
Alpha 3 FMAC Code Drop

This page includes links to the Alpha 3 sources and to the Alpha 3 release notes.

Date: October 29, 2008
Mercurial Repository: ssh://anon@hg.opensolaris.org/hg/fmac/fmac-gate
Description: FMAC Alpha 3 Source Code, onnv_97 based
HG Tag: fmac_alpha3

Commits to the repository go to the fmac-notify list (subscribe).

Release Notes

October 29, 2008

These release notes document the Alpha 3 code drop of the Flask/Type Enforcement[R] code, which is based on toolchain/policy Version 15. The ON base of the fmac-gate repository is onnv_97.

This Alpha 3 code drop introduces major new kernel functionality, including labeled file objects for the ZFS and TMPFS file systems, domain transitions on exec, and process and file mandatory access control checks.

NOTE: Any patches posted to the fmac-discuss list after October 29, 2008 are not part of this release.

Each code drop includes everything from previous code drops, except where noted.

This document covers the following topics:

  • Feature List
  • Accessing the FMAC Source Files
  • FMAC Source File Locations
  • Known Limitations
  • Reporting Bugs

Feature List

The following describes features of this Alpha 3 code drop:

  • New FMAC kernel functionality:
        • File security labeling and access controls for ZFS and TMPFS
        • Basic process context transition support on exec
        • mmap PROT_EXEC restrictions
        • Setting of the linker security flag
        • Basic proc vnode protection
        • Basic process access controls (hasprocperm)
        • Extended AVC auditing to include pid, comm, and path information
        • Improved AVC interface and locking
        • Exported AVC stats via kstat (kstat -m avc)
        • Fixed getprevcon() and setting of prev_secid
  • New FMAC system calls added to libc:

        int getfilecon(const char *path, char **secctxp);
        int setfilecon(const char *path, char *secctx);

For more information about FMAC, see the fmac(5) man page.

  • New FMAC utilities:
        • The getfilecon command lets you view the security context on a file; see the getfilecon(1M) man page
        • The setfilecon command lets you set the security context on a file; see the setfilecon(1M) man page
        • The newrole command lets you start a shell with a different context
        • The fmacsetup command labels files after a BFU
        • The setfiles command is now functional and labels file objects; see the setfiles(1M) man page
  • Enhanced FMAC policy:
        • The file_contexts file has been adapted to the Solaris[tm] Operating System
        • The FMAC user sysadm_u has been added
        • Assigning Solaris users to FMAC users:
              • A new context attribute has been added to user_attr that maps the Solaris user to a FMAC user. For example:

        jack::::context=user_u\:user_r\:user_t
        jill::::context=sysadm_u\:user_r\:user_t
        root::::context=root\:sysadm_r\:sysadm_t

              • The unix_cred PAM module has been modified to set the initial user context based on the user_attr context attribute. If a context attribute is not specified in user_attr for a user, the unix_cred module defaults to the following:

        root: root:sysadm_r:sysadm_t
        non-root: user_u:user_r:user_t
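The user_attr mapping and the unix_cred fallback described above, as an added example that is not part of the FMAC release or of the unix_cred module's own code: a small C program that parses user_attr(4) records, removes the backslash escapes from the context attribute, applies the root/non-root defaults the notes give when the attribute is absent, and refuses any result that is not in user:role:type form. It assumes the standard five-field user_attr layout (user:qualifier:res1:res2:attr) with colons escaped as shown above; the names initial_context, context_is_wellformed and the sample records are this example's own.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 128

/* Copy src into dst up to the next unescaped delim ("\:" yields a literal ':'); returns the delimiter position. */
static const char *copy_field(const char *src, char delim, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (*src != '\0' && *src != delim) {
        char c = *src;
        if (c == '\\' && src[1] != '\0')
            c = *++src;                 /* drop the backslash, keep the escaped char */
        if (n + 1 < dstlen)
            dst[n++] = c;
        src++;
    }
    dst[n] = '\0';
    return src;
}

/* Split a user_attr(4) record (user:qualifier:res1:res2:attr); -1 if not five fields. */
static int split_user_attr(const char *line, char *user, size_t userlen,
                           char *attrs, size_t attrslen)
{
    char skip[FIELD_MAX];
    const char *p = copy_field(line, ':', user, userlen);
    if (*p != ':' || user[0] == '\0')
        return -1;
    for (int i = 0; i < 3; i++) {       /* qualifier, res1, res2 are unused here */
        p = copy_field(p + 1, ':', skip, sizeof skip);
        if (*p != ':')
            return -1;
    }
    copy_field(p + 1, '\n', attrs, attrslen);
    return 0;
}

/* Find key in "key=value;key=value"; copies the value (truncated, never overflowed). */
static int attr_lookup(const char *p, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (;;) {
        const char *end = strchr(p, ';');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* Accept a context only in the user:role:type form with no empty component. */
int context_is_wellformed(const char *ctx)
{
    int colons = 0;
    if (*ctx == '\0' || *ctx == ':')
        return 0;
    for (; *ctx != '\0'; ctx++)
        if (*ctx == ':' && (++colons > 2 || ctx[1] == ':' || ctx[1] == '\0'))
            return 0;
    return colons == 2;
}

/* Initial context for one user_attr record: the context attribute if present, else
 * the root/non-root default the notes describe; -1 if malformed or not user:role:type. */
int initial_context(const char *line, char *ctx, size_t ctxlen)
{
    char user[FIELD_MAX], attrs[FIELD_MAX];
    if (split_user_attr(line, user, sizeof user, attrs, sizeof attrs) != 0)
        return -1;
    if (!attr_lookup(attrs, "context", ctx, ctxlen))
        snprintf(ctx, ctxlen, "%s", strcmp(user, "root") == 0 ?
                 "root:sysadm_r:sysadm_t" : "user_u:user_r:user_t");
    return context_is_wellformed(ctx) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample records in the form shown in the release notes. */
    const char *lines[] = {
        "jack::::context=user_u\\:user_r\\:user_t",
        "bob::::",                          /* no context: non-root default */
        "root::::profiles=All",             /* no context: root default */
        "eve::::context=user_u\\:user_r",   /* malformed context: rejected */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char ctx[FIELD_MAX];
        int rc = initial_context(lines[i], ctx, sizeof ctx);
        printf("%-42s -> %s\n", lines[i], rc == 0 ? ctx : "rejected");
    }
    return 0;
}
```

The well-formedness check is the part worth keeping in mind: a login module that silently accepts a truncated or garbled context (for example one missing its type field) hands the policy something it cannot mediate, so rejecting the record and falling back to a failure is safer than passing it through.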

See Known Limitations for information about building on the SPARC[R] platform and about an x86 build problem.

Accessing the FMAC Source Files

You can download snapshots of the FMAC source code repository or the latest sources by using the hg command.

  • To pull the Alpha 3 FMAC source code from the fmac-gate repository, type:

        # hg clone -r fmac_alpha3 ssh://anon@hg.opensolaris.org/hg/fmac/fmac-gate

  • To pull the latest FMAC source code from the fmac-gate repository, type:

        # hg clone ssh://anon@hg.opensolaris.org/hg/fmac/fmac-gate

FMAC Source File Locations

The following list describes the FMAC source locations:

usr/src/common/fmac
Policy Flask definitions and security server code shared by user space and the kernel
usr/src/cmd/fmac
Policy configuration and user space tools
usr/src/uts/common/sys/fmac
Flask headers and generated definitions
usr/src/uts/common/fmac
Flask kernel-only code

Known Limitations

  • Security labeling and MAC checks are not yet supported for special files or symbolic links on ZFS or TMPFS file systems, or for files in other filesystem types.
  • The process controls are incomplete: FMAC currently mediates only those process operations that already invoke *hasprocperm() for permission checking, and only those proc vnode accesses that invoke priv_proc_cred_perm().
  • The basic process context transition support on exec does not yet include controls on the inheritance of open file descriptors or other inherited state.
  • The source for the policy is in usr/src/cmd/fmac/policy. It is not yet fully converted for use with the OpenSolaris[tm] release.

If you run into problems running the Sun Studio 11 SPARC installer with the default Java[tm] 1.6 version, try the following workaround:

        # PATH=/usr/jdk/jdk1.5.0_15/bin:${PATH}
        # export PATH
        # ./installer

Then, use patchadd to install the following Sun Studio 11 SPARC patches:

  • 121015-04
  • 120760-11
  • 121017-07
  • 122135-02

  • The following build error on x86 seems to be due to a reference to htonll and ntohll in pkcs11_softtoken.so.1 that is not resolved by the Build 97 libc:

        Check ELF runtime attributes

        ./usr/lib/security/amd64/pkcs11_softtoken.so.1: symbol not found: htonll (/builds/jweeks/onnv_97/proto/root_i386/usr/lib/security/amd64/pkcs11_softtoken.so.1) <no -zdefs?>
        ./usr/lib/security/amd64/pkcs11_softtoken.so.1: symbol not found: ntohll (/builds/jweeks/onnv_97/proto/root_i386/usr/lib/security/amd64/pkcs11_softtoken.so.1) <no -zdefs?>
        ./usr/lib/security/pkcs11_softtoken.so.1: symbol not found: htonll (/builds/jweeks/onnv_97/proto/root_i386/usr/lib/security/pkcs11_softtoken.so.1) <no -zdefs?>
        ./usr/lib/security/pkcs11_softtoken.so.1: symbol not found: ntohll (/builds/jweeks/onnv_97/proto/root_i386/usr/lib/security/pkcs11_softtoken.so.1) <no -zdefs?>

        Diff ELF runtime attributes (since last build)

This issue has been posted to opensolaris-help. While this problem generates an error during boot, the system still functions.

As a workaround, you can use the 20080825 version of onbld for x86.

Reporting Bugs

For each problem you encounter, send the following information to help the team determine the root cause of the problem:

  1. Describe the problem and what you were doing when you encountered it.

NOTE: Give as much information as you can to enable the team to reproduce the problem.

  2. Describe your configuration.

For example, x data servers running on x machines.

  3. Describe the bits you have installed.

For example, run the following commands on all machines:

        % cat /etc/motd
        % cat /etc/release

  4. If the problem is a panic, include the stack trace and access to the core file.
  5. Send the information in an email message to the fmac-discuss list (fmac dash discuss at opensolaris dot org).

NOTE: You must be a member of the list before you can post messages to it.

Created by admin on 2009/10/26 12:13
Last modified by admin on 2009/10/26 12:13