Mandatory Access Control

Mandatory access control (MAC) is a system-enforced method of restricting access to objects based on the sensitivity of the object and the clearance of the user; neither the owner of an object nor any other user can override the policy. By contrast, under discretionary access control (DAC) the owner of an object decides who may access it, for example through permission bits or ACLs, and can pass that access on to others.

Use of labels for MAC

Trusted AIX® uses a system of labels to enforce MAC. On a Trusted AIX system, every named object carries a sensitivity label (SL) that identifies its sensitivity level. Processes also have SLs. A process SL indicates which levels of sensitive information the process is allowed to access. In general, a process must have an SL equal to or greater than (that is, dominating) the SL of an object in order to read the object. SLs can therefore be used to make files read-only for some processes or to prevent regular users from accessing them at all.

All system objects such as files, IPC objects, network connections, and processes, have SLs. SLs are automatically placed on objects when the objects are created. All core dumps are considered objects and are automatically labeled by the system.

Objects that existed before Trusted AIX was installed are treated as carrying the default SYSTEM_LOW SL (SLSL) when they are accessed after installation. This default is not stored on the object; to label such an object persistently, run the settxattr command on it. Objects created after Trusted AIX installation receive the SL of the creating process.

Users and labels

The system assigns each user account a range of valid SLs, either by system default or by a user-specific setting, and the user can operate only within that range. A process or user can create files and directories only at the current SL of the process or user, and can read and write files only subject to the system-imposed MAC restrictions.

MAC enforcement

Mandatory access control is enforced whenever a process attempts to open a file system object, retrieve the attributes of a file system object, send a signal to a process, transfer data through a STREAM, or send or receive a packet through a network interface. Access to a file system object is granted only if both the MAC and the DAC criteria are met. When a user attempts to access a file, the MAC restrictions are checked first; only if they pass are the DAC restrictions, such as permission bits or ACLs, checked.

Access to a file system object is restricted not only by the SL of the object but also by the SL of the directory in which the object resides, because the process must be able to search the directory to reach the object. A file system object can therefore be protected at a different sensitivity level (the directory's SL) than its own SL. A file system object can have multiple names (links) located in one or more directories. Although each name (link) refers to the same object and thus to the same object SL, the effective protection of the various links may differ because the links reside in directories with different SLs.

The name of an object is stored in the directory where the object resides. Thus, any process with access to that directory is able to view the names of all objects in the directory. However, only processes with proper access may read from or write to one of the objects.

Listing and changing SLs

The SLs of objects and processes on the system can be viewed with the lstxattr command and modified with the settxattr command.

Only users with proper authorizations and processes with the proper privileges can change the SL of a file or process.

When using the settxattr command, the authorization required depends on the kind of object and the direction of the change. To change the SL of a file system object to a lower SL, the user needs the aix.mls.label.sl.downgrade authorization; to raise it, the user needs the aix.mls.label.sl.upgrade authorization. To raise the SL of a process, the user needs the aix.mls.proc.sl.upgrade authorization; to lower it, the user needs the aix.mls.proc.sl.downgrade authorization.

MAC on open file descriptors

For ordinary read and write access, MAC checks are performed when the process opens the file, not on each subsequent read or write. Once a process holds a file descriptor for a file, it can continue to read and write through that descriptor even if its SL is later changed to a level lower than the SL of the file. Some operations, however, such as setting the owner, permissions, labels, or privileges of a file, perform their own access checks at the time of the call even when invoked through an open descriptor.

In other words, neither the MAC checks nor partitioned-directory path resolution are repeated when a process accesses a file through a file descriptor it already holds. The SL of the file or of the process may change and the existing access is still permitted. A process that lowers its own SL therefore keeps any descriptors it already holds on higher-labelled files; if that is not intended, those descriptors should be closed before the SL is lowered.
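The following Python model, added here as an illustration and not Trusted AIX code, ties together the rules described above: label dominance ("equal to or greater"), the requirement to dominate every directory on the path as well as the object, the upgrade and downgrade authorizations named in the text, and the fact that an already-open descriptor survives a later change of the process SL. The label names, paths, file contents, and helper names (SL, Process, mac_open, mac_read, set_sl, demo) are constructed for the example, as is the rule that writing requires equal labels; the exact write policy and command syntax should be taken from the Trusted AIX documentation, not from this model.

```python
"""Model of sensitivity-label (SL) checks in the style of Trusted AIX MAC.

Added illustration: the label values, paths, data, and helper names below
are constructed for this example and are not Trusted AIX code or its API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SL:
    """A sensitivity label: a hierarchical level plus a set of categories."""
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other: "SL") -> bool:
        # "Equal to or greater": higher-or-equal level AND a superset of the
        # categories. Labels with disjoint categories are incomparable.
        return self.level >= other.level and self.cats >= other.cats


# Constructed labels for the example (names are illustrative).
SYSTEM_LOW = SL(0)
CONFIDENTIAL = SL(1)
SECRET = SL(2)
SECRET_PROJ = SL(2, frozenset({"PROJ"}))


@dataclass
class FSObject:
    sl: SL
    data: str = ""


class Process:
    def __init__(self, sl: SL, auths=()):
        self.sl = sl
        self.auths = set(auths)   # e.g. "aix.mls.label.sl.downgrade"
        self.fds = {}             # descriptor number -> FSObject
        self._next_fd = 3


# Constructed filesystem: every directory and file carries its own SL.
# /proj is labelled SECRET although /proj/README is SYSTEM_LOW.
FS = {
    "/": FSObject(SYSTEM_LOW),
    "/proj": FSObject(SECRET),
    "/proj/README": FSObject(SYSTEM_LOW, "public notes"),
    "/proj/plan": FSObject(SECRET_PROJ, "launch date"),
}


def parent_dirs(path: str) -> list:
    """Directories that must be searched to reach path, root first."""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def mac_open(proc: Process, path: str, mode: str = "r") -> int:
    """MAC check at open time: the process SL must dominate every directory
    on the path and the object itself. Returns a descriptor number."""
    for d in parent_dirs(path):
        if not proc.sl.dominates(FS[d].sl):
            raise PermissionError(f"MAC: {path}: directory {d} not dominated")
    obj = FS[path]
    if not proc.sl.dominates(obj.sl):
        raise PermissionError(f"MAC: {path}: object not dominated")
    # Model assumption: writing requires the process and object SLs to be
    # equal, so a dominating process gets read-only access to lower files.
    if "w" in mode and proc.sl != obj.sl:
        raise PermissionError(f"MAC: {path}: write requires equal SL")
    fd = proc._next_fd
    proc._next_fd += 1
    proc.fds[fd] = obj
    return fd


def mac_read(proc: Process, fd: int) -> str:
    # No MAC check here: the check happened at open, so the descriptor keeps
    # working even if the process SL has since been lowered.
    return proc.fds[fd].data


def set_sl(proc: Process, path: str, new_sl: SL) -> None:
    """Model of changing a file's SL: raising and lowering need different
    authorizations (names as given in the text above)."""
    obj = FS[path]
    if new_sl == obj.sl:
        return
    if obj.sl.dominates(new_sl):
        needed = {"aix.mls.label.sl.downgrade"}
    elif new_sl.dominates(obj.sl):
        needed = {"aix.mls.label.sl.upgrade"}
    else:  # incomparable labels: model assumption, require both
        needed = {"aix.mls.label.sl.downgrade", "aix.mls.label.sl.upgrade"}
    missing = needed - proc.auths
    if missing:
        raise PermissionError(f"settxattr: missing {sorted(missing)}")
    obj.sl = new_sl


def allowed(fn, *args) -> bool:
    """True if the operation succeeds, False if MAC or authorization denies it."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """The three situations discussed in the text, as concrete outcomes."""
    results = {}
    low = Process(CONFIDENTIAL)
    # The README is SYSTEM_LOW, but it lives in a SECRET directory.
    results["readme_via_secret_dir"] = allowed(mac_open, low, "/proj/README")
    high = Process(SECRET_PROJ)
    fd = mac_open(high, "/proj/plan")
    high.sl = CONFIDENTIAL            # process SL lowered after the open
    results["read_after_downgrade"] = mac_read(high, fd)
    results["reopen_after_downgrade"] = allowed(mac_open, high, "/proj/plan")
    return results
```

Running demo() shows the CONFIDENTIAL process denied on the SYSTEM_LOW README because it cannot search the SECRET directory, and the downgraded process still reading "launch date" through its old descriptor while a fresh open of the same file is refused.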