Subject: Integrating securelevel and kauth(9)
To: None <tech-security@netbsd.org, tech-kern@netbsd.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 03/24/2006 19:56:27
Hello,
Outlined in this mail is my proposal for integrating the traditional BSD
securelevel with the kauth(9) interface.
This mail lightly uses some kauth(9) terminology; an online version of
the man-page is available from http://www.bsd.org.il/netbsd/kauth.9.html
It was discussed in the past ("The reason for securelevel") that we need
to separate the impact of securelevel to allow finer-grained control
over what can or cannot be done in our system. For example, an
administrator might like to customize the impact of the securelevel
combining several implications from securelevel 2 but otherwise all the
affects of securelevel 1.
On the other hand, some people may not want any of this. The solution
must allow people who would like to stick to the current model of
securelevel the ability to do so.
The proposal in this mail is divided in two. The first part will discuss
the proposed kernel backend to replace securelevel. The second part will
discuss possible (optional) userland enhancements that will allow the
finer-grained access mentioned above to people who need it.
The only issue with replacing the securelevel implementation is
third-party LKMs. This is because they may rely on the availability of a
"securelevel" variable. For example, a driver that according to the
securelevel allows or denies a certain request.
The magnitude of this issue needs to be realized: this affects only LKMs
that were written specifically for BSD systems, as a vanilla Linux (and
perhaps Solaris? I don't know) kernel does not provide a securelevel
mechanism.
The first part of this proposal will also describe possible solutions to
this problem.
1. Kernel backend
At the moment, the kernel implementation of securelevel is very
simple: a single (raise-only, sysctl-able) variable, "securelevel",
that is checked in various parts of the kernel whenever a
securelevel-relevant operation is requested. This means that the
interface to securelevel is also its implementation.
The suggested change is inspecting references to securelevel, creating
a list of common requests made that rely on securelevel. This list
should be able to describe the operations used in our kernel, and
offer operations that third-party LKMs may need.
Then, we could replace the securelevel variable with a bitmap. With
each bit representing a different operation, we could both support
fine-grained control over the securelevel by setting the individual
bits, or the traditional model by setting to specific pre-defined
bitmasks that will represent securelevels -1 to 2.
There is, however, a special case to this (pointed out by Thor
Lancelot Simon in a private mail) where going from multi-user to
single-user mode. At the moment, what happens is that the securelevel
is lowered to 0 when that happens, and when exiting the single-user
shell the securelevel is raised back to 1. Later, the startup scripts
may raise it further depending on /etc/sysctl.conf.
In a case of multiple knobs, a mechanism for saving state will have to
be in place so that the current bits set in the securelevel bitmap
will be restored once the single-user shell is exited.
To give an example, if some drivers guards their ioctl() in
securelevel > 1, we might introduce a "allow driver ioctl" request
that third-party driver LKMs can make.
These requests will be implemented as a new kauth(9) scope, called the
"system" scope.
Giving a code example, if we have something like:
/* Don't allow ioctl() requests if securelevel is > 1 */
if (securelevel > 1)
return (EPERM);
It might be replaced with:
/* See if we can issue ioctl() requests */
if (kauth_authorize_system(curproc->p_cred,
KAUTH_SYSTEM_DRIVER_IOCTL, NULL) != 0)
return (EPERM);
(note that this is just for illustration; we might need to pass more
arguments to kauth_authorize_system(). That is why an inspection of
securelevel references is required.. :)
For those who are not too familiar with kauth(9), this authorization
request will then be dispatched to the default listener for the system
scope. That listener will perform something like this:
[...]
error = 0;
switch (operation) {
[...]
case KAUTH_SYSTEM_DRIVER_IOCTL:
if (securelevel & KAUTH_SYSTEM_DRIVER_IOCTL)
error = EPERM;
break;
[...]
}
return (error);
(if you're asking yourself "why not just do a single if statement to
check for the requested operation in securelevel?", the answer is that
some securelevel implications also have other considerations taken
into account.)
Summarizing so far, we've managed to:
- Maintain existing traditional interface and implications for
people who want it;
- Allow finer-grained knobs to be implemented by making sure the
kernel backend does not check a single variable, but rather a
single "privilege".
- Allow future expansion of the securelevel on a per-user basis by
passing the user credentials along with the request.
...but we broke compatibility with third-party LKMs that rely on
securelevel being a simple integer.
Addressing that problem, we have several options:
- For people who are interested in keeping the traditional
securelevel, this is simple: because our securelevel bitmap will
be in a new variable, we can maintain the existing securelevel
variable to represent the system's securelevel for third-party
LKMs that need it.
That is, whenever the securelevel is changed, and the bitmasks are
set, we will also modify the securelevel variable. In the NetBSD
kernel it will not be used anywhere, but it will exist for
third-party LKMs.
- For people who are interested in the finer-grained securelevel
knobs, this is somewhat more complicated.
By changing the meaning of securelevel, a third-party LKM no longer
has anything to refer to as a "system security level". I offer two
possible solutions:
(a) The securelevel variable will be maintained as "third-party LKM
securelevel", maintained only for backwards binary
compatibility. It will have no meaning in the NetBSD kernel,
but will retain the raise-only property of the current
securelevel.
(b) Third-party LKMs will be encouraged to remove references to
securelevel and use the kauth(9) interface, possibly with the
operation they want guarded from the list of common operations
for the system scope.
We can always add more operations to the system scope if they
are needed, however authors of third-party LKMs that heavily
depend on securelevel's multiple levels will be advised to make
use of the new kauth(9) interface's ability to introduce new
scopes to the system.
An LKM relying on securelevel might consider code like:
#ifdef __HAVE_KERNELAUTH
/* Use kauth(9) */
#else
/* Check securelevel */
#endif /* __HAVE_KERNELAUTH */
To summarize, we maintained binary compatibility with existing LKMs,
offer an easy way for LKM authors to adapt to the new kauth(9)
interface, and suggest a way for supporting both earlier pre-kauth(9)
NetBSD kernels as well as newer ones that do provide the interface.
2. Userland enhancements
To properly support multiple-knobs, we'll have to provide a
user-interface for accessing them. This is not a problem with our
sysctl(9) system, but may pose a problem to third-party scripts that
may query or even modify kern.securelevel.
Just as with the third-party LKMs, we will continue to maintain
kern.securelevel as a "third-party securelevel" that can be used, with
the same semantics it has today.
Unlike LKMs, "fixing" this issue for third-party software (programs or
sciprts) isn't as easy, because the user-interface (sysctl(8) and
sysctl(3)) will show either the single knob or multiple knobs
depending on how the kernel was compiled.
I am not sure about the scale of this issue -- ie. how many references
we really have in third-party software -- but my best suggestion at
this point is to leave the existing kern.securelevel sysctl knob to
function as a "third-party reference", not just for LKMs. :)
3. Benefit
The changes outlined above are a rough proposal to, first and
foremost, integrate the securelevel mechanism with the kauth(9)
interface. Although initially the benefit will be minor to people
using the traditional securelevel interface, in the future it will
allow us to implement features like capabilities or MACs (choose your
favorite buzzword ;) -- the required changes to support such
mechanisms will be mostly internal to the kauth(9) framework, and not
system-wide changes.
Waiting for any kind of feedback,
-e.
--
Elad Efrat