On Thu, Jun 1, 2017 at 1:35 AM, Serge E. Hallyn <[email protected]> wrote:
> Quoting Casey Schaufler ([email protected]):
>>
>>
>> On 5/31/2017 3:59 AM, Peter Dolding wrote:
>> > ...
>> >
>> > Like you see here in Australian government policy there is another
>> > thing called whitelisted.
>> > https://www.asd.gov.au/publications/protect/top_4_mitigations_linux.htm
>> > Matthew Garrett you might want to call IMA whitelisting Australian
>> > government for one does not agree. IMA is signed. The difference
>> > between signed and white-listed is you might have signed a lot more
>> > than what a particular system is white-listed to allowed used.
>> >
>> To be clear, I'm all for a security module to support this policy.
>> As the explicit requirement is for a whitelist, as opposed to allowing
>> for a properly configured system*, you can't use any of the existing
>> technologies to meet it. This kind of thing** is why we have a LSM
>> infrastructure.
>>
>> Unfortunately, the implementation proposed has very serious issues.
>> You can't do access control from userspace. You can't count on
>> identifying programs strictly by pathname. It's much more complicated
>> than it needs to be for the task.
>>
>> Suggestion:
>>
>> Create an security module that looks for the attribute
>>
>> security.WHITELISTED
>
> Bonus, you can have EVM verify the validity of these xattrs, and
> IMA verify the interity of the file itself.
Complete fail. You have to think of a whitelist as a list you give
to a security at a gate.
Shot-gunned all over the file system that you have to search down what
is approved is not acceptable.
I should be more clear you need a whitelist file to tick the box.
Where you can open up 1 file and see everything that is on the
approved list. Same with blacklist. Think of it like a list of
invited guests given to a security guard at a door. You can check
who is invited by look at that list. Attribute is like saying if
the person has X id let them in and going to the guard at the door to
see who is let in is not going to help you.
Of course just because the guard at door is letting people on the list
in does not mean they are not checking ids as well. This is not an
either or issue this is an add a feature.
So whitelist file and Attribute in production usage function way
differently. You don't want to have to scan a complete filesystem
all the time looking for stray set attributes.
Whitelist and Blacklisting fits into IMA not LSM really. Because
you need to be able to use other LSM at the same time as
white/blacklists.
EVM and attributes they are so easy to use that implement
whitelist/blacklist files has not be done. Including means to sign
whitelist files to prevent modification when required.
So what both of you are suggest is not the right item to tick the box
to claim Linux has whitelist support.
Linux has hacks to implement whitelist support not properly whitelist
support that is functional in the right way.
Whitelist functional in the right way look in 1 location know what is set.
Also IMA support for containers is kind required supporting
whitelist/blacklist files because setting everything into attribute
can become very impractical.
So this is something that is missing.
Peter Dolding
Quoting Peter Dolding ([email protected]):
> On Thu, Jun 1, 2017 at 1:35 AM, Serge E. Hallyn <[email protected]> wrote:
> > Quoting Casey Schaufler ([email protected]):
> >>
> >>
> >> On 5/31/2017 3:59 AM, Peter Dolding wrote:
> >> > ...
> >> >
> >> > Like you see here in Australian government policy there is another
> >> > thing called whitelisted.
> >> > https://www.asd.gov.au/publications/protect/top_4_mitigations_linux.htm
> >> > Matthew Garrett you might want to call IMA whitelisting Australian
> >> > government for one does not agree. IMA is signed. The difference
> >> > between signed and white-listed is you might have signed a lot more
> >> > than what a particular system is white-listed to allowed used.
> >> >
> >> To be clear, I'm all for a security module to support this policy.
> >> As the explicit requirement is for a whitelist, as opposed to allowing
> >> for a properly configured system*, you can't use any of the existing
> >> technologies to meet it. This kind of thing** is why we have a LSM
> >> infrastructure.
> >>
> >> Unfortunately, the implementation proposed has very serious issues.
> >> You can't do access control from userspace. You can't count on
> >> identifying programs strictly by pathname. It's much more complicated
> >> than it needs to be for the task.
> >>
> >> Suggestion:
> >>
> >> Create an security module that looks for the attribute
> >>
> >> security.WHITELISTED
> >
> > Bonus, you can have EVM verify the validity of these xattrs, and
> > IMA verify the interity of the file itself.
>
> Complete fail. You have to think of a whitelist as a list you give
> to a security at a gate.
>
> Shot-gunned all over the file system that you have to search down what
> is approved is not acceptable.
>
> I should be more clear you need a whitelist file to tick the box.
So you do what SELinux does. You offer a list of 'at-boot' files which a
relabeling program goes over and measures. But when it is time to check if
someone is allowed ot run a program, you check what is stored with the file
being run. The security.WHITELISTED xattr :) Not the list. It was good
enough for CAPP and LSPP, should be good enough for your org.
If that doesn't suffice, then you will not be able to tick the box, and you
should go back to the people who drew the box and have them update their
requirements. They're usually pretty interested.
> Where you can open up 1 file and see everything that is on the
> approved list. Same with blacklist. Think of it like a list of
That '1 file' is just a user interface/toolset issue. It doesn't restrict
how the kernel implements it.
-serge