Individual files remain protected by their SMACK label.

| Domain             | Label name | Recommendations                                              |
|--------------------|------------|--------------------------------------------------------------|
| Kernel-MAC-Floor-1 | ^          | Only for privileged system services.                         |
| Kernel-MAC-Floor-2 | *          | Used for device files or /tmp. Access restriction via DAC.   |

System

The system domain includes a reduced set of core system services of the OS and any associated data. This data may change at runtime.

The following table details the system domain:

| Label          | Name      | Execution SMACK                                  | File Access SMACK    |
|----------------|-----------|--------------------------------------------------|----------------------|
| System         | System    | None                                             | Privileged processes |
| System::Run    | Run       | rwxatl for User and System label                 | None                 |
| System::Shared | Shared    | rwxatl for System domain; r-x for User label     | None                 |
| System::Log    | Log       | rwa for System label; xa for User label          | None                 |
| System::Sub    | SubSystem | Subsystem config files                           | SubSystem only       |

| Domain              | Label name     | Recommendations                                                                                           |
|---------------------|----------------|-----------------------------------------------------------------------------------------------------------|
| Kernel-MAC-System-1 | System         | Processes should write only to files with the transmute attribute.                                        |
| Kernel-MAC-System-2 | System::Run    | Files are created with the directory label from the User and System domains (transmute). Lock is implicit with w. |
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from the System domain (transmute). The User domain has lock privilege. |
| Kernel-MAC-System-4 | System::Log    | Some limitations may require adding w to enable append.                                                   |
| Kernel-MAC-System-5 | System::Sub    | Isolation of risky subsystems.                                                                            |

Applications, Services and User

The application, services and user domain includes code that provides services to the system and the user, as well as any associated data. All code running in this domain is under Cynara control.

The following table details the application, services and user domain:

| Label             | Name   | Execution SMACK                                                                 | File Access SMACK          |
|-------------------|--------|---------------------------------------------------------------------------------|----------------------------|
| User::Pkg::$AppID | AppID  | rwx for files created by the App; rx for files installed by AppFw               | $App runtime executing $App |
| User::Home        | Home   | rwx-t from System label; r-x-l from App                                         | None                       |
| User::App-Shared  | Shared | rwxat from System and User domains, label of $User                              | None                       |

| Domain              | Label name        | Recommendations                                                                                                                          |
|---------------------|-------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one label is allowed per App. A data directory is created by the AppFw in rwx mode.                                                 |
| Kernel-MAC-System-2 | User::Home        | At first launch, AppFw needs to create /home/$USER/App-Shared if not present, labelled User::App-Shared for app-data access, without transmute. |
| Kernel-MAC-System-3 | User::App-Shared  | Shared space between all Apps running for a given user.                                                                                  |
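The following is an added example, not AGL project code, of a minimal evaluator for SMACK rules in the "subject object access" form used under /etc/smack/accesses.d. It implements the default-deny behaviour described above plus the floor, hat and star special cases from the floor table (SMACK's own notation for the floor label is `_`); the sample policy is constructed from the System::Run, System::Shared and System::Log rows of the system-domain tables.

```python
# Added example: evaluate SMACK access rules with the semantics described on
# this page. Not taken from AGL; the POLICY text below is a constructed sample.

ACCESS_BITS = set("rwxatl")

def parse_rules(text):
    """Parse 'subject object access' lines into {(subject, object): set(bits)}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {line!r}")
        subject, obj, access = parts
        rules[(subject, obj)] = set(access) & ACCESS_BITS   # '-' grants nothing
    return rules

def allowed(rules, subject, obj, wanted):
    """True only if every bit in `wanted` is granted to `subject` on `obj`."""
    wanted = set(wanted) & ACCESS_BITS
    if subject == "*":          # a star-labelled subject never gets access
        return False
    if obj == "*":              # star object: any access is permitted
        return True
    if subject == obj:          # a label has full access to objects it owns
        return True
    granted = set()
    if subject == "^":          # hat: read/execute on every object
        granted |= {"r", "x"}
    if obj == "_":              # floor: read/execute for every subject
        granted |= {"r", "x"}
    granted |= rules.get((subject, obj), set())
    if "w" in granted:          # lock is implicit with write (Kernel-MAC-System-2)
        granted.add("l")
    return wanted <= granted    # no rule, no access: default deny

# Constructed policy mirroring the System::Run/Shared/Log rows of the tables.
POLICY = parse_rules("""
System  System::Run     rwxatl
User    System::Run     rwxatl
System  System::Shared  rwxatl
User    System::Shared  r-x
System  System::Log     rwa
User    System::Log     xa
""")
```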

Attack Vectors

There are four major components to the system:

  • The LSM kernel module.
  • The smackfs filesystem.
  • Basic utilities for policy management and checking.
  • The policy/configuration data.

As with any mandatory access control system, policy management needs to be carefully separated from policy checking, as the management utilities can become a convenient point of attack. Dynamic additions to the policy need to be carefully verified: the ability to update policies is often needed, but it introduces a possible threat. Finally, even if policy management is well secured, policy checking and the failure response to that checking are also of vital importance to the smooth operation of the system.

While MAC is certainly a step up in security compared to DAC, there are still many ways to compromise a SMACK-enabled Linux system, including:

  • Disabling SMACK at invocation of the kernel (with command-line: security=none).
  • Disabling SMACK in the kernel build and redeploying the kernel.
  • Changing a SMACK attribute of a file or directory at install time.
  • Tampering with a process with the CAP_MAC_ADMIN privilege.
  • Setting/Re-setting the SMACK label of a file.
  • Tampering with the default domains (i.e. /etc/smack/accesses.d/default-access-domains).
  • Disabling or tampering with the SMACK filesystem (i.e. /smackfs).
  • Adding policies with smackload (adding the utility if not present).
  • Changing labels with chsmack (adding the utility if not present).
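As an added example, not part of the AGL project, the following defender-side check covers several of the vectors above: it compares the rules the kernel currently enforces (as listed by /sys/fs/smackfs/load2, one "subject object access" rule per line) with the rules shipped on disk, so rules added with smackload or widened by tampering show up as drift, and it flags a kernel command line that overrides the LSM. Inputs are passed as text so the check runs offline; all sample data is constructed.

```python
# Added example: detect policy drift between on-disk rules and the rules the
# kernel holds, and flag an LSM override on the kernel command line.
# Not AGL code; ON_DISK and LOADED are constructed samples.

ACCESS_BITS = set("rwxatl")

def rule_set(text):
    """Map (subject, object) -> frozenset of bits; '-' and bit order are ignored."""
    rules = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3:
            rules[(parts[0], parts[1])] = frozenset(parts[2]) & ACCESS_BITS
    return rules

def policy_drift(expected_text, loaded_text):
    """Rules the kernel holds but disk lacks, rules missing from the kernel,
    and rules whose access bits differ (widened or narrowed)."""
    expected, loaded = rule_set(expected_text), rule_set(loaded_text)
    return {
        "added": sorted(k for k in loaded if k not in expected),
        "missing": sorted(k for k in expected if k not in loaded),
        "changed": sorted(k for k in expected
                          if k in loaded and expected[k] != loaded[k]),
    }

def cmdline_findings(cmdline):
    """Flag a 'security=' option that disables SMACK or selects another LSM."""
    return [f"LSM overridden on kernel command line: {tok}"
            for tok in cmdline.split()
            if tok.startswith("security=") and tok != "security=smack"]

# Constructed on-disk policy (what /etc/smack/accesses.d is expected to contain).
ON_DISK = """
System System::Run    rwxatl
User   System::Run    rwxatl
User   System::Shared r-x
"""
# Constructed load2 listing: one rule widened, one rule injected at runtime.
LOADED = """
System System::Run rwxatl
User System::Run rwxatl
User System::Shared rwx
User::Pkg::foo System::Log rw
"""
```

In a deployed check, `ON_DISK` would be read from the files under /etc/smack/accesses.d and `LOADED` from /sys/fs/smackfs/load2.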