[rsbac] script for initial RC policy to use with learning mode

Javier Juan Martínez Cabezón tazok at rsbac.org
Wed Jan 13 17:43:14 CET 2016


On 07/01/16 16:56, Jens Kasten wrote:
> Hi Juan,
> 
> Today I would never use shell scripts for such tasks anymore. They 
> are good for testing, but then it should be enough after the 
> experimental phase. Python is for me the better shell :)
> 
> When thinking of RC roles, then there has to be a good
> config setup. For me e.g. a user installs an nginx server. Therefore
> a modern config file format must exist that ships all information.
> Hardcoded RC types would produce a conflict in the future
> because an independent developer could not write policies.
> 
> Jens
> 
> 
> On 06.01.2016 17:36 Javier Juan Martínez Cabezón 
> <tazok at rsbac.org> wrote:
>> 

Nah, I agree to some degree with you, but generally no.. The main
problem is that I will restrict in the script the use of python and
perl xDD. If you surely would not grant me the use of perl or python
on your critical_and_very_secret_cubietruck_server, I would not do
it for others either (remember that some time ago I accidentally defaced
the main rsbac page; imagine what I could do to your raspberry pi with
python, accessing your GPIO ports)....

Perl and Python are too powerful, enough even to write exploits :-S. Bash
is more standardized and faster (take note that this version of the
script uses arrays, and in python it would be deadly slow (even the
rsbac*menu admin dialog tools are written in bash (message to Amon,
to put in the todo list: just prior to building the cloning machine, rsbac_menu
tools written in SDL with pygame (in pygame because Jens would have fun
hacking it, and it could be used with a framebuffer in text mode, and
well, if you like we could add a pacman somewhere on the screen
feeding on your files).

NOTE: I have the main screen written, only everything else is left; kang,
I think, has the only existing backup of the sources in a mail from
me, I sent it to him some time ago, and maybe that one is the only copy that
exists in the world right now.


> For me e.g. a user installs an nginx server. Therefore a modern 
> config file format must exist that ships all information. Hardcoded RC 
> types would produce a conflict in the future because an
> independent developer could not write policies.


The main problem with that is that in rsbac "config files" live in
kernel land, not in userland, or are you suggesting something like
iptables? Too slow to be loading policies on each reboot, don't you
think, and incompatible with some B grade in the Orange Book |_:S.

I have solved (I think) the hack of hardcoded types; now the script
looks like a real script and not like text written by a (something
like) drunken_amateur_programmer_after_a_bad_day from the point of
view of a real programmer...

Roles, types and names are allocated automagically to avoid collisions
and overwriting.... However it could be broken in too many places, and
surely mine is not the best way to do things.

I have planned to add many checks, as in if [ -z blablabla ] with
binaries, and maybe use and abuse and even misuse $(whereis
blablabla).

For now I think these could be added as functions:

rc_dummyroot(): copy the root role to a new one, copied from general user and
assigned to the root account (in progress)

cap_rc_create_forensic_role(): a req_reauth authenticated forced role
that can read anything, even RAM memory, and can access any devices raw
(in progress, a lot of copy-paste from prior code with some tuning)

cap_rc_package_system(): another forced re-authenticated role that could
read and write anything not in the /home /admin /root directories and can change
anything, assign rights everywhere under their "owned" types and with
individual_fd_create_type everywhere too.

rc_mark_devices(): assign each (group of?) device(s) its own dev and fd type.

rc_mark_proc_sys(): assign /proc/kcore or /proc/config.gz... or anything
else its own fd_type.

rc_restrict_perl_python()

rc_forbid_send_to_terminals(): tiocsti kill.
rc_forbid_scd_kmem_to_allnotforensic()
rc_mozilla_isolation_to_protect_user_files_against_ransomware()

One of these days I will do it. I think I'm going to sleep now. Have fun.

function cap_reset_caps()
{
# Revoke the capability ceiling (max_caps) on every system binary and service
# script, so that capabilities are only granted again explicitly.
shopt -s globstar   # needed for the /usr/libexec/**/* pattern
# The word list was wrapped by the mailer; bash needs continuation backslashes.
for file in /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* \
  /usr/sbin/* /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
  /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.d/* \
  /usr/libexec/**/*
do
  attr_set_file_dir FD "$file" max_caps UA
done
}


function rc_bootscriptsrc()
{
# Give every init and cron script its own forced role and a private set of
# types, picking numbers that are not yet in use.
# "declare -a x=$(...)" stored the whole output in a single element; build
# real arrays instead (word splitting on the rc_get_item output is intended).
list_used_roles=( $(rc_get_item list_role_nr) )
list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
list_used_dev_types=( $(rc_get_item list_dev_type_nr) )
list_used_ipc_types=( $(rc_get_item list_ipc_type_nr) )
list_used_user_types=( $(rc_get_item list_user_type_nr) )
list_used_process_types=( $(rc_get_item list_process_type_nr) )
list_used_group_types=( $(rc_get_item list_group_types | awk '{print $1}') )
# ASSUMPTION: list_netobj_type_nr is assumed to exist by analogy with the
# other list_*_type_nr queries; the original re-checked the role list here.
list_used_netobj_types=( $(rc_get_item list_netobj_type_nr) )

# in_list NUM ITEM...: exact match (the =~ test would let 10 match 100)
in_list() { local n=$1 x; shift; for x in "$@"; do [[ $x == "$n" ]] && return 0; done; return 1; }

TYPE=100
ROLE=100
for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* \
  /etc/cron.hourly/* /etc/cron.monthly/*
do
  NAMESPROV="$(basename "$NAME")"
  NAMESROL="${NAMESPROV:0:11}"   # truncated as in the original (cut -c-11)
  NAMESTYPE="${NAMESPROV:0:7}"   # truncated as in the original (cut -c-7)
  # create role
  while in_list "$ROLE" "${list_used_roles[@]}"; do ((ROLE++)); done
  rc_set_item ROLE ${ROLE} name "${NAMESROL}"

  # netobj type
  while in_list "$TYPE" "${list_used_netobj_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"

  # user type (the default create type is set while TYPE still holds this number)
  while in_list "$TYPE" "${list_used_user_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
  rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}

  # group type (the original checked the user type list here)
  while in_list "$TYPE" "${list_used_group_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
  rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}

  # ipc type
  while in_list "$TYPE" "${list_used_ipc_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
  rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}

  # process type
  while in_list "$TYPE" "${list_used_process_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
  rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
  rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
  rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294

  # fd type
  while in_list "$TYPE" "${list_used_fd_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
  rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
  rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
  rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
  rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
  rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
  attr_set_file_dir FD "${NAME}" rc_initial_role ${ROLE}
  attr_set_file_dir FD "${NAME}" rc_force_role ${ROLE}

  # The used lists were read once, before the loop: move past the numbers
  # just handed out, or every script would get the same role and types.
  ((ROLE++)); ((TYPE++))
done
}

function rc_markrootdir()
{
# Give each top-level directory its own fd type, named after the directory.
BASE_NUM=100
list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
# in_list NUM ITEM...: exact match (the =~ test would let 10 match 100)
in_list() { local n=$1 x; shift; for x in "$@"; do [[ $x == "$n" ]] && return 0; done; return 1; }
for dir in /*; do
  while in_list "$BASE_NUM" "${list_used_fd_types[@]}"; do ((BASE_NUM++)); done
  rc_set_item TYPE ${BASE_NUM} type_fd_name "${dir}"
  attr_set_file_dir FD "${dir}" rc_type_fd ${BASE_NUM}
  ((BASE_NUM++))   # the list was read once; never hand out the same number twice
done
}

function rc_markothertypesfiles()
{
# Give sensitive configuration files and directories their own fd types,
# named "<basename>cfg".
BASE_NUM=100
list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
# in_list NUM ITEM...: exact match (the =~ test would let 10 match 100)
in_list() { local n=$1 x; shift; for x in "$@"; do [[ $x == "$n" ]] && return 0; done; return 1; }
for file in /etc/conf.d /etc/default /etc/lilo.conf /etc/fwknop \
  /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d \
  /etc/hiawatha /etc/pam.d /etc/privoxy /etc/tripwire /var/*
do
  while in_list "$BASE_NUM" "${list_used_fd_types[@]}"; do ((BASE_NUM++)); done
  NAME="$(basename "$file")cfg"
  rc_set_item TYPE ${BASE_NUM} type_fd_name "${NAME}"
  attr_set_file_dir FD "${file}" rc_type_fd ${BASE_NUM}   # the original used $dir here
  ((BASE_NUM++))   # the list was read once; never hand out the same number twice
done
}

function rc_markbinaries_roles_types()
{
# Give each login/privilege-transition binary its own forced role and a
# private set of types, picking numbers that are not yet in use.
TYPE=100
ROLE=100
# "declare -a x=$(...)" stored the whole output in a single element; build
# real arrays instead (word splitting on the rc_get_item output is intended).
list_used_roles=( $(rc_get_item list_role_nr) )
list_used_fd_types=( $(rc_get_item list_fd_type_nr) )
list_used_dev_types=( $(rc_get_item list_dev_type_nr) )
list_used_ipc_types=( $(rc_get_item list_ipc_type_nr) )
list_used_user_types=( $(rc_get_item list_user_type_nr) )
list_used_process_types=( $(rc_get_item list_process_type_nr) )
list_used_group_types=( $(rc_get_item list_group_types | awk '{print $1}') )
# ASSUMPTION: list_netobj_type_nr is assumed to exist by analogy with the
# other list_*_type_nr queries; the original re-checked the role list here.
list_used_netobj_types=( $(rc_get_item list_netobj_type_nr) )

# in_list NUM ITEM...: exact match (the =~ test would let 10 match 100)
in_list() { local n=$1 x; shift; for x in "$@"; do [[ $x == "$n" ]] && return 0; done; return 1; }

for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo \
  /usr/bin/sudo
do
  NAMESPROV="$(basename "$NAME")"
  NAMESROL="${NAMESPROV:0:11}"   # truncated as in the original (cut -c-11)
  NAMESTYPE="${NAMESPROV:0:7}"   # truncated as in the original (cut -c-7)
  # create role
  while in_list "$ROLE" "${list_used_roles[@]}"; do ((ROLE++)); done
  rc_set_item ROLE ${ROLE} name "${NAMESROL}"

  # netobj type
  while in_list "$TYPE" "${list_used_netobj_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ"

  # user type (the default create type is set while TYPE still holds this number)
  while in_list "$TYPE" "${list_used_user_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR"
  rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}

  # group type (the original checked the user type list here)
  while in_list "$TYPE" "${list_used_group_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP"
  rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}

  # ipc type
  while in_list "$TYPE" "${list_used_ipc_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC"
  rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}

  # process type
  while in_list "$TYPE" "${list_used_process_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC"
  rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
  rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291
  rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294

  # fd type
  while in_list "$TYPE" "${list_used_fd_types[@]}"; do ((TYPE++)); done
  rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD"
  rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
  rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294
  rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE}
  rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE}
  rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
  attr_set_file_dir FD "${NAME}" rc_initial_role ${ROLE}
  attr_set_file_dir FD "${NAME}" rc_force_role ${ROLE}

  # The used lists were read once, before the loop: move past the numbers
  # just handed out, or every binary would get the same role and types.
  ((ROLE++)); ((TYPE++))
done
}

function rc_trusted_path_execution()
{
# Trusted path execution as the original intends: first take MAP_EXEC and
# EXECUTE away from every role on every fd type (-k), then grant them back
# (-a) only on the fd types of the system binary directories.
list_used_roles=( $(rc_get_item list_role_nr) )
list_used_fd_types=( $(rc_get_item list_fd_type_nr) )

for all_roles in "${list_used_roles[@]}"
do
  for all_types in "${list_used_fd_types[@]}"
  do
    rc_set_item -k ROLE "${all_roles}" type_comp_fd "${all_types}" MAP_EXEC EXECUTE
  done
done

for all_roles in "${list_used_roles[@]}"
do
  for dir in /usr/local/bin /usr/local/sbin /sbin /usr/bin /bin /usr/sbin \
    /usr/libexec
  do
    rc_set_item -a ROLE "${all_roles}" type_comp_fd \
      "$(attr_get_file_dir RC FD "${dir}" rc_type_fd)" MAP_EXEC EXECUTE
  done
done
# printed once instead of once per role and directory
echo "incomplete function, what happens with cron scripts and init.d ones, can you tell me?"
}
cap_reset_caps
rc_bootscriptsrc
rc_markothertypesfiles
rc_markrootdir
rc_markbinaries_roles_types
rc_trusted_path_execution
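The free-number and name allocation that every function in the script above repeats, as an added example that is not part of the mail or of RSBAC's own tools. rc_get_item is not called; its output is replaced by constructed lists, the helpers are hypothetical names, and plan_boot_roles only prints what it would assign instead of calling rc_set_item. It also shows the two collisions the script's approach misses: a substring match lets 100 shadow 1000, and two scripts whose names share the first seven characters get the same type name.

```shell
# Added example (not from the mail or RSBAC), POSIX sh.
USED_ROLES="0 1 2 3 4 100 101 1000"      # constructed stand-in for list_role_nr
USED_FD_TYPES="0 1 2 3 100 102"          # constructed stand-in for list_fd_type_nr

# first_free_nr USED START: lowest number >= START that is not a token of USED.
# Whole-token match: a regex test like [[ $USED =~ $n ]] would let 100 shadow 1000.
first_free_nr() {
    n=$2
    while :; do
        case " $1 " in
            *" $n "*) n=$((n + 1)) ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$n"
}

# short_name PATH MAXLEN: basename truncated the way the script does with cut -c-N.
short_name() {
    basename "$1" | cut -c1-"$2"
}

# unique_name NAME TAKEN: NAME, or NAME plus a numeric suffix if already in TAKEN.
unique_name() {
    cand=$1; i=1
    while :; do
        case " $2 " in
            *" $cand "*) cand="$1$i"; i=$((i + 1)) ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$cand"
}

# plan_boot_roles PATH...: one line per script, "PATH ROLE FDTYPE ROLENAME TYPENAME".
# Dry run only; the output is what rc_set_item/attr_set_file_dir would be fed.
plan_boot_roles() {
    role=100; type=100; taken=""
    for p in "$@"; do
        r=$(first_free_nr "$USED_ROLES" "$role")
        t=$(first_free_nr "$USED_FD_TYPES" "$type")
        rn=$(unique_name "$(short_name "$p" 11)" "$taken")
        tn=$(unique_name "$(short_name "$p" 7)_FD" "$taken")
        taken="$taken $rn $tn"
        printf '%s %s %s %s %s\n' "$p" "$r" "$t" "$rn" "$tn"
        role=$((r + 1)); type=$((t + 1))   # never reuse a number just handed out
    done
}
```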