3

Allow only trusted applications to access private data

asked 2018-09-21 08:54:44 -0600

sion0

updated 2018-09-30 23:31:31 -0600

Hello, Fedora! It seems that you are the only one who cares about security. So I will ask my question to you.

I am starting to write my own LSM. But before I drown in this, I want to make triple sure my goals can't be achieved using SELinux or other existing LSMs.

In SELinux every file and every process has a security label attached. And we need to write rules like: "I want to allow process labelled with LABEL1 to read files labelled with LABEL2". Also we can write domain transition rules like: "If process labelled with LABEL1 starts executable labelled with LABEL2, I want new process to be labelled as LABEL3, not LABEL1". This is good if you want to confine some untrusted (or potentially vulnerable) applications.

But my goal is different. I need the ability to mark some files as PRIVATE and no application should be able to access these files without a permissive rule. Using SELinux, I can't allow transition to a more permissive domain (for good reasons). And I don't want to use sudo to switch to a more permissive domain. Furthermore, I need the ability to mark files with multiple labels (like "Photos" + "Holly"). And only processes that are allowed to read all labels should be able to read such a file.

Is it possible?

UPDATE

I started to develop my own LSM (SELinux replacement). It seems like no one here is interested. But, just in case, you can find me here:

https://gitlab.com/mogryph/chariot

or here:

knight@mail.ua


2 Answers

2

answered 2018-09-24 11:53:47 -0600

sion0

updated 2018-09-24 12:02:50 -0600

In the end, I started to develop my own LSM (Linux Security Module). Currently, it is in the initial stage of development, but it already allows achieving (almost) what I wanted. Here are the basic principles:

  1. User can define up to 64 permissions. Permissions are identified by number, but also may have human-readable aliases. Examples:
    a) 1="Permission to read private photos"
    b) 2="Permission to read and write browser cookies"
    c) 3="Permission to read and write private notes"

  2. Using simple utility, user can mark any file to set:
    a) permissions required to read this file;
    b) permissions required to modify this file;
    c) permissions this file may have if executed.
    Examples:
    a) We make permission #1 (read priv photos) required to read some particular photo file.
    b) We set that program "/bin/firefox" cannot have any permissions if executed (meaningless because this is default).
    c) We set that program "/bin/cat" can have any permissions if executed.
    d) We set that program "/bin/imageview" can have permission #1 but not any other.

  3. IMPORTANT: Programs (processes) can't have permissions that their parent doesn't have. Examples:
    a) "/bin/firefox" can't use "/bin/cat" to read private photo. "cat" will lose all permissions if launched by "firefox".

  4. PID 1 (parent of all userspace processes) starts with full permissions. After that, permissions of every program are determined by removing permissions this program doesn't have from its parent's permissions.

  5. By default, programs have no permissions. And files need no permissions to read/modify them. So enabling my LSM can't break anything.

  6. There are also plans to implement system permissions like "use internet" or "use microphone".

Something like this... Please tell me if you see critical breaches in such logic.

On my PC, I was forced to give full permissions to the following programs: systemd, agetty, login, bash, xinit, sh, startkde, kdeinit5, konsole.

Now programs I launch from the KDE menu or from konsole may have any permissions. But most of them don't have any of course.

P.S. Currently I use single uint64_t to store sets of permissions. This allows very fast permission transition and access checks (simple bitwise operations).

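The transition and access-check rules from the answer above, as an added example in C; it is not part of the original post and is not the chariot project's code. The type, macro and function names, the mapping of permission #n to bit n-1, and the sample labels are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t perm_set;                   /* one bit per permission, as in the P.S. */
#define PERM(n)   ((perm_set)1 << ((n) - 1)) /* assumed mapping: permission #n -> bit n-1 */
#define PERM_ALL  (~(perm_set)0)
#define PERM_NONE ((perm_set)0)

/* Hypothetical per-file label holding the three sets from principle 2. */
struct file_label {
    perm_set read_req;   /* permissions required to read this file */
    perm_set write_req;  /* permissions required to modify this file */
    perm_set exec_cap;   /* permissions this file may have if executed */
};

/* Principles 3 and 4: a child keeps only what both its parent and its executable allow. */
perm_set exec_transition(perm_set parent, const struct file_label *exe)
{
    return parent & exe->exec_cap;
}

/* Access is granted only if every required bit is held by the process. */
bool may_read(perm_set proc, const struct file_label *f)
{
    return (proc & f->read_req) == f->read_req;
}

bool may_write(perm_set proc, const struct file_label *f)
{
    return (proc & f->write_req) == f->write_req;
}

/* Constructed labels mirroring the examples in the post. */
static const struct file_label firefox   = { PERM_NONE, PERM_NONE, PERM_NONE };
static const struct file_label cat       = { PERM_NONE, PERM_NONE, PERM_ALL };
static const struct file_label imageview = { PERM_NONE, PERM_NONE, PERM(1) };
static const struct file_label photo     = { PERM(1), PERM(1), PERM_NONE };
static const struct file_label note_pic  = { PERM(1) | PERM(3), PERM(3), PERM_NONE };

int main(void)
{
    perm_set init = PERM_ALL;                /* PID 1 starts with full permissions */
    perm_set ff_cat = exec_transition(exec_transition(init, &firefox), &cat);
    perm_set viewer = exec_transition(init, &imageview);
    printf("firefox->cat reads photo: %d\n", may_read(ff_cat, &photo));
    printf("imageview reads photo: %d\n", may_read(viewer, &photo));
    printf("imageview reads note_pic: %d\n", may_read(viewer, &note_pic));
    return 0;
}
```

The `note_pic` label requires two permissions at once, which is how this scheme would express the multi-label case ("Photos" + "Holly") from the question.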
1

answered 2018-09-25 07:55:12 -0600

heliosstyx

I think that is not the place to discuss this complex and highly sophisticated matter. If you are not satisfied with predefined and modifiable security solutions (like Fedora etc.), you should write your own operating system or customize Android etc. to your demands (that is the idea of open-source-code, you have only to do it). This is a Fedora Forum and it is a very secure and stable system and not a dreamer platform for projects like yours, which will need many years and manpower to create and test it.

