Mandatory Access Control

We decided to put the MAC protection on the platform part despite the fact that it applies to the kernel too, since its use will be mainly at the platform level (except floor part).

Mandatory Access Control (MAC) is a protection provided by the Linux kernel that requires a Linux Security Module (LSM). AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK). This protection involves the creation of SMACK labels as part of the extended attributes SMACK labels to the file extended attributes. And a policy is also created to define the behaviour of each label.

The kernel access controls is based on these labels and this policy. If there is no rule, no access will be granted and as a consequence, what is not explicitly authorized is forbidden.

There are two types of SMACK labels:

Execution SMACK (Attached to the process): Defines how files are accessed and created by that process.
File Access SMACK (Written to the extended attribute of the file): Defines which process can access the file.

By default a process executes with its File Access SMACK label unless an Execution SMACK label is defined.

AGL's SMACK scheme is based on the Tizen 3 Q2/2015. It divides the System into the following domains:

Floor.
System.
Applications, Services and User.

See AGL security framework review and Smack White Paper for more information.

Floor

The floor domain includes the base system services and any associated data and libraries. This data remains unchanged at runtime. Writing to floor files or directories is allowed only in development mode or during software installation or upgrade.

The following table details the floor domain:

Label	Name	Execution SMACK	File Access SMACK
`-`	Floor	`r-x` for all	Only kernel and internal kernel thread.
`^`	Hat	`---` for all	`rx` on all domains.
`*`	Star	`rwx` for all	None

The Hat label is Only for privileged system services (currently only systemd-journal). Useful for backup or virus scans. No file with this label should exist except in the debug log.
The Star label is used for device files or /tmp Access restriction managed via DAC. Individual files remain protected by their SMACK label.

Domain	`Label` name	Recommendations
Kernel-MAC-Floor-1	`^`	Only for privileged system services.
Kernel-MAC-Floor-2	`*`	Used for device files or `/tmp` Access restriction via DAC.

System

The system domain includes a reduced set of core system services of the OS and any associated data. This data may change at runtime.

The following table details the system domain:

Label	Name	Execution SMACK	File Access SMACK
`System`	System	None	Privileged processes
`System::Run`	Run	`rwxatl` for User and System label	None
`System::Shared`	Shared	`rwxatl` for system domain `r-x` for User label	None
`System::Log`	Log	`rwa` for System label `xa` for user label	None
`System::Sub`	SubSystem	Subsystem Config files	SubSystem only

Domain	`Label` name	Recommendations
Kernel-MAC-System-1	`System`	Process should write only to file with transmute attribute.
Kernel-MAC-System-2	`System::run`	Files are created with the directory label from user and system domain (transmute) Lock is implicit with `w`.
Kernel-MAC-System-3	`System::Shared`	Files are created with the directory label from system domain (transmute) User domain has locked privilege.
Kernel-MAC-System-4	`System::Log`	Some limitation may impose to add `w` to enable append.
Kernel-MAC-System-5	`System::Sub`	Isolation of risky Subsystem.

Applications, Services and User

The application, services and user domain includes code that provides services to the system and user, as well as any associated data. All code running on this domain is under Cynara control.

The following table details the application, services and user domain:

Label	Name	Execution SMACK	File Access SMACK
`User::Pkg::$AppID`	AppID	`rwx` (for files created by the App). `rx` for files installed by AppFw	$App runtime executing $App
`User::Home`	Home	`rwx-t` from System label `r-x-l` from App	None
`User::App-Shared`	Shared	`rwxat` from System and User domains label of $User	None

Domain	`Label` name	Recommendations
Kernel-MAC-System-1	`User::Pkg::$AppID`	Only one Label is allowed per App. A data directory is created by the AppFw in `rwx` mode.
Kernel-MAC-System-2	`User::Home`	AppFw needs to create a directory in `/home/$USER/App-Shared` at first launch if not present with label app-data access is `User::App-Shared` without transmute.
Kernel-MAC-System-3	`User::App-Shared`	Shared space between all App running for a given user.

Attack Vectors

There are 4 major components to the system:

The LSM kernel module.
The smackfs filesystem.
Basic utilities for policy management and checking.
The policy/configuration data.

As with any mandatory access system, the policy management needs to be carefully separated from the checking, as the management utilities can become a convenient point of attack. Dynamic additions to the policy system need to be carefully verified, as the ability to update the policies is often needed, but introduces a possible threat. Finally, even if the policy management is well secured, the policy checking and failure response to that checking is also of vital importance to the smooth operation of the system.

While MAC is a certainly a step up in security when compared to DAC, there are still many ways to compromise a SMACK-enabled Linux system. Some of these ways are as follows:

Disabling SMACK at invocation of the kernel (with command-line: security=none).
Disabling SMACK in the kernel build and redeploying the kernel.
Changing a SMACK attribute of a file or directory at install time.
Tampering with a process with the CAP_MAC_ADMIN privilege.
Setting/Re-setting the SMACK label of a file.
Tampering with the default domains (i.e. /etc/smack/accesses.d/default-access-domains).
Disabling or tampering with the SMACK filesystem (i.e. /smackfs).
Adding policies with smackload (adding the utility if not present).
Changing labels with chsmack (adding the utility if not present).