macOS MACF
Basic Information
MACF inamaanisha Mandatory Access Control Framework, ambayo ni mfumo wa usalama uliojengwa ndani ya mfumo wa uendeshaji kusaidia kulinda kompyuta yako. Inafanya kazi kwa kuweka kanuni kali kuhusu nani au nini kinaweza kufikia sehemu fulani za mfumo, kama vile faili, programu, na rasilimali za mfumo. Kwa kutekeleza kanuni hizi kiotomatiki, MACF inahakikisha kwamba ni watumiaji na michakato walioidhinishwa pekee wanaweza kufanya vitendo maalum, kupunguza hatari ya ufikiaji usioidhinishwa au shughuli mbaya.
Kumbuka kwamba MACF haifanyi maamuzi yoyote kwani inachukua tu hatua za vitendo, inawaachia maamuzi moduli za sera (kernel extensions) inazopiga simu kama AppleMobileFileIntegrity.kext
, Quarantine.kext
, Sandbox.kext
, TMSafetyNet.kext
na mcxalr.kext
.
Flow
Mchakato unafanya syscall/mach trap
Kazi husika inaitwa ndani ya kernel
Kazi inaita MACF
MACF inakagua moduli za sera ambazo zilitaka kuunganisha kazi hiyo katika sera zao
MACF inaita sera husika
Sera zinaonyesha kama zinaruhusu au kukataa hatua hiyo
Apple ndiye pekee anayeweza kutumia KPI ya MAC Framework.
Labels
MACF inatumia labels ambazo sera zitakazokagua kama zinapaswa kutoa ufikiaji fulani au la. Kanuni ya kutangaza muundo wa labels inaweza kupatikana hapa, ambayo inatumika ndani ya struct ucred
hapa katika sehemu ya cr_label
. Label ina bendera na nambari ya slots ambazo zinaweza kutumika na sera za MACF kutoa viashiria. Kwa mfano, Sanbox itakuwa na kiashiria cha wasifu wa kontena.
MACF Policies
Sera ya MACF inafafanua kanuni na masharti yanayopaswa kutumika katika operesheni fulani za kernel.
Kupanua kernel kunaweza kuunda muundo wa mac_policy_conf
na kisha kujiandikisha kwa kuita mac_policy_register
. Kutoka hapa:
It's easy to identify the kernel extensions configuring these policies by checking calls to mac_policy_register
. Moreover, checking the disassemble of the extension it's also possible to find the used mac_policy_conf
struct.
Note that MACF policies can be registered and unregistered also dynamically.
One of the main fields of the mac_policy_conf
is the mpc_ops
. This field specifies which operations the policy is interested in. Note that there are hundreds of them, so it's possible to zero all of them and then select just the ones the policy is interested in. From here:
Ni rahisi kubaini nyongeza za kernel zinazokamilisha sera hizi kwa kuangalia simu za mac_policy_register
. Zaidi ya hayo, kuangalia disassemble ya nyongeza pia inawezekana kupata mac_policy_conf
struct inayotumika.
Kumbuka kwamba sera za MACF zinaweza kuandikishwa na kufutwa pia kikamilifu.
Moja ya maeneo makuu ya mac_policy_conf
ni mpc_ops
. Sehemu hii inaelezea ni shughuli zipi sera inazovutiwa nazo. Kumbuka kwamba kuna mamia yao, hivyo inawezekana kuweka sifuri kwa zote na kisha kuchagua zile tu ambazo sera inavutiwa nazo. Kutoka hapa:
Almost all the hooks will be called back by MACF when one of those operations are intercepted. However, mpo_policy_*
hooks are an exception because mpo_hook_policy_init()
is a callback called upon registration (so after mac_policy_register()
) and mpo_hook_policy_initbsd()
is called during late registration once the BSD subsystem has initialised properly.
Moreover, the mpo_policy_syscall
hook can be registered by any kext to expose a private ioctl style call interface. Then, a user client will be able to call mac_syscall
(#381) specifying as parameters the policy name with an integer code and optional arguments.
For example, the Sandbox.kext
uses this a lot.
Checking the kext's __DATA.__const*
is possible to identify the mac_policy_ops
structure used when registering the policy. It's possible to find it because its pointer is at an offset inside mpo_policy_conf
and also because the amount of NULL pointers that will be in that area.
Moreover, it's also possible to get the list of kexts that have configured a policy by dumping from memory the struct _mac_policy_list
which is updated with every policy that is registered.
MACF Initialization
MACF is initialised very soon. It's set up in XNU's bootstrap_thread
: after ipc_bootstrap
a call to mac_policy_init()
which initializes the mac_policy_list
and moments later mac_policy_initmach()
is called. Among other things, this function will get all the Apple kexts with the AppleSecurityExtension
key in their Info.plist like ALF.kext
, AppleMobileFileIntegrity.kext
, Quarantine.kext
, Sandbox.kext
and TMSafetyNet.kext
and loads them.
MACF Callouts
It's common to find callouts to MACF defined in code like: #if CONFIG_MAC
conditional blocks. Moreover, inside these blocks it's possible to find calls to mac_proc_check*
which calls MACF to check for permissions to perform certain actions. Moreover, the format of the MACF callouts is: mac_<object>_<opType>_opName
.
The object is one of the following: bpfdesc
, cred
, file
, proc
, vnode
, mount
, devfs
, ifnet
, inpcb
, mbuf
, ipq
, pipe
, sysv[msg/msq/shm/sem]
, posix[shm/sem]
, socket
, kext
.
The opType
is usually check which will be used to allow or deny the action. However, it's also possible to find notify
, which will allow the kext to react to the given action.
You can find an example in https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern_mman.c#L621:
Then, it's possible to find the code of mac_file_check_mmap
in https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac_file.c#L174
Ambayo inaita MAC_CHECK
macro, ambayo msimbo wake unaweza kupatikana katika https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac_internal.h#L261
Ambayo itapitia sera zote za mac zilizorekodiwa ikitumia kazi zao na kuhifadhi matokeo ndani ya mabadiliko ya makosa, ambayo yanaweza kubadilishwa tu na mac_error_select
kwa nambari za mafanikio hivyo ikiwa ukaguzi wowote unashindwa ukaguzi mzima utashindwa na hatua haitaruhusiwa.
Hata hivyo, kumbuka kwamba si kila kito cha MACF kinatumika tu kukataa hatua. Kwa mfano, mac_priv_grant
inaita macro MAC_GRANT, ambayo itatoa kibali kilichohitajika ikiwa sera yoyote itajibu kwa 0:
priv_check & priv_grant
Hizi callas zinakusudia kuangalia na kutoa (mifumo ya) privileges zilizofafanuliwa katika bsd/sys/priv.h.
Baadhi ya msimbo wa kernel utaita priv_check_cred()
kutoka bsd/kern/kern_priv.c kwa kutumia KAuth credentials za mchakato na moja ya msimbo wa privileges ambayo itaita mac_priv_check
ili kuona kama sera yoyote inasitisha kutoa ile privilege na kisha inaita mac_priv_grant
ili kuona kama sera yoyote inatoa privilege
.
proc_check_syscall_unix
Hii hook inaruhusu kukamata simu zote za mfumo. Katika bsd/dev/[i386|arm]/systemcalls.c
inawezekana kuona kazi iliyoelezwa unix_syscall
, ambayo ina msimbo huu:
Ambayo itakagua katika mchakato unaoitwa bitmask ikiwa syscall ya sasa inapaswa kuita mac_proc_check_syscall_unix
. Hii ni kwa sababu syscalls zinaitwa mara nyingi sana kwamba ni muhimu kuepuka kuita mac_proc_check_syscall_unix
kila wakati.
Kumbuka kwamba kazi proc_set_syscall_filter_mask()
, ambayo huweka bitmask syscalls katika mchakato inaitwa na Sandbox kuweka masks kwenye michakato iliyowekwa kwenye sandbox.
Syscalls za MACF zilizofichuliwa
Inawezekana kuingiliana na MACF kupitia syscalls zingine zilizofafanuliwa katika security/mac.h:
References
Last updated