Supporting Astra Linux SE 1.5 security policies #1822

Open
dmazilov opened this issue Jun 6, 2016 · 1 comment
@dmazilov

dmazilov commented Jun 6, 2016

Hi!
I have an issue with starting a Rails app on Astra Linux Special Edition (Debian-like).
This OS has custom security policies on top of standard Linux and uses a custom PARSEC subsystem to set security labels and categories on users, the filesystem, sockets, processes, etc.

I tried to implement the needed behavior in Passenger, but I am missing something in the architecture design.
Below is a sketchy example of a network service that supports Astra Linux security policies. How can I implement this behavior in Passenger?
Which block of code should be in the agent's CoreMain, and which in the Apache module or the Spawner?
Because of the complex structure and the multiple sockets used for internal communication, should Linux/Parsec privileges be set on multiple (or all?) sockets?

My general purpose is to process each client request in a separate process with the security label of the client user, within the client user's context.

```c
#include <string.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <parsec/mac.h>
#include <parsec/parsec_integration.h>
#include <parsec/parsec_mac.h>
#include <pwd.h>

int main(void)
{
    int sock = 0;
    int clnt_sock = 0;
    const char *user = NULL; // client user name; the sketch does not show where it comes from
    socklen_t addr_len;
    struct sockaddr_in serv_addr, clnt_addr;
    pid_t child;
    memset(&serv_addr, 0, sizeof(serv_addr));
    memset(&clnt_addr, 0, sizeof(clnt_addr));
    addr_len = sizeof(clnt_addr);
    serv_addr.sin_port = htons(7777);

    //
    // Here the Linux and Parsec privileges for the MAIN process are set and checked using the Parsec library
    //

    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    // Create privileged socket
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        // error
        return 1;
    }
    // Bind privileged socket
    if (bind(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)))
    {
        // error
        return 1;
    }
    // Listen for client connections
    if (listen(sock, 5) < 0)
    {
        // error
        return 1;
    }
    // Accept a client connection on the privileged socket
    // (accept() returns -1 on error, so test for a negative value)
    if ((clnt_sock = accept(sock, (struct sockaddr *)&clnt_addr, &addr_len)) < 0)
    {
        // error
        return 1;
    }

    // Create a child process to handle the client request within the client-user context
    child = fork();
    if (child < 0)
    {
        // error
        return 1;
    }
    if (!child)
    {
        // Process security label
        parsec_mac_label_t mac_label;
        // For gid/uid
        struct passwd *pwd = NULL;

        //
        // Here the Linux and Parsec privileges for the CHILD process are set and checked using the Parsec library
        //

        // Get the security label for the current client process from the privileged socket using the Parsec library
        if (parsec_fstatmac(clnt_sock, &mac_label))
        {
            // error
            _exit(1);
        }

        // Set the security label for the current client process using the Parsec library
        if (parsec_setmac(0, &mac_label.mac) < 0)
        {
            // error
            _exit(1);
        }

        // Get the user's gid and uid
        pwd = user ? getpwnam(user) : NULL;
        if (!pwd)
        {
            // error
            _exit(1);
        }
        // Set gid and uid for the current client process
        if (setgid(pwd->pw_gid))
        {
            // error
            _exit(1);
        }
        if (setuid(pwd->pw_uid))
        {
            // error
            _exit(1);
        }

        //
        // Request processing goes here
        //
        _exit(0);
    }

    // Parent: the child owns the client connection now
    close(clnt_sock);
    return 0;
}
```

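The uid/gid step of the child branch in the sketch above, written as a checked helper that also resets supplementary groups and verifies the drop; this is an added example, not code from the issue or from Passenger. `drop_privileges` is a hypothetical name, and the PARSEC label step is left out (in the sketch it runs before the uid change, while the process is still privileged).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE      /* for setgroups() in <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch the calling process to uid/gid.
 * Returns 0 on success and -1 on failure; on failure the caller must
 * exit rather than serve the request with the wrong identity. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* (uid_t)-1 is the "leave unchanged" sentinel of the setre*id and
     * setres*id calls and is never a valid target, so refuse it. */
    if (uid == (uid_t)-1 || gid == (gid_t)-1)
        return -1;

    /* Supplementary groups are inherited across fork() and can only be
     * replaced while still privileged, so reset them first. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* Group before user: once the uid has changed, the process may no
     * longer be allowed to change its gid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Check the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* With an unprivileged target, getting root back must fail; success
     * here would mean a saved uid of 0 is still available. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: "drop" to the ids the process already has. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```
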
@FooBarWidget
Member

You may want to take a look at our architectural overview document: https://www.phusionpassenger.com/documentation/Design%20and%20Architecture.html

I'm not familiar with Astra Linux's security mechanism so I'm afraid I cannot help you further other than giving you some pointers on how Passenger works.

It may also help to read our SELinux security policy: https://github.com/phusion/passenger_rpm_automation/blob/master/specs/passenger/passenger.te
