mac-implementing.html

FreeBSD操作系统的详细使用手册

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">getpmac</kbd>
biba/15(15-15),mls/15(15-15),partition/15
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setpmac partition/15,mls/equal top</kbd>
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The top process will be killed before we start another top process.</p>
</blockquote>
</div>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN22947" name="AEN22947">15.14.5.2 MAC Seeotheruids
Tests</a></h3>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ps Zax</kbd>
biba/15(15-15),mls/15(15-15),partition/15  1096 #C:  S      0:00.03 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15  1101 #C:  R+     0:00.01 ps Zax
</pre>

<p>We should not be permitted to see any processes owned by other users.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN22953" name="AEN22953">15.14.5.3 MAC Partition Test</a></h3>

<p>Disable the <acronym class="ACRONYM">MAC</acronym> <var
class="LITERAL">seeotheruids</var> policy for the rest of these tests:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl security.mac.seeotheruids.enabled=0</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ps Zax</kbd>
LABEL                                                   PID  TT  STAT      TIME COMMAND
  biba/equal(low-high),mls/equal(low-high),partition/15  1122 #C:  S+     0:00.02 top
  biba/15(15-15),mls/15(15-15),partition/15              1096 #C:  S      0:00.05 -su (bash)
  biba/15(15-15),mls/15(15-15),partition/15              1123 #C:  R+     0:00.01 ps Zax
</pre>

<p>All users should be permitted to see every process in their partition.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN22964" name="AEN22964">15.14.5.4 Testing Biba and MLS
Labels</a></h3>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setpmac partition/15,mls/equal,biba/high\(high-high\) top</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ps Zax</kbd>
LABEL                                                   PID  TT  STAT    TIME   COMMAND
  biba/high(high-high),mls/equal(low-high),partition/15   1251 #C:  S+     0:00.02 top
  biba/15(15-15),mls/15(15-15),partition/15               1096 #C:  S      0:00.06 -su (bash)
  biba/15(15-15),mls/15(15-15),partition/15               1157 #C:  R+     0:00.00 ps Zax
</pre>

<p>The Biba policy allows us to read higher-labeled objects.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setpmac partition/15,mls/equal,biba/low top</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ps Zax</kbd>
LABEL                                       PID  TT  STAT      TIME COMMAND
  biba/15(15-15),mls/15(15-15),partition/15  1096 #C:  S      0:00.07 -su (bash)
  biba/15(15-15),mls/15(15-15),partition/15  1226 #C:  R+     0:00.01 ps Zax
</pre>

<p>The Biba policy does not allow lower-labeled objects to be read; however, <acronym
class="ACRONYM">MLS</acronym> does.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ifconfig bge0 | grep maclabel</kbd>
maclabel biba/low(low-low),mls/low(low-low)
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ping -c 1 192.0.34.166</kbd>
PING 192.0.34.166 (192.0.34.166): 56 data bytes
ping: sendto: Permission denied
</pre>

<p>Users are unable to ping <tt class="HOSTID">example.com</tt>, or any domain for that
matter.</p>

<p>To prevent this error from occurring, run the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl security.mac.biba.trust_all_interfaces=1</kbd>
</pre>

<p>This sets the default interface label to insecure mode, so the default Biba policy
label will not be enforced.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">ifconfig bge0 maclabel biba/equal\(low-high\),mls/equal\(low-high\)</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ping -c 1 192.0.34.166</kbd>
PING 192.0.34.166 (192.0.34.166): 56 data bytes
64 bytes from 192.0.34.166: icmp_seq=0 ttl=50 time=204.455 ms
--- 192.0.34.166 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 ms
</pre>

<p>By setting a more correct label, we can issue <tt class="COMMAND">ping</tt>
requests.</p>

<p>Now to create a few files for some read and write testing procedures:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">touch test1 test2 test3 test4 test5</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">getfmac test1</kbd>
test1: biba/equal,mls/equal
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setfmac biba/low test1 test2; setfmac biba/high test4 test5; \
  setfmac mls/low test1 test3; setfmac mls/high test2 test4</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setfmac mls/equal,biba/equal test3 &#38;&#38; getfmac test?</kbd>
test1: biba/low,mls/low
test2: biba/low,mls/high
test3: biba/equal,mls/equal
test4: biba/high,mls/high
test5: biba/high,mls/equal
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chown testuser:testuser test?</kbd>
</pre>

<p>All of these files should now be owned by our <tt class="USERNAME">testuser</tt> user.
And now for some read tests:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls</kbd>
test1   test2   test3   test4   test5
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ls test?</kbd>
ls: test1: Permission denied
ls: test2: Permission denied
ls: test4: Permission denied
test3   test5
</pre>

<p>We should not be permitted to observe pairs; e.g.: <var
class="LITERAL">(biba/low,mls/low)</var>, <var class="LITERAL">(biba/low,mls/high)</var>
and <var class="LITERAL">(biba/high,mls/high)</var>. And of course, read access should be
denied. Now for some write tests:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd
class="USERINPUT">for i in `echo test*`; do echo 1 &#62; $i; done</kbd>
-su: test1: Permission denied
-su: test4: Permission denied
-su: test5: Permission denied
</pre>

<p>Like with the read tests, write access should not be permitted to write pairs; e.g.:
<var class="LITERAL">(biba/low,mls/high)</var> and <var
class="LITERAL">(biba/equal,mls/equal)</var>.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">cat test?</kbd>
cat: test1: Permission denied
cat: test2: Permission denied
1
cat: test4: Permission denied
</pre>

<p>And now as <tt class="USERNAME">root</tt>:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cat test2</kbd>
1
</pre>
</div>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-lomac.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-examplehttpd.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">The MAC LOMAC Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Another Example: Using MAC to Constrain a Web
Server</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>