secpolmonitor

Updated: April 19, 2023

Realtime monitoring of security events.

Syntax:

secpolmonitor [-acnprsuv] [-f name] [-i time] [-o file] [-S ability-name]

Runs on:

QNX Neutrino

Options:

-a
Monitor ability checks.
-c
Combine events from processes of the same name.
-f name
Only output events for processes of given name. May be used multiple times.
-i time
Re-report abilities used more than time seconds after process start.
-n
Include unnamed processes (i.e., events prior to the process having acquired a name).
-O
Show opens that fail security checks or file accesses that require either the iofunc/read or iofunc/exec ability.
-o file
Write output to file instead of stdout.
-p
Monitor path space attachments.
-r
Notify repeated ability checks, not just the first.
-S ability-name
Treat dynamic ability as having subranges.
-s
Log successful events rather than just failures.
-u
Show unregistered sigevents.

For more information, see sigevent and MsgRegisterEvent() in the C Library Reference and Events in the “Interprocess Communication (IPC)” chapter of the System Architecture guide.

-v
Verbose output.

Description:

secpolmonitor is a development time tool used to help investigate the privileges required for various operations. It outputs information to standard output about such things as ability tests and privileges associated with resmgr_attach() calls.

If you run secpolmonitor and then perform some operation, you can see the privilege checks triggered by the operation.

While secpolmonitor provides information that can be used to develop security policies, secpolgenerate is usually the better tool to use for this purpose.

See the Security Developers Guide for more information on security policies.

Example:

To run this example, start a system that has no policy installed. After the system boots, compile the following policy with the secpolcompile utility:

type default;
allow_attach default /...;
allow_link default /...;
type fs_t;
type fs_user_t;
type fs_nonuser_t;
allow_attach fs_t {
    /dev/fsF*
    /
    /fsFp0
};
allow fs_t self:ability {
      RSRCDBMGR
      IO
};
allow fs_t fs_t:channel connect;
allow fs_user_t fs_t:channel connect;
allow_link fs_nonuser_t /tmp/libc*;
allow fs_nonuser_t self:channel connect;
allow fs_nonuser_t self:ability io;
allow fs_user_t self:ability io;

The rules for default in this policy minimize its impact on other components and permit the secpolmonitor utility to be started and stopped. Place the binary policy in /proc/boot/secpol.bin so that the secpol and secpolmonitor utilities can find it.

Install the policy as follows:

secpolpush

Note: This example uses devf-ram, a service that can create and mount a file system.

Before continuing, run the secpolmonitor utility in another terminal. You can run it to show errors only:

secpolmonitor -ap

Or, run it to also show successful uses of abilities and path space changes:

secpolmonitor -aps

The first secpolmonitor command helps to debug problems and produces less output, while the second gives a better idea of all the things that are going on.

Start devf-ram using the wrong type (for example, fs_user_t):

on -T fs_user_t devf-ram -i15

It fails:

unable to attach mounter: Operation not permitted

The following secpolmonitor output indicates that devf-ram is missing the path space ability:

error: sbin/devf-ram (pid:2670618) type fs_user_t lacks ability 
       PATHSPACE as root

However, it is not enough to give the process these abilities. Try the command again with the type fs_nonuser_t (which does have io and pathspace abilities):

on -T fs_nonuser_t devf-ram -i15

The output from on is:

unable to attach mounter: Permission denied

The secpolmonitor output indicates why:

error: sbin/devf-ram (pid:2773018) of type fs_nonuser_t failed to attach
       to path /: no rule

To start up devf-ram successfully, use the fs_t type and follow up by running flashctl to initialize and mount its file system:

on -T fs_t devf-ram -i15
on -T fs_t flashctl -p /dev/fsFp0 -e -f -m

Run secpolmonitor with the -s option (to show non-error events). The output shows some of the abilities it has used as well as the path space changes that have occurred:

info: sbin/devf-ram (pid:2809882) type fs_t uses ability IO as root 
info: sbin/devf-ram (pid:2809882) type fs_t uses ability PUBLIC_CHANNEL 
      as root 
info: sbin/devf-ram (pid:2809882) type fs_t uses ability PATHSPACE 
      as root 
info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to 
      path /dev/fsF 
info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to 
      path /fsFp0 
info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to 
      path /dev/fsFp0

Now, try to use the file system with fs_nonuser_t:

on -T fs_nonuser_t touch /fsFp0/file

The output from on is:

/fsFp0/file: Operation not permitted

The following secpolmonitor output indicates why:

error: usr/bin/touch (pid:2936859) type fs_nonuser_t lacks ability  
       CHANNEL_CONNECT(1) (fs_t) as root

Try it again, but with the fs_user_t type:

on -T fs_user_t touch /fsFp0/file

It succeeds. The secpolmonitor utility shows the following successful use of the channel_connect ability:

info: usr/bin/touch (pid:2949147) type fs_user_t uses ability  
      CHANNEL_CONNECT(1) (fs_t) as root 

If type fs_nonuser_t tries to create procmgr symbolic links, the following on commands succeed (or fail) depending on the path for the symbolic link. For example:

on -T fs_nonuser_t ln -sPf /proc/boot/libc.so.5 /tmp/libc.so.5
on -T fs_nonuser_t ln -sPf /proc/boot/libc.so.5 /tmp/notlibc.so.5

The output from on is:

ln: unable to link. (/proc/boot/libc.so.5 or /tmp/notlibc.so.5): 
                    Permission denied

The secpolmonitor utility shows the following for the two commands:

info: proc/boot/ln (pid:2961435) of type fs_nonuser_t created link to 
       path /tmp/libc.so.5 
error: proc/boot/ln (pid:2973723) of type fs_nonuser_t failed to  
       attach to path /tmp/notlibc.so.5: no rule
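As an added illustration (not part of the QNX documentation or of the secpolmonitor tool), the following Python maps the error lines shown above to the kind of policy rule this example's policy grants; it assumes the exact line shapes printed on this page (rejoined onto single lines) and is only a reading aid, since secpolgenerate remains the supported way to produce a policy.

```python
import re

# Regexes follow the secpolmonitor line shapes shown on this page (unwrapped).
# "(1)" after CHANNEL_CONNECT is the dynamic-ability subrange; "(fs_t)" is the target type.
LACKS_RE = re.compile(
    r"^error: (?P<exe>\S+) \(pid:(?P<pid>\d+)\) type (?P<type>\S+) "
    r"lacks ability (?P<ability>[A-Z_]+)(?:\(\d+\))?(?: \((?P<target>\S+)\))? as (?P<user>\S+)$"
)
ATTACH_RE = re.compile(
    r"^error: (?P<exe>\S+) \(pid:(?P<pid>\d+)\) of type (?P<type>\S+) "
    r"failed to attach to path (?P<path>\S+): no rule$"
)


def suggest_rule(line):
    """Return the policy rule that would satisfy one secpolmonitor error line, or None."""
    m = LACKS_RE.match(line.strip())
    if m:
        ability = m.group("ability").lower()
        if ability == "channel_connect" and m.group("target"):
            # A connect to another type's channel is granted on that type, not as a self ability.
            return f"allow {m.group('type')} {m.group('target')}:channel connect;"
        return f"allow {m.group('type')} self:ability {ability};"
    m = ATTACH_RE.match(line.strip())
    if m:
        # Refused procmgr symlinks are reported as attach failures too (see the ln example),
        # so the reviewer must decide between allow_attach and allow_link.
        return f"allow_attach {m.group('type')} {m.group('path')};"
    return None  # info lines and anything unrecognised produce no suggestion


def suggest_rules(lines):
    """Deduplicated rule suggestions, in first-seen order, for a whole monitoring session."""
    rules = []
    for line in lines:
        rule = suggest_rule(line)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


# Constructed sample session: the error lines from this page, unwrapped, one repeated.
SAMPLE = [
    "info: sbin/devf-ram (pid:2809882) type fs_t uses ability IO as root",
    "error: sbin/devf-ram (pid:2670618) type fs_user_t lacks ability PATHSPACE as root",
    "error: sbin/devf-ram (pid:2773018) of type fs_nonuser_t failed to attach to path /: no rule",
    "error: usr/bin/touch (pid:2936859) type fs_nonuser_t lacks ability CHANNEL_CONNECT(1) (fs_t) as root",
    "error: usr/bin/touch (pid:2936859) type fs_nonuser_t lacks ability CHANNEL_CONNECT(1) (fs_t) as root",
]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE):
        print(rule)
```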