[rsbac] script for initial RC policy to use with learning mode

Javier Juan Martínez Cabezón tazok at rsbac.org
Wed Jan 6 17:36:25 CET 2016





Hi all, over the last few days I have been especially cruel to Jens' code: I am reworking his scripts from
https://www.rsbac.org/wiki/experiences/igraltist/rc#toplevel_directories
to do things they were never written for.

I plan to remove the ugly hacks (the global TYPE and ROLE counters and the hard-coded BASE_NUM values) and use arrays instead, reading the roles already in use from `rc_get_item list_roles` to find free role numbers for newly created roles. Note that `declare -a list_used_roles=$(rc_get_item list_roles | awk '{print $1}')` stores the whole output as a single element; `mapfile -t list_used_roles < <(rc_get_item list_roles | awk '{print $1}')` is what actually splits it into one element per line.


It is also planned to use separate functions for emerge/dpkg/rpm (or whatever package system exists) to grant package transactions to root, after root has authenticated against UM, so that the package manager runs under its own role. We still have to decide whether it is better to give the /etc/init.d scripts rc_initial_role or rc_force_role; for now the script sets both :S

For now, reset_caps() clears the max_caps attribute on every binary so that nothing is capability-restricted while learning at boot (this removes a containment layer, so it should be reverted once learning is done). bootscriptsrc() creates a new role and a new type for each init.d script and each cron task; RC names have a 15-character limit (Amon, I think that is too few), so I have to truncate them, which means two scripts with the same prefix end up with identical names.

markrootdir() creates a new type for each top-level entry under / and assigns it to that entry.
markspecbinaries_roles_types() assigns a new fd type and creates a new role for a few special binaries (such as /sbin/init or /bin/su).

It is not fully tested, so it could make your system unbootable: run it only on a test system and keep a way to boot with the policy disabled.

Amon, learning mode first denies the request and then learns it — is this the desired behaviour? It means that the same operation has to be executed many times before everything it needs has been learnt.

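#######################################
# Clear the capability ceiling on every system binary, init script and
# cron job so nothing is capability-restricted while the RC policy is
# being learnt at boot.  The value "UA" is passed to attr_set_file_dir
# verbatim; per the accompanying mail it removes the maximum capability
# set, so restore max_caps after learning or a containment layer is lost.
# Globals:   none written
# Arguments: none
# Outputs:   whatever attr_set_file_dir prints
# Returns:   0 (individual attr_set_file_dir failures are not fatal)
#######################################
function reset_caps(){
  # Subshell so the shell options do not leak out of the function.
  # nullglob: an unmatched pattern (e.g. no /etc/cron.hourly) must not hand
  # the literal "/etc/cron.hourly/*" to attr_set_file_dir.
  # globstar: makes "/usr/libexec/**/*" really recurse; without it "**"
  # only behaves like "*" and only one extra level is visited.
  (
    shopt -s nullglob globstar
    local file
    for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* \
        /bin/* /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
        /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* /usr/libexec/**/*; do
      attr_set_file_dir FD "$file" max_caps UA
    done
  )
}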
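#######################################
# Give every init script and cron job its own RC role plus a full set of
# types, so learning mode records each script's behaviour separately.
# Roles and types are numbered consecutively from 100 in visiting order,
# so re-running on a different set of scripts renumbers everything.
# Arguments: optional list of script paths; with no arguments the
#            /etc/init.d and /etc/cron.{daily,weekly,hourly,monthly}
#            globs are used (unmatched globs are skipped).
# Outputs:   whatever rc_set_item / attr_set_file_dir print; a warning on
#            stderr when a name had to be truncated.
# Returns:   0
#######################################
function bootscriptsrc()
{
  local -a scripts=()
  if (( $# > 0 )); then
    scripts=("$@")
  else
    # nullglob: a missing directory must not leave a literal
    # "/etc/cron.hourly/*" in the list (it would get a role named "*").
    local had_nullglob=0
    shopt -q nullglob && had_nullglob=1
    shopt -s nullglob
    scripts=(/etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/*
             /etc/cron.hourly/* /etc/cron.monthly/*)
    (( had_nullglob )) || shopt -u nullglob
  fi

  local TYPE=100 ROLE=100
  local NAME base NAMESROL NAMESTYPE
  for NAME in "${scripts[@]}"; do
    base=${NAME%/}
    base=${base##*/}
    # RC names are limited to 15 characters: 11 for the role name, 7 for
    # the type stem so the "_NDEV"/"_NOBJ"/... suffixes still fit.
    NAMESROL=${base:0:11}
    NAMESTYPE=${base:0:7}
    if [[ "$base" != "$NAMESROL" ]]; then
      # Truncated names can collide (only the numbers stay unique).
      printf 'bootscriptsrc: %s truncated to role %q / type stem %q (names may collide)\n' \
        "$NAME" "$NAMESROL" "$NAMESTYPE" >&2
    fi

    # create role
    rc_set_item ROLE "$ROLE" name "$NAMESROL"

    # one type per target class, all sharing the same number
    rc_set_item TYPE "$TYPE" type_netdev_name "${NAMESTYPE}_NDEV"
    # NOTE(review): nettemp reuses the _NDEV suffix; kept as written.
    rc_set_item TYPE "$TYPE" type_nettemp_name "${NAMESTYPE}_NDEV"
    rc_set_item TYPE "$TYPE" type_netobj_name "${NAMESTYPE}_NOBJ"
    rc_set_item TYPE "$TYPE" type_user_name "${NAMESTYPE}_USR"
    rc_set_item TYPE "$TYPE" type_group_name "${NAMESTYPE}_GRP"
    rc_set_item TYPE "$TYPE" type_ipc_name "${NAMESTYPE}_IPC"
    rc_set_item TYPE "$TYPE" type_process_name "${NAMESTYPE}_PRC"
    rc_set_item TYPE "$TYPE" type_fd_name "${NAMESTYPE}_FD"

    # everything the script creates gets its own type by default
    rc_set_item ROLE "$ROLE" def_user_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_process_create_type "$TYPE"
    # NOTE(review): 4294967291 / 4294967294 are RSBAC reserved type values
    # kept verbatim from the original policy; confirm their meaning against
    # the RC documentation before relying on them.
    rc_set_item ROLE "$ROLE" def_process_chown_type 4294967291
    rc_set_item ROLE "$ROLE" def_process_execute_type 4294967294
    rc_set_item ROLE "$ROLE" def_ipc_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_group_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_fd_create_type "$TYPE"
    # NOTE(review): argument order here (type first) differs from the /run
    # and /tmp lines below (path first); kept as written — confirm against
    # rc_set_item's syntax for def_fd_ind_create_type.
    rc_set_item ROLE "$ROLE" def_fd_ind_create_type "$TYPE" 4294967294
    rc_set_item ROLE "$ROLE" def_fd_ind_create_type /run "$TYPE"
    rc_set_item ROLE "$ROLE" def_fd_ind_create_type /tmp "$TYPE"
    rc_set_item ROLE "$ROLE" def_unixsock_create_type "$TYPE"

    # Both attributes are set for now (see the accompanying mail): the
    # script is forced into its own role on execution and also carries it
    # as initial role.  Pick one once the policy design is settled.
    attr_set_file_dir FD "$NAME" rc_initial_role "$ROLE"
    attr_set_file_dir FD "$NAME" rc_force_role "$ROLE"
    ROLE=$((ROLE + 1))
    TYPE=$((TYPE + 1))
  done
}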

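#######################################
# Create one RC fd type per top-level entry of a directory tree and assign
# it to that entry.  The type name is the entry's full path, exactly as the
# original policy did (names longer than the RC limit are not truncated
# here).  Types are numbered consecutively from 10 in glob order.
# Arguments: $1 - root directory to scan (default "/"); every entry directly
#            under it is marked, files as well as directories.
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   0
#######################################
function markrootdir()
{
  local root=${1:-/}
  # nullglob: an empty or missing root yields no entries instead of a
  # literal "/*" being handed to rc_set_item.
  local had_nullglob=0
  shopt -q nullglob && had_nullglob=1
  shopt -s nullglob
  # "${root%/}/*" keeps "/" itself expanding to "/*" rather than "//*".
  local -a entries=("${root%/}"/*)
  (( had_nullglob )) || shopt -u nullglob

  local BASE_NUM=10
  local dir
  for dir in "${entries[@]}"; do
    rc_set_item TYPE "$BASE_NUM" type_fd_name "$dir"
    attr_set_file_dir FD "$dir" rc_type_fd "$BASE_NUM"
    BASE_NUM=$((BASE_NUM + 1))
  done
}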

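#######################################
# Give sensitive configuration files and directories (and every /var entry)
# their own RC fd type.  The type name is the basename with "cfg" appended
# (e.g. /etc/shadow -> "shadowcfg"), numbered consecutively from 500.
# A path that does not exist still consumes a type number; only the
# attr_set_file_dir call for it fails.
# Arguments: optional list of paths; with no arguments the built-in list of
#            /etc entries plus /var/* is used (the duplicate /etc/openvpn of
#            the original list is dropped so it no longer gets two types).
# Outputs:   whatever rc_set_item / attr_set_file_dir print
# Returns:   0
#######################################
function markothertypesfiles()
{
  local -a targets=()
  if (( $# > 0 )); then
    targets=("$@")
  else
    # nullglob so a missing /var cannot turn into a literal "/var/*".
    local had_nullglob=0
    shopt -q nullglob && had_nullglob=1
    shopt -s nullglob
    targets=(/etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop
             /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d
             /etc/hiawatha /etc/pam.d /etc/privoxy /etc/tripwire /var/*)
    (( had_nullglob )) || shopt -u nullglob
  fi

  local BASE_NUM=500
  local file base
  for file in "${targets[@]}"; do
    base=${file%/}
    base=${base##*/}
    rc_set_item TYPE "$BASE_NUM" type_fd_name "${base}cfg"
    attr_set_file_dir FD "$file" rc_type_fd "$BASE_NUM"
    BASE_NUM=$((BASE_NUM + 1))
  done
}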

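#######################################
# Give a few security-critical binaries (login path, init, su, boot loader)
# their own RC role plus a full set of types.  Unlike bootscriptsrc the
# binary itself is marked with the new fd type and only rc_initial_role is
# set (no rc_force_role).  Roles and types are numbered consecutively from
# 800 in argument order.
# Arguments: optional list of binaries; with no arguments the built-in
#            list /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo is
#            used (a missing binary still consumes a role/type number).
# Outputs:   whatever rc_set_item / attr_set_file_dir print; a warning on
#            stderr when a name had to be truncated.
# Returns:   0
#######################################
function markspecbinaries_roles_types()
{
  local -a binaries=(/sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo)
  if (( $# > 0 )); then
    binaries=("$@")
  fi

  local TYPE=800 ROLE=800
  local NAME base NAMESROL NAMESTYPE
  for NAME in "${binaries[@]}"; do
    base=${NAME%/}
    base=${base##*/}
    # RC names are limited to 15 characters: 11 for the role name, 7 for
    # the type stem so the "_NDEV"/"_NOBJ"/... suffixes still fit.
    NAMESROL=${base:0:11}
    NAMESTYPE=${base:0:7}
    if [[ "$base" != "$NAMESROL" ]]; then
      # Truncated names can collide (only the numbers stay unique).
      printf 'markspecbinaries_roles_types: %s truncated to role %q / type stem %q (names may collide)\n' \
        "$NAME" "$NAMESROL" "$NAMESTYPE" >&2
    fi

    # create role
    rc_set_item ROLE "$ROLE" name "$NAMESROL"

    # one type per target class, all sharing the same number
    rc_set_item TYPE "$TYPE" type_netdev_name "${NAMESTYPE}_NDEV"
    # NOTE(review): nettemp reuses the _NDEV suffix; kept as written.
    rc_set_item TYPE "$TYPE" type_nettemp_name "${NAMESTYPE}_NDEV"
    rc_set_item TYPE "$TYPE" type_netobj_name "${NAMESTYPE}_NOBJ"
    rc_set_item TYPE "$TYPE" type_user_name "${NAMESTYPE}_USR"
    rc_set_item TYPE "$TYPE" type_group_name "${NAMESTYPE}_GRP"
    rc_set_item TYPE "$TYPE" type_ipc_name "${NAMESTYPE}_IPC"
    rc_set_item TYPE "$TYPE" type_process_name "${NAMESTYPE}_PRC"
    rc_set_item TYPE "$TYPE" type_fd_name "${NAMESTYPE}_FD"

    # everything the binary creates gets its own type by default
    rc_set_item ROLE "$ROLE" def_user_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_process_create_type "$TYPE"
    # NOTE(review): 4294967291 / 4294967294 are RSBAC reserved type values
    # kept verbatim from the original policy; confirm their meaning against
    # the RC documentation before relying on them.
    rc_set_item ROLE "$ROLE" def_process_chown_type 4294967291
    rc_set_item ROLE "$ROLE" def_process_execute_type 4294967294
    rc_set_item ROLE "$ROLE" def_ipc_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_group_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_fd_create_type "$TYPE"
    # NOTE(review): argument order here (type first) differs from the /run
    # and /tmp lines below (path first); kept as written — confirm against
    # rc_set_item's syntax for def_fd_ind_create_type.
    rc_set_item ROLE "$ROLE" def_fd_ind_create_type "$TYPE" 4294967294
    rc_set_item ROLE "$ROLE" def_unixsock_create_type "$TYPE"
    rc_set_item ROLE "$ROLE" def_fd_ind_create_type /run "$TYPE"
    rc_set_item ROLE "$ROLE" def_fd_ind_create_type /tmp "$TYPE"

    # The binary starts in its own role and is itself labelled with the
    # new fd type; no rc_force_role here, unlike bootscriptsrc.
    attr_set_file_dir FD "$NAME" rc_initial_role "$ROLE"
    attr_set_file_dir FD "$NAME" rc_type_fd "$TYPE"
    ROLE=$((ROLE + 1))
    TYPE=$((TYPE + 1))
  done
}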
#######################################
# Placeholder for trusted path execution; nothing is enforced yet, the
# function only announces that it is still to be written.
# Outputs:   the placeholder message on stdout
# Returns:   0
#######################################
function trusted_path_execution()
{
  printf '%s\n' 'dummy, to be written with arrays too :), dont get angry....yet'
}
#######################################
# Entry point: lift the capability ceilings first so learning is not
# blocked, then create roles/types for boot scripts, configuration files,
# top-level directories and finally the special binaries.
#######################################
main() {
  reset_caps
  bootscriptsrc
  markothertypesfiles
  markrootdir
  markspecbinaries_roles_types
}
main "$@"

