Policy Enforcement

In UNIX all input and output is performed through a file interface, which means that file system security policy applies throughout the Trusted Solaris environment. For this reason, file system security policy is described in detail here.

File system security policy is stated in terms of the following:

• Mandatory and discretionary access checks between the process and the path name preceding the final object.

• Mandatory and discretionary access checks between the process and the final object.

Security policy for interprocess communications (IPC) is stated in terms of mandatory read and write access checks between the accessing process and the process being accessed. Some IPC mechanisms and X Window System objects use files, and file system security policy as described in this section applies to those operations. Some IPC mechanisms have the read-down and write-up security policy, while other IPC mechanisms have the more restrictive read-equal and write-equal policy. The X Window system has the write-equal and read-down policy. See the following chapters for specific security policy information on these topics:

• Chapter 10, Interprocess Communications covers security policy for process-to-process communications on the same host and over the network.

• Chapter 14, Trusted X Window System covers security policy for accessing X11 windows property and resource data.

File System Security Policy

This section describes mandatory and discretionary access checks for the following file system objects:

• Directories - Regular directories and multilevel directories.

• Files - Regular files, executable files, device special files, and symbolic links.

Discretionary Access

The owner of the process must have discretionary search (execute) access to all directories in the path preceding the final object. Once the final object is reached, access operations can be performed as follows.

• Read from a file or list the contents of a directory - Discretionary read access is allowed when a process has discretionary search (execute) access to all directories in the object's path and discretionary read access to the object.

• Write to a file, create a file or directory, or delete a file or directory - Discretionary write access is allowed when the process has discretionary search (execute) access to all directories in the object's path and discretionary write access to the object.

• Execute a file - Discretionary execute access is allowed when the process has discretionary search (execute) access to all directories in the file's path and discretionary execute access to the file.

Mandatory Access

In addition to passing the DAC checks, mandatory search access is required to all directories in the path preceding the final file. Mandatory search access to a directory is allowed when the process sensitivity label dominates the sensitivity label of all directories in the path. Once the final file is reached, access operations can be performed as follows.

• Read from a file, execute a file, list the contents of a directory, view file security attributes, or view file security attribute flags - Mandatory read access is allowed when the process has mandatory search access to all directories in the path and the process sensitivity label dominates the sensitivity label of the final object. If the final object is a device special file, the process sensitivity label must equal the device sensitivity label.

• Write to a file, modify file security attributes, modify file security attribute flags, or delete a file - Mandatory write access is allowed when the process has discretionary and mandatory search access to all directories in the path and the file's sensitivity label dominates the process sensitivity label. If the final object is a device special file, the process sensitivity label must equal the device sensitivity label.

• Create a file or directory - Create access is write-equal. When a process creates a file, directory, or symbolic link the process sensitivity label must equal the sensitivity label of the file or directory.

File System Access Privileges

When a discretionary or mandatory access check fails on a file system object, the process can assert privilege to bypass security policy, or raise an error if the task should not be allowed at the current label or for that user.

Discretionary access is enabled as follows:

• Search access to all directories in the path preceding the final file system object is enabled when the process asserts the file_dac_search privilege.

• Read access to the final object is enabled when the process asserts the file_dac_read privilege.

• Write access to the final object is enabled when the process asserts the file_dac_write privilege.

• Execute access to the final object is enabled when the process asserts the file_dac_execute privilege.

Mandatory access is enabled as follows:

• Search access to all directories in the path preceding the final file system object is enabled when the process asserts the file_mac_search privilege.

• Read access (including execute access) to the final object is enabled when the process asserts the file_mac_read privilege.

• Write access to the final object is enabled when the process asserts the file_mac_write privilege.

• Create access to the final object is enabled when the process asserts the file_mac_write privilege.

When Access Checks are Performed

Mandatory and discretionary access checks are performed on the path name at the time a file system object is opened. No further access checks are performed when the file descriptor is used in other system calls, except as follows:

• A file is opened for writing and the descriptor is later used with the fstat(2) system call for a read. In this case, there are access checks for the read and privilege may be required if the access is denied.

• A file is opened for reading and the descriptor is later used with the fchmod(2) system call for a write. In this case, there are access checks for the write access and privilege may be required if the access is denied.

File System Policy Examples

The examples in this section illustrate the kinds of things you need to think about when a process accesses a file system object for read, write, search, and execute operations.

The process accesses /export/home/heartyann/somefile for reading and writing, and /export/home/heartyann/filetoexec for execution. These files are both protected at Confidential. The process sensitivity label is Secret and the process clearance is Top Secret. Confidential is lower than Secret and Secret is lower than Top Secret.

Sensitivity Labels

As shown in the following figure, the path /export/home has a sensitivity label of ADMIN_LOW and the heartyann directory and somefile have a sensitivity label of Confidential.

Figure 1-1 Accessing a File System Object

• The process does not own somefile or the directories in somefile's path.

• Discretionary access permissions on /export allow the owner and group read, write, and search access; and allow others read and search access.

• Discretionary access permission on /export/home allow the owner read, write, and search access; and allow the group and others read and search access.

• Discretionary access permissions on /export/home/heartyann allow the owner and group read, write, and search access; and allow others read and search access.

• Discretionary access permissions on somefile allow the owner read and write access; and the group and others read access only.

• Discretionary access permissions on filetoexec allow the owner read, write, and execute access; and allow the group and others read and execute access.

If the process fails a mandatory or discretionary access check, the program needs to assert an error or the proper privilege if the program is intended to run with privilege.

See Chapter 4, Labels in "Label Guidelines" for information on handling sensitivity labels when privileges are used to bypass access controls.

Open the File

The Secret process opens somefile for reading, performs a read operation, and closes the file. The fully adorned pathname is used so somefile in the Confidential /export/home/heartyann single-level directory is accessed.

A fully adorned pathname uses the multilevel directory adornment and specifies precisely which single-level directory is wanted. If a regular pathname was used instead, the Secret single-level directory would be accessed because the process is running at Secret.

See "Adorned Names" for a discussion on fully adorned pathnames. Chapter 7, Multilevel Directories presents interfaces for handling multilevel and single-level directories so fully adorned pathnames are not hardcoded the way they have been for clarity in these examples.

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

main()
{
	int filedes, retval;
	ssize_t size;
	char readbuf[1024];
	char *buffer = "Write to File.";
	char *file = "/export/home/.MLD.heartyann/.SLD.1/filetoexec";
	char *argv[10] = {"filetoexec"};

	filedes = open("/export/home/.MLD.heartyann/.SLD.1/somefile", O_RDONLY);
	size = read(filedes, readbuf, 29);
	retval = close(filedes);

• Mandatory access checks on the open(2) system call - The process needs mandatory search access to /export/home/heartyann, and mandatory read access to somefile. The process running at Secret passes both mandatory access checks.

• Discretionary access checks on the open(2) system call - The process needs discretionary search access to /export/home/heartyann, and discretionary read access to somefile. The permission bits for other on the directory path and somefile allow the required discretionary search and read access.

• Mandatory access checks on the read(2) system call - The mandatory access checks were performed when somefile opened. No other access checks are performed.

• Discretionary access checks on the read(2) system call - The discretionary access checks were performed when somefile was opened. No other access checks are performed.

Write to the File

The Secret process opens somefile for writing in the Confidential /export/home/heartyann single-level directory, performs a write operation, and closes the file.

filedes = open("/export/home/.MLD.heartyann/.SLD.1/somefile", O_WRONLY);
size = write(filedes, buffer, 14);
retval = close(filedes);

• Mandatory access checks on the open(2) system call - The process needs mandatory search access to /export/home/heartyann, and mandatory write access to somefile. The process running at Secret passes the mandatory search access check, but does not pass the mandatory write access check. For mandatory write access, somefile's sensitivity label must dominate the process sensitivity label and it does not (Confidential does not dominate Secret). The process can assert the file_mac_write privilege to override this restriction or assert an error.

• Discretionary access checks on the open(2) system call - The process needs discretionary search access to /export/home/heartyann, and discretionary write access to somefile. The permission bits for other on the directory path and somefile allow the discretionary search access, but do not pass the discretionary write access check. The process can assert the file_dac_write privilege to override this restriction or assert an error.

• Mandatory access checks on the write(2) system call - The mandatory access checks were performed when somefile opened. No other access checks are performed.

• Discretionary access checks on the write(2) system call - The discretionary access checks were performed when somefile was opened. No other access checks are performed.

Execute a File

The Secret process executes an executable file in the Confidential /export/home/heartyann single-level directory.

retval = execv(file, argv);

• Mandatory access checks on the execv(2) system call - The process needs mandatory search access to /export/home/heartyann, and mandatory read access to file. Mandatory read access to a file is needed to execute the file. The process running at Secret passes both of these mandatory access checks.

• Discretionary access checks on the execv(2) system call - The process needs discretionary search access to /export/home/heartyann, and discretionary execute access to file. The permission bits on the directory path and on file allow discretionary search and execute access to file.