Monitor interactions between processes
secpolmonitor [-acnpqrsv] [-f name] [-i time] [-o file] [-S ability-name]
QNX Neutrino
Use the secpolmonitor utility to trace interactions between processes, and as input to determine requirements for the security policy. It is a target-based utility, monitoring what processes do with regard to attaching to the path space as well as the procmgr abilities they require.
See the Security Developer's Guide for more information about:
To run this example, start a system that has no policy installed. After the system boots, compile the following policy with the secpolcompile utility:
type default;
allow_attach default /...;
allow_link default /...;
type fs_t;
type fs_user_t;
type fs_nonuser_t;
allow_attach fs_t {
    /dev/fsF*
    /
    /fsFp0
};
allow fs_t self:ability {
      RSRCDBMGR
      IO
};
allow fs_t fs_t:channel connect;
allow fs_user_t fs_t:channel connect;
allow_link fs_nonuser_t /tmp/libc*;
allow fs_nonuser_t self:channel connect;
allow fs_nonuser_t self:ability io;
allow fs_user_t self:ability io;
The rules for default in this policy minimize its impact on other components and permit the secpolmonitor utility to be started and stopped. Place the binary policy in /proc/boot/secpol.bin so that the secpol and secpolmonitor utilities can find it. Install the policy as follows:
secpol -p
Then run secpolmonitor to report only errors:
secpolmonitor -ap
Or, run it to also show successful uses of abilities and path space changes:
secpolmonitor -aps
The first secpolmonitor command helps to debug problems and produces less output, while the second gives a better idea of everything that is going on.
Start devf-ram using the wrong type (for example, fs_user_t):
on -T fs_user_t devf-ram -i15
It fails:
unable to attach mounter: Operation not permitted
The following secpolmonitor output indicates that devf-ram is missing the path space ability:
error: sbin/devf-ram (pid:2670618) type fs_user_t lacks ability 
       PATHSPACE as root
However, it is not enough to give the process these abilities. Try the command again with the type fs_nonuser_t (which does have io and pathspace abilities):
on -T fs_nonuser_t devf-ram -i15
The output from on is:
unable to attach mounter: Permission denied
The secpolmonitor output indicates why:
error: sbin/devf-ram (pid:2773018) of type fs_nonuser_t failed to attach
       to path /: no rule
To start up devf-ram successfully, use the fs_t type and follow up by running flashctl to initialize and mount its file system:
on -T fs_t devf-ram -i15
on -T fs_t flashctl -p /dev/fsFp0 -e -f -m
Run secpolmonitor with the -s option (to show non-error events). The output shows some of the abilities it has used as well as the path space changes that have occurred:
info: sbin/devf-ram (pid:2809882) type fs_t uses ability IO as root 
info: sbin/devf-ram (pid:2809882) type fs_t uses ability PUBLIC_CHANNEL 
      as root 
info: sbin/devf-ram (pid:2809882) type fs_t uses ability PATHSPACE 
      as root 
info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to 
      path /dev/fsF 
info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to 
      path /fsFp0 
info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to 
      path /dev/fsFp0
Now, try to use the file system with fs_nonuser_t:
on -T fs_nonuser_t touch /fsFp0/file
The output from on is:
/fsFp0/file: Operation not permitted
The following secpolmonitor output indicates why:
error: usr/bin/touch (pid:2936859) type fs_nonuser_t lacks ability  
       CHANNEL_CONNECT(1) (fs_t) as root
Try it again, but with the fs_user_t type:
on -T fs_user_t touch /fsFp0/file
It succeeds. The secpolmonitor utility shows the following successful use of the channel_connect ability:
info: usr/bin/touch (pid:2949147) type fs_user_t uses ability  
      CHANNEL_CONNECT(1) (fs_t) as root 
If type fs_nonuser_t tries to create procmgr symbolic links, the following on commands succeed or fail depending on the path of the symbolic link. For example:
on -T fs_nonuser_t ln -sPf /proc/boot/libc.so.4 /tmp/libc.so.4
on -T fs_nonuser_t ln -sPf /proc/boot/libc.so.4 /tmp/notlibc.so.4
The output from on is:
ln: unable to link. (/proc/boot/libc.so.4 or /tmp/notlibc.so.4): 
                    Permission denied
The secpolmonitor utility shows the following:
info: proc/boot/ln (pid:2961435) of type fs_nonuser_t created link to 
       path /tmp/libc.so.4 
error: proc/boot/ln (pid:2973723) of type fs_nonuser_t failed to  
       attach to path /tmp/notlibc.so.4: no rule