Structure of sysmask, and how it works
-----------------------------------

The sysmask package contains 4 components.

1. A kernel patch with its header file to go to /usr/include/linux.
2. A utility program, /bin/sysmask.
3. A daemon program to be launched at system boot, /sbin/smkd.
4. A template configuration package, composed of a directory structure /etc/sysmask, as well as a sample modification to /etc/inittab that initiates sysmask at system boot.
5. Some miscellaneous utilities:
   /usr/sbin/sysmaskadm, a menu based administration tool.
   /usr/bin/smlog, which allows an ordinary user to read the part of the log file that belongs to him.
   /usr/sbin/hl2copy, which replaces hard links among system files by ordinary file copies.

------------------------------------

The kernel patch attaches a sysmask structure to each process. This structure contains two mask sets (an active one and a latent one), a trigger value with a counter, two token values, and 4 values of syscall exceptions. Each mask set contains three subsets: m1, m2, cap. Each subset is a long integer composed of 32 mask bits. In the meantime, a mask table is established for system calls, each system call being assigned a mask value which is also a long integer.

The m1 subset is the main mask subset of the system, and is used to directly mask system calls. Upon each system call, the mask value of the system call is checked against the m1 subset of the active mask of the process. If the same bit is set in both, the system call is masked by the sysmask of the process. In this case, the call returns an error (operation not permitted), unless the call number is among the 4 syscall exceptions.

The m2 subset contains bits telling the kernel to do other types of control for the process, in particular selective access control to files and sockets.
The cap subset is simply a covering mask for Linux capabilities: a capability is refused for the process if the corresponding bit in the cap subset is set, regardless of the status of the normal capability setting. It is needed because Linux capabilities cannot be centrally controlled in the system, leading to potential loopholes.

Also upon each system call, the call number is compared with the trigger. If they are the same, the trigger counter is decreased. When the latter reaches zero, the action of the trigger takes place, with the latent mask set ORed into the active one. The primary use of the trigger is to mask system calls that are only needed by the process at its startup, once the process enters its normal operation.

The syscall exceptions are used in cases where a single m1 mask bit masks a large number of system calls, among them one or two that are needed by the process.

The tokens are the sysmask identity of the process, and are used by the daemon smkd to recognize it.

-----------------------------------------------------

A system call is added for processes to communicate with sysmask. The communication includes getting and setting masks, as well as some requests reserved for smkd. For the time being, an unused system call number (56, corresponding to the old mpx) is hijacked by sysmask. This is obviously incorrect, but being a person with no influence on the kernel, this is all that I can do for the time being. This number is subject to change later. Programs that want to use this system call should be compiled with the sysmask header file /usr/include/linux/sysmask.h.

-------------------------------------------------------

The utility /bin/sysmask is used to launch programs after setting masks for them. To do so, each mask and each token has a text name that can be entered as a command line parameter of /bin/sysmask, together with the name of the program to start and its parameters.
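The per-process rules described above (m1 check against the mask table, the 4 syscall exceptions, the trigger that ORs the latent set into the active one, and the cap covering mask) are compact enough to model in userspace. The following is an added illustration written for this page, not code from the sysmask kernel patch: the struct layout, field names, the syscall numbers, the bit assignment of the mask table and the daemon profile are all constructed for the example, and the choice to apply the trigger after the decision on the current call is an assumption the text does not settle.

```c
/* Added userspace model of the sysmask per-process check described in the
 * text.  NOT the kernel patch's code: struct layout, field names, syscall
 * numbers and mask-table bits are constructed for this illustration. */
#include <errno.h>
#include <stdio.h>

#define NR_EXCEPTIONS 4
#define NR_SYSCALLS   128

/* One mask set: three subsets of 32 bits, as the text describes. */
struct mask_set {
    unsigned long m1;   /* bits that directly mask system calls */
    unsigned long m2;   /* bits selecting other controls (file/socket access) */
    unsigned long cap;  /* covering mask over Linux capabilities */
};

/* Per-process sysmask structure (modelled; field names are assumptions). */
struct sysmask {
    struct mask_set active;
    struct mask_set latent;
    int trigger;                  /* syscall number watched by the trigger */
    int trigger_count;            /* hits remaining before the trigger fires */
    unsigned long token[2];       /* sysmask identity, used by smkd */
    int exception[NR_EXCEPTIONS]; /* syscalls exempt from m1; -1 = unused */
};

/* Constructed syscall numbers and mask bits for the example. */
enum { SYS_OPEN = 5, SYS_EXECVE = 11, SYS_SOCKET = 102 };
#define MASK_FILEOPS (1UL << 0)
#define MASK_EXEC    (1UL << 1)
#define MASK_NET     (1UL << 2)

/* Mask table: each syscall number is assigned a mask value. */
static const unsigned long syscall_mask_table[NR_SYSCALLS] = {
    [SYS_OPEN] = MASK_FILEOPS, [SYS_EXECVE] = MASK_EXEC, [SYS_SOCKET] = MASK_NET,
};

static int is_exception(const struct sysmask *sm, int nr)
{
    for (int i = 0; i < NR_EXCEPTIONS; i++)
        if (sm->exception[i] == nr)
            return 1;
    return 0;
}

/* Trigger rule: a hit on the trigger syscall decrements the counter; when it
 * reaches zero the latent set is ORed into the active set. */
static void run_trigger(struct sysmask *sm, int nr)
{
    if (sm->trigger_count <= 0 || nr != sm->trigger)
        return;
    if (--sm->trigger_count == 0) {
        sm->active.m1  |= sm->latent.m1;
        sm->active.m2  |= sm->latent.m2;
        sm->active.cap |= sm->latent.cap;
    }
}

/* Decide one system call: 0 = allowed, -EPERM = masked.  The decision uses the
 * active set as it was on entry; the trigger is applied afterwards (assumed
 * order, so a call can be the last of its kind before being masked). */
int sysmask_check_syscall(struct sysmask *sm, int nr)
{
    int ret = 0;
    if (nr < 0 || nr >= NR_SYSCALLS)
        return -EINVAL;
    if ((syscall_mask_table[nr] & sm->active.m1) && !is_exception(sm, nr))
        ret = -EPERM;
    run_trigger(sm, nr);
    return ret;
}

/* Capability covering: refused whenever the cap bit is set, regardless of what
 * the normal capability check (granted_normally) would have decided. */
int sysmask_cap_allowed(const struct sysmask *sm, int cap_bit, int granted_normally)
{
    return (sm->active.cap & (1UL << cap_bit)) ? 0 : granted_normally;
}

/* Constructed profile for a daemon: networking masked from the start, execve
 * allowed exactly once (its own startup) and masked from then on. */
void example_daemon_profile(struct sysmask *sm)
{
    *sm = (struct sysmask){ 0 };
    sm->active.m1 = MASK_NET;
    sm->latent.m1 = MASK_EXEC;
    sm->trigger = SYS_EXECVE;
    sm->trigger_count = 1;
    for (int i = 0; i < NR_EXCEPTIONS; i++)
        sm->exception[i] = -1;
}

int main(void)
{
    struct sysmask sm;
    example_daemon_profile(&sm);
    printf("socket:    %d\n", sysmask_check_syscall(&sm, SYS_SOCKET)); /* masked */
    printf("execve #1: %d\n", sysmask_check_syscall(&sm, SYS_EXECVE)); /* allowed, trigger fires */
    printf("execve #2: %d\n", sysmask_check_syscall(&sm, SYS_EXECVE)); /* masked by latent set */
    sm.exception[0] = SYS_EXECVE;                                        /* exception re-opens it */
    printf("execve #3: %d\n", sysmask_check_syscall(&sm, SYS_EXECVE));
    return 0;
}
```

The trace shows why the trigger matters for a daemon: the first execve is the one that starts the service, and only after it does the latent MASK_EXEC bit land in the active set. The exception slot then demonstrates the escape hatch the text mentions for the case where one mask bit covers more calls than the process can do without.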
Due to the flexibility of the sysmask design, this is enough for process protection most of the time, thus eliminating the need to recompile software. The utility is also very handy for testing purposes. To change a mask set, you only have to change the command line and relaunch. When used in conjunction with the smkd log, optimising the sysmask configuration for a daemon is often a matter of minutes.

/bin/sysmask can also be used to query sysmask status, either for a given process, or for a given token, or for masks that are to be set. Scripts can also be designed using it to audit the security level of a whole system.

----------------------------------------------------------

Finally, the daemon /sbin/smkd can be automatically launched by /bin/sysmask at system boot, so an init script is not really necessary. The daemon reads the configuration files, and takes care of selective access control, token switching, and interactive triggering for other processes. It is the only process that needs to read the sysmask configuration, so it is recommended that access to the sysmask configuration be closed to any other process (except highly privileged root ones), using the denyid mask.

----------------------------------------------------------

Configuration of sysmask can be done either by the menu based tool /usr/sbin/sysmaskadm or by directly editing files in /etc/sysmask.