Smack technology: Discretionary Access Control (DAC) and Mandatory Access Control (MAC)

Source: Internet
Author: User

I. Discretionary Access Control (DAC)
What does "discretionary" mean? We often hear of being independent and self-reliant: relying on ourselves and making our own decisions. "Discretionary" here likewise means that I own certain resources and I decide who may access them. In computing, the party that initiates an access is called the subject (a user or a process), and the thing being accessed is called the object (a file, for example). The access modes are usually read (r), write (w) and execute (x). A discretionary access control policy is generally represented by a triple (S, O, a): S is the subject, O the object and a the access mode. Linux uses discretionary access control. For every file, Linux records permissions for the owner, the owner's group and everyone else (other). For example, if file1 has the permission bits rwx r-x rw-, its owner may read, write and execute it; members of the owner's group may read and execute it; and others, who are neither the owner nor in the owner's group, may only read and write it.

How does a computer system implement discretionary access control? It is easy to implement: generally an access control list (ACL) or a capability list (CL) is used, the former being more common. In an ACL-based system, each object has an ACL that records how each subject in the system may access it. An ACL can be stored as one column of the access control matrix, as shown in the figure:


Looking at a single column, such as the file1 column, we know exactly how sunny, clone and Richard may access that file. By consulting the object's ACL, the system's reference monitor (a security mechanism that the subject cannot bypass) can easily decide whether the subject attempting the access holds the required permission. The Linux command getfacl shows the ACL of a file, as shown in the figure:




In computing, simple things are often not good enough, and DAC has fatal flaws. First, Linux has a superuser, root, who is not restricted by DAC at all. Second, DAC cannot defend against Trojan horses: if a Trojan is hidden inside a program the user trusts, that program runs with the user's permissions and can harm the system. Third, DAC's control granularity is coarse, so it cannot implement fine-grained access control effectively.
Android is based on Linux, and at the kernel layer Android adopts the Linux DAC mechanism. This is one of the reasons why Mr. Liang wants to add Smack.
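To make the DAC section concrete, here is an added example (not code from the original article) that models both representations it describes: Linux mode bits for owner, group and other, and per-object ACLs taken as columns of the access control matrix, checked by a toy reference monitor. The subject names sunny, clone and Richard come from the article's figure; the matrix contents, group name and file2 column are constructed for illustration.

```python
# Toy DAC reference monitor: Linux mode bits plus ACL columns of the
# access control matrix. All names and matrix entries are constructed.
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    groups: frozenset = field(default_factory=frozenset)


def parse_mode(mode: str) -> dict:
    """Turn a 9-character mode string such as 'rwxr-xrw-' into
    {'owner': {'r','w','x'}, 'group': {'r','x'}, 'other': {'r','w'}}."""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters, e.g. rwxr-xrw-")
    classes = ("owner", "group", "other")
    return {who: {b for b in mode[i * 3:i * 3 + 3] if b != "-"}
            for i, who in enumerate(classes)}


def mode_allows(subject: Subject, owner: str, group: str,
                mode: str, access: str) -> bool:
    """Linux DAC check: the first matching class decides (owner, then
    group, then other); a later class never widens the decision."""
    classes = parse_mode(mode)
    if subject.name == owner:
        return access in classes["owner"]
    if group in subject.groups:
        return access in classes["group"]
    return access in classes["other"]


# Access control matrix: rows are subjects, columns are objects. The file1
# column mirrors the article's file1 (owner rwx, group r-x, other rw-).
MATRIX = {
    "sunny":   {"file1": {"r", "w", "x"}, "file2": {"r"}},
    "clone":   {"file1": {"r", "x"},      "file2": {"r", "w"}},
    "Richard": {"file1": {"r", "w"},      "file2": set()},
}


def acl_of(obj: str) -> dict:
    """One column of the matrix: the ACL stored alongside the object."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}


def acl_allows(subject: str, obj: str, access: str) -> bool:
    """Reference-monitor decision on the (S, O, a) triple via the object's ACL;
    a subject absent from the ACL gets nothing."""
    return access in acl_of(obj).get(subject, set())
```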
II. Mandatory Access Control (MAC)
"Mandatory" means enforced. Just as a person who breaks the law must accept legal sanctions whether they are willing or not, because the state's judicial organs enforce them, so mandatory access control is enforced by the system. That is only a rough description; an example makes it clearer. Many military documents must be kept confidential, and every document carries a classification such as top secret, secret or confidential. To access these documents, a reader must hold a corresponding clearance. Someone cleared for top secret can access documents at every level, while someone cleared only for secret can access secret and unclassified documents. In this example both the reader and the document carry a security attribute. In a computer system, both the subject and the object likewise carry security attributes, called security labels. Each subject is assigned a clearance label that states the level at which it may access objects, and each object is assigned a sensitivity label that states its sensitivity level, just like the top secret and secret classifications above. When a subject requests access to an object, the system's reference monitor compares the two labels and decides whether to grant the access. In Smack, it is the Smack rules that determine whether the subject's and object's labels permit the access.
A mandatory access control policy is also represented by a triple (S, O, a). In Smack, a can be r, w, x or a (append, also called blind write). A mandatory access control policy protects both the confidentiality and the integrity of information. Note, however, that the policy requires the set of labels to form a partial order: the "dominates" relation between labels must be reflexive, antisymmetric and transitive, but unlike a total (linear) order it does not require every pair of labels to be comparable. Two labels X and Y are related only if the pair <X, Y> is in the dominance relation; otherwise they are incomparable. This may sound confusing at first, but it does not matter; we will go through it slowly.
In multi-level-security-based mandatory access control, a security label consists of two parts: a class and a category. The class reflects a hierarchical relationship, so we call it the security level, and security levels can be compared; in an implementation an integer is enough to represent it. The category, as its name implies, is a set. It is a non-hierarchical notion and cannot be compared by size: we cannot say that vegetables are larger than fruit. Of categories we can only say that one is contained in another. For two security labels A and B, A dominates B if and only if A's security level is greater than or equal to B's and A's category set includes B's category set; this is the partial-order relation, written here as A ≥ B. Similarly, A equals B if and only if the two security levels are equal and the category sets include each other. With this in hand, let us consider how to implement mandatory access control.


Mandatory access control is generally based on the BLP (Bell-LaPadula) model, a computer security model that follows military security policy. It formally describes the system, its secure and insecure states, and the transitions between them. The model is complex and stated in mathematical language; we only need two points from it: a subject with a higher security level can read an object with a lower one, and a subject with a lower security level can write an object with a higher one. This guarantees that information flows in one direction only, toward subjects with a higher security level. An implementation of mandatory access control therefore imposes two rules. If a subject wants to read an object, the subject's security label must dominate the object's security label. If a subject wants to write an object, the subject's security label must be dominated by the object's security label. Here is a simple example, as shown in the figure:




The clearance label of process A dominates the file's label, so A can read the file. Conversely, the file's security label dominates the label of process B, so B can write the file. The security label of process C is incomparable with the file's label, so both its read and its write requests are rejected.
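The label structure (level plus category set), the "dominates" partial order and the two BLP rules described above, as an added example that is not code from the original article. The labels for the file and for processes A, B and C are constructed to mirror the figure: A above the file, B below it, and C with a category set that makes it incomparable.

```python
# Multi-level security labels and BLP read/write decisions. The label
# values are constructed for illustration; they are not Smack labels.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int             # hierarchical class, e.g. 3 = top secret, 2 = secret
    categories: frozenset  # non-hierarchical category set, compared by inclusion

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories

    def comparable(self, other: "Label") -> bool:
        """Partial order: two labels may be related in neither direction."""
        return self.dominates(other) or other.dominates(self)


def may_read(subject: Label, obj: Label) -> bool:
    """BLP simple security property (no read up): subject dominates object."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """BLP *-property (no write down): object dominates subject."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, access: str) -> bool:
    """Reference-monitor decision on the (S, O, a) triple. Append ('a',
    blind write) is treated as a write; any other mode is refused."""
    if access == "r":
        return may_read(subject, obj)
    if access in ("w", "a"):
        return may_write(subject, obj)
    raise ValueError(f"unsupported access mode {access!r}")


# Constructed labels mirroring the figure.
FILE = Label(2, frozenset({"army"}))
PROC_A = Label(3, frozenset({"army", "navy"}))   # dominates FILE
PROC_B = Label(1, frozenset())                    # dominated by FILE
PROC_C = Label(2, frozenset({"navy"}))            # incomparable with FILE
```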
Mandatory access control is a deep subject. Typical implementations in Linux are SELinux and Smack. SELinux mainly uses DTE (domain and type enforcement) together with RBAC, although its RBAC is simple; Smack uses label-based security policies built on the LSM (Linux Security Module) mechanism. One difference between them is that SELinux's security policy is compiled into binary files and loaded into kernel space at system startup, whereas Smack's security policy can be written by the user, although it too must be loaded into kernel space by Smack.
