Activation of MAC_SEEOTHERUIDS policy

Dear Friends,

Pardon my ignorance, but I would like to implement MAC_SEEOTHERUIDS as explained in:

https://www.freebsd.org/doc/el/books/handbook/mac-modules.html

Code:
Kernel configuration line: options MAC_SEEOTHERUIDS
Boot option: mac_seeotheruids_load="YES"

I added mac_seeotheruids_load="YES" to /boot/loader.conf

Where to implement:
Code:
options MAC_SEEOTHERUIDS
?

My board is a BeagleBone Black; I hope that it has the requested kernel modules.
For a newcomer like me, "Kernel configuration line" is not clear enough.

Thank you
 
Configuring custom kernel

You can choose here if you would prefer to load given module dynamically (via the /boot/loader.conf file) or link it statically into your custom built kernel (using the options MAC_SEEOTHERUIDS option).

Side note - try to use links to the English versions of documents where those exist. That may help others to get a quick glance at what you are talking about. You probably wouldn't be too surprised that I was not able to say where in the documentation I am in the Greek version linked above :)
 
Hei,

I haven't used it myself, but mac_seeotheruids.ko looks like a kernel module that extends the sysctl security.bsd.see_other_uids functionality.
Code:
% sysctl -a | grep uids
security.bsd.see_other_uids: 1

After kldload mac_seeotheruids it should look like this:
Code:
% sysctl -a | grep uids
security.mac.seeotheruids.specificgid: 0
security.mac.seeotheruids.specificgid_enabled: 0
security.mac.seeotheruids.suser_privileged: 1
security.mac.seeotheruids.primarygroup_enabled: 0
security.mac.seeotheruids.enabled: 1
security.bsd.see_other_uids: 1

If the kernel module is available, you make it load at boot time by adding mac_seeotheruids_load="YES" to /boot/loader.conf
(from the manpage mac_seeotheruids(4) noted in the Handbook page you posted)

Then you configure it by using e.g. sysctl security.mac.seeotheruids.specificgid=n

When you're happy, add the settings to /etc/sysctl.conf to be applied at boot time.


Greetings
Matthias
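
Added example (not part of any post in this thread, and not FreeBSD project code): the steps from the reply above as an idempotent sh script that detects the policy through the sysctl node shown there, loads the module if needed, and persists the settings. The file paths are FreeBSD defaults assumed here, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: idempotent setup of the mac_seeotheruids policy (FreeBSD, root).
# The three paths are FreeBSD defaults; override them to work on scratch copies.
LOADER_CONF=${LOADER_CONF:-/boot/loader.conf}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}
MODULE_FILE=${MODULE_FILE:-/boot/kernel/mac_seeotheruids.ko}

# policy_state: read `sysctl -a` output on stdin and print one of
#   absent   - no security.mac.seeotheruids.enabled node (policy not in kernel)
#   enabled  - node present and set to 1
#   disabled - node present but set to 0
policy_state() {
    awk -F': ' '
        $1 == "security.mac.seeotheruids.enabled" { found = 1; on = ($2 == 1) }
        END { print (!found ? "absent" : (on ? "enabled" : "disabled")) }'
}

# ensure_line FILE KEY VALUE: leave exactly one KEY=VALUE line in FILE,
# replacing an earlier assignment of KEY instead of appending a duplicate.
ensure_line() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key=" 'index($0, k) != 1' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply: load the module if the policy is missing, switch it on, persist both.
apply() {
    if [ "$(sysctl -a 2>/dev/null | policy_state)" = "absent" ]; then
        if [ ! -f "$MODULE_FILE" ]; then
            # The case reported for the BeagleBone image: kldload has no file to load.
            echo "$MODULE_FILE missing: build the module or a kernel with options MAC_SEEOTHERUIDS" >&2
            return 1
        fi
        kldload mac_seeotheruids || return 1
        ensure_line "$LOADER_CONF" mac_seeotheruids_load '"YES"'
    fi
    sysctl security.mac.seeotheruids.enabled=1 || return 1
    ensure_line "$SYSCTL_CONF" security.mac.seeotheruids.enabled 1
}

# Nothing on the system is touched unless the script is run as: sh <script> apply
if [ "${1:-}" = "apply" ]; then apply; fi
```

When the policy is already present (loaded earlier or compiled in), the script leaves /boot/loader.conf alone and only sets and persists the sysctl.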
 
Thank you all.

Configuring custom kernel
Side note - try to use links to the English versions of documents where those exist. That may help others to get a quick glance at what you are talking about. You probably wouldn't be too surprised that I was not able to say where in the documentation I am in the Greek version linked above :)

I included a link to the documentation; do you mean I should also quote the documentation for easy reading? Sure!

kldload mac_seeotheruids
returns an error message 'no such file'.

It is probable that the BeagleBone Black kernel is stripped down and I need to recompile or fetch a full kernel.
In fact, I will study all this on my server and not on an embedded platform.

Thanks!
 
Hei French Fries,

Sad to see the kernel module does not exist for the BeagleBone.
I'm not sure where to go from here. There needs at least to be kernel sources for arm(??) to compile, but I have no idea how that is handled since I never had any non-x86 in use.

In fact, I will study all this on my server and not on an embedded platform.
Good idea to learn how it works :)
 
There needs at least to be kernel sources for arm(??) to compile, but I have no idea how that is handled since I never had any non-x86 in use.
There is only one source tree. You use the exact same source tree on AMD64, i386, in your case, ARM, and every other supported architecture.

That said, I'm not certain if MAC is actually supported on ARM. I would guess it is but it may not be enabled by default (to keep things to a minimum for embedded systems).
 