/*************************************************************************
 *
 * This file lists known LOMAC bugs, deficiencies, and correct behaviors
 * deemed sufficiently surprising to require explanation.
 *
 *************************************************************************/

o rpm - can't use rpm

  In order to use the rpm program to install software into the level-2
  part of the system, you must run rpm as root, at level 2.
  Unfortunately, rpm needs to create files in /tmp and read from them.
  Presently, LOMAC sets all files in /tmp to level 1, and rpm gets
  demoted to level 1 when it tries to read from its own /tmp files.
  This problem will go away once it's possible for a level-2 program to
  create level-2 files in /tmp.

o vi, emacs - can't use common editors for administration (workaround).

  In their default configuration, editors such as vi and emacs tend to
  create temporary files and lock files in the level-1 parts of the
  system. When the administrator runs these editors at level 2, and the
  editors read from their own temporary and lock files, LOMAC demotes
  the editors to level 1. Once demoted, the editors cannot write to
  level-2 files, which makes them useless for administration. The emacs
  editor also exhibits disturbing file truncation behavior in these
  situations, as described in the "cp - surprising behavior" entry,
  below.

  Eventually, LOMAC should be fixed to allow level-2 editors to create
  level-2 temporary and lock files. However, until then, a workaround
  is available: vi and emacs can be configured to make their temporary
  and lock files in the level-2 part of the system when run by the root
  user.
  Use the following steps:

  (1) mkdir /root/tmp

  (2) Include the following aliases in the root user's .bashrc (or
      equivalent aliases for other shells):

        alias emacs='EMACSLOCKDIR=/root/tmp emacs'
        alias vi='TMPDIR=/root/tmp vi'

  (3) Include the following lines in root's .nexrc (vi resource) file:

        set dir=/root/tmp
        set recdir=/root/tmp/vi.recover

  The "set dir" command in .nexrc should allow you to do without the vi
  alias shown in step 2. However, my version of vi (Debian release of
  1.79 CSRG/UCB) seems to need the TMPDIR environment variable provided
  by the alias. Note that you probably don't want to set TMPDIR
  globally, since programs like man need to use a level-1 temporary
  directory (the default) in order to operate properly with LOMAC.

o XDM (logging in via X) - doesn't yet work with LOMAC's default policy

  From the LOMAC v0.3pre6 announcement on the lomac-users mailing list:

    The PLM is the "Path-Level Map" - the data structure that maps
    levels to files in the filesystem namespace. Its default
    configuration presently has a problem concerning /var/log/lastlog.

    /sbin/init reads from this file. This fact compels us to set
    /var/log/lastlog at the high level, since if /sbin/init ever reads
    a low file, it will be demoted, and will subsequently have
    insufficient privilege to shut down the machine. However, sessreg -
    part of the XDM suite of programs for managing X logins - needs
    /var/log/lastlog to be low so it can write to it at the start of
    each user session. It seems (after a few minimal tests) that
    sessreg won't start a session unless it can write to
    /var/log/lastlog.

    The present PLM configuration sets /var/log/lastlog high, so if you
    boot your machine into runlevel 5 (X) and use an XDM configuration
    that uses sessreg, you will not be able to log in via X. You can
    rescue yourself by hitting CTRL-ALT-F1 and logging in at a virtual
    console. If you boot your machine into runlevel 3 (multiuser) and
    start X manually via "xinit" or "startx", you will not experience
    this problem.
    I hope to fix this sessreg problem, soon.

o Hardlinks - can confuse LOMAC

  LOMAC determines the proper level for a file based on its filename.
  If a file has two names (via hardlinks), where one name indicates
  level 1 and the other level 2, LOMAC will pick one level or the other
  depending on the name used to open the file. Symbolic links do not
  confuse LOMAC.

o NFSD - mediation

  No mediation is done on the kernel nfsd.

o cp - surprising behavior

  There is a surprising (although correct) behavior when running cp at
  level 2, trying to copy a level-1 file over an existing level-2 file:

  1. cp asks, "overwrite?"  You answer yes.
  2. cp (still at level 2) truncates the existing level-2 file.
  3. cp reads the level-1 file and gets demoted.
  4. cp, now at level 1, can't write the new level-2 file.
  5. You wind up with a 0-length level-2 file. (ouch!)

o UNIX domain sockets - grandfathering

  The UNIX domain socket grandfathering code for non-bound sockets needs
  to be improved. (Grandfathering refers to assigning levels to
  pre-existing objects at LOMAC load time.) The current code is
  security-safe, but is overly pessimistic - some sockets get level 1
  when they could safely be given level 2.

o Bad copyin discipline

  The wrap_unlink() function still has a time-of-check/time-of-use
  error. This is a security-relevant bug. It allows a malicious
  multithreaded level-1 program to attempt to bypass LOMAC's controls
  using the following algorithm:

    THREAD 1:                            THREAD 2:
    DO                                   DO
      char *filename = "level1file"        filename = "level2file"
      unlink( filename )                 MANY TIMES
    MANY TIMES

  The unlink will probably harmlessly unlink "level1file" for many
  iterations until the timing happens to work out as follows:

    THREAD1  filename = "level1file"
    THREAD1  make unlink( filename ) syscall
    LOMAC    copyin path "level1file"
    LOMAC    decide that unlink is permissible (this operation can block)
    THREAD2  filename = "level2file"
    KERNEL   copyin path "level2file"
    KERNEL   unlink "level2file"          /* oops! */
    THREAD1  return from unlink syscall

  This problem can be fixed by eliminating the multiple copyins of the
  same parameter.

o SYS_SEND - insufficient mediation

  LOMAC does not control SYS_SEND, SYS_SENDTO, and SYS_SENDMSG calls
  used on UNIX-domain datagram sockets.

o System V IPC - no mediation or monitoring

  LOMAC does not control the use of System V IPC.

o Mediation - not all operations have sufficient controls.

  LOMAC presently controls (at least partially) these system calls:

    creat, ftruncate, kill, link, mkdir, mknod, mount, open, pipe,
    read, readv, reboot, rename, rmdir, setpgid, socketcall, truncate,
    umount, unlink, write, writev.

  A list of Linux system calls can be found in
  /usr/src/linux/arch//kernel/entry.S - search for
  ENTRY(sys_call_table). It shows many system calls that are not yet
  controlled by LOMAC.
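Added example (not part of the LOMAC sources) for the "Bad copyin discipline" entry: a deterministic, single-threaded C model of the wrap_unlink() race, with the double-copyin wrapper beside the single-copyin fix. A hook stands in for THREAD 2 overwriting the filename at the point where the decision can block; the path_level() lookup and the /level1/ and /level2/ prefixes are constructed assumptions, not LOMAC's real PLM.

```c
#include <string.h>

/* LOMAC levels: 1 = low, 2 = high. */
enum { LEVEL_LOW = 1, LEVEL_HIGH = 2 };

/* Hypothetical stand-in for the PLM: paths under /level2/ are high. */
static int path_level(const char *path) {
    return strncmp(path, "/level2/", 8) == 0 ? LEVEL_HIGH : LEVEL_LOW;
}

/* Simulated user-space argument buffer shared with a second "thread".
   The hook fires where the real wrapper could block, standing in for
   THREAD 2 overwriting the filename inside the race window. */
static char user_path[64];
static void (*block_point_hook)(void);

static void copyin(char *dst, size_t n) {
    strncpy(dst, user_path, n - 1);
    dst[n - 1] = '\0';
}

/* Buggy discipline: LOMAC copies the path to decide, then the kernel
   copies it again to act, so the two copies can disagree. */
static const char *unlink_double_copyin(int subj, char *acted_on, size_t n) {
    char check_buf[64];
    copyin(check_buf, sizeof check_buf);         /* copy #1: the decision */
    if (subj < path_level(check_buf)) return "denied";
    if (block_point_hook) block_point_hook();    /* decision may block here */
    copyin(acted_on, n);                         /* copy #2: the action */
    return "unlinked";
}

/* Fixed discipline: one copyin; the same kernel-side buffer is both
   checked and acted on, so user space cannot change it in between. */
static const char *unlink_single_copyin(int subj, char *acted_on, size_t n) {
    copyin(acted_on, n);
    if (subj < path_level(acted_on)) return "denied";
    if (block_point_hook) block_point_hook();
    return "unlinked";
}

/* THREAD 2's role: swap the name while THREAD 1 is inside the syscall. */
static void thread2_swaps_name(void) { strcpy(user_path, "/level2/file"); }

/* Returns 1 if a low-level subject ended up acting on a high-level path. */
static int race_escapes(const char *(*wrapper)(int, char *, size_t)) {
    char acted_on[64] = "";
    strcpy(user_path, "/level1/file");
    block_point_hook = thread2_swaps_name;
    const char *verdict = wrapper(LEVEL_LOW, acted_on, sizeof acted_on);
    return strcmp(verdict, "unlinked") == 0 && path_level(acted_on) == LEVEL_HIGH;
}
```

With the double copyin the low subject's unlink lands on "/level2/file" even though the decision was made for "/level1/file"; with one copyin the checked buffer and the acted-on buffer are the same, so the swap has no effect.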