Manage the compiled security policy file
secpol [-cdnpqQv] [-i compiled_policy] [-t type] [-a ability] [-f filter]
QNX Neutrino
Because the security policy file that secures a system may be referenced by multiple components even after it is pushed to procnto, it must be located at /proc/boot/secpol.bin.
The secpol utility is a target-based utility for manipulating binary policy files. Use it to view the contents of a compiled security policy (such as the rules for each type), validate a policy after you have compiled it, and push the compiled policy into effect.
Without a policy in effect, all type identifiers are zero and processes with the PATHSPACE procmgr ability can attach channels anywhere in the path space. With the policy in effect, processes can only attach in a limited set of locations. Pushing the security policy triggers policy enforcement. It should be one of the first things that you do when you start up your system.
Start up resource managers after you push the policy.
secpol -v
This example shows how to push a compiled security policy from /proc/boot/secpol.bin to the microkernel:
secpol -p
attribute priv_port;
ability iofunc/dup;
ability network/bind/privport;
type procnto;
type io_pkt_t, priv_port;
type qconn_t;
type sshd_t;
type fs_nfs3_t, priv_port;
type user_1_t;
type user_2_t;
type root_t;
allow io_pkt_t self : ability { nonroot able_create mem_phys:0- priority:255 qnet interrupt:18 iofunc/dup };
allow_attach io_pkt_t { /dev/socket/... /dev/crypto };
allow priv_port self : ability { network/bind/privport };
allow sshd_t self : ability { settypeid:user_1_t,user_2_t gain_priv:channel_connect };
allow sshd_t self : ability { fork unlock noinherit };
allow sshd_t self : ability { spawn noinherit };
allow root_t self : ability { default_priv -mem_phys };
allow_attach qconn_t / io_pkt_t;
allow { root_t user_1_t } io_pkt_t:channel connect;
allow user_1_t io_pkt_t:channel net_connect;

Examples for each type of filter follow, including specific commands and the results of the filtering.
secpol -f ability -a pathspace
The results of the filter indicate that three types have, or potentially have, the pathspace ability. The types io_pkt_t and qconn_t have gained it as a result of allow_attach rules, while root_t has it for root only by virtue of having been given default_priv.
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    PATHSPACE allow root non-root inherit lock
qconn_t crc:8977b760
    PATHSPACE allow root non-root inherit lock
root_t crc:98da6509
    EOL
secpol -f capability -t user_1_t
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
user_1_t crc:55ffe65b
    SPAWN allow root non-root inherit lock
    FORK allow root non-root inherit lock
    PROT_EXEC allow root non-root inherit lock
    PGRP allow root non-root inherit lock
    MAP_FIXED allow root non-root inherit lock
    RCONSTRAINT allow root non-root inherit lock
    PUBLIC_CHANNEL allow root non-root inherit lock
    RUNSTATE_BURST allow root non-root inherit lock
    XTHREAD_THREADCTL allow root non-root inherit lock
    PROT_WRITE_AND_EXEC allow root non-root inherit lock
    CHANNEL_CONNECT allow root non-root inherit lock subrange 2-2 (io_pkt_t)
    EOL deny root non-root inherit lock
-------------------------------------------------
SECPOL_BLOB_PMA_RULES
-------------------------------------------------
SECPOL_BLOB_QNET
user_1_t can connect to: io_pkt_t
secpol -f channel -t io_pkt_t
The command yields the following filtered information, indicating that this channel type can either come from a process of type io_pkt_t attaching to /dev/crypto or anywhere under /dev/socket, or it can result from a process of type qconn_t attaching a channel to / and having its type changed to io_pkt_t:
SECPOL_BLOB_PMA_RULES
allow_attach io_pkt_t /dev/socket/...;
allow_attach io_pkt_t /dev/crypto;
allow_attach qconn_t / io_pkt_t;
secpol -f connect -t io_pkt_t
The command yields the following filtered information, indicating that types user_1_t and root_t can make local connections to a channel of type io_pkt_t, while an incoming QNET connection of type user_1_t can also make a connection:
SECPOL_BLOB_ABILITIES
user_1_t crc:55ffe65b
    CHANNEL_CONNECT allow root non-root inherit lock subrange 2-2 (io_pkt_t)
root_t crc:98da6509
    CHANNEL_CONNECT allow root non-root inherit lock subrange 2-2 (io_pkt_t)
-------------------------------------------------
SECPOL_BLOB_QNET
user_1_t can connect to: io_pkt_t
secpol -f default
In this case, there is only a single type that has been granted default abilities. Although root_t could gain additional abilities through use of default_priv in the policy, it doesn't mean it will necessarily get all of them. In this case, the policy indicates that root_t should get default abilities with the exception of mem_phys:
SECPOL_BLOB_ABILITIES
root_t crc:98da6509
    EOL
For more information, filter based on the mem_phys ability to see that it is denied:
secpol -f ability -a mem_phys
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    MEM_PHYS allow root non-root inherit lock subrange 0-18446744073709551615
root_t crc:ba473fd4
    MEM_PHYS deny root non-root inherit lock
secpol -f dynamic
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    iofunc/dup allow root non-root inherit lock
    network/bind/privport deny non-root
    network/bind/privport allow root inherit lock
fs_nfs3_t crc:7531f7d4
    network/bind/privport deny non-root
    network/bind/privport allow root inherit lock
secpol -f noinherit
In this case, root_t also shows up as having non-inherited abilities because it uses default_priv, and abilities are not inherited by default:
SECPOL_BLOB_ABILITIES
sshd_t crc:f8833bdb
    SPAWN allow root non-root no-inherit lock
    FORK allow root non-root no-inherit
root_t crc:ba473fd4
    EOL
secpol -f unlock
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
sshd_t crc:f8833bdb
    FORK allow root non-root no-inherit
root_t crc:b5407a43
    EOL
secpol -f nonroot
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    PATHSPACE allow root non-root inherit lock
    MEM_PHYS allow root non-root inherit lock subrange 0-18446744073709551615
    SPAWN allow root non-root inherit lock
    FORK allow root non-root inherit lock
    PROT_EXEC allow root non-root inherit lock
    QNET allow root non-root inherit lock
    INTERRUPT allow root non-root inherit lock subrange 18-18
    PRIORITY allow root non-root inherit lock subrange 255-255
    PGRP allow root non-root inherit lock
    MAP_FIXED allow root non-root inherit lock
    RCONSTRAINT allow root non-root inherit lock
    PUBLIC_CHANNEL allow root non-root inherit lock
    ABLE_CREATE allow root non-root inherit lock
    RUNSTATE_BURST allow root non-root inherit lock
    XTHREAD_THREADCTL allow root non-root inherit lock
    PROT_WRITE_AND_EXEC allow root non-root inherit lock
    iofunc/dup allow root non-root inherit lock
    network/bind/privport deny non-root
    EOL deny root non-root inherit lock
qconn_t crc:8977b760
    PATHSPACE allow root non-root inherit lock
    SPAWN allow root non-root inherit lock
    FORK allow root non-root inherit lock
    PROT_EXEC allow root non-root inherit lock
    . . .
secpol -f root
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    network/bind/privport allow root inherit lock
sshd_t crc:f8833bdb
    SETTYPEID allow root inherit lock subrange 6-7 (user_1_t,user_2_t)
fs_nfs3_t crc:7531f7d4
    network/bind/privport allow root inherit lock
secpol -f settype -t user_1_t
The command yields the following filtered information:
SECPOL_BLOB_ABILITIES
sshd_t crc:f8833bdb
    SETTYPEID allow root inherit lock subrange 6-7 (user_1_t,user_2_t)
secpol -f reference -t io_pkt_t
The command yields the following filtered information:
SECPOL_BLOB_TYPE_MAP
io_pkt_t = 2
-------------------------------------------------
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    PATHSPACE allow root non-root inherit lock
    MEM_PHYS allow root non-root inherit lock subrange 0-18446744073709551615
    SPAWN allow root non-root inherit lock
    FORK allow root non-root inherit lock
    PROT_EXEC allow root non-root inherit lock
    QNET allow root non-root inherit lock
    INTERRUPT allow root non-root inherit lock subrange 18-18
    PRIORITY allow root non-root inherit lock subrange 255-255
    PGRP allow root non-root inherit lock
    MAP_FIXED allow root non-root inherit lock
    RCONSTRAINT allow root non-root inherit lock
    PUBLIC_CHANNEL allow root non-root inherit lock
    ABLE_CREATE allow root non-root inherit lock
    RUNSTATE_BURST allow root non-root inherit lock
    XTHREAD_THREADCTL allow root non-root inherit lock
    PROT_WRITE_AND_EXEC allow root non-root inherit lock
    iofunc/dup allow root non-root inherit lock
    network/bind/privport deny non-root
    network/bind/privport allow root inherit lock
    EOL deny root non-root inherit lock
user_1_t crc:55ffe65b
    CHANNEL_CONNECT allow root non-root inherit lock subrange 2-2 (io_pkt_t)
root_t crc:b5407a43
    CHANNEL_CONNECT allow root non-root inherit lock subrange 2-2 (io_pkt_t)
-------------------------------------------------
SECPOL_BLOB_PMA_RULES
allow_attach io_pkt_t /dev/socket/...;
allow_attach io_pkt_t /dev/crypto;
allow_attach qconn_t / io_pkt_t;
-------------------------------------------------
SECPOL_BLOB_QNET
user_1_t can connect to: io_pkt_t
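The filtered listings above are what a reviewer reads when auditing a policy before pushing it. As an added example, not part of the QNX documentation or of the secpol utility itself, the following Python script parses a SECPOL_BLOB_ABILITIES listing in the layout shown in these examples and reports two things a policy reviewer wants to know: which types are allowed a sensitive ability for non-root processes, and which types have no explicit EOL deny and therefore fall through to default abilities (as root_t does above). The layout it assumes (a header line, one "type crc:hex" line per type, one ability line per grant, an EOL line closing each type, and dashed separators between blobs) is inferred from the listings on this page; the set of abilities it treats as sensitive is an assumption chosen for the example, and the sample listing is constructed from values that appear in the examples above.

```python
"""Audit helper for secpol ability listings.

Added example, not part of the QNX documentation or the secpol utility.
The listing layout it parses is inferred from the examples on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the per-type header line, e.g. "io_pkt_t crc:160665c4"
TYPE_RE = re.compile(r"^(\S+)\s+crc:([0-9a-fA-F]+)$")
# Matches the dashed separator between blobs
SEP_RE = re.compile(r"^-+$")

# Assumption for this example: abilities a reviewer would not expect
# non-root processes to hold. Adjust to the system being audited.
SENSITIVE = {"MEM_PHYS", "PATHSPACE", "INTERRUPT", "SETTYPEID", "ABLE_CREATE"}


@dataclass
class AbilityGrant:
    ability: str                 # e.g. "PATHSPACE", "MEM_PHYS", "iofunc/dup", "EOL"
    action: str                  # "allow", "deny", or "none" for a bare EOL line
    root: bool                   # grant applies to processes running as root
    non_root: bool               # grant applies to processes running as non-root
    inherit: bool                # "inherit" present (vs "no-inherit")
    lock: bool                   # "lock" present
    subrange: Optional[str]      # e.g. "2-2 (io_pkt_t)" or "18-18", if any


def parse_grant(line: str) -> AbilityGrant:
    """Parse one ability line such as
    'CHANNEL_CONNECT allow root non-root inherit lock subrange 2-2 (io_pkt_t)'."""
    tokens = line.split()
    ability = tokens[0]
    action = tokens[1] if len(tokens) > 1 else "none"
    rest = tokens[2:]
    subrange = None
    if "subrange" in rest:
        i = rest.index("subrange")
        subrange = " ".join(rest[i + 1:])   # keep "2-2 (io_pkt_t)" as written
        rest = rest[:i]
    return AbilityGrant(
        ability=ability,
        action=action,
        root="root" in rest,                # "non-root" is a distinct token
        non_root="non-root" in rest,
        inherit="inherit" in rest,
        lock="lock" in rest,
        subrange=subrange,
    )


def parse_abilities(text: str) -> Dict[str, List[AbilityGrant]]:
    """Return {type_name: [grants...]} from the SECPOL_BLOB_ABILITIES section only.
    Other blobs (TYPE_MAP, PMA_RULES, QNET) are skipped."""
    grants: Dict[str, List[AbilityGrant]] = {}
    current: Optional[str] = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SECPOL_BLOB_"):
            in_section = line == "SECPOL_BLOB_ABILITIES"
            current = None
            continue
        if not in_section or SEP_RE.match(line):
            continue
        m = TYPE_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, [])
            continue
        if current is not None:
            grants[current].append(parse_grant(line))
    return grants


def non_root_sensitive(grants: Dict[str, List[AbilityGrant]]) -> List[Tuple[str, str]]:
    """Sorted (type, ability) pairs where a sensitive ability is allowed to non-root."""
    hits = [(t, g.ability) for t, gl in grants.items() for g in gl
            if g.action == "allow" and g.non_root and g.ability in SENSITIVE]
    return sorted(hits)


def types_with_default_abilities(grants: Dict[str, List[AbilityGrant]]) -> List[str]:
    """Types whose EOL entry is not an explicit deny, i.e. that fall through to
    default abilities (the pattern root_t shows under 'secpol -f default')."""
    out = []
    for t, gl in grants.items():
        eol = [g for g in gl if g.ability == "EOL"]
        if not eol or eol[-1].action != "deny":
            out.append(t)
    return sorted(out)


# Constructed sample listing, assembled from values in the examples on this page.
SAMPLE_OUTPUT = """\
SECPOL_BLOB_ABILITIES
io_pkt_t crc:160665c4
    PATHSPACE allow root non-root inherit lock
    MEM_PHYS allow root non-root inherit lock subrange 0-18446744073709551615
    INTERRUPT allow root non-root inherit lock subrange 18-18
    network/bind/privport deny non-root
    network/bind/privport allow root inherit lock
    EOL deny root non-root inherit lock
sshd_t crc:f8833bdb
    SETTYPEID allow root inherit lock subrange 6-7 (user_1_t,user_2_t)
    FORK allow root non-root no-inherit
    EOL deny root non-root inherit lock
root_t crc:98da6509
    MEM_PHYS deny root non-root inherit lock
    EOL
-------------------------------------------------
SECPOL_BLOB_QNET
user_1_t can connect to: io_pkt_t
"""

if __name__ == "__main__":
    # On a target this would be: text = subprocess.run(["secpol", "-f", "nonroot"], ...).stdout
    parsed = parse_abilities(SAMPLE_OUTPUT)
    for t, ability in non_root_sensitive(parsed):
        print(f"non-root may hold {ability}: {t}")
    for t in types_with_default_abilities(parsed):
        print(f"falls through to default abilities: {t}")
```

The script reads a listing from a string so it runs offline; on a target the same parser can be fed the output of secpol -f nonroot or secpol -f default captured with subprocess, and the two report functions give a reviewer a short list of types to justify before the policy is pushed.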