using gconf as an example of how to create an userspace
play

Using GConf as an Example of How to Create an Userspace Object - PowerPoint PPT Presentation

Apr 27, 2023 •314 likes •609 views

Using GConf as an Example of How to Create an Userspace Object Manager James Carter jwcart2@tycho.nsa.gov National Security Agency National Information Assurance Research Laboratory (NIARL) 1 Background - SELinux Flask architecture

  1. Using GConf as an Example of How to Create an Userspace Object Manager James Carter jwcart2@tycho.nsa.gov National Security Agency National Information Assurance Research Laboratory (NIARL) 1

  2. Background - SELinux ● Flask architecture – Security server – Object managers – Access vector caches (AVCs) ● Object Managers – Bind security labels to their objects – Query the security server for labeling and access decisions – Enforce the security decisions of the security server 2

  3. Background - GConf ● Configuration system for GNOME – Not GNOME specific ● Stores configuration data for programs ● Provides change notification to programs 3

  4. GConf Architecture ● Configuration sources ● Client library ● Per-user configuration server ● ORBit – CORBA 4

  5. GConf Operation Client Library Client Library ORBit Configuration Server Backend Backend Configuration Configuration Configuration Source Source Source 5

  6. Configuration Sources ● Data: Key-value pairs ● Metadata: expected type, default value, description ● Accessed through a backend 6

  7. Client Library ● Interface to access the configuration sources ● Caches configuration values ● Allows a specific set of configuration sources to be specified ● Works with the configuration server to notify the client when the value of a registered key changes 7

  8. Per-user Configuration Server ● Accesses the configuration sources through the appropriate backend ● Presents a unified set of configuration data to the client ● Notifies the client library of all clients effected when the value of a key changes 8

  9. Providing Security Controls over a Program ● Adequate control is often achieved by merely running an application in the domain of its parent. ● If not, then either: – The application should not be run – The security goals of the system reduced to allow the program to run, or – Security controls must be added 9

  10. Four Strategies for Adding Security Controls over a Program ● Add SELinux policy for the program ● Add additional or finer-grained controls to SELinux ● Re-architect the program to make use of existing SELinux controls ● Modify the program to become an userspace object manager 10

  11. Add SELinux Policy ● Does not require modification of the program – Least obtrusive strategy ● May be able to use the policy for another program with similar functions ● Custom policy involves: – Specifying the security label the process will run in – Labeling security-relevant objects – Specifying rules for the process and objects to interact with each other and the rest of the system 11

  12. Add Additional Features to SELinux ● Add additional or finer-grained SELinux kernel controls ● SELinux is meant to have comprehensive controls over kernel objects, so new kernel controls shouldn't be required often ● If new controls are written, then new policy is needed to take advantage of those controls 12

  13. Re-Architect the Program ● Decompose a program into a small, privileged process and a larger, unprivileged process ● Run multiple copies of the program in different domains ● Rewrite the program 13

  14. Creating an Userspace Object Manager ● SELinux provides object managers for kernel objects ● New object managers are needed for any object not controlled by the kernel ● Natural part of implementing the Flask architecture on Linux 14

  15. Functions of an Userspace Object Manager ● Bind security labels to the objects that it controls ● Request labeling and access decisions from the appropriate security server ● Enforce the decisions returned by the security server 15

  16. Trust Required of an Userspace Object Manager ● Only trusted to control its objects ● Not trusted in all of its operations ● Still controlled by the system's security policy 16

  17. Steps in Creating an Userspace Object Manager ● Identify the objects in greater detail ● Provide a way to uniquely and reliably label the object ● Add access checks and labeling requests where needed to control the object ● Make the subject's label available at the access checks 17

  18. Steps in Creating an Userspace Object Manager (Cont) ● Add an access vector cache (AVC) to the program to cache the access decisions of the security server ● Create new SELinux policy classes and permissions as needed ● Create SELinux policy to control the objects 18

  19. What Needs to be Secured in GConf ● Configuration sources ● Key-value pairs ● ORBit IORs 19

  20. Adding SELinux Policy to Secure GConf ● Only the configuration server can access or modify the configuration data of the user ● Cannot label the configuration data itself 20

  21. Strategies Not Used to Secure GConf ● Add additional features to SELinux – Configuration data of GConf is only visible to the configuration server at the appropriate granularity ● Re-Architect GConf – Some advantages, more disadvantages 21

  22. GConf Needs to be an Userspace Object Manager ● Using the other strategies, some progress has been made ● Configuration data still not adequately controlled ● Configuration data is only visible at the right level to the configuration server ● The configuration server must be made into an userspace object manager 22

  23. Labeling the Configuration Data ● Security labels stored in a separate namespace – /selinux ● Security labels are normal GConf value strings ● Namespace protected by requiring special functions to directly access security labels ● Security label always chosen from the default configuration sources 23

  24. Adding Labeling Requests and Access Checks ● Access checks are done before an operation on the configuration data – For server-side notification registration, the check is done sooner – For querying all keys in a directory or all directories in a directory, the check is done after ● Labeling request is done on a set operation if the key doesn't already have a security context 24

  25. Making the Client's Security Context Available ● Would like to get it from the kernel – Can't because the client and server communicate through ORBit ● Would like to get it from a process that the server trusts – Modifying ORBit to provide the context would be a lot of work – If D-Bus replaces ORBit, then it would be easier ● Actually trusts the client to provide the context 25

  26. Add an Access Vector Cache (AVC) ● Provided by the library libselinux ● Start the AVC when the configuration server starts ● Used GConf specific memory allocation, logging, and audit callback functions 26

  27. Create New SELinux Policy Class and Permissions ● Security class – gconf ● Permissions – get_value, set_value, create_value, remove_value, get_meta, set_meta, relabel_from, relabel_to 27

  28. Create SELinux Policy to Control Objects ● Sensitive keys must be identified and labeled ● Processes that need to have different accesses to configuration data must run in different domains – Currently, most user processes run in on domain ● Only policy to test for proper operation has been written at this time 28

  29. Conclusions ● Questions? 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry Vyukov Linux Collaboration Summit 15 April 2013 Agenda AddressSanitizer, a memory error detector (userspace) ThreadSanitizer, a data race

1.18k views • 69 slides
2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis &

2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis &

LITE Kernel RDMA Support for Datacenter Applications Shin-Yeh Tsai , Yiying Zhang Time 2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis & Socket IX O ffl oad engine mTCP Userspace Kernel Hardware

1.34k views • 104 slides
XtreemFS: high- performance network file system clients and servers in userspace Minor Gordon,

XtreemFS: high- performance network file system clients and servers in userspace Minor Gordon,

XtreemFS: high- performance network file system clients and servers in userspace Minor Gordon, NEC Deutschland GmbH mgordon@hpce.nec.com HIGH PERFORMANCE Why userspace? COMPUTING 05/04/09 File systems traditionally implemented in the

275 views • 15 slides
Linux Plumbers Conference 2011 Userspace RCU Library: RCU Synchronization and RCU/Lock-Free Data

Linux Plumbers Conference 2011 Userspace RCU Library: RCU Synchronization and RCU/Lock-Free Data

Linux Plumbers Conference 2011 Userspace RCU Library: RCU Synchronization and RCU/Lock-Free Data Containers for Userspace E-mail: mathieu.desnoyers@efficios.com Mathieu Desnoyers September 8th, 2011 1 > Presenter Mathieu Desnoyers

589 views • 41 slides
Scaling Userspace @ Facebook Ben Maurer bmaurer@fb.com About Me At Facebook since 2010

Scaling Userspace @ Facebook Ben Maurer bmaurer@fb.com About Me At Facebook since 2010

Scaling Userspace @ Facebook Ben Maurer bmaurer@fb.com About Me At Facebook since 2010 Co-founded reCAPTCHA Tech-lead of Web Foundation team Responsible for the overall performance & reliability of Facebooks user-

537 views • 32 slides
The userspace solution for control groups Linux Kongress 2010 Dhaval Giani

The userspace solution for control groups Linux Kongress 2010 Dhaval Giani

The userspace solution for control groups Linux Kongress 2010 Dhaval Giani dhaval.giani@gmail.com RETIS Lab, Scuola Superiore SantAnna September 2010 Dhaval Giani The userspace solution for control groups Control Groups What are cgroups?

896 views • 70 slides
Moving thread activation policies to userspace using kfutex Helge Bahmann

Moving thread activation policies to userspace using kfutex Helge Bahmann

Moving thread activation policies to userspace using kfutex Helge Bahmann <hcb@chaoticmind.net> Google Zrich Pop quiz: Which class of operations do processes spend >99% of their time in? Introduction What are threads? Answer

634 views • 18 slides
D e b c o n f 1 6 LTTng: Kernel and userspace tracing in Debian mjeanson@effjcios.com

D e b c o n f 1 6 LTTng: Kernel and userspace tracing in Debian mjeanson@effjcios.com

D e b c o n f 1 6 LTTng: Kernel and userspace tracing in Debian mjeanson@effjcios.com w h o a mi Michael Jeanson, Software developer @ EffjciOS Debian Maintainer Ubuntu Member Fedora Packager Offjcial and

894 views • 20 slides
Instant OS Updates via Userspace Checkpoint-and-Restart Sanidhya Kashyap , Changwoo Min,

Instant OS Updates via Userspace Checkpoint-and-Restart Sanidhya Kashyap , Changwoo Min,

Instant OS Updates via Userspace Checkpoint-and-Restart Sanidhya Kashyap , Changwoo Min, Byoungyoung Lee, Taesoo Kim, Pavel Emelyanov OS updates are prevalent And OS updates are unavoidable Prevent known, state-of-the-art attacks

1.08k views • 79 slides
Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and

Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and

Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and Stephen Hines* October 18, 2017 *This was/is a really HUGE effort by many other people/teams/companies. We are just the messengers. :) Making large

565 views • 42 slides
mmb : Flexible High-Speed Userspace Middleboxes Korian Edeline , Justin Iurman, Cyril Soldani,

mmb : Flexible High-Speed Userspace Middleboxes Korian Edeline , Justin Iurman, Cyril Soldani,

mmb : Flexible High-Speed Userspace Middleboxes Korian Edeline , Justin Iurman, Cyril Soldani, Benoit Donnet Montefiore Institute, University of Lige Belgium A middleboxed Internet https://github.com/mami-project/roadshows 7/22/19 2 ANRW

624 views • 28 slides
the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

Userspace networking: beyond the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel integration Benot Ganne, bganne@cisco.com 30/01/2020 1 Why a native network driver? Why userspace networking?

773 views • 8 slides
Userspace RCU Library: What Linear Multiprocessor Scalability Means for Your Application Linux

Userspace RCU Library: What Linear Multiprocessor Scalability Means for Your Application Linux

Userspace RCU Library: What Linear Multiprocessor Scalability Means for Your Application Linux Plumbers Conference 2009 Mathieu Desnoyers cole Polytechnique de Montral > Mathieu Desnoyers Author/maintainer of : LTTV (Linux

725 views • 26 slides
(bbdev) Amr Mokhtar DPDK Summit Userspace - Dublin- 2017 why baseband..? MAC Tx Data Downlink

(bbdev) Amr Mokhtar DPDK Summit Userspace - Dublin- 2017 why baseband..? MAC Tx Data Downlink

Wireless Base Band Device (bbdev) Amr Mokhtar DPDK Summit Userspace - Dublin- 2017 why baseband..? MAC Tx Data Downlink * Reference: 3GPP TS 36.211 & 36.212 architecture Common programing framework for Application wireless

1.15k views • 15 slides
LIO and the TCMU Userspace Passthrough: The Best of Both Worlds Andy Grover

LIO and the TCMU Userspace Passthrough: The Best of Both Worlds Andy Grover

LIO and the TCMU Userspace Passthrough: The Best of Both Worlds Andy Grover <agrover@redhat.com> @iamagrover March 11, 2015 1 LIO AND TCMU What is LIO? Multi-protocol in-kernel SCSI target 2 LIO AND TCMU Multi-protocol in - kernel

615 views • 27 slides
Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler <bazsi@balabit.com> www.balabit.com Zorp Has been established in 2000, as the fjrst BalaBit product Code was GPLd right from the start Initial set

590 views • 20 slides
Turning Managers Into Communicators Workshop OHSU Portland, Oregon Bryant A. Hilton Austin,

Turning Managers Into Communicators Workshop OHSU Portland, Oregon Bryant A. Hilton Austin,

March 12, 2019 Turning Managers Into Communicators Workshop OHSU Portland, Oregon Bryant A. Hilton Austin, Texas Engaging employees. Navigating change. 2 Introductions Who are you? Where do you work? What do you want/need from your

1.44k views • 129 slides
Sessions: Administering with Activities Manager A brief audio-visual guide for administrators.

Sessions: Administering with Activities Manager A brief audio-visual guide for administrators.

Sessions: Administering with Activities Manager A brief audio-visual guide for administrators. Once you are logged in select your activity and, using the triangle drop down next to the pencil, click to select the session you want to administer.

550 views • 13 slides
New PM: taming a custom pipeline of Falcon JIT Fedor Sergeev Azul Systems Compiler team

New PM: taming a custom pipeline of Falcon JIT Fedor Sergeev Azul Systems Compiler team

New PM: taming a custom pipeline of Falcon JIT Fedor Sergeev Azul Systems Compiler team AGENDA Intro to Falcon JIT Legacy Pass Manager Falcon-specific problems New Pass Manager Design & current status Falcon

511 views • 27 slides
SMB3 Multichannel Update Gnther Deschner <gd@samba.org> Sachin Prabhu

SMB3 Multichannel Update Gnther Deschner <gd@samba.org> Sachin Prabhu

SMB3 Multichannel Update Gnther Deschner <gd@samba.org> Sachin Prabhu <sprabhu@redhat.com> A g e n d a S a mb a / C T D B C l u s t e r i n g w i t h G l u s t e r F S S M B 3 M u

862 views • 33 slides
Alire: Ada Has a Package Manager Alejandro Mosteo, professor at Centro Universitario de la Defensa

Alire: Ada Has a Package Manager Alejandro Mosteo, professor at Centro Universitario de la Defensa

alire.ada.dev Alire: Ada Has a Package Manager Alejandro Mosteo, professor at Centro Universitario de la Defensa de Zaragoza Fabien Chouteau, embedded software engineer at AdaCore Pierre-Marie de Rodat, software engineer at AdaCore

375 views • 26 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
Extending and Customizing PMM Michael Coburn Percona Michael Coburn Product Manager for

Extending and Customizing PMM Michael Coburn Percona Michael Coburn Product Manager for

Extending and Customizing PMM Michael Coburn Percona Michael Coburn Product Manager for PMM (as well as for Percona Toolkit) At Percona for 6 years across multiple MySQL roles Principal Architect, Managing Consultant, Technical

524 views • 29 slides
Integration-Manager Workflow and Rebasing Sign in on the attendance sheet! Remember the

Integration-Manager Workflow and Rebasing Sign in on the attendance sheet! Remember the

Lecture 8 Integration-Manager Workflow and Rebasing Sign in on the attendance sheet! Remember the Centralized Workflow? Problem: Every developer needs push access to the shared repository! Integration-Manager Workflow Github/ The cloud

626 views • 21 slides

More recommend