| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Nov 2016 10:33:16 +0100 From: jobol@...adev.net To: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Cc: José Bollo <jobol@...adev.net> Subject: [RFC 0/1] LSM ptags: Secure tagging of processes From: José Bollo <jobol@...adev.net> RELEASE NOTE ============ New version rebased on 4.9-rc6 Q: is there an interest in protection of values with "ptags:..:get" ? WHAT IS THE LSM PTAGS? ====================== The Linux Security Module ptags manages for each process a list of tags that can be empty. Values can be attached to tags. This tag list is accessed through the new files /proc/PID/attr/ptags and /proc/PID/tasks/TID/attr/ptags below named "ptags file". Except for few special tags, the meaning of the tag is free. Tags are structured in fields separated by : (colon) with available semantic of prefixing field(s). The list of tags is copied (this is not shared) during 'clone'. The list of tags is filtered during 'execve' to keep only expected tags. Tagging is compatible with the use of other LSM like Smack, AppAmor, SELinux, ... Tagging is compatible with user namespaces and pid namespaces. WHY IS IT USEFUL? ================= Tagging processes serves multiple purposes that can be mixed due the the prefix policy of tags: - provide basis for managing in userland permissions, privileges or capabilities (3 words for same concept) of processes - provide ability to attach cookies to processes The primary goal is to implement a user-land permission mechanism. With that intention, the tagging feature is used to record the list of the permissions granted to a process. Any service that requires that their client must have a permission can check the list to accept or refuse to serve. WHY IS IT SECURE? ================= By default: - processes can NOT remove any of its tags - processes can NOT add any tag to itself - processes can NOT set value to any of its tag - processes can NOT alter (add, remove or set) tags of other processes - processes lose tags during 'execve' - processes can read tags of other processes when DAC/MAC allows it But some rules allow authorized processes: - to remove some of its tags - to add some tag to itself - to set a value to some of its tag - to alter (add, remove, set) some tags of other processes - to change how tags are kept or not during 'execve' These rules are allowing the management of the tags either using daemons/services or using fork/exec or using both methods mixed. LINKS ===== user library: https://gitlab.com/jobol/ptags yocto layer: https://gitlab.com/jobol/meta-ptags José Bollo http://IoT.BzH José Bollo (1): LSM ptags: Add tagging of processes Documentation/security/ptags.txt | 428 +++++++ fs/proc/base.c | 3 + include/linux/cred.h | 3 + include/linux/user_namespace.h | 23 + kernel/cred.c | 6 + kernel/user_namespace.c | 3 + security/Kconfig | 1 + security/Makefile | 2 + security/apparmor/lsm.c | 14 +- security/ptags/Kconfig | 16 + security/ptags/Makefile | 6 + security/ptags/ptags-lsm.c | 213 ++++ security/ptags/ptags.c | 2377 ++++++++++++++++++++++++++++++++++++++ security/selinux/hooks.c | 8 + security/smack/smack_lsm.c | 14 +- 15 files changed, 3113 insertions(+), 4 deletions(-) create mode 100644 Documentation/security/ptags.txt create mode 100644 security/ptags/Kconfig create mode 100644 security/ptags/Makefile create mode 100644 security/ptags/ptags-lsm.c create mode 100644 security/ptags/ptags.c -- 2.7.4
Powered by blists - more mailing lists