Mandatory Access Control System in Linux Kernel
AppArmor
Because I recently studied the implementation of the security module behind an OJ (online judge), I have been looking at sandboxes in Linux and found that AppArmor can provide access control.
AppArmor (Application Armor) is a security module of the Linux kernel. AppArmor allows the system administrator to associate each program with a security configuration file (a profile) that restricts what the program may do. In short, AppArmor is an access control system similar to SELinux: through it you can specify which files a program may read, write or execute, and whether it may open network ports. As a supplement to the discretionary access control of traditional Unix systems, AppArmor provides a mandatory access control mechanism, and it has been integrated into the Linux 2.6 kernel.
At present, Ubuntu already ships with AppArmor, and the relevant information can be found in the manual pages. This article is summarized from many English documents and may be inaccurate. Please forgive me.
I. Access control bound to the program
The access control provided by AppArmor is bound to the program: AppArmor's unique security model is to bind access control attributes to programs rather than to users. Assume that the path of an executable file is /home/lei/demoexe. If you want to use AppArmor for access control, you need to create a new configuration file (I will explain how to write it later) named home.lei.demoexe, and put the configuration file in the directory reserved for AppArmor (/etc/apparmor.d). So every executable file is bound to a configuration file, and if you rename the demoexe file, the configuration file no longer applies to it.
II. Two working modes
AppArmor has two working modes: enforcement and complain (also called learning).
Enforcement - In this mode, all the restrictions listed in the configuration file are enforced, and programs that violate these restrictions are logged.
Complain - In this mode, the restrictions in the configuration file are not enforced, and AppArmor only records the program's behavior. For example, a program can write to a file that the configuration file marks as read-only; AppArmor does not stop it, but only logs it.
So if complain mode cannot restrict programs, why do we still need it? Because when a program's behavior does not comply with the restrictions in its configuration file, that behavior is recorded in the system log, and the log can then be converted into a configuration file based on what the program actually did.
Of course, we can modify the configuration file at any time and select the desired mode.
III. Access control and resource restrictions
AppArmor can restrict programs in many ways. Here I will only introduce what I have used.
(1) File System Access Control
AppArmor can control access to a single file or to the files in a directory, using the following access modes:
  r                    read mode
  w                    write mode (mutually exclusive with a)
  a                    append mode (mutually exclusive with w)
  k                    file locking mode
  l                    link mode
  link file -> target  link pair rule (cannot be combined with other access modes)
That is, files can be made readable, writable, appendable, lockable and linkable (the execute mode x is not listed in the table) ...
In the configuration file, a rule is written as a path followed by the access modes and a comma.
For example, /tmp r, indicates that files in the /tmp directory can be read.
Note that files not listed in the configuration file cannot be accessed by the program at all, so the profile works like a whitelist.
(2) Resource restrictions
AppArmor can limit the resources a program may use, in a way similar to the setrlimit system call. To restrict a resource, write set rlimit [resource] <= [value] in the configuration file, where resource names the resource and value is the limit.
For example, to limit the virtual memory the program can use, write: set rlimit as <= 1M, (the maximum virtual memory that can be used is 1M). Note: AppArmor can restrict the program's use of various resources (such as fsize, data, stack, core, rss, as, memlock and msgqueue), but it cannot limit the CPU time a program may use. (Currently, an OJ generally imposes strict limits on the running time of the program submitted by an ACMer, so to apply AppArmor to the OJ background security module you must set a separate CPU time limit.)
(3) Network access
The syntax in the configuration file is as follows: network [domain] [type] [protocol], and anyone who has done network programming will know what domain, type and protocol mean.
To allow the program to perform all network operations, you only need to write in the configuration file:
network,
To allow the program to use the TCP protocol over IPv4, write:
network inet tcp,
(4) Capability entries
Capability statements are simply the word capability followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page. The Linux manual page has a list of capabilities, and AppArmor can restrict whether the program may perform the operations in that list, for example:
capability setgid, (allow the program to perform the setgid operation)
IV. Writing the configuration file
As mentioned above, after writing the configuration file you put it in /etc/apparmor.d. There is actually a more convenient method: run sudo genprof [filename] on the command line to create a configuration file for the specified program, and it is placed in this directory for you.
The configuration file is as follows:
  # Last Modified: Fri Feb 1 20:06:09 2013
  #include <tunables/global>
  /home/lei/apparmor-helper/demoexe {
    #include <abstractions/base>
  }
Note: this file uses enforcement mode by default. To change the mode, you only need to change the profile header in the configuration file:
  # Last Modified: Fri Feb 1 20:06:09 2013
  #include <tunables/global>
  /home/lei/apparmor-helper/demoexe flags=(complain) {
    #include <abstractions/base>
  }
The path at the front of the profile is the executable's file path, which is what binds the program to the configuration file.
Okay, then you can add the corresponding rules to the configuration file. For example, add the following inside the braces:
  /home/lei/apparmor-helper/data rw,
  set rlimit stack <= 1M,
Then run sudo /etc/init.d/apparmor reload to reload the configuration files so that the new configuration takes effect.
Note: loading fails if the syntax in the configuration file is incorrect.
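As an added example (not part of the original post, and not AppArmor's own tooling), the following Python script turns the complain-mode audit lines described in section II into the file, capability and rlimit rules of a profile laid out as in section IV. The log lines are constructed in the kernel's audit-line format, the helper names (parse_line, collect_rules, render_profile) are my own, and the apparmor-utils package does the real version of this job with aa-logprof.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel's audit-line format: what AppArmor logs while
# demoexe runs in complain mode (apparmor="ALLOWED"). The last line belongs to a
# different profile and must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1359720369.101:37): apparmor="ALLOWED" operation="open" profile="/home/lei/apparmor-helper/demoexe" name="/home/lei/apparmor-helper/data" pid=2101 comm="demoexe" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1359720369.102:38): apparmor="ALLOWED" operation="open" profile="/home/lei/apparmor-helper/demoexe" name="/home/lei/apparmor-helper/data" pid=2101 comm="demoexe" requested_mask="wc" denied_mask="wc"
audit: type=1400 audit(1359720369.103:39): apparmor="ALLOWED" operation="open" profile="/home/lei/apparmor-helper/demoexe" name="/tmp/demo.log" pid=2101 comm="demoexe" requested_mask="a" denied_mask="a"
audit: type=1400 audit(1359720369.104:40): apparmor="ALLOWED" operation="open" profile="/home/lei/apparmor-helper/demoexe" name="/tmp/demo.log" pid=2101 comm="demoexe" requested_mask="w" denied_mask="w"
audit: type=1400 audit(1359720369.105:41): apparmor="ALLOWED" operation="capable" profile="/home/lei/apparmor-helper/demoexe" pid=2101 comm="demoexe" capability=6 capname="setgid"
audit: type=1400 audit(1359720369.106:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/other" name="/etc/shadow" pid=2200 comm="other" requested_mask="r" denied_mask="r"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODE_ORDER = "rwalk"   # canonical order for the file access modes in a rule

def parse_line(line):
    """Split one audit line into a dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def collect_rules(log_text, profile):
    """Gather the file modes and capabilities that one profile asked for."""
    modes, caps = defaultdict(set), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED") or ev.get("profile") != profile:
            continue
        if ev.get("operation") == "capable":
            caps.add(ev["capname"])
        elif "name" in ev and "requested_mask" in ev:
            # the log's "c" (create) is granted by the profile's "w" mode
            modes[ev["name"]].update(ev["requested_mask"].replace("c", "w"))
    rules = {}
    for path, m in modes.items():
        if "w" in m:
            m.discard("a")   # w and a are mutually exclusive; w already covers append
        rules[path] = "".join(c for c in MODE_ORDER if c in m)
    return rules, caps

def render_profile(profile, rules, caps, rlimits, complain=True):
    """Render a profile in the layout shown above (includes, flags, body)."""
    head = profile + (" flags=(complain) {" if complain else " {")
    body = ["  #include <abstractions/base>"]
    body += ["  %s %s," % (p, m) for p, m in sorted(rules.items())]
    body += ["  capability %s," % c for c in sorted(caps)]
    body += ["  set rlimit %s <= %s," % (r, v) for r, v in sorted(rlimits.items())]
    return "\n".join(["#include <tunables/global>", head] + body + ["}"]) + "\n"
```

Running collect_rules over a real /var/log/kern.log or journal extract for demoexe, then render_profile with complain=False, gives a first enforcement profile to review before installing it under /etc/apparmor.d.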
This article is just a small summary of my use of AppArmor and is not complete. For example, I have not covered many details of the configuration file, nor the tools that make it easy to manage configuration files, for more details about AppArmor.