Porting NSA Security Enhanced Linux to Hand-held devices Russell Coker [email protected] http://www.coker.com.au/ Abstract process. In addition to the use of domains and types In the first part of this paper I will describe how for access control SE Linux tracks the identity I ported SE Linux to User-Mode-Linux and to of the user (which will be system_u for pro- the ARM CPU. I will focus on providing infor- cesses that are part of the operating system or mation that is useful to people who are porting the Unix user-name) and the role. Each identity to other platforms as well. In the second part will have a list of roles that it is permitted to as- I will describe the changes necessary to appli- sume, and each role will have a list of domains cations and security policy to run on small de- that it may use. This gives a high level of con- vices. This will be focussed on hand-held de- trol over the actions of a user which is tracked vices but can also be used for embedded appli- through the system. When the user runs SUID cations such as router or firewall type devices, or SGID programs the original identity will and any machine that has limited memory and still be tracked and their privileges in the SE se- storage. curity scheme will not change. This is very dif- ferent to the standard Unix permissions where 1 Introduction after a SUID program runs another SUID pro- gram it’s impossible to determine who ran the SE Linux offers significant benefits for secu- original process. Also of note is the fact that rity. It accomplishes this by adding another operations that are denied by the security pol- layer of security in addition to the default Unix icy [1] have the identity of the process in ques- permissions model. This is achieved by firstly tion logged. assigning a type to every file, device, network I often run SE Linux demonstration machines socket, etc. Then every process has a domain, on the Internet which provide root access to the and the level of access permitted to a type is world and an invitation to try and break the se- determined by the domain of the process that is curity. [2] attempting the access (in addition to the usual Unix permission checks). Domains may only For a detailed description of how SE Linux be changed at process execution time. The do- works I recommend reading the paper Peter main may automatically be changed when a Loscocco presented at OLS in 2001 [3]. process is executed based on the type of the executable program file and the domain of the SE Linux has been shown to provide sig- process that is executing it, or a privileged pro- nificant security benefits for little overhead cess may specify the new domain for the child on servers, desktop workstations, and laptops. Linux Symposium 118 However it has not had much use in embedded uses 52 different system calls through this in- devices yet. terface. Due to problems in porting the kernel code to some platforms (particularly those that Some people believe that SE Linux is only have a mixed 32 and 64bit memory model) the needed for server systems. I think that is in- decision was made to change the LSM inter- correct, and I believe that in many situations face for kernel 2.6.0. The new interface will laptops and hand-held devices need more pro- make the code fully portable and remove the tection than servers. A server will usually have painful porting work that is currently required. a firewall protecting it, with a small number However I needed to have SE Linux working of running applications which are well main- with the 2.4.x kernels so I couldn’t wait for ker- tained and easy to upgrade. Portable comput- nel 2.6.0. ers are often used in hostile environments that servers do not experience, they have no fire- The main difficulty in porting the code is the walls to protect them, and often they are con- system call execve_secure() which is used to nected to routers operated by potentially negli- specify the security context for the new pro- gent or hostile organizations. cess. This calls the kernel funtion do_exec() to perform the execution, and do_exec() needs a But there are two main factors that cause an pointer to the stack, thus requiring architecture increased need for security on portable devices. specific code in the sys_execve_secure() func- One is that it is usually extremely difficult and tion. The sys_security_selinux_worker() func- expensive to upgrade them if a new security fix tion (which determines which SE Linux sys- is needed. This means that in commercial use tem call is desired and passes the appropriate portable computers tend to never have security parameters to it) calls sys_execve_secure() and fixes applied. Another factor is that often the therefore also needs architecture specific code, person in posession of a hand-held computer is and so does the main system call sys_security_ not authorised to access all the data it contains, selinux(). and may even be hostile to the owner of the machine. My first port of SE Linux was to User-Mode Linux [5]. This was a practice effort for the Naturally for a full security solution for main porting work. It is quite easy to debug portable computers a strong encryption system kernel code under UML, and as it uses the i386 will need to be used for all persistent file sys- system call interface I could port the kernel tems. There are various methods of doing this, code without any need to port application code. but all aspects of such encryption are outside the scope of this project and can be imple- The main architecture dependent code is mented independently. in the source file security/selinux/ arch/i386/wrapper.c, which has code to look on the stack for the contents of par- 2 Kernel Porting ticular registers. This needs to be changed for platforms with different register names, and for The current stable series of SE Linux is based UML which does not permit such direct access on the 2.4.x kernels and uses the Linux Secu- of registers. rity Modules (LSM) [4] interface. The current LSM interface has a single sys_security() sys- The solution in the case of UML was to not tem call that is used to multiplex all the system have a wrapper function, as the current struc- calls for all of the security modules. SE Linux ture had a pointer to the stack anyway that Linux Symposium 119 could be used inside the sys_execve_secure() you are stuck with a memory limit of 64M. function. So I renamed the sys_security_ selinux_worker() function to sys_security_ The flash storage in an iPaQ can only be writ- selinux() for the UML port and entirely re- ten a limited number of times, this combined moved all reference to the wrapper. Then with the small amount of storage makes it im- I moved the implementation of sys_execve_ possible to use a swap space for virtual mem- secure() into the platform specific directory ory unless you purchase a special sleeve for us- and implemented a different version for each ing an external hard drive. Attaching an exter- port. nal hard drive such as the IBM/Hitachi Micro Drive is expensive and bulky. Therefore if you This was essentially all that was required to have a limited budget then storage expansion complete the port, the core code of SE Linux (for increased file storage or swap space) is not was all cleanly written and could just be com- an option. piled. The only other work involved getting the Makefile’s correctly configured, and adding a For storing files, the 32M file system can con- hook to sys_ptrace(). tain quite a lot. The Familiar distribution is op- timised for low overheads (no documentation One thing I did differently with my port to the or man pages) and all programs are optimised ARM architecture was that I removed the code for size not speed. Also the JFFS2 [7] file to replace the system call entry. When the SE system used by Familiar supports several com- Linux kernel code loads on UML and i386 it pression algorithms including the Lempel-Ziv replaces the system call with a direct call to the algorithm implemented in zlib, so more than SE Linux code (rather than using the option for 32M of files can fit in storage. LSM to multiplex between different modules). As there is currently no support for having SE For a system such as SE Linux to be viable on Linux be a loadable module there seems to be an iPaQ it has to take up a small portion of the no benefit in this, and it seems that on ARM 32M of flash storage and 64M of RAM, and there will be more overhead for adding an extra not require any long CPU intensive operations. level of indirection for this. So I made the SE Finally the screen of an iPaQ only has a reso- Linux patch hard-code the SE system call into lution of 240x320 and the default input device the sys-call table. is a keyboard displayed on the screen. This makes an iPaQ unsuitable for interactive tasks 3 iPaQ Design Constraints that involve security contexts as it takes too much typing to enter them and too much screen space to display them.