RSBAC Changes
-------------

1.2.2:
- Added ms_need_scan attribute for selective scanning
- MS module support for F-Protd as scanning engine
- ms_need_scan FD attribute for selective scanning
- JAIL flag allow_inet_localhost to additionally allow to/from local/remote IP 127.0.0.1
- RSBAC syscall version numbers
- New RES module with minimum and maximum resource settings for users and programs
- Moved AUTH module to generic lists with ttl
- Added new requests CHANGE_DAC_(EFF|FS)_OWNER on PROCESS targets for seteuid and setfsuid (configurable)
- Added caps and checks for effective and fs owner to AUTH module (optional)
- Changed behaviour on setuid etc.: Notification is always sent, even if the uid was set to the same value. This allows for restricted RC initial roles with correct role after setuid to root.
- New Process Hiding feature in CAP module
- Delayed init for initial ramdisks: delay RSBAC init until the first real device mount.
- rsbac_init() syscall to trigger init by hand, if not yet initialized - can be used with e.g. rsbac_delayed_root=99:99, which will never trigger init automatically.
- MS module support for clamd as scanning engine.
- Almost complete reimplementation of the MAC model with many new features.
- New system role 'auditor' for most models, which may read and flush RSBAC's own log.

1.2.1:
- Added support for all other architectures.
- Cleaned up rsbac syscall filesystem name lookup and target type checks.
- New module JAIL: preconfigured process encapsulation (see kernel config help).

1.2.0:
- Moved most lists to generic lists, splitting up between modules on the way (GEN = general for all modules).
- DS for each module only included, if module is compiled in.
- New Linux Capabilities (CAP) module
- Split system_role into mac_role, fc_role, etc. Please do not use old A_system_role attribute any longer.
- Changed rsbac_get/set_attr interface to include target module
- Added module guessing from attribute into sys_rsbac_get/set_attr, if module is not given (value SW_NONE).
- Added user and RC role based symlink redirection
- Added network and firewall config protection as SCD network and firewall targets
- Added NETDEV, NETTEMP and NETOBJ targets for network access control.
- Added network templates for default NETOBJ attribute values
- Renamed /rsbac dir to /rsbac.dat to avoid name conflicts.
- RC model with unlimited roles and types
- Selective dir tree disabling of Linux DAC
- Generic list ordering (needed for templates and optimization)
- List optimization
- Generic time-to-live support in generic lists (new on-disk version)
- Support time-to-live for ACL group members and ACL entries
- copy_net_temp
- Individual module soft mode
- Support time-to-live for RC entries
- Backport to 2.2.20

1.1.2:
- Own RSBAC memory allocation functions. Own RSBAC mem slabs in 2.4 kernels.
- Generic lists - simply register your list item sizes with filename and persist flag, and a persistent list will be kept for you.
- Generic lists of lists, two level version.
- Moved pm_data_structures.c to new lists with proc backup files. Attention: There is no auto-update from older versions possible!
- proc backup files for RC and ACL are now optional
- New proc subdir pm, replaces old write_list call
- rsbac_pm write_list call removed
- New FD aci version with new rc_initial_role and 16 bit ff_flags
- New FF flag append_only, which limits all write accesses to APPEND_OPEN and WRITE
- Fix for rename hole: rename could replace and thus delete an existing file without DELETE check. Also performs secure_delete, if necessary
- New rsbac_mount hook in change_root for initial ramdisk
- Fixed missing Linux check in bad_signal
- Added optional switch rsbac_dac_disable to disable Linux filesystem access control
- Added count support for multiple mounts
- Added optional switch rsbac_nosyslog to temporarily disable logging to syslog
- Added config option for DEBUG code

1.1.1:
- New target type FIFO, with a lot of cleanup, e.g. IPC type fifo removed
- MAC module reworked, including MAC-Light option
- Several bugfixes
- Port to 2.4.0, 2.4.1 and 2.4.2
- New Makefiles with lists for 2.4 and without for 2.2 kernels (Thanks to Edward Brocklesby for samples)
- init process default ACI now partly depends on root's ACI
- Optional interception of sys_read and sys_write. Attention: you might have to add READ and WRITE rights to files, fifos, dirs and sockets first, if upgrading from an older version
- REG overhaul. Now you can register syscall functions, everything is kept in unlimited lists instead of arrays and registering is versioned to allow for binary module shipping with REG version checks.
- Inheritance is now fixed, except for MAC model
- MAC: optional inheritance, new option Smart Inheritance that tries to avoid new attribute objects (see config help)
- New soft mode option: all decisions and logging are performed, but DO_NOT_CARE is returned to enforcement. Off by default. See config help for details.
- Optional initialization in extra rsbac_initd thread.

1.1.0:
- Port to 2.4.0-test11
- Interception of sys_mmap and sys_mprotect added. Now execution of library code requires EXECUTE privilege on the library file, and setting non-mmapped memory to EXEC mode requires EXECUTE on target NONE.
- MAC Light option by Stanislav Ievlev added. See kernel config help or modules.htm.

1.0.9c:
- Port to 2.4.0-test{[789]|10}, this means major changes to the lookup and inheritance code - of course #ifdef'd
- Change string declarations to kmalloc. On the way moved MAX_PATH_LEN restriction from 1999 to max_kmalloc - 256 (>127K).
- Renamed several PM xy.class to xy.object_class for C++ compatibility
- Added SCD type ST_kmem
- Changed rc_force_role default to rc_role_inherit_parent, terminated at root dir with old default rc_role_inherit_mixed. This makes it much easier to keep a dir of force-roled binaries.

1.0.9b:
- Port to 2.3.42 - 2.3.99-pre3
- Port to 2.2.14 - 2.2.16
- 32 Bit Uid/Gid with new attribute versions
- User and program based logging
- AUTH capability ranges
- Made write to MSDOS fs a config option, so use it at your own risk (see config help)
- MAC levels 0-252
- Added config option for ioport access (X support)

1.0.9a:
- Added group management to ACL module.
- Removed CONFIG_RSBAC_SYNC option.
- Added module hints to logging
- Added RC separation of duty (see models.htm)
- Added RC force role inherit_up_mixed and made it default setting

1.0.9:
- Added registration of additional decision modules (REG)
- Wrote decision module examples (see README-reg and reg_samples dir)
- Port to 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12 (pre versions)
- Heavily changed RC model: Now it has a distinguished role-to-type compatibility setting for each request type, instead of one setting for all request types. This allows for much finer grained access control. Unfortunately there was no way to update existing role settings, so those have to be reentered by hand. Still, the types entries are kept.
- Set all MSDOS based file systems to read-only, because inode numbers are likely to change between boots.
- Added Access Control List module. ACLs are kept on FILE, DIR, DEV, IPC, SCD and PROCESS targets (IPC and PROCESS have only one default ACL each). Each entry contains subject type (user, rc_role, group), subject id and the rights this subject has. Also, rights are inherited from parents and from a target specific default ACL. See html/models.htm for details.
- Added optional full path logging.

1.0.8a:
- Port to 2.2.7
- File Flag no_execute added to prevent execution, e.g. of user binaries under /home tree. Can be circumvented by scripts via 'interpreter scriptname'.

1.0.8:
- Port to 2.2.1
- Added /proc/rsbac-info/backup to provide an easier means of backup for not device dependent stuff. To be extended.
- Added new Role Compatibility (RC) module.
- New on-disk binary layout, auto update from all versioned data (1.0.5 upwards).
- AUTH module added to support proper authentication by enforcing externally granted CHANGE_OWNER capabilities.
- Save to disk inconsistency in PM sets fixed.
- MAC categories added, but limited to a fixed number of 64. Apart from that, the MAC module categories are as proposed in the Bell-LaPadula model.
- Port to 2.2.2
- Port to 2.2.3 with minor changes
- Port to 2.2.4
- Port to 2.2.5

1.0.7a:
- Added alpha support (with Shaun Savage). Has different storage sizes, so default useraci does not work and you need a maint kernel.
- Added new error detection features for file/dir entries.
- Increasing of NR_FD_LISTS is now handled differently for error detection reasons. See README-nrlists.
- Marked init functions as __init - though saving a few KB doesn't make such a big difference while using RSBAC... ;)
- Fixed memory leaks in write_*_list while introducing vmalloc for large lists. The number of file/dir lists is now only a matter of performance and available memory.
- Added two flags to File Flags
- Port to 2.2.0-pre6
- Added secure deletion/truncation, needs a config switch to be enabled. If on, all files marked with (inheritable) FF-flag secure_delete and all files marked as PM-personal data are zeroed on deletion and truncation - if the regarding modules are switched on.

1.0.7:
- Port to 2.1.131
- Added more fs types to non-writable: smbfs, ncpfs, codafs - so there should be no writing on network mounts (unfortunately there is no afs SUPER_MAGIC)
- Added configuration option NO_DECISION_ON_NETMOUNTS, which additionally turns off all decisions for all these fs, so that they are completely ignored
- Added attribute inheritance: Some attributes for files and dirs have a special value 'inherit'. If this is set, the value of the parent dir's attribute is used instead. This mechanism ends on fs boundaries - each fs root dir gets old style standard values, if attribute is set to 'inherit'. Currently security_level, object_category and data_type are inheritable.
- Added configuration option DEF_INHERIT. If set, default values for inheritable attributes are 'inherit', rather than the old default. This option setting should not differ between different RSBAC kernels to avoid deeper confusion for administrators and rsbac_check().
- To support inheritance, added parameter inherit to both get_attr system calls. If on, the effective (possibly inherited) value is returned, if off, the real value is returned.
- Corrected a security hole in receiving from / sending via datagram sockets (thanks to Simone). Now a read/append open and a close request are done for every datagram (if net support is configured, as usual). Attention: Programs that open a UDP socket as one user (e.g. root) and then setuid to another (e.g. bin) may not be able to access that socket, if the new user has insufficient rights! (see config help) Checking of net access can as before be turned on/off via CONFIG_RSBAC_NET.
- Worked on rsbac_check(). Is more stable now, but should only be called under moderate load at most.

1.0.6:
- Moved to 2.1.128
- Cleaned up old includes in syscalls.c
- Added RSBAC's own logging in /proc/rsbac-info/rmsg, to be accessed by modified klogd or sys_rsbac_log, restricted by most modules to security officers. Additionally, logging to standard syslog can be turned off to hide security relevant log from all but those with explicit access.
- Added module File Flags with attribute ff_flags for FILE/DIR targets
- Added auto-update of last version attributes (only FD changed though)
- Changed ms_trusted from boolean to tristate: non-trusted, read, full
- Fixed rm -r hang bug
- Added consistency check for RSBAC items, which can remove items for deleted inodes (ext2 only) and entries containing only default values (FILE/DIR targets only). It also recalculates item counts.
- Added sys_rsbac_check to trigger this check.

1.0.5:
- Rewrote most of attribute saving to disk. Now disk writing is never done with a spinlock held, increasing stability significantly (is this a taboo? if yes, where is it documented?)
- Changed write-to-disk behaviour: The old immediate write is no longer default, but optional (CONFIG_RSBAC_SYNC_WRITE). Instead, sys_rsbac_write can be used from user space or a kernel daemon can be activated to write changes automatically every n seconds (CONFIG_RSBAC_AUTO_WRITE)
- Added kernel param rsbac_debug_auto for the daemon - gives a good overview of attribute change rate
- Added proc interface for statistics and many RSBAC settings
- Added rsbac_adf_request calls MODIFY_SYSTEM_DATA to sysctl.c
- Wrote man pages for all RSBAC syscalls (in Documentation/rsbac/man)
- Added version information and check for all file/dir/dev aci and for log_levels
- Added some more scan strings to Malware Scan module, had to change string representation to a more general way

1.0.4:
- Port via 2.1.115 and 2.1.124 to 2.1.125
- IPC targets: changed ids for sockets from pid/fd combination to pointer to sock structure, including (many) changes in the handling.
- Added socket level scanning (tcp and udp) to module Malware Scan. This feature can stop malware while still being transferred to your system. Added new attributes for IPC, process and file/dir targets to manage socket scan.
- Reordered configuration options
- Added CONFIG_RSBAC_NO_WRITE to totally disable writing to disk for testing purposes and kernel parameter rsbac_debug_no_write to temporarily disable disk writing
- Added CONFIG_RSBAC_*_ROLE_PROTection for all role dependent modules: Now change-owner (setuid etc.) can be restricted between users with special roles - see configuration help for details
- Some more bugfixes, mostly to decision modules

1.0.4-pre2:
- Port to 2.1.111
- Attribute mac_trusted_for_user added to FILE aci. Value meanings:
  RSBAC_NO_USER (-3): program is not MAC-trusted
  RSBAC_ALL_USERS (-4): program is MAC-trusted for all users
  other user-ID: program is MAC-trusted, if invoked by this user
  Especially the last is useful for daemon programs that can be started by all users. Init process is checked, too, but is MAC-trusted by default.
- Syscalls rsbac_mac_set/get_max_seclevel added. Now a process can reduce its own maximum security level. Useful for wrapper daemons like inetd after forking and before invoking another program.
- Object dependent logging #ifdef'd with configuration option.
- Configuration option 'Maintenance Kernel' added. Disables all other options.
- removed CONFIG_RSBAC_ADMIN and rsbac_admin() stuff - now we have capabilities, and there is no suser() anymore to extend
- changed locking for Data Structures component from semaphores to read/write spinlocks
- added (U)MOUNT requests for target DEV to sys_(u)mount. Now both target dir and device are checked for access (MAC: dir: read-write, dev: depending on mount mode read or read-write). Note: After mount, all file/dir accesses on this device are checked as usual.
- Moved checks for valid request/target combinations from MAC module to extra functions in rsbac/adf/check.c.

1.0.3:
- Target DEV added. Now devices can get their own attributes based on major/minor numbers. Attributes based on their file representations in /dev are no longer used for open, but still for all other calls. MAC decisions on open requests for devices must be explicitly enabled by mac_check to keep the system bootable. Short rule: Only if content is accessed, DEV attributes apply.
- Attribute object_type removed, was not used anyway and maintained in linux structures.
- Attributes log_array_low and log_array_high for FILE/DIR/DEV added, providing individual request based logging for those objects.
- PM module: if DEV is personal_data, necessary access is checked for new class DEV (can be changed to custom class)
- A couple of minor bugfixes done

1.0.2A:
- Port to 2.0.34
- A few #ifdef CONFIG_RSBAC_USE_RSBAC_OWNER were missing, causing error messages "rsbac_set/get_attr returned error" -> added

13/Jun/2001 Amon Ott
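As an added illustration of the 1.0.7 attribute inheritance entries (example code, not RSBAC's own): this Python model resolves the effective value of an inheritable FILE/DIR attribute, where a stored value of 'inherit' defers to the parent dir, the walk stops at each filesystem root (which falls back to the old-style default), DEF_INHERIT makes 'inherit' the default for unset attributes, and the inherit parameter of get_attr selects the effective or the real value. The node names, the default values and the directory tree are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

INHERIT = "inherit"
# Assumed old-style defaults for the three inheritable attributes named in the changelog.
OLD_DEFAULT = {"security_level": 0, "object_category": 0, "data_type": 0}


@dataclass
class Node:
    """A FILE or DIR target; fs_root marks the root dir of a mounted filesystem."""
    name: str
    parent: Node | None = None
    fs_root: bool = False
    attrs: dict = field(default_factory=dict)


def real_attr(node: Node, attr: str, def_inherit: bool) -> object:
    """Stored value; an unset attribute is INHERIT under DEF_INHERIT, else the old default."""
    return node.attrs.get(attr, INHERIT if def_inherit else OLD_DEFAULT[attr])


def get_attr(node: Node, attr: str, inherit: bool, def_inherit: bool = True) -> object:
    """Model of the get_attr 'inherit' parameter: effective value if set, real value if not."""
    value = real_attr(node, attr, def_inherit)
    if not inherit:
        return value
    while value == INHERIT:
        # Inheritance ends at a filesystem boundary: an fs root set to INHERIT
        # yields the old-style standard value instead of its parent's value.
        if node.fs_root or node.parent is None:
            return OLD_DEFAULT[attr]
        node = node.parent
        value = real_attr(node, attr, def_inherit)
    return value


def build_sample_tree() -> dict[str, Node]:
    """Constructed tree: / (fs root) -> srv (level 3) -> www -> secret.txt,
    plus a second filesystem mounted at /srv/www/mnt holding data.txt."""
    root = Node("/", fs_root=True)
    srv = Node("srv", root, attrs={"security_level": 3})
    www = Node("www", srv)
    secret = Node("secret.txt", www)
    mnt = Node("mnt", www, fs_root=True)
    data = Node("data.txt", mnt)
    return {n.name: n for n in (root, srv, www, secret, mnt, data)}


if __name__ == "__main__":
    t = build_sample_tree()
    print(get_attr(t["secret.txt"], "security_level", inherit=True))   # 3, inherited from srv
    print(get_attr(t["secret.txt"], "security_level", inherit=False))  # inherit (real value)
    print(get_attr(t["data.txt"], "security_level", inherit=True))     # 0, walk stops at mount root
```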