From: "Kirill Bolshakov" <kirill.bolshakov@gmail.com>
To: freebsd-security@freebsd.org
Date: Wed, 30 May 2007 02:32:44 +0400
Subject: LoMAC module: cannot get clearance level revoked

Hello Almighty All,

I am trying to get the LoMAC module to revoke a user's privileges.

In my test setup, the user with a higher clearance tries to open a lower
clearance file for reading. After that the process label of the user's
process is checked. As a final test, the user's process tries to write to a
file with the higher integrity label. And he succeeds.

Please find my test setup including the test program below. I will be
grateful for any advice you may have.

I am using FreeBSD 6.1. All MAC stuff enabled, the corresponding module
loaded, and other models evaluated (Biba, MLS, combo).

Thanks,
Kirill

=== TEST PROGRAM ===

#include <sys/types.h>
#include <sys/mac.h>
#include <stdio.h>
#include <stdlib.h>

/* Print the MAC label of the named file. */
void printfilelabel(const char *fname)
{
    mac_t filelabel;
    char *buf;

    if (0 != mac_prepare_file_label(&filelabel)) {
        fprintf(stderr, "printfilelabel(%s): failed to prepare label\n", fname);
        exit(-1);
    }
    if (0 != mac_get_file(fname, filelabel)) {
        fprintf(stderr, "printfilelabel(%s): failed to get label\n", fname);
        exit(-1);
    }
    if (0 != mac_to_text(filelabel, &buf)) {
        fprintf(stderr, "printfilelabel(%s): failed to convert label\n", fname);
        exit(-1);
    }
    printf("\tfilelabel(%s) is %s\n", fname, buf);
    free(buf);
    mac_free(filelabel);
}

/* Print the MAC label of the calling process. */
void printmylabel(void)
{
    mac_t mylabel;
    char *buf;

    if (0 != mac_prepare_process_label(&mylabel)) {
        fprintf(stderr, "printmylabel: failed to prepare label\n");
        exit(-1);
    }
    if (0 != mac_get_proc(mylabel)) {
        fprintf(stderr, "printmylabel: failed to get label\n");
        exit(-1);
    }
    if (0 != mac_to_text(mylabel, &buf)) {
        fprintf(stderr, "printmylabel: failed to convert label\n");
        exit(-1);
    }
    printf("\tMy label is %s\n", buf);
    free(buf);
    mac_free(mylabel);
}

/* Usage: lomactest <file to open for reading> <file to open for writing> */
int main(int argc, char **argv)
{
    if (argc != 3)
        return -1;

    printmylabel();
    printfilelabel(argv[1]);
    printf("Try to open %s for reading...\n", argv[1]);
    FILE *f = fopen(argv[1], "r");
    if (f) {
        /*printf( "Boo! read by lomac/high!\n" );*/
        printf("Open for reading succeeded for %s\n", argv[1]);
        printmylabel();
        printfilelabel(argv[1]);
        fclose(f);
        f = NULL;
        printmylabel();
        printfilelabel(argv[2]);
        printf("Try to open %s for writing\n", argv[2]);
        f = fopen(argv[2], "w");
        if (f) {
            printmylabel();
            printf("Succeeded in opening %s for writing\n", argv[2]);
            printfilelabel(argv[2]);
            fclose(f);
            printfilelabel(argv[2]);
            printmylabel();
        } else {
            printf("Unable to open %s for writing!\n", argv[2]);
        }
    } else {
        printf("Unable to open %s for reading!\n", argv[1]);
    }
    return 0;
}

=== END OF TEST PROGRAM ===

=== TWO TEST FILES ===

The program was run like this:

    ./lomactest testlow test

and the files had these labels:

    testlow: lomac/low
    test:    lomac/high

=== END OF TWO TEST FILES ===

=== LOGIN CLASS ===

lmsecure:\
    :copyright=/etc/COPYRIGHT:\
    :welcome=/etc/motd:\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
    :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
    :manpath=/usr/share/man /usr/local/man:\
    :nologin=/usr/sbin/nologin:\
    :cputime=1h30m:\
    :datasize=8M:\
    :vmemoryuse=100M:\
    :stacksize=2M:\
    :memorylocked=4M:\
    :memoryuse=8M:\
    :filesize=8M:\
    :coredumpsize=8M:\
    :openfiles=24:\
    :maxproc=32:\
    :priority=0:\
    :requirehome:\
    :passwordtime=91d:\
    :umask=022:\
    :ignoretime@:\
    :label=lomac/high(high-high):

=== END OF LOGIN CLASS ===

=== PROGRAM RUN RESULT ===

My label is lomac/high(high-high)
filelabel(testlow) is lomac/low
Try to open testlow for reading...
Open for reading succeeded for testlow
My label is lomac/high(high-high)
filelabel(testlow) is lomac/low
My label is lomac/high(high-high)
filelabel(test) is lomac/high
Try to open test for writing
My label is lomac/high(high-high)
Succeeded in open test for writing
filelabel(test) is lomac/high
filelabel(test) is lomac/high
My label is lomac/high(high-high)

=== END OF PROGRAM RUN RESULT ===
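An added example to make the expected low-watermark behaviour concrete. It is written for this page and is neither the poster's test program nor the mac_lomac(4) kernel code: a small user-space model of the LOMAC rule with the two grades from the post, lomac/low and lomac/high. It models only the basic integrity grade (no auxiliary grades and no ranges such as the "(high-high)" part of the poster's label), and it places the demotion on the read operation itself rather than on the open; that placement, and every function name below, is an assumption of this model. Run on the poster's scenario (a lomac/high subject reads testlow at lomac/low, then tries to write test at lomac/high) it produces the outcome the poster was expecting: the read demotes the subject to low and the later write to the high file is refused, while an open that is never followed by a read leaves the subject untouched.

```c
/* Added example: user-space model of the LOMAC low-watermark rule.
 * Not the poster's program and not the mac_lomac(4) kernel code. It models
 * only the basic grade (no auxiliary grades, no ranges) and assumes that
 * demotion is triggered by the read itself, not by the open. */
#include <stdio.h>

typedef enum { LOMAC_LOW = 0, LOMAC_HIGH = 1 } lomac_grade;

struct subject { const char *name; lomac_grade grade; };
struct object  { const char *name; lomac_grade grade; };

static const char *grade_name(lomac_grade g)
{
    return g == LOMAC_HIGH ? "lomac/high" : "lomac/low";
}

/* In this model opening for read is always permitted and changes nothing:
 * only an actual data flow (a read) carries integrity downwards. */
int lomac_open_read(const struct subject *s, const struct object *o)
{
    (void)s;
    (void)o;
    return 1;
}

/* Low-watermark rule: reading an object of lower integrity demotes the
 * subject to that object's grade. Returns 1 if the subject was demoted. */
int lomac_read(struct subject *s, const struct object *o)
{
    if (o->grade < s->grade) {
        printf("%s reads %s (%s): demoted from %s to %s\n", s->name, o->name,
               grade_name(o->grade), grade_name(s->grade), grade_name(o->grade));
        s->grade = o->grade;
        return 1;
    }
    return 0;
}

/* A subject may write an object only if its grade dominates the object's. */
int lomac_write_allowed(const struct subject *s, const struct object *o)
{
    return s->grade >= o->grade;
}

/* General check: a subject at grade `subj` reads an object at `read_obj`,
 * then asks to write an object at `write_obj`. Returns 1 if that write is
 * allowed under the low-watermark rule, 0 if it is refused. */
int read_then_write(lomac_grade subj, lomac_grade read_obj, lomac_grade write_obj)
{
    struct subject s = { "subject", subj };
    const struct object r = { "read-object", read_obj };
    const struct object w = { "write-object", write_obj };

    lomac_open_read(&s, &r);
    lomac_read(&s, &r);
    return lomac_write_allowed(&s, &w);
}

/* The poster's scenario: lomac/high user, testlow (low), test (high).
 * With actually_read == 0 the file is only opened, never read, which is
 * what the poster's fopen()/fclose() sequence does. Returns 1 if the final
 * write to test is allowed, 0 if refused. */
int poster_scenario(int actually_read)
{
    struct subject user = { "user", LOMAC_HIGH };
    const struct object testlow = { "testlow", LOMAC_LOW };
    const struct object test = { "test", LOMAC_HIGH };
    int allowed;

    lomac_open_read(&user, &testlow);
    if (actually_read)
        lomac_read(&user, &testlow);
    allowed = lomac_write_allowed(&user, &test);
    printf("%s is %s; write to %s (%s): %s\n", user.name, grade_name(user.grade),
           test.name, grade_name(test.grade), allowed ? "allowed" : "refused");
    return allowed;
}

int main(void)
{
    poster_scenario(1);   /* read happens: write to test is refused */
    poster_scenario(0);   /* open only, no read: write to test is allowed */
    return 0;
}
```

The model makes the check a practitioner would run explicit: after the low read, `lomac_write_allowed` on the high file must return 0, and if it returns 1 the demotion never took place.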