LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

FBAC-LSM

By Jake Edge
January 13, 2010

Process sandboxes for security are getting lots of attention these days. There are standalone utilities like isolate and Rainbow, sandboxes integrated into applications like the Chromium sandbox, as well as tools that use existing LSMs such as the SELinux sandbox. Furthermore, there are various proposals floating around to add Linux kernel features in support of application sandboxes, such as the seccomp additions and network restrictions. An LSM specifically designed for application sandboxing, which uses a new model called Functionality-Based Application Confinement (FBAC), was introduced on linux-kernel back in December.

FBAC-LSM came out of Z. Cliffe Schreuders's PhD research, and is a prototype implementation of the FBAC model. It uses an earlier version of the LSM interface, with the AppArmor pathname-based hooks and still needs "quite a bit of work to be done before it is ready for production systems or formal code review." Schreuders is looking for collaborators to work on completing the project, presumably with an eye towards getting it into the mainline.

The basic idea behind FBAC is to make security policy more accessible and understandable to users, so that application restrictions are more widely adopted. A major component of the FBAC system is a GUI-based policy manager that can guide users through setting policies for particular applications. Users specify the high-level needs of an application based on its type (such as web browser or file editor) and the policy manager will help create the policies that will govern its behavior.

In developing the policy manager, Schreuders analyzed over a hundred different applications to extract common behaviors that could be encapsulated in the FBAC policies. This allows the policy manager to automate certain aspects of developing policies for new applications, including things like configuration files, network ports, and other resources that the application requires. The policy manager also has a "learning mode" where it can observe the application and suggest additional privileges that might be granted.

FBAC has the underlying concept of "functionalities", which are essentially a set of permissions for file and network operations that are allowed. These are fine-grained permissions for things like "file_read", "file_getattr", "file_execute", "dir_mkdir", "network_incoming", etc. The permissions which are granted to a particular functionality are listed in its definition.

Functionalities are hierarchical, so that they can incorporate other, lower-level permissions into one that governs an entire application or class of applications. In addition, they are parameterized so that a functionality can be applied to multiple different applications, with the parameters specifying the particular files, directories, and network destinations that the permissions are granted for.

Both mandatory access control (MAC) and discretionary access control (DAC) are supported by FBAC. Application policy can be permanently set by an administrator, so that an ordinary user cannot make changes, or FBAC can be configured to allow users to further restrict applications beyond the policies set by the administrator. The confinement of an application then depends on the intersection of these mandatory and discretionary policies.

Allowing users to specify reduced privileges for arbitrary applications risks running afoul of the problems with setuid() programs that other sandboxing mechanisms (the network restrictions feature mentioned above for example) have encountered. Some means of stopping unprivileged users from changing the environment expected by setuid() programs will need to be provided.

The interface to FBAC-LSM is via a filesystem which is mounted at /sys/kernel/security/fbac-lsm. Various files in the directory allow querying the existing installed policies as well as adding new ones. There are several steps to sending the policy information, with each piece being written to a separate file in the directory. That is followed by "commit" being written to /sys/kernel/security/fbac-lsm/commit, which actually causes the policy to be processed. That is rather race-prone, but is required by the sysfs "one value per file" rule. It seems likely that FBAC-LSM will eventually change its interface to a private filesystem like those used by Smack and SELinux.

FBAC is a different approach from that taken by other security solutions, but it has enough similarities that Schreuders has plans to make the policy manager read and write AppArmor and SEEdit policies. But FBAC definitely lives up to its prototype billing. The code is rather disorganized and littered with commented-out sections that make it somewhat hard to follow.

The current incarnation of FBAC-LSM certainly has the feel of code that was put together somewhat hurriedly for a PhD dissertation, rather than as a "real" LSM. But it does embody some interesting ideas that merit further attention. One of the biggest hurdles faced by various security solutions (for which SELinux is the poster child) is the complexity of developing and—more importantly—understanding the policies that are being used. That complexity is something that Schreuders set out to reduce with FBAC. It remains to be seen if he has succeeded with that, but any such attempt is worthy of a look.

(Log in to post comments)

FBAC-LSM

Posted Jan 14, 2010 10:44 UTC (Thu) by cliffe (guest, #62958) [Link]

Thanks for the well educated write-up.

I agree, the code is a bit of a mess in places, particularly the vfs interface you accurately described. Thanks for persevering! I am in the process of cleaning up code, and yes there is lots of work to be done. As you mentioned, I am looking for contributors to help make FBAC-LSM a production ready system. So if anyone is interested please let me know.

As part of my research I conducted a usability study which compared FBAC-LSM with AppArmor and SELinux. The results were encouraging! Adding (reduced feature) export to FBAC-LSM should provide some of the usability benefits of FBAC-LSM to these systems. Users can then benefit from the stability of the other systems while FBAC-LSM continues to be improved. FBAC-LSM policy manager may even be extended to completely manage other LSMs such as AppArmor.

Allowing users to restrict the applications they run lets them protect their own security interests: such as controlling which applications have access to particular files they own. It can cause problems if programs assume they have more privileges than they have. In most cases it is the responsibility of the software developers to check that their assumptions are valid and that the program has access to the resources they expect access to. Most of the applications I have studied so far have fairly predictable needs, and are well modelled by FBAC functionalities. You bring up an interesting point, that the security goals of an administrator might actually require the granting of privileges to a program that a normal user runs, and that allowing a normal user to take these privileges away could present problems. I think that in most cases it is in the best interests of users to grant setuid programs the resources they require. If preventing access to resources causes the programs to misbehave in an insecure fashion, then perhaps the programs need to be updated. Having said that, it would not be hard to extend FBAC to allow administrators to specify which applications users are allowed to create policies for. I would be interested in further justifications for this.

Z. Cliffe Schreuders

FBAC-LSM

Posted Feb 5, 2010 20:09 UTC (Fri) by oak (guest, #2786) [Link]

Couldn't running of setuid programs be just disabled when security
policies are in effect?

FBAC-LSM

Posted Jan 14, 2010 12:40 UTC (Thu) by Trou.fr (subscriber, #26289) [Link]

I really think Linux should have a mainline sandbox that can be used easily by non-root users to confine untrusted or exposed applications easily.

Since now the main threat for a desktop system is the browser/mail client, it makes no sense to run it with the same priviledges as the logged in user, where it can effectively access all the critical data.

Windows malwares have been doing ransom blackmail : pay me to decrypt your important files I have found on your hard drive. Microsoft did make the good choice with the lower privilege mode introducted with IE7 in Vista.

Actually the chromium sandbox seems great, i would need a standalone version, maybe Google could release it separately.

Links

Posted Jan 14, 2010 17:01 UTC (Thu) by mstone (subscriber, #58824) [Link]

Trou.fr wrote:
I really think Linux should have a mainline sandbox that can be used easily by non-root users to confine untrusted or exposed applications easily.
You don't seem to be alone in this opinion: sandboxing.org catalogues the work of several tens of people who feel the same way and who are looking for ideas and help on making their work more accessible. Start some conversations with them!

FBAC-LSM

Posted Jan 15, 2010 16:00 UTC (Fri) by SEJeff (subscriber, #51588) [Link]

You need to look into lxc, it isn't technically a sandbox, but not far from
it. It is closer to a solaris zone than anything else.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds