Revision history

revision 1 (initial version)
Allow only trusted applications to access private data

Hello, Fedora! It seems that you are the only one who cares about security. So I will ask my question to you.

I am starting to write my own LSM. But before I drown in this, I want to make triple sure my goals can't be achieved using SELinux or other existing LSMs.

In SELinux every file and every process has a security label attached. And we need to write rules like: "I want to allow the process labelled with LABEL1 to read files labelled with LABEL2". Also we can write domain transition rules like: "If a process labelled with LABEL1 starts an executable labelled with LABEL2, I want the new process to be labelled as LABEL3, not LABEL1". This is good if you want to confine some untrusted (or potentially vulnerable) applications.

But my goal is different. I need the ability to mark some files as PRIVATE, and no application should be able to access these files without a permissive rule. Using SELinux, I can't allow a transition to a more permissive domain (for good reasons). And I don't want to use sudo to switch to a more permissive domain. Furthermore, I need the ability to mark files with multiple labels (like "Photos" + "Holly"). And only processes that are allowed to read all labels should be able to read such a file.

Is it possible?

Fine, if anyone is interested, here is the model I am going to implement (if I don't find breaches in it).

  1. I define labels like "1:Pictures", "2:Videos" etc. The digit means the bit position.

  2. Every file and process will have an xattr label (like a SELinux context) containing... for example... one uint8_t value.

  3. If we have "00000000" (uint8_t as bits) label on a process, this means the process doesn't have access to any private categories. "11111111" means full access to all categories.

  4. If we have "00000000" label on a file, this means the file is not private and can be accessed by any process.

  5. If we have "11000000" label on a file, this means the file can be accessed only by a process which has a label like "11??????".

  6. (MOST IMPORTANT) If a process that has access to some category (like "10000000") starts a process that doesn't have access to that category (bit #1 is not set on the executable file's label), the new process will not have access to that category. Like some... partial domain transition...

In the end, we need to give "11111111" permissions to systemd, bash, xterm, kdeinit etc. But other programs must have "00000000" by default.

Now, while I write this, I start to see some problems... But I think I can figure something out...

Please, tell me you know a ready-made solution... Also, here is the stackexchange topic I've started to find a solution: https://security.stackexchange.com/questions/193832/prevent-apps-from-having-full-access-to-user-files
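The access rule (items 4 and 5) and the partial domain transition (item 6) reduce to two bitwise operations, which is easiest to see in a small user-space model. The following C program is an added illustration written for this page; it is not code from the question or from any LSM, and the category names other than Pictures and Videos are made up for the demo. It checks that a file's label is a subset of the process label, and computes a child's label on exec as parent AND executable, which is what makes the scheme monotonic: an exec chain can only lose categories, never regain them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names for the eight bit positions of the hypothetical label. Index 0 is the
 * leftmost character of strings like "11000000" (the post's "bit #1"). Only
 * Pictures and Videos come from the question; the rest are made-up examples. */
static const char *const category_names[8] = {
    "Pictures", "Videos", "Documents", "Mail",
    "Keys", "Finance", "Health", "Reserved"
};

/* Parse an eight-character bit string such as "11000000" into a uint8_t,
 * leftmost character being the most significant bit. Returns 0 on success
 * and -1 for any other length or any character other than '0'/'1'. */
int parse_label(const char *s, uint8_t *out)
{
    uint8_t v = 0;
    if (strlen(s) != 8)
        return -1;
    for (int i = 0; i < 8; i++) {
        if (s[i] != '0' && s[i] != '1')
            return -1;
        v = (uint8_t)((v << 1) | (uint8_t)(s[i] - '0'));
    }
    *out = v;
    return 0;
}

/* Render a label back to its "11000000" form; buf must hold 9 bytes. */
void format_label(uint8_t label, char buf[9])
{
    for (int i = 0; i < 8; i++)
        buf[i] = (label & (0x80u >> i)) ? '1' : '0';
    buf[8] = '\0';
}

/* Rules 4 and 5: access is allowed only if every category bit set on the
 * file is also set on the process. A file labelled 0 is public. */
int access_allowed(uint8_t proc_label, uint8_t file_label)
{
    return (file_label & ~proc_label) == 0;
}

/* Rule 6: on exec the child keeps only the categories granted by BOTH the
 * parent process and the executable's own label. A bitwise AND can never
 * set a bit the parent lacked, so privilege only shrinks along an exec chain. */
uint8_t exec_transition(uint8_t parent_label, uint8_t exe_label)
{
    return parent_label & exe_label;
}

/* Count (and name) the categories the file requires but the process lacks.
 * Returns 0 exactly when access_allowed() would return true. */
int explain_denial(uint8_t proc_label, uint8_t file_label)
{
    uint8_t missing = file_label & ~proc_label;
    int n = 0;
    for (int i = 0; i < 8; i++) {
        if (missing & (0x80u >> i)) {
            printf("  missing category %d:%s\n", i + 1, category_names[i]);
            n++;
        }
    }
    return n;
}

int main(void)
{
    uint8_t shell, viewer_exe, viewer, child, file;
    char buf[9];

    /* Constructed scenario: a fully trusted shell, a viewer executable
     * granted only Pictures, and a file labelled Pictures+Videos. */
    parse_label("11111111", &shell);
    parse_label("10000000", &viewer_exe);
    parse_label("11000000", &file);

    viewer = exec_transition(shell, viewer_exe);
    format_label(viewer, buf);
    printf("viewer runs with label %s\n", buf);

    printf("viewer -> Pictures+Videos file: %s\n",
           access_allowed(viewer, file) ? "allowed" : "denied");
    explain_denial(viewer, file);

    /* Even an all-ones executable cannot give the viewer's child more than
     * the viewer had: 10000000 AND 11111111 is still 10000000. */
    child = exec_transition(viewer, shell);
    format_label(child, buf);
    printf("child of viewer via fully trusted executable: %s\n", buf);
    return 0;
}
```

The model makes one property of the design visible that the list only implies: because the transition is an AND rather than a lookup table, there is no rule that can ever raise a label, so the "no sudo to a more permissive domain" requirement is satisfied by construction. The price, also visible here, is that every program that should open private files must carry the matching bits on its own executable, which is why the post ends up granting "11111111" to the shell and desktop launchers.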


revision 2

UPDATE

I started to develop my own LSM (SELinux replacement). It seems like no one here is interested. But, just in case, you can find it here:

https://gitlab.com/mogryph/chariot

or here:

knight@mail.ua