next up previous contents
Next: Procfs Labeling Implementation Up: Procfs Previous: Procfs Analysis   Contents

Procfs Labeling Design

To enable the security policy to control access to each process-specific subdirectory based on the security attributes of the associated process, each process-specific subdirectory and its files will be labeled with the SID of the associated process. If the security policy needs to be able to distinguish the individual files within each process-specific subdirectory, then a new interface could be added to the security server that would return the SID for each file based on the SID of the associated process. However, it is not evident that the security policy will require such distinctions, even though the files within a process-specific subdirectory do differ from one another in their file modes.

Of particular note in the process-specific subdirectories are the mem files, since these files have the potential to provide read and write access to the memory of other processes. However, the existing restrictions on access to mem seem adequate if the ability to ptrace a child process is controlled by the security policy. Such controls need to be added to the process management component.

Most of the files outside of the process-specific subdirectories have the same fundamental security properties: readable by everyone and writeable only by administrators. Consequently, most of these files may be labeled with a single SID. This labeling scheme may be further refined over time to provide better support for least privilege. It seems desirable to provide support for easily specifying a distinct SID at any point in the /proc hierarchy and automatically assigning that SID to all files below that point that are not explicitly labeled. This will permit gradual refinement of labeling with minimal changes.

Due to the highly sensitive nature of the kmsg and kcore files, each of these files will be labeled with a distinct SID to permit fine-grained control over access to each file. Note that the Flask capability permission for CAP_SYS_RAWIO will also need to be granted for access to the kcore file.

As with the Linux access controls for sysctl, the Flask controls should be the same whether a parameter is accessed through /proc/sys or through the sysctl system call. Hence, file mandatory access controls will be added to the sysctl system call code to parallel the controls that are already enforced when /proc/sys is accessed. As an initial step toward least privilege, the kernel, vm, net, fs, and dev subtrees will each be labeled with a distinct SID. Additionally, the /proc/sys/kernel/modprobe file will have a distinct SID to permit fine-grained control over the ability to change the path executed by the kernel to automatically load kernel modules. The other files and directories under /proc/sys will be labeled with a SID that distinguishes them from the rest of /proc.
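The labeling scheme sketched above (process-specific subdirectories carrying the SID of their process; a SID set at one point in the /proc hierarchy applying to every unlabeled file beneath it; distinct SIDs for kmsg, kcore, the /proc/sys subtrees and /proc/sys/kernel/modprobe; and the sysctl system call resolving to the same label as the /proc/sys file) can be expressed as a single lookup function. The following is an added illustration written for this page, not code from the Flask prototype or the Linux kernel. The SID values, the process table used by process_sid, and the slash-separated textual sysctl name accepted by sysctl_param_sid are all constructed assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed SID values for illustration only; in Flask the security server
 * assigns SIDs and the policy decides what each SID may do. */
typedef unsigned int sid_t;
enum {
    SID_UNKNOWN         = 0,
    SID_PROC            = 100, /* default for /proc: world-readable, admin-writable */
    SID_PROC_KMSG       = 101, /* sensitive: distinct SID */
    SID_PROC_KCORE      = 102, /* sensitive: distinct SID (CAP_SYS_RAWIO also needed) */
    SID_SYSCTL          = 110, /* /proc/sys default, distinct from the rest of /proc */
    SID_SYSCTL_KERNEL   = 111,
    SID_SYSCTL_VM       = 112,
    SID_SYSCTL_NET      = 113,
    SID_SYSCTL_FS       = 114,
    SID_SYSCTL_DEV      = 115,
    SID_SYSCTL_MODPROBE = 116  /* /proc/sys/kernel/modprobe singled out */
};

/* Explicit labels. A SID attached at one point in the hierarchy covers every
 * file below it that has no more specific entry (longest-prefix match), so
 * refining the scheme later means adding a row, not relabeling everything. */
struct label_entry { const char *prefix; sid_t sid; };
static const struct label_entry labels[] = {
    { "/proc",                     SID_PROC },
    { "/proc/kmsg",                SID_PROC_KMSG },
    { "/proc/kcore",               SID_PROC_KCORE },
    { "/proc/sys",                 SID_SYSCTL },
    { "/proc/sys/kernel",          SID_SYSCTL_KERNEL },
    { "/proc/sys/kernel/modprobe", SID_SYSCTL_MODPROBE },
    { "/proc/sys/vm",              SID_SYSCTL_VM },
    { "/proc/sys/net",             SID_SYSCTL_NET },
    { "/proc/sys/fs",              SID_SYSCTL_FS },
    { "/proc/sys/dev",             SID_SYSCTL_DEV },
};

/* True when prefix equals path or is a whole-component ancestor of it
 * ("/proc/sys" matches "/proc/sys/vm" but not "/proc/sysvipc"). */
static int prefix_matches(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    return strncmp(prefix, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Stand-in for the kernel's task lookup (constructed table): SID of the
 * process with this pid, or SID_UNKNOWN if no such task exists. */
static sid_t process_sid(int pid)
{
    static const struct { int pid; sid_t sid; } tasks[] = { { 1, 500 }, { 1234, 501 } };
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        if (tasks[i].pid == pid)
            return tasks[i].sid;
    return SID_UNKNOWN;
}

/* If path is "/proc/<pid>" or anything beneath it, return <pid>, else -1. */
static int proc_pid_of(const char *path)
{
    const char *p;
    char *end;
    long pid;

    if (strncmp(path, "/proc/", 6) != 0)
        return -1;
    p = path + 6;
    if (*p < '1' || *p > '9')          /* pids never start with 0 */
        return -1;
    pid = strtol(p, &end, 10);
    if (*end != '\0' && *end != '/')    /* "/proc/1234abc" is not a process directory */
        return -1;
    return (int)pid;
}

/* Label for any path under /proc: a process-specific subdirectory and all of
 * its files carry the SID of that process; everything else is resolved
 * against the explicit label table with longest-prefix match. */
sid_t proc_file_sid(const char *path)
{
    const struct label_entry *best = NULL;
    size_t best_len = 0;
    int pid = proc_pid_of(path);

    if (pid >= 0)
        return process_sid(pid);
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        size_t n = strlen(labels[i].prefix);
        if (prefix_matches(labels[i].prefix, path) && n > best_len) {
            best = &labels[i];
            best_len = n;
        }
    }
    return best ? best->sid : SID_UNKNOWN;
}

/* sysctl(2) entry point: the parameter name (assumed here to be given in the
 * slash-separated textual form, e.g. "kernel/modprobe") is mapped onto its
 * /proc/sys path so both access routes are checked against the same SID. */
sid_t sysctl_param_sid(const char *name)
{
    char path[256];
    snprintf(path, sizeof path, "/proc/sys/%s", name);
    return proc_file_sid(path);
}

int main(void)
{
    const char *paths[] = { "/proc/1234/mem", "/proc/cpuinfo", "/proc/kcore",
                            "/proc/sys/kernel/modprobe", "/proc/sys/vm/swappiness" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-28s -> SID %u\n", paths[i], proc_file_sid(paths[i]));
    printf("sysctl kernel/modprobe       -> SID %u\n", sysctl_param_sid("kernel/modprobe"));
    return 0;
}
```

Two design points are worth noting. prefix_matches only accepts whole path components, so adding a label for /proc/sys never silently captures a sibling such as /proc/sysvipc. The Linux sysctl(2) call of that era identified parameters by an integer name vector rather than a string; the textual name in sysctl_param_sid is a simplification, and a real implementation would translate the integer vector to the same /proc/sys path before performing the lookup, which is what keeps the two access routes under one label.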
