Grsecurity ACL system (1)

Summary
The Access Control List (ACL) system is software that provides finer-grained access control for your computer. Grsecurity is a typical and mature Linux ACL system. This document is an official document of the grsecurity project; I translated it while I was recently studying the Linux ACL system. Like systems such as LIDS, grsecurity is complex, and the document contains many details, so errors are inevitable.
  
Introduction
  
1. what is an ACL system?
  
The Access Control List (ACL) system is a software that provides better Access Control for your computer.
  
2. Why is the ACL system required?
  
The ACL system is used to restrict access to files, capabilities, resources, or sockets for all users, including root. This is a Mandatory Access Control (MAC) model. With the growing attention paid to system security, many access control systems for Linux have emerged; most of them are kernel patches, and grsecurity is a typical and mature one. Grsecurity lets the system administrator grant each process the fewest permissions possible, so that an attacker cannot take control of the entire system even after obtaining root privileges.
  
3. Supported features
  
Grsecurity has the following features:
  
Process-based access control;
Process-based resource restrictions;
IP address access control;
Protection against process brute-force attacks;
A fully automatic, intelligent learning mode;
Readable configuration file;
An intelligent user-space management tool;
An include directive that pulls additional ACL configuration in from a file or a directory;
O(1) lookup algorithm;
Administrator mode;
Capability and ACL inheritance.
  
  
  
Install Grsecurity system
  
1. Download the grsecurity kernel patch and the management tool gradm
  
From grsecurity's official website http://www.grsecurity.net we can get the source code of the latest grsecurity kernel patch and of the management tool gradm. This article uses Red Hat 7.3 and the latest Linux 2.4.19 kernel as its example.
  
2. Install the grsecurity kernel patch
  
After the download is complete, we start the installation. Go to the directory that contains the kernel source and apply the grsecurity patch to it:
  
[nixe0n@nixe0n nixe0n]$ cd linux-2.4.19
[nixe0n@nixe0n linux-2.4.19]$ patch -p1 < ../grsecurity-1.9.6-2.4.19.patch
  
  
  
Then enable the grsecurity options in the kernel configuration menu (the relevant options are described later) and recompile the kernel:
  
[nixe0n@nixe0n linux-2.4.19]$ make menuconfig
[root@nixe0n linux-2.4.19]# make dep && make bzImage && make modules && make modules_install
[root@nixe0n linux-2.4.19]# cp arch/i386/boot/bzImage /boot/GRSecKernel
  
  
  
Finally, use your favorite editor to add GRSecKernel to the boot menu in /boot/grub/menu.lst.
  
3. Install the grsecurity management tool gradm
  
The grsecurity management tool is gradm. After downloading the latest version of gradm, compile and install it with the following commands:
  
tar zxf gradm-<version>.tar.gz
cd gradm
make
make install
  
  
  
When make install runs, you are asked to define a password for administering the grsecurity ACL system. For the sake of system security, the password should be long enough and must not be the same as the root account's password.
  
  
Grsecurity configuration
  
1. Structure of Grsecurity ACL
  
Grsecurity ACL rules are composed of subjects and objects. A subject is a process being executed; objects are files, resources, capabilities, and IP-address access controls. The system's main access control list file is /etc/grsec/acl. If this file is missing, an error is reported when the grsecurity ACL system is started.
  
The structure of the grsecurity ACL rule is as follows:
  
<subject path> <subject mode> {
    <object path> <object mode>
    [+|-]<capability>
    connect {
        <ip>/<netmask>:<low port>-<high port>
    }
    bind {
        <ip>/<netmask>:<low port>-<high port>
    }
}
  
  
  
2. Some grsecurity ACL conventions
  
Grsecurity's access control rules follow a number of conventions. You must keep them in mind before you can use the rules accurately to enhance the security of the system. These conventions include:
  
All paths must be absolute;
To deny all access to a file, simply omit the mode parameter;
You can use the include keyword to pull in rules that have already been defined elsewhere, for example:
include <file or directory>
  
Grsecurity access control rules support comments. As in most UNIX configuration files and shell scripts, # begins a comment line;
Subjects and objects do not have to be files; they can also be valid directories;
The subject modes are h, p, v, k, and o (described in detail later);
The object modes are r, w, x, a, h, i, and o (described in detail later);
Capabilities have only one mode, i;
However the system is configured, at least one default ACL, whose subject is /, is required. If it is missing, gradm reports that the default ACL is missing when the grsecurity ACL system is started;
The ACL rule of every subject should contain a / object;
CAP_ALL is not a real capability; it is a convenience that stands for all capabilities. For example, to remove every capability except CAP_SETUID, use -CAP_ALL and +CAP_SETUID;
As in traditional UNIX, permission to access files is granted through the file system; the grsecurity ACL system follows the same model.
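As an added example (not part of the original document and not gradm's own code), the following Python script parses ACL text laid out in the structure shown above and checks the conventions listed here: absolute paths, a default / subject, a / object in every rule, a mode-less object meaning denial, and # comments. The sample ACL text, the Rule class and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the ACL structure described above (not a real /etc/grsec/acl).
SAMPLE_ACL = """\
# default ACL: subject / without a subject mode
/ {
    /             rwx
    /etc          rx
    /usr/bin      rx
    /tmp          rw
    /etc/shadow            # no mode: all access denied
    -CAP_ALL
    +CAP_SETUID
    connect {
        192.168.1.0/24:80-80
    }
}

/usr/bin/mailman o {
    /    rwx
    /tmp rwxo
}
"""

# Constructed sample that breaks several conventions.
BAD_ACL = """\
/usr/bin/foo {
    etc rx
}
"""

SUBJECT_MODES = set("hvpklo")
OBJECT_MODES = set("rwxahio")
HEADER_RE = re.compile(r"^(\S+)(?:\s+(\S+))?\s*\{$")


@dataclass
class Rule:
    subject: str
    mode: str
    objects: dict = field(default_factory=dict)  # object path -> mode ("" = denied)
    caps: list = field(default_factory=list)     # "+CAP_X" / "-CAP_X" lines
    connect: list = field(default_factory=list)  # raw ip/netmask:low-high lines
    bind: list = field(default_factory=list)


def parse_acl(text):
    """Parse ACL text into {subject path: Rule}. '#' starts a comment."""
    rules, current, net = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:                      # expecting a subject header
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError("expected subject header, got %r" % raw)
            current = Rule(m.group(1), m.group(2) or "")
        elif net is not None:                    # inside connect { } or bind { }
            if line == "}":
                net = None
            else:
                getattr(current, net).append(line)
        elif line in ("connect {", "bind {"):
            net = line.split()[0]
        elif line == "}":                        # end of this subject's rule
            rules[current.subject] = current
            current = None
        elif line[0] in "+-":                    # capability line
            current.caps.append(line)
        else:                                    # object line, mode is optional
            parts = line.split()
            current.objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    if current is not None:
        raise ValueError("unterminated rule for %s" % current.subject)
    return rules


def validate_acl(rules):
    """Return the list of convention violations (an empty list means OK)."""
    problems = []
    if "/" not in rules:
        problems.append("default ACL (subject /) is missing")
    for subj, rule in rules.items():
        if not subj.startswith("/"):
            problems.append("subject %s is not an absolute path" % subj)
        if set(rule.mode) - SUBJECT_MODES:
            problems.append("subject %s has unknown mode %r" % (subj, rule.mode))
        if "/" not in rule.objects:
            problems.append("subject %s has no / object" % subj)
        for path, mode in rule.objects.items():
            if not path.startswith("/"):
                problems.append("object %s in %s is not an absolute path" % (path, subj))
            if set(mode) - OBJECT_MODES:
                problems.append("object %s in %s has unknown mode %r" % (path, subj, mode))
    return problems


def check(text):
    return validate_acl(parse_acl(text))


if __name__ == "__main__":
    for name, text in (("SAMPLE_ACL", SAMPLE_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, check(text) or "OK")
```

Running the script reports SAMPLE_ACL as OK and lists three violations for BAD_ACL: the missing default ACL, the missing / object in /usr/bin/foo, and the relative object path etc. Running such a check before gradm loads a ruleset catches exactly the mistakes the conventions above warn about.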
  
  
3. Modes and their meanings
  
3.1. Subject mode
  
In the grsecurity ACL system, the subject modes are as follows:
  
h: the process is hidden and can only be seen by processes with the v mode;
v: processes in this mode can view hidden processes;
p: the process is protected; processes in this mode can only be killed by processes in the k mode;
k: processes in this mode can kill processes in the protected (p) mode;
l: enables learning mode for this process;
o: disables ACL inheritance for this subject.
  
3.2. Object mode
  
Objects in grsecurity access control rules can have the following modes:
  
r: the object can be opened for reading;
w: the object can be opened for writing or appending;
o: the object can be opened for appending;
h: the object is hidden;
i: used only for binary executables. When the object is executed, it inherits the access control list of the subject (parent) process;
  
4. Inheritance
  
The grsecurity ACL system has a feature called inheritance, which is much like inheritance in C++. There are two kinds of inheritance: the first concerns how the configuration file is expanded, and the second concerns how the kernel handles the ACL at run time. All ACL rules use inheritance except those whose subject carries the o mode. A few simple rules in the ACL configuration file control inheritance:
  
For an object in the current rule, if the parent ACL rule also has access control for that object, grsecurity compares the two restrictions and ensures that the current rule does not grant more permissions than the parent rule allows, unless the object in the current rule is defined with the o mode.
If the current ACL rule places no restriction on an object, grsecurity automatically applies the parent rule's restriction on that object.
  
  
4.1. Inheritance example
  
For ease of understanding, here are a few examples of inheritance:
  
/ {
    / rwx
    /etc rx
    /usr/bin rx
    /tmp rw
}

/usr/bin/mailman {
    /tmp rwxo
}
  
  
  
Through inheritance, these two ACL rules expand to the following form:
  
/ {
    / rwx
    /etc rx
    /usr/bin rx
    /tmp rw
}

/usr/bin/mailman {
    / rwx
    /etc rx
    /usr/bin rx
    /tmp rwx
}
  
  
  
Both the /usr/bin/mailman rule and the / rule contain access control for the /tmp object. In the /usr/bin/mailman rule the /tmp object has the o mode, so the restriction placed on /tmp by the / rule is ignored.
  
The inheritance algorithm used by grsecurity does not only consider the immediate parent rule (for example /bin for /bin/su); it computes inheritance from every ancestor rule along the whole path. For example, for an access control rule whose subject is /usr/X11R6/bin/XFree86, grsecurity automatically takes into account the access controls set by the /usr/X11R6/bin, /usr/X11R6, /usr and / rules.
  
The access controls of many executables share common settings; to avoid repeating them, grsecurity provides inheritance. In special rules you can use the o subject mode to stop the whole rule from inheriting the parent rule's access controls, or the o object mode to cancel inheritance for a single object's access control only.
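As an added example (a model written for this article, not the grsecurity implementation), the following Python code expands a rule the way this section describes: ancestor rules are collected along the full subject path, their objects are copied in, an object in the child rule is clamped to the permissions its ancestor allows unless it carries the o mode, and an o subject mode switches inheritance off entirely. The rule set RULES is constructed for the example and extends the mailman example above; matching a child object against the parent's directory objects by longest prefix, and keeping h as a restriction rather than a permission, are assumptions of this example that the document does not spell out.

```python
import posixpath

# Constructed rule set: subject path -> (subject mode, {object path: object mode}).
# The first two entries are the mailman example from the text; the rest are added.
RULES = {
    "/":                ("",  {"/": "rwx", "/etc": "rx", "/usr/bin": "rx", "/tmp": "rw"}),
    "/usr/bin/mailman": ("",  {"/tmp": "rwxo"}),
    "/usr/bin/mutt":    ("",  {"/tmp": "rwx", "/tmp/mutt-cache": "rwa"}),
    "/usr/bin/ssh":     ("o", {"/": "rx", "/etc/ssh": "r"}),
}


def ancestors(subject):
    """Directories above `subject`, nearest first, down to /:
    /usr/X11R6/bin/XFree86 -> /usr/X11R6/bin, /usr/X11R6, /usr, /"""
    path = subject
    while path != "/":
        path = posixpath.dirname(path)
        yield path


def nearest_ancestor_rule(subject, rules):
    """The closest ancestor directory that has its own rule, or None."""
    for a in ancestors(subject):
        if a in rules:
            return a
    return None


def matching_object(path, objects):
    """Longest-prefix match of an object path against a rule's objects
    (assumption: a directory object governs everything beneath it)."""
    best = None
    for cand in objects:
        if path == cand or path.startswith(cand.rstrip("/") + "/"):
            if best is None or len(cand) > len(best):
                best = cand
    return best


def effective_acl(subject, rules):
    """Expand `subject`'s rule according to the inheritance rules in the text."""
    mode, objects = rules[subject]
    own = {p: m.replace("o", "") for p, m in objects.items()}
    parent = None if "o" in mode else nearest_ancestor_rule(subject, rules)
    if parent is None:                   # subject mode o, or no ancestor rule
        return own
    result = dict(effective_acl(parent, rules))   # start from the parent's expansion
    for path, m in objects.items():
        if "o" in m:                     # object mode o: parent's limit is ignored
            result[path] = own[path]
            continue
        inherited = matching_object(path, result)
        if inherited is None:            # nothing to inherit for this object
            result[path] = m
        else:                            # never more permissive than the parent
            allowed = set(result[inherited])
            result[path] = "".join(c for c in m if c in allowed or c == "h")
    return result


if __name__ == "__main__":
    for subj in RULES:
        print(subj, effective_acl(subj, RULES))
```

For /usr/bin/mailman the expansion reproduces the expanded rule shown above (/tmp becomes rwx because of the o object mode), while /usr/bin/mutt, which asks for rwx on /tmp without o, is clamped to the rw that the / rule allows.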
  
The kernel handles inheritance slightly differently: when an object with the i mode is executed, the kernel gives the new process a copy of the subject's ACL. This way you can grant special permissions to processes spawned by a specific process. For example:
  
/ {
    / rwx
    /tmp rw
}

/usr/bin/mozilla {
    /usr/bin/mozilla-bin rxi
    /tmp rwxo
}
  
  
  
In this example, assume that /usr/bin/mozilla is a script (which it actually is) that runs the real mozilla program, /usr/bin/mozilla-bin. When /usr/bin/mo