Who's going to talk about process tags? Welcome. Hello. Thank you to the organizers of the security room first, because they accepted my talk. Thank you to you for being here. So I will speak about ptags, that's for process tags, so it's a code name, process tags. It's currently implemented as a module in the kernel, but it's not in the kernel because it's not in the kernel tree. So it's a Linux security module-based system. It benefits from the stacking facility that has been implemented in the kernel since Linux kernel 4.1, thanks to Casey Schaufler, who is the author of the Smack security module. It allows stacking several Linux security modules, and it's an ongoing effort that is still continuing... The idea is just a dream, to be able to allow, at the same time, SELinux, AppArmor, Tomoyo and Smack. So we'll see.

So why tag? That's the question, but I think that you see at the top the dishes here are not tagged, so it's a shame because you cannot say if it's the fish soup that you like or this fucking bloody corned beef that you dislike. Currently, kernel processes are tagged. Any process is tagged. That's the way it works: SELinux, Smack and some others. So currently it already exists, but you cannot do it on your own for your user-space use. So that's the idea.

How it works. Currently, there are two files per task. This one that is in /proc/PID of the main process, and it's here, that's for the attributes. That's where you will find security attributes; be aware it will change soon. And here is a pseudo file, ptags, that allows you to converse with the module. So you can read it, you can write it, and it responds to inotify, which is a very cool thing. So, our ptags. ptags are just strings, you know. The string cannot contain a newline character. So these are just strings without control characters. You can insert spaces, but no tabs. So no confusion: if you see a space, it's a space, not a tab. And it's a field structure separated by colons. Okay?
Then how to use it? For example, you can just use your shell to show the content of the ptags. So it just shows you the tags of the process, one per line. You can wrap it. There is also a kind of query language. So you can write to this same file. You can write this. It means: do you have this? And the answer is yes. And do you have this? And the answer is no. That's really simple. Okay? It also provides a kind of wildcard query. So this is structured as a hierarchy. Currently, you can add tags using this kind of query language. So just a plus. Plus this tag, okay? Plus this tag, and at the end, you get the process tagged. Okay? Oh yes, a side note: tags are returned not sorted. That's cool. Thank you. Okay.

Another aspect is that tags can have a value. So here, you say: give the value 'simple' to the 'test' tag. But the tag has to exist before. Okay? So you can remove the value of a tag. That is not exactly the same as setting the value equal to nothing. Because the value equal to nothing is the value nothing. But not having a value is not having the value nothing. Okay? Seems reasonable. And you can also remove tags. That's cool. This kind of query language is very easy to learn. Okay? So remove 'test' and remove 'omiter'. At the end, it's removed.

Now forking, executing. When you fork, the process keeps its tags. So the child process has the same tags as the parent process. When you exec, the tags that do not have the keep flag, which is shown here as a hat sign... the tags that do not have the keep flag are removed. And only the tags that must be kept are kept. That's cool. And efficient.

So now let's go into how it works. You have to do something with keep flags. So here is nothing. Here is a tag. And the tag with the keep flag. So the rows here are not so complicated, but I will not go into that. So what is important is to know that you can set the keep flag, remove the keep flag, create the tag. It's logical. Okay? Nothing really extraordinary. It works.
Now about the star, that is the pattern. You are matching something. It also works for removing. But also here, that is special for adding the keep flag. Okay.

We are in the security room and we have not talked about security so far. So why is it here in the security room? It's because this is related to processes. So you want to tag the process. For what reason? I don't know. But if anyone can do that, it's just a nightmare. So there are rules that tell you what you can do. So the rules are very easy. If you are a kernel process or a kernel thread, you can do anything that you want. But it's not intended to be used by kernel processes or kernel threads. It's unrelated. There is no internal API. It's only user-space tagging. So you should have the capability of administrating mandatory access control. Maybe someone will say, okay, can we create a new capability? No. I used what existed. So there is a way of dealing without capabilities, which is to use the prefix 'ptags' on tags. So if a process has a special tag, that means starting with 'ptags', it can add. It can sub. It can set. It can also manage other processes. So these are the basic actions that you can perform: adding a tag, removing a tag, setting the value of a tag, changing the tags of another process. So here are some examples. It means, okay, this one can remove any tag of itself. And it cannot remove the tags starting with 'ptags'. That's another security aspect: to remove tags with 'ptags', you must have this. Oh, no, it's not here. It's here, because here I also explained it. You must have this kind of tag telling that you can add 'ptags'. It's a security. It's a kind of prefix language, not so hard to understand, but efficient.

So here are examples of use cases, the launcher use case. Okay, the launcher here has some tags that allow it to create new tags for the launched process.
Then it drops its privileges and at the end it execs the processes it has to launch, and the process is now tagged with what the launcher expects to give. Here it has to pass because, in fact, you know, it's not mandatory to use this to remove the privilege, but you have to have the privilege before. So the issue with a launcher is to be privileged and to remove and drop its privilege. So that's an issue with the launcher use case.

It was designed at first to give permissions to clients. So the client has a tag. The tag is a kind of permission. The server can query what the permission is. Does this process have this tag? Yes, okay, I will process. There is, for example, the identity use case. This client queries an identity from a server. This server gives the identity to the client. The client does something, forks, execs, et cetera. Any process it created has the identity negotiated here. The monitor use case can be to tag processes, all these ones. And also here, 34%, it's not a good value. I have to monitor it. And many more use cases. That's open to your imagination. Okay.

It handles namespaces because I had a discussion with Sergey about it. And it seems to be a very good idea to have namespaces. So it's already in. When you create a user namespace, you get the user ID zero and all the capabilities and you can redesign all your system. But at the ground, it's managed. Okay.

Some issues. So the latest version of the kernel does not allow any more writing this kind of files. So there was a very interesting debate on the mailing list. Also, the files in this pseudo file system are restricted in use. So you cannot write so many things; it's limited in size, et cetera. So another critique is that the PID can be faked. Okay. Currently, the threads are like processes. So they receive a new identity and there will be... They can have different tags. It's not a good idea. I think we have to manage the threads of the same process into a same space of tags.
And there was also: we have to shift from the cred structure to the task structure. But it's an ongoing effort inside the kernel and the security module. That's also carried by the writer of Tomoyo. I don't remember his name. Okay. So the next version will use something that I'm developing, which is the process unique identifier, with its file system that will not be restricted. There will be a new get capabilities and we will share the same tags for all threads of a process. So it's available. Currently, there is a user library that you can find here that integrates the query language, et cetera. It's a facility. The .h file is here. So it's easy to read, and the description is here. You can see it. If you want to check it and use it in your project, there already exist layers for Yocto. And if you have questions, you can ask me. That's all. I already uploaded the slides and it's up to you. Thank you.

Thank you, José. And we have time for questions. Anyone, raise your hand.

Thanks. You said that you can fake a PID. How do you do that?

I never did that. And people tell me, not for the first time, that you can fake it. And it's true, because you can make a process sleep, create processes until you get the right PID, and wake up the process, and the process just awakes and says, okay, that's you. No, no. It's not him.

Okay, so you're talking about the kernel space, when you dequeue your process from the PID list, but not from the shadow queue, right?

Can you repeat, because I have a... Do you talk about the queues in the kernel?

When you can remove the process from the process list, but not from the kernel queue where the processes are scheduled. It's about removing some of the process structure.

I didn't check this part. Okay. Thank you for pointing this out.

Okay, thanks. More questions?

So would there be an automated way to notify me if my Firefox or my mail server spawns a shell or something like that?
Yeah, let's say, okay, I have these tags and then some process pops up which shouldn't have a tag from a privileged process. Would this be possible with this framework?

I really don't understand the question. Sorry.

Let's say someone exploited my server and then he says, okay, I may open a netcat reverse shell. And I want to see this automatically. So could I say, okay, there's a new process, a netcat process or any other binary, and it makes an internet connection, and I see, okay, this shouldn't be opened by my Postfix.

Currently, it has to be implemented. I don't know if it is the good framework for doing this thing. But if it is a good framework, you know, it's a mediation. So the tag is a kind of telling to the process that will allow or not the connection, whether the client has the right or not. Maybe, but I don't think it's really the good framework.

Okay, thanks. We have another question up here.

So can you talk about some interesting use case that you do have in mind? So what's some real-world application that you have?

Okay. For me, I came here... That's not the first time that I'm here in the security room. Two years ago I spoke about a launcher, a secure launcher. So the secure launcher was my primary concern. It was a study, research. So it has here, here is the process of the launcher. Okay. You give some permission to a process and it will follow the process and its children. And there is, I don't see another way of doing that. So what I presented two years ago was a use of FUSE. I used a FUSE file system to mimic the /proc/PID file system to do that thing. It was a little bit different because I used file names and directory entries. Okay. So here is currently the use that I had. And I'm still thinking about that. Will it be used this way or not? But in fact, for me it was more interesting to have such a framework, such a tool, because it's more than just that. It can be more.
And on the Linux mailing list, Casey Schaufler proposed to use it, for example, to store... Also he spoke about the monitoring use case. It's a monitor use case where some processes are still monitoring the system and get advertising from aliases, et cetera. And so check this one, maybe this one, no, et cetera. And at the end can give values. It may have values on a long-term system. Thank you.

Thank you. More questions? Raise your hand.

Okay. So this might be a newbie question, but I know systemd and SELinux use tagging, basically tag the process. What I don't understand is, is this the same system, or is it built, is it basically a set of a language on top of it? Like, I don't understand the difference between the tagging in systemd and SELinux and this. Thank you.

Yeah. SELinux uses a tag, its tag, that's the process tag that you can read at... Okay. Here, for a process, you replace your 'ptags' with 'current' and you get the identity of the process from the SELinux point of view. Okay. It may change in the future, but currently it is 'current'. Okay. That's the same for Smack. So it's a tag that is attached to processes and the task structure by the Linux security module framework. So it's attached to the credentials and it's dedicated to SELinux. So it's internal; it's made inside and used inside. It checks any file access, any IPC; anything is checked against this tag. That is the security tag. Okay. Here, we are speaking of something that you can use at the user level. It's not dedicated to SELinux.
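The tag semantics walked through in the talk (tags as single-line, colon-separated strings; a value versus no value at all; the keep flag deciding what survives exec; fork copying everything; wildcard queries; and the launcher and server-side permission check use cases), as an added in-memory model written for this transcript. It is not the ptags module, its user library, or the speaker's code. The request syntax it accepts ('+', '-', '^', '?', '=', '*', and '~' for clearing a value) is an assumption modelled on the talk's description, the tag names 'ptags:other', 'perm:net:client' and 'tmp:scratch' are constructed for the example, and the capability and 'ptags'-prefix permission rules are not modelled.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Tag:
    # None means "no value", which the talk distinguishes from the empty value ""
    value: Optional[str] = None
    # tags flagged "keep" survive exec; all others are dropped
    keep: bool = False


class ProcessTags:
    """Constructed stand-in for one process's /proc/PID/ptags file."""

    def __init__(self, tags: Optional[Dict[str, Tag]] = None):
        self.tags: Dict[str, Tag] = {
            name: Tag(t.value, t.keep) for name, t in (tags or {}).items()
        }

    def read(self) -> List[str]:
        """What `cat /proc/PID/ptags` shows: one tag per line, not sorted."""
        lines = []
        for name, t in self.tags.items():
            line = ("^" if t.keep else "") + name
            if t.value is not None:
                line += "=" + t.value
            lines.append(line)
        return lines

    def _matching(self, pattern: str) -> List[str]:
        # '*' is the wildcard from the talk; names are colon-separated fields
        return [n for n in self.tags if fnmatch.fnmatchcase(n, pattern)]

    def write(self, line: str) -> bool:
        """Apply one request line (assumed syntax); True means success or 'yes'."""
        if not line or "\n" in line or "\t" in line:
            raise ValueError("tags are single-line strings without control characters")
        op, rest = line[0], line[1:]
        if op == "?":                       # presence query, wildcard allowed
            return bool(self._matching(rest))
        if op == "+":
            if rest.startswith("^"):        # '+^name' sets the keep flag (creates if missing)
                name = rest[1:]
                names = self._matching(name) if "*" in name else [name]
                for n in names:
                    self.tags.setdefault(n, Tag()).keep = True
                return True
            self.tags.setdefault(rest, Tag())  # plain add: no value, no keep flag
            return True
        if op == "-":
            if rest.startswith("^"):        # '-^name' clears the keep flag only
                for n in self._matching(rest[1:]):
                    self.tags[n].keep = False
                return True
            for n in self._matching(rest):  # '-name' or '-prefix:*' removes tags
                del self.tags[n]
            return True
        if op == "~":                       # '~name' drops the value, keeps the tag
            if rest not in self.tags:
                return False
            self.tags[rest].value = None
            return True
        name, sep, value = line.partition("=")
        if sep:                             # 'name=value': the tag must already exist
            if name not in self.tags:
                return False
            self.tags[name].value = value   # 'name=' stores "", which is still a value
            return True
        raise ValueError("unknown request: %r" % line)

    def fork(self) -> "ProcessTags":
        """fork(): the child gets a copy of every tag, values and flags included."""
        return ProcessTags(self.tags)

    def exec(self) -> None:
        """exec(): only tags carrying the keep flag survive."""
        self.tags = {n: t for n, t in self.tags.items() if t.keep}


def launcher_scenario() -> Tuple[List[str], bool, bool]:
    """Launcher use case: a privileged launcher tags the service it spawns."""
    launcher = ProcessTags()
    launcher.write("+ptags:other")          # constructed: launcher's own privilege tag
    launcher.write("+^perm:net:client")     # keep-flagged: meant for the launched program
    launcher.write("+tmp:scratch")          # unflagged: must vanish at exec
    child = launcher.fork()
    child.exec()                            # drop privilege and exec the service
    granted = child.write("?perm:net:*")    # the server's permission check on the client
    leaked = child.write("?ptags:*") or child.write("?tmp:*")
    return child.read(), granted, leaked


def value_scenario() -> Tuple[List[str], List[str], List[str]]:
    """Value set, empty value, and no value are three different states."""
    p = ProcessTags()
    p.write("+test")
    p.write("test=simple")
    with_value = p.read()                   # ['test=simple']
    p.write("test=")
    empty_value = p.read()                  # ['test=']  (the value nothing)
    p.write("~test")
    no_value = p.read()                     # ['test']   (no value at all)
    return with_value, empty_value, no_value


if __name__ == "__main__":
    print(launcher_scenario())
    print(value_scenario())
```

Against the real module the same lines would be written to /proc/PID/ptags and the result read back from it; the model only makes the talk's fork/exec and value rules checkable offline, and a server that wants an inotify-driven view would watch the file rather than poll it as this model does.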