Demonstrating Process and File Labeling

Since I do a lot of Trusted Extensions demonstrations, I'm often asked about process and file labeling. Neither is set explicitly: a process carries the label of the zone it runs in, and a file carries the label of the zone (or the NFS server) whose filesystem holds it, so process and file labels are implicitly determined from zone and network labels. I've written two shell scripts which display these concepts using the zenity(1) GUI.

Here is the first script, getprocs:

#!/bin/ksh
# List every process whose label plabel(1) will show us, one row per process.
# plabel fails (and the process is skipped) when the caller may not examine
# that process, e.g. for lack of proc_info, or when it is outside the zone's view.

ps -fe -o comm -o user -o pid |
while read command user pid
do
        label=$(plabel "$pid" 2>/dev/null)
        if [ $? = 0 ]; then
                echo "$command"
                echo "$pid"
                echo "$user"
                echo "$label"
        fi
done | zenity --list \
        --title="Process Labels" \
        --height=700 \
        --width=650 \
        --column="Process Name" \
        --column="ID" \
        --column="User" \
        --column="Sensitivity Label"

The output of the script looks like this:


If you run this in the global zone, as root, you will see all processes, and you can sort the output by clicking the table columns. When run in a labeled zone, only processes with the current zone label are shown. I also use this script to demonstrate that by removing proc_info from my default privilege set I can only see my own processes: without proc_info, plabel (like ps) fails for every process the caller does not own. The privilege setting in my /etc/user_attr file looks like this:

defaultpriv=basic,!proc_info
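As an added example (not one of the post's scripts), the following POSIX shell script interprets a user_attr(4) entry the way the login process does when it builds a session's default privilege set, so you can see exactly what basic,!proc_info yields. The user name demo, the sample entry, and the members of BASIC_SET are my own assumptions: the basic set listed is the Solaris 11 one, so confirm it on your release with ppriv -l basic before relying on it.

```shell
#!/bin/sh
# Added example, not part of the original post: expand a user_attr(4)
# defaultpriv specification into the privilege set it produces.
#
# ASSUMPTION: BASIC_SET lists the Solaris 11 basic privileges. Older releases
# have a smaller basic set; check yours with "ppriv -l basic".
BASIC_SET="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session"

# user_attr_defaultpriv ENTRY
#   ENTRY is one user_attr line (user:qualifier:res1:res2:attr). Prints the
#   value of the defaultpriv key from the attr field, or nothing if absent.
user_attr_defaultpriv() {
    attr=$(printf '%s\n' "$1" | cut -d : -f 5)
    printf '%s\n' "$attr" | tr ';' '\n' | sed -n 's/^defaultpriv=//p'
}

# expand_defaultpriv SPEC
#   SPEC is a comma-separated list: "basic" stands for BASIC_SET, a bare name
#   adds that privilege, "!name" removes it. Prints the result, space-separated
#   and sorted, so two specs can be compared as strings.
expand_defaultpriv() {
    add="" drop=""
    for tok in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $tok in
            basic) add="$add $BASIC_SET" ;;
            \!*)   drop="$drop ${tok#!}" ;;
            *)     add="$add $tok" ;;
        esac
    done
    result=""
    for p in $(printf '%s\n' $add | sort -u); do
        case " $drop " in
            *" $p "*) ;;                       # negated: leave it out
            *)        result="$result $p" ;;
        esac
    done
    printf '%s\n' "${result# }"
}

# has_priv SET NAME -> exit status 0 if NAME is a member of SET
has_priv() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample entry for a hypothetical user "demo", matching the
# defaultpriv line shown in the post.
SAMPLE='demo::::type=normal;defaultpriv=basic,!proc_info;profiles=Basic Solaris User'

spec=$(user_attr_defaultpriv "$SAMPLE")
set_=$(expand_defaultpriv "$spec")
echo "defaultpriv=$spec expands to: $set_"
if has_priv "$set_" proc_info; then
    echo "proc_info present: this user can examine other users' processes"
else
    echo "proc_info removed: plabel and ps will show only this user's own processes"
fi
```

The same functions answer the reverse question: if a user reports seeing other people's processes in getprocs, run their user_attr entry through expand_defaultpriv and check for proc_info, and for any extra privileges appended after basic.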

The other script, getmounts, displays the labels of the currently mounted filesystems.

#!/bin/ksh
# List the mount point, filesystem type and label of each mounted filesystem.
# mount -p prints vfstab(4) format, so fields 3 and 4 are the mount point and
# the filesystem type. getlabel(1) prints "path:<tab>label"; the cut strips the
# path but keeps the whole label, which may itself contain colons
# (e.g. "CONFIDENTIAL : INTERNAL USE ONLY").

/usr/sbin/mount -p | cut -d " " -f3-4 |
while read mntpnt fstype
do
    label=$(getlabel "$mntpnt" 2>/dev/null)
    if [ $? = 0 ]; then
        echo "$mntpnt"
        echo "$fstype"
        echo "$label" | cut -d : -f 2-99
    fi
done | zenity --list \
    --title="File System Labels" \
    --height=700 \
    --width=750 \
    --column="Directory" \
    --column="Type" \
    --column="Sensitivity Label"

When run as root in the global zone, every mounted filesystem is displayed except the NFS mounts into the labeled zones. When run in a labeled zone, only the zone's own filesystems are shown, together with the filesystems shared into it from the global zone, from zones with lower labels, and from NFS servers; mounts at higher or incomparable labels are not visible from inside the zone.

The output of this script looks like this:

