User Tools
модули_mac
This is an old revision of the document!
Table of Contents
Модули MAC
Вариант использования как AppArmor
Выбор приложения
Тестирование
# fetch -qo - http://server.corpX.un/index.html # fetch -qo - http://server.corpX.un/../../etc/passwd
Патчинг модулей biba и mls
Идея: все процессы будут работать с меткой equal по умолчанию
# rcsdiff /usr/src/sys/security/mac_mls/mac_mls.c
875c875 < mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL); --- > mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
# rcsdiff /usr/src/sys/security/mac_biba/mac_biba.c
915c915 < biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL); --- > biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
Включение модулей при загрузке
# cat /boot/loader.conf
mac_mls_load="YES" mac_biba_load="YES"
# init 6 # ps axZ
Включение множественных меток на файловой системе
- В однопользовательский режим выполняем:
# tunefs -l enable / # init 6
- Проверки:
# mount
/dev/ad0s1a on / (ufs, local, multilabel) ...
# getfmac /etc/passwd # ls -Zl /etc/passwd
Установка меток на файловую систему
!!! Процесс занимает 2-5 минут !!!
# setfmac 'biba/high,mls/high' /etc/passwd # ldd /bin/sh # ldd /bin/cat # ldd /usr/bin/file # man file # cat /etc/policy.contexts
.* biba/high,mls/high / biba/equal,mls/equal /var biba/equal,mls/equal /var/www biba/equal,mls/equal /var/www/.* biba/equal,mls/equal /bin biba/equal,mls/equal /bin/sh biba/equal,mls/equal /bin/cat biba/equal,mls/equal /libexec biba/equal,mls/equal /libexec/ld-elf.so.1 biba/equal,mls/equal /lib biba/equal,mls/equal /lib/libedit.so.7 biba/equal,mls/equal /lib/libncursesw.so.8 biba/equal,mls/equal /lib/libc.so.7 biba/equal,mls/equal /usr biba/equal,mls/equal /usr/bin biba/equal,mls/equal /usr/bin/file biba/equal,mls/equal /lib/libz.so.6 biba/equal,mls/equal /usr/lib biba/equal,mls/equal /usr/lib/libmagic.so.4 biba/equal,mls/equal /usr/share biba/equal,mls/equal /usr/share/misc biba/equal,mls/equal /usr/share/misc/magic biba/equal,mls/equal /usr/local biba/equal,mls/equal /usr/local/sbin biba/equal,mls/equal /usr/local/sbin/webd biba/equal,mls/equal
# setfsmac -evf /etc/policy.contexts /
Запуск приложения
# cat /etc/inetd.conf
... http stream tcp nowait root /usr/sbin/setpmac setpmac biba/low,mls/low /usr/local/sbin/webd
модули_mac.1511934473.txt.gz · Last modified: 2017/11/29 08:47 by val
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
