The Linux kernel controls activities
Source: Imre kasutab arvutit
Introduction
TODO
Concepts
- seccomp
- capabilities
- dac/acl
- lsm
How it works
Claims
- in general a process wants to use some resource, and that use has to be controlled (i.e. the system must decide whether to allow it)
- privileges (i.e. the right to do something, to use something) belong not so much to the user as to the process
- a process's privileges derive, among other things, from three mechanisms: 1. the seccomp syscall firewall, 2. capabilities, 3. LSM
- system call (syscall, 'make system call') - xxx
Syscalls are generally of two kinds
- Automatic Syscalls: Actions like mmap(), read(), or brk() are considered "safe." The kernel assumes that if you have the memory or the file handle, you can perform these actions. No special "permission" is needed beyond standard file permissions.
- Restricted Syscalls: Actions like clock_adjtime(), reboot(), or mount() are "dangerous." Historically, the kernel had a simple rule: if (uid == 0) (Root), allow; else, deny.
Diagram
running process -> syscall interface -> kernel -> resource
                        ^                  ^          ^
                        |                  |          |
                        |                  |          |
                 seccomp firewall     capabilities   lsm (apparmor)
                                                     dac
where
- systemd - handles applying seccomp and capabilities
- apparmor - handles applying the LSM
Gemini diagram
[ PROCESS ]
|
| 1. SECCOMP GATE (The Vocabulary Check)
| "Is this syscall even allowed to be uttered?"
| [ Filter: 23 active ] ---------------------> [ REJECT / SIGSYS ]
|
v
| 2. CAPABILITIES GATE (The Authority Check)
| "Does this process hold the specific bit for this action?"
| [ e.g., CAP_SYS_TIME ] --------------------> [ REJECT / EPERM ]
|
v
| 3. DAC / ACL GATE (The Identity Check)
| "Is the process UID/GID on the list for this file/device?"
| [ Feature: +ACL ] -------------------------> [ REJECT / EACCES ]
|
v
| 4. LSM / MAC GATE (The Policy "Horizon")
| "Does the overall security policy permit this role this access?"
| [ AppArmor / SELINUX ] --------------------> [ REJECT / DENIED ]
|
v
[ RESOURCE ] (e.g., /dev/sda, System Clock, Network Socket)
Capabilities - spring 2026 notes
Claims
- in a sense capabilities extend the so-called classic setuid solution (which derives, from the attributes of a file, the privileges suitable for running the process - usually normal user -> root user)
- it is possible to create a process owned by a normal user that is bound to a privileged port, i.e. a port < 1024
- to a certain extent a child process inherits capabilities from its parent process
capabilities can come from two so-called sources
- statically, based on the file's xattr
- dynamically, granted by a higher-privilege process that invokes the program (e.g. a systemd service unit)
with systemd, usually a lower and an upper limit on privileges is configured
root@zabbix-pub-01:~# systemctl show systemd-resolved | grep Capab
CapabilityBoundingSet=cap_setpcap cap_net_bind_service cap_net_raw
AmbientCapabilities=cap_setpcap cap_net_bind_service cap_net_raw
root@zabbix-pub-01:~# egrep -r AmbientCapabilities /lib/systemd/
/lib/systemd/system/e2scrub_reap.service:AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
/lib/systemd/system/e2scrub@.service:AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
/lib/systemd/system/xfs_scrub@.service:AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
/lib/systemd/system/systemd-timesyncd.service:AmbientCapabilities=CAP_SYS_TIME
/lib/systemd/system/systemd-networkd.service:AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
/lib/systemd/system/systemd-resolved.service:AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
The pscap program shows the current state of running processes in terms of capabilities, e.g.
root@zabbix-pub-01:~# apt-get install libcap-ng-utils
root@zabbix-pub-01:~# pscap -a
ppid  pid   uid               command           capabilities
0     1     root              systemd           full +
1     344   root              systemd-journal   chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read +
1     395   root              multipathd        full +
1     413   root              systemd-udevd     chown, dac_override, dac_read_search, fowner, fsetid, kill, setgid, setuid, setpcap, linux_immutable, net_bind_service, net_broadcast, net_admin, net_raw, ipc_lock, ipc_owner, sys_module, sys_rawio, sys_chroot, sys_ptrace, sys_pacct, sys_admin, sys_boot, sys_nice, sys_resource, sys_tty_config, mknod, lease, audit_write, audit_control, setfcap, mac_override, mac_admin, syslog, block_suspend, audit_read, perfmon, bpf, checkpoint_restore +
1     562   systemd-network   systemd-network   net_bind_service, net_broadcast, net_admin, net_raw @ +
1     577   systemd-resolve   systemd-resolve   net_raw @ +
1     593   systemd-timesync  systemd-timesyn   sys_time @ +
1     715   messagebus        dbus-daemon       audit_write +
1     719   root              php-fpm8.3        full +
1     724   root              qemu-ga           full +
1     733   root              systemd-logind    chown, dac_override, dac_read_search, fowner, linux_immutable, sys_admin, sys_tty_config, audit_control, mac_admin +
...
Dynamic capability
In one window one says
root@zabbix-pub-01:~# capsh --keep=1 --user=nobody --inh=cap_chown --addamb=cap_chown --caps="cap_chown=eip" -- -c "sleep 60"
and in another one asks
root@zabbix-pub-01:~# ps aux | grep sleep
nobody    216107  0.0  0.1   5692  2196 pts/0    S+   00:45   0:00 sleep 60
root@zabbix-pub-01:~# grep -i cap /proc/216107/status
CapInh: 0000000000000001
CapPrm: 0000000000000001
CapEff: 0000000000000001
CapBnd: 000001ffffffffff
CapAmb: 0000000000000001
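The /proc/<pid>/status lines above are raw bitmasks, and the notes do not say why sleep (a binary with no file capabilities) ends up with CapInh = CapPrm = CapEff = CapAmb = 0x1. The script below is an added example, not part of the original notes or of libcap/systemd: it decodes such masks into cap_* names (bit numbers follow linux/capability.h, 0..40), and applies the execve() transformation rules from capabilities(7) to the capsh case above, to the static file-xattr case (cap_net_bind_service on a binary, i.e. the "bind to a port < 1024 as a normal user" claim) and to the systemd CapabilityBoundingSet case. The function names and the sample masks are this example's own; the rules themselves are the documented ones.

```shell
#!/bin/sh
# Added example: decode /proc/<pid>/status capability masks and replay the
# capabilities(7) execve() rules. POSIX sh (dash, bash, busybox ash all work).

# Capability names by bit number, 0..40 (linux/capability.h, kernel 5.9+).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod \
lease audit_write audit_control setfcap mac_override mac_admin syslog \
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> comma-separated cap_* names, lowest bit first.
decode_caps() {
  dc_mask=$((0x$1)); dc_i=0; dc_out=""
  for dc_name in $CAP_NAMES; do
    if [ $(( (dc_mask >> dc_i) & 1 )) -eq 1 ]; then
      dc_out="${dc_out:+$dc_out,}cap_$dc_name"
    fi
    dc_i=$((dc_i + 1))
  done
  printf '%s\n' "$dc_out"
}

# count_caps HEXMASK -> number of capabilities set (41 = "full" in pscap terms).
count_caps() {
  cc_mask=$((0x$1)); cc_i=0; cc_n=0
  for cc_name in $CAP_NAMES; do
    cc_n=$(( cc_n + ((cc_mask >> cc_i) & 1) ))
    cc_i=$((cc_i + 1))
  done
  printf '%d\n' "$cc_n"
}

# exec_transform P_INH P_BND P_AMB F_INH F_PRM F_EFF PRIVILEGED
# Capability sets of the calling process (P) and of the executed file (F) as hex
# masks; F_EFF is the file's effective flag (0/1); PRIVILEGED is 1 if the file
# has any file capability or is setuid/setgid. Rules from capabilities(7):
#   P'(ambient)   = PRIVILEGED ? 0 : P(ambient)
#   P'(permitted) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(ambient)
#   P'(effective) = F(eff) ? P'(permitted) : P'(ambient)
#   P'(inh), P'(bnd) unchanged
# Prints "inh prm eff amb" as 16-digit hex, the /proc/<pid>/status layout.
exec_transform() {
  et_inh=$((0x$1)); et_bnd=$((0x$2)); et_amb=$((0x$3))
  et_finh=$((0x$4)); et_fprm=$((0x$5)); et_feff=$6; et_priv=$7
  if [ "$et_priv" -ne 0 ]; then et_namb=0; else et_namb=$et_amb; fi
  et_nprm=$(( (et_inh & et_finh) | (et_fprm & et_bnd) | et_namb ))
  if [ "$et_feff" -ne 0 ]; then et_neff=$et_nprm; else et_neff=$et_namb; fi
  printf '%016x %016x %016x %016x\n' "$et_inh" "$et_nprm" "$et_neff" "$et_namb"
}

# 1. The capsh case from the notes: inh=cap_chown, ambient=cap_chown, bounding
#    set untouched (all 41 bits), exec of /bin/sleep which has no file caps.
#    The ambient set carries cap_chown through: every set prints as ...0001.
exec_transform 0000000000000001 000001ffffffffff 0000000000000001 0 0 0 0
# 2. Same, but without --addamb: with an empty ambient set, sleep gets nothing.
exec_transform 0000000000000001 000001ffffffffff 0 0 0 0 0
# 3. Static xattr case: binary with cap_net_bind_service=+ep (bit 10 = 0x400)
#    run by a normal user; the file caps alone yield prm=eff=cap_net_bind_service.
exec_transform 0 000001ffffffffff 0 0 0000000000000400 1 1
# 4. systemd CapabilityBoundingSet without cap_sys_admin (bit 21 cleared):
#    a binary with cap_sys_admin=+ep gets nothing, the bounding set is the ceiling.
exec_transform 0 000001ffffdfffff 0 0 0000000000200000 1 1
decode_caps 000001ffffffffff
decode_caps 0000000000000001
```

Run it as a plain script, or source it and call decode_caps on the value from grep Cap /proc/<pid>/status. Case 4 is the one to keep in mind when reading systemctl show output: AmbientCapabilities= is the floor a service starts with, CapabilityBoundingSet= is the ceiling that no file capability can raise a process above.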
Useful additional materials
- TODO