Mac lomac/high(low-high) can't see lomac/low(low-low) in FreeBSD 7.0-Current

From: Ricardo A. Reis <ricardo.areis_at_gmail.com>
Date: Thu, 13 Sep 2007 15:10:33 -0300
Hi,

I am trying to create a web environment with mac_lomac and mac_partition,
but the root user can't see the insecure user.

My configurations,

teste# kldstat
Id Refs Address Size Name
1 10 0xc0400000 903430 kernel
2 1 0xc0d04000 2464 accf_http.ko
3 1 0xc0d07000 1fb4 mac_partition.ko
4 1 0xc0d09000 21b8 mac_seeotheruids.ko
5 1 0xc0d0c000 a5bc mac_lomac.ko
6 1 0xc0d17000 6a2c4 acpi.ko

teste# cat /boot/loader.conf|grep -v #
accf_http_load="YES"
mac_lomac_load="YES"
mac_partition_load="YES"
security.mac.lomac.trust_all_interfaces=1
mac_seeotheruids_load="YES"

teste# cat /etc/mac.conf |grep -v #
default_labels file ?biba,?lomac
default_labels ifnet ?biba,?lomac
default_labels process ?biba,?lomac,?partition
default_labels socket ?biba,?lomac

login.conf
....................
insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=lomac/low(low-low),partition/1:
----------------
default
....
....
:label=lomac/high(low-high):
-----------------

root user = default class
www user = insecure class

teste# getpmac
lomac/high(low-high),partition/0

ps -Zaxu
-----------------------------------------------------------------------------------
LABEL USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
lomac/equal(low-high),partition/0 root 11 100.0 0.0 0 8 ?? RL Wed11AM 1644:
53.86 [idle: cpu3]
lomac/equal(low-high),partition/0 root 12 100.0 0.0 0 8 ?? RL Wed11AM 1645:
05.20 [idle: cpu2]
lomac/equal(low-high),partition/0 root 13 100.0 0.0 0 8 ?? RL Wed11AM 1645:
03.54 [idle: cpu1]
lomac/equal(low-high),partition/0 root 14 100.0 0.0 0 8 ?? RL Wed11AM 1643:
32.38 [idle: cpu0]
lomac/equal(low-high),partition/0 root 0 0.0 0.0 0 0 ?? WLs Wed11AM
0:00.01[swapper]
lomac/high(low-high),partition/0 root 1 0.0 0.0 1888 464 ?? SLs Wed11AM 0:
00.01 /sbin/init --
lomac/equal(low-high),partition/0 root 2 0.0 0.0 0 8 ?? DL Wed11AM
0:01.90[g_event]
lomac/equal(low-high),partition/0 root 3 0.0 0.0 0 8 ?? DL Wed11AM 0:04.99[g_up]
lomac/equal(low-high),partition/0 root 4 0.0 0.0 0 8 ?? DL Wed11AM
0:04.25[g_down]
lomac/equal(low-high),partition/0 root 5 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[kqueue taskq]
lomac/equal(low-high),partition/0 root 6 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[acpi_task_0]
lomac/equal(low-high),partition/0 root 7 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[acpi_task_1]
lomac/equal(low-high),partition/0 root 8 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[acpi_task_2]
lomac/equal(low-high),partition/0 root 9 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[xpt_thrd]
lomac/equal(low-high),partition/0 root 10 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[audit]
lomac/equal(low-high),partition/0 root 15 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[swi1: net]
lomac/equal(low-high),partition/0 root 16 0.0 0.0 0 8 ?? WL Wed11AM
1:46.42[swi4: clock sio]
lomac/equal(low-high),partition/0 root 17 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[swi3: vm]
lomac/equal(low-high),partition/0 root 18 0.0 0.0 0 8 ?? DL Wed11AM
0:10.05[yarrow]
lomac/equal(low-high),partition/0 root 19 0.0 0.0 0 8 ?? WL Wed11AM
0:01.40[swi6: Giant taskq]
lomac/equal(low-high),partition/0 root 20 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[swi6: task queue]
lomac/equal(low-high),partition/0 root 21 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[swi2: cambio]
lomac/equal(low-high),partition/0 root 22 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[swi5: +]
lomac/equal(low-high),partition/0 root 23 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[thread taskq]
lomac/equal(low-high),partition/0 root 24 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq9: acpi0]
lomac/equal(low-high),partition/0 root 25 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[em0 taskq]
lomac/equal(low-high),partition/0 root 26 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[em1 taskq]
lomac/equal(low-high),partition/0 root 27 0.0 0.0 0 8 ?? WL Wed11AM
0:01.70[irq17: aac0]
lomac/equal(low-high),partition/0 root 28 0.0 0.0 0 8 ?? DL Wed11AM
0:00.02[aac0aif]
lomac/equal(low-high),partition/0 root 29 0.0 0.0 0 8 ?? WL Wed11AM
0:28.00[irq258: bce0]
lomac/equal(low-high),partition/0 root 30 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq259: bce1]
lomac/equal(low-high),partition/0 root 31 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq23: uhci0 uhci+]
lomac/equal(low-high),partition/0 root 32 0.0 0.0 0 8 ?? DL Wed11AM
0:00.04[usb0]
lomac/equal(low-high),partition/0 root 33 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[usbtask-hc]
lomac/equal(low-high),partition/0 root 34 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[usbtask-dr]
lomac/equal(low-high),partition/0 root 35 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq22: uhci1 uhci3]
lomac/equal(low-high),partition/0 root 36 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[usb1]
lomac/equal(low-high),partition/0 root 37 0.0 0.0 0 8 ?? DL Wed11AM
0:00.01[usb2]
lomac/equal(low-high),partition/0 root 38 0.0 0.0 0 8 ?? DL Wed11AM
0:00.01[usb3]
lomac/equal(low-high),partition/0 root 39 0.0 0.0 0 8 ?? DL Wed11AM
0:00.01[usb4]
lomac/equal(low-high),partition/0 root 40 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq14: ata0]
lomac/equal(low-high),partition/0 root 41 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq15: ata1]
lomac/equal(low-high),partition/0 root 42 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[irq1: atkbd0]
lomac/equal(low-high),partition/0 root 43 0.0 0.0 0 8 ?? WL Wed11AM
0:00.00[swi0: sio]
lomac/equal(low-high),partition/0 root 44 0.0 0.0 0 16 ?? DL Wed11AM
0:00.00[sctp_iterator]
lomac/equal(low-high),partition/0 root 45 0.0 0.0 0 8 ?? DL Wed11AM
0:00.05[pagedaemon]
lomac/equal(low-high),partition/0 root 46 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[vmdaemon]
lomac/equal(low-high),partition/0 root 47 0.0 0.0 0 8 ?? DL Wed11AM
0:00.00[pagezero]
lomac/equal(low-high),partition/0 root 48 0.0 0.0 0 8 ?? DL Wed11AM
0:00.27[bufdaemon]
lomac/equal(low-high),partition/0 root 49 0.0 0.0 0 8 ?? DL Wed11AM
0:00.39[vnlru]
lomac/equal(low-high),partition/0 root 50 0.0 0.0 0 8 ?? DL Wed11AM
1:09.13[syncer]
lomac/equal(low-high),partition/0 root 51 0.0 0.0 0 8 ?? DL Wed11AM
0:00.48[softdepflush]
lomac/high(low-high),partition/0 root 648 0.0 0.0 3240 1008 ?? Ss Wed11AM 0:
00.00 /usr/sbin/moused -p /dev/ums0 -t auto -I /va
lomac/high(low-high),partition/0 root 700 0.0 0.0 1888 524 ?? Ss Wed11AM 0:
00.00 /sbin/devd
lomac/high(low-high),partition/0 root 769 0.0 0.0 3156 1192 ?? Ss Wed11AM 0:
00.13 /usr/sbin/syslogd -s
lomac/high(low-high),partition/0 root 883 0.0 0.1 5592 3056 ?? Ss Wed11AM 0:
00.00 /usr/sbin/sshd
lomac/high(low-high),partition/0 root 890 0.0 0.0 3184 1260 ?? Ss Wed11AM 0:
00.17 /usr/sbin/cron -s
lomac/high(low-high),partition/0 root 946 0.0 0.1 8360 3916 ?? Ss Wed11AM 0:
00.03 sshd: grede [priv] (sshd)
lomac/high(low-high),partition/0 grede 949 0.0 0.1 8360 3932 ?? S Wed11AM 0:
00.07 sshd: grede@ttyp0 (sshd)
lomac/high(low-high),partition/0 root 938 0.0 0.0 3156 1076 v0 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv0
lomac/high(low-high),partition/0 root 939 0.0 0.0 3156 1076 v1 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv1
lomac/high(low-high),partition/0 root 940 0.0 0.0 3156 1076 v2 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv2
lomac/high(low-high),partition/0 root 941 0.0 0.0 3156 1076 v3 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv3
lomac/high(low-high),partition/0 root 942 0.0 0.0 3156 1076 v4 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv4
lomac/high(low-high),partition/0 root 943 0.0 0.0 3156 1076 v5 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv5
lomac/high(low-high),partition/0 root 944 0.0 0.0 3156 1076 v6 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv6
lomac/high(low-high),partition/0 root 945 0.0 0.0 3156 1076 v7 Ss+ Wed11AM
0:00.00 /usr/libexec/getty Pc ttyv7
lomac/high(low-high),partition/0 grede 950 0.0 0.1 5444 2920 p0 Ss Wed11AM
0:00.01 -tcsh (tcsh)
lomac/high(low-high),partition/0 root 952 0.0 0.1 3592 1572 p0 S Wed11AM 0:
00.01 su -
lomac/high(low-high),partition/0 root 953 0.0 0.1 5444 3212 p0 S Wed11AM 0:
00.05 -su (csh)
lomac/high(low-high),partition/0 root 4522 0.0 0.0 3220 1052 p0 R+ 2:57PM 0:
00.00 ps -Zaxu
----------------------------
Apache
teste# /usr/sbin/setpmac lomac/low\(low-low\),partition/1 apachectl start
teste# /usr/sbin/setpmac lomac/low\(low-low\),partition/1 csh
teste# ps -Zaxu
teste# getpmac
lomac/low(low-low),partition/1
LABEL USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
lomac/low(low-low),partition/1 www 4529 5.7 0.5 28092 17196 ?? S 2:58PM 0:
00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1 www 4530 5.7 0.5 28092 17196 ?? S 2:58PM 0:
00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1 www 4531 5.7 0.5 28092 17196 ?? S 2:58PM 0:
00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1 www 4532 5.7 0.5 28092 17196 ?? S 2:58PM 0:
00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1 www 4533 5.7 0.5 28092 17196 ?? S 2:58PM 0:
00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1 root 4528 5.0 0.5 28052 17152 ?? Ss 2:58PM 0:
00.52 /usr/local/sbin/httpd
lomac/low(low-low),partition/1 root 4534 0.0 0.1 5444 3000 p0 S 2:58PM 0:
00.01 csh
lomac/low(low-low),partition/1 root 4538 0.0 0.0 3220 1000 p0 R+ 2:59PM 0:
00.00 ps -Zaxu


Thanks for any help...

Ricardo A. Reis
Received on Thu Sep 13 2007 - 16:35:03 UTC
