| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <587c9d63-bd39-5781-a7b6-6add2f63c72e@schaufler-ca.com> Date: Fri, 24 Jun 2016 16:26:17 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Paul Moore <paul@...l-moore.com>, Kees Cook <keescook@...omium.org> Cc: LSM <linux-security-module@...r.kernel.org>, James Morris <jmorris@...ei.org>, John Johansen <john.johansen@...onical.com>, Stephen Smalley <sds@...ho.nsa.gov>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, LKLM <linux-kernel@...r.kernel.org> Subject: [PATCH v5 0/3] LSM: security module information improvements Subject: [PATCH v5 0/3] LSM: security module information improvements Changes from v4: Use kasprintf instead of kzalloc() ... sprintf in more places. More in the documentation. Separate module information in contexts with ",". (not yet visible) Changes from v3: Use kasprintf instead of kzalloc() ... sprintf. Create interfaces that make it possible to deal with process attributes in the face of multiple "major" security modules. Patch 1/3 adds /sys/kernel/security/lsm, which provides a list of the active security modules on the system. $ cat /sys/kernel/security/lsm capability,yama,loadpin,smack Patch 2/3 adds a subdirectory in /proc/.../attr for each security module that exports process attribute data. This allows a program in easily differentiate between the "current" value for Smack and AppArmor. $ cat /proc/self/attr/smack/current System $ cat /proc/self/attr/apparmor/current unconfined Patch 3/3 adds an interface that provides module identified information that otherwise matches the "current" attr. This allows a system with multiple modules to provide the complete security "context" in one place. A (future) system with both Smack and AppArmor might report: $ cat /proc/self/attr/context smack='System',apparmor='unconfined' Signed-off-by: Casey Schaufler <casey@...aufler-ca.com> --- Documentation/security/LSM.txt | 34 ++++++-- fs/proc/base.c | 95 +++++++++++++++++++--- fs/proc/internal.h | 1 + include/linux/lsm_hooks.h | 12 +-- include/linux/security.h | 15 ++-- security/apparmor/lsm.c | 38 +++++++-- security/commoncap.c | 3 +- security/inode.c | 26 +++++- security/loadpin/loadpin.c | 2 +- security/security.c | 177 ++++++++++++++++++++++++++++++++++++++++- security/selinux/hooks.c | 22 ++++- security/smack/smack_lsm.c | 22 ++--- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 2 +- 14 files changed, 395 insertions(+), 56 deletions(-)
Powered by blists - more mailing lists