7.2 Mandatory access control (MAC)

Mandatory access control (MAC) is one of the main components of Ironclad's security. It does not necessarily help prevent a breach, but, when configured correctly, it can greatly limit the consequences of one.

MAC in Ironclad consists of a set of settings inherited from parent processes by their children. These settings come in two forms: capabilities and file filters.

Capabilities are a set of coarse permissions that restrict what a process can and cannot do. Changes to capabilities may only ever make them more restrictive: a process can drop capabilities, but never escalate them. They are configured using mac_capabilities.

The available capabilities are:

MAC_CAP_SCHED

The process will be allowed to change its own scheduling rules, such as modifying deadlines.

MAC_CAP_SPAWN

The process will be allowed to spawn other processes and threads.

MAC_CAP_ENTROPY

The process will have unrestricted access to the kernel's entropy sources. This does not cover the UNIX-standard random/urandom.

MAC_CAP_SYS_MEM

The process will be able to allocate and deallocate both private and shared memory regions.

MAC_CAP_USE_NET

The process will be able to use networking.

MAC_CAP_SYS_NET

The process will be able to modify networking settings, such as changing the hostname.

MAC_CAP_SYS_MNT

The process will be able to modify, add, and remove mountpoints.

MAC_CAP_SYS_PWR

The process will be able to modify power settings, as well as perform actions like shutdown and reboot.

MAC_CAP_PTRACE

The process will be able to use ptrace on its child processes.

MAC_CAP_SETUID

The process will be able to change its effective and global UIDs without checks.

MAC_CAP_SYS_MAC

The process will be able to add allowed inodes to the MAC definitions and modify hard limits for system resources.

MAC_CAP_CLOCK

The process will be able to use clock syscalls such as clock or clock_nanosleep, as well as set the time of clocks that support it. This capability exists because reading clock time can sometimes be used as a way to coordinate attacks.

MAC_CAP_SIGNALALL

By default, a process must share its user with another process in order to kill it or send it a signal. This capability allows sending signals to all processes, regardless of the user issuing them.

MAC_CAP_SETGID

The process will be able to change its effective and global GIDs without checks.

MAC_CAP_IPC

The process will be able to bypass UID/GID and mode checks when interacting with System V-style IPC objects, such as those created with shmget.

File filters consist of permissions granted to specific paths and files which, like capabilities, are inherited from parent to child processes. Access to inodes and devices is granted using add_mac_permissions.

The action taken on MAC violations can be set with set_mac_enforcement. Possible values include denying the request, killing the offending process outright, or denying the request and additionally logging the event.

Once booted, MAC is enabled with every capability granted and full access to all inodes and devices. It is up to userland to restrict access further, and those restrictions trickle down to child processes. File access enforcement kicks in only once the first filter is added with add_mac_permissions.
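The rules above (capabilities can only be dropped, children inherit the parent's state, file enforcement starts with the first filter, and the three enforcement actions) are modelled in the following Python, an illustration added for this page and not Ironclad's code or API. The capability bit values, the Process class and its method names are assumptions of the model; the real interfaces are mac_capabilities, add_mac_permissions and set_mac_enforcement.

```python
from dataclasses import dataclass, field
from enum import Enum, IntFlag
from functools import reduce
import operator

# Capability names are the page's; the bit values are assigned by this model.
Cap = IntFlag("Cap", "MAC_CAP_SCHED MAC_CAP_SPAWN MAC_CAP_ENTROPY MAC_CAP_SYS_MEM "
              "MAC_CAP_USE_NET MAC_CAP_SYS_NET MAC_CAP_SYS_MNT MAC_CAP_SYS_PWR "
              "MAC_CAP_PTRACE MAC_CAP_SETUID MAC_CAP_SYS_MAC MAC_CAP_CLOCK "
              "MAC_CAP_SIGNALALL MAC_CAP_SETGID MAC_CAP_IPC")
ALL_CAPS = reduce(operator.or_, Cap)  # what the first process holds after boot
Enforcement = Enum("Enforcement", "DENY KILL DENY_AND_LOG")  # set_mac_enforcement's actions


@dataclass
class Process:
    pid: int
    caps: Cap = ALL_CAPS
    filters: dict = field(default_factory=dict)  # path -> allowed operations
    enforcement: Enforcement = Enforcement.DENY
    alive: bool = True
    log: list = field(default_factory=list)

    def _violation(self, what):  # apply the configured action; the request always fails
        if self.enforcement is Enforcement.KILL:
            self.alive = False
        elif self.enforcement is Enforcement.DENY_AND_LOG:
            self.log.append(f"pid {self.pid}: {what}")
        return False

    def set_capabilities(self, new):
        # Only restriction is allowed: any bit not already held is an escalation.
        if new & ~self.caps:
            return self._violation(f"capability escalation to {new!r}")
        self.caps = new
        return True

    def add_mac_permission(self, path, ops):
        # The first filter switches file enforcement on; until then access is open.
        self.filters[path] = frozenset(ops)

    def check_file(self, path, op):
        if not self.filters:
            return True
        return op in self.filters.get(path, ()) or self._violation(f"{op} {path}")

    def spawn(self, pid):
        # A child starts with a copy of the parent's caps, filters and enforcement.
        if Cap.MAC_CAP_SPAWN not in self.caps:
            return self._violation("spawn without MAC_CAP_SPAWN") or None
        return Process(pid, self.caps, dict(self.filters), self.enforcement)
```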