Path-based file system MAC policy
Project Description
The main goal of this project is to extend the existing ugidfw (bsdextended) MAC policy to allow for path-based filesystem policies. Currently the ugidfw policy can only restrict operations based on file attributes such as the owner's uid or gid, mount points, etc. It is not possible to identify, by its path, the file on which a policy rule should restrict access. This makes the policy difficult to use, and in some cases, impractical.
The primary obstacle that I will be facing is matching vnodes with the path information provided in ugidfw rules: the path is no longer available once a file has been opened and a vnode has been assigned to the file descriptor.
The extensions to the ugidfw utility would allow for rules such as the following to be used:
# ugidfw set 10 subject uid 1002 object filepath /home/clsk/sample.txt type r mode rwx
This rule would restrict the user with uid 1002 to read, write and execute access (only) on the file /home/clsk/sample.txt (of type "regular file").
# ugidfw set 20 subject uid ! 1000 object filepath /home/clsk/secret_file.txt type r mode n
# ugidfw set 30 subject uid 1000 object filepath /home/clsk/secret_file.txt type r mode arswx
These two rules would restrict the file /home/clsk/secret_file.txt (of type "regular file") so that only the user with uid 1000 can access it (and no one else).
Approach to solving the problem
The approach I'm taking is to modify the ugidfw tool and the mac_bsdextended module so that paths can be entered as object conditions. When a path is entered as a condition it is immediately resolved to the vnode's vattr->va_fileid, and that file id is stored in the rule being added.
This means that it will be necessary to keep the policy up to date by monitoring changes to path names.
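To make the rule examples and this approach concrete, here is an added user-space Python model (not the project's code): a path is resolved to a file id when the rule is parsed, and the access check later sees only the uid and the vnode's file id, never the path. The FAKE_FS table, the first-matching-rule-decides evaluation order and the use of st_dev alongside st_ino are assumptions of this model, not behaviour taken from the page.

```python
# Model of ugidfw filepath rules: resolve the path at rule-insertion time,
# match on (fsid, fileid) at access time. Added example, not project code.
import os
import re
from errno import EACCES

# ugidfw(8) mode letters: a=admin r=read s=stat w=write x=exec, n=none
MODE_BITS = {"a": 1, "r": 2, "s": 4, "w": 8, "x": 16, "n": 0}

# Constructed stand-in for os.stat(): path -> (st_dev, st_ino)
FAKE_FS = {"/home/clsk/sample.txt": (7, 41), "/home/clsk/secret_file.txt": (7, 42)}

def stat_fileid(path):
    """Real resolver: file ids are only unique within one filesystem, so
    keep the device (fsid) next to the inode number (assumption)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

# Accepts the rule body after the root prompt and the "ugidfw" command name.
RULE_RE = re.compile(r"set (\d+) subject uid (!\s*)?(\d+) object filepath (\S+)"
                     r" type r mode ([arswxn]+)")

def parse_rule(line, resolve=stat_fileid):
    """Parse one filepath rule; the path is resolved immediately to a file id."""
    m = RULE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("unsupported rule: " + line)
    num, neg, uid, path, mode = m.groups()
    bits = 0
    for c in mode:
        bits |= MODE_BITS[c]
    return {"num": int(num), "uid": int(uid), "neg": neg is not None,
            "fileid": resolve(path), "mode": bits}

def check_access(rules, uid, fileid, acc):
    """Vnode-time check: only the uid and (fsid, fileid) are known, not the path.
    First matching rule decides (modelling assumption); no match falls through."""
    for r in sorted(rules, key=lambda r: r["num"]):
        subj = (uid == r["uid"]) != r["neg"]   # '!' negates the uid match
        if subj and fileid == r["fileid"]:
            return 0 if (acc & ~r["mode"]) == 0 else EACCES
    return 0

def demo():
    rules = [parse_rule(l, FAKE_FS.__getitem__) for l in (
        "set 10 subject uid 1002 object filepath /home/clsk/sample.txt type r mode rwx",
        "set 20 subject uid ! 1000 object filepath /home/clsk/secret_file.txt type r mode n",
        "set 30 subject uid 1000 object filepath /home/clsk/secret_file.txt type r mode arswx")]
    secret, sample = FAKE_FS["/home/clsk/secret_file.txt"], FAKE_FS["/home/clsk/sample.txt"]
    R, W, A = MODE_BITS["r"], MODE_BITS["w"], MODE_BITS["a"]
    return (check_access(rules, 1000, secret, R | W),   # uid 1000: allowed by rule 30
            check_access(rules, 1002, secret, R),       # anyone else: rule 20 -> EACCES
            check_access(rules, 1002, sample, R | W),   # rule 10 grants rwx
            check_access(rules, 1002, sample, A))       # but not admin -> EACCES
```

Note that a rename of the file does not change its file id, which is why the kernel-side match still works after a move within a filesystem but path changes must be tracked to keep the rule's meaning intact.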
Milestones
- Modify libugidfw to accept filepath object conditions [done]
- Modify mac_bsdextended module to check filepath object conditions on vnode operations [done]
- Track file moves to other operating systems to update fileid
- Create automated tests to make sure everything works as expected.
The Code
The code is hosted in FreeBSD's GSoC SVN repository.
There's a ViewVC interface to the repository here.
Contact: AlanAlvarez