[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <7e8702ce-2598-e0a3-31a2-bc29157fb73d@schaufler-ca.com>
Date: Thu, 10 May 2018 17:30:44 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: LSM <linux-security-module@...r.kernel.org>,
LKLM <linux-kernel@...r.kernel.org>,
Paul Moore <paul@...l-moore.com>,
Stephen Smalley <sds@...ho.nsa.gov>,
SE Linux <selinux@...ho.nsa.gov>,
"SMACK-discuss@...ts.01.org" <SMACK-discuss@...ts.01.org>,
John Johansen <john.johansen@...onical.com>,
Kees Cook <keescook@...omium.org>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
James Morris <jmorris@...ei.org>
Cc: Casey Schaufler <casey@...aufler-ca.com>
Subject: [PATCH 00/23] LSM: Full security module stacking
Subject: [PATCH 00/23] LSM: Full security module stacking
Here it is, the whole nine yards, broken into mostly
review friendly pieces. I believe that it would make
a good deal of sense to take this in two bites, with
the infrastructure managed blobs going first and the
secid conversion coming later. I hope there will be some
debate around that.
The blob management part is pretty clean by now. I
welcome serious review on that. The secid part is more
wobbly, but I am convinced that it's the right direction
if not perhaps always the best possible implementation.
AppArmor in in the process of a major overhaul, and that
slowed me down a bit as I had to do new work to convert
it to use the new mechanisms.
I had experimented with secid "tokens" in the hope of
minimizing API changes. That doesn't work. Changing
the APIs to use a struct secids pointer in place of a
u32 is brutal to the diffstat, but reduces the amount
of active code that has to change, and really makes
data management easier.
If there are two possible ways to do a thing you will
find them both in the networking code. AF_UNIX, netfilter,
SO_PEERSEC and netlabel each has its own clever ways
to manipulate security information. I think I nailed
them all, but I'm not betting more than a beer on it.
There could be issues in the audit code, although nothing
jumped out immediately. The same goes for the integrity
subsystem. I haven't tried Infiniband or very many
filesystem types that don't com standard with Fedora or
Ubuntu.
I have fixed everything I've found. If you find something
(please look!) let me know.
Tested primarily on virtual machines.
Fedora 25-27 - SELinux, Smack and the two together
Ubuntu 17.04 - AppArmor and AppArmor + Smack
The SELinux test suite completes successfully unless
you add in Smack, in which case it fails where you would
expect it to due to the different use models for netlabel.
Smack tests work as well. AppArmor was tested by booting
Ubuntu, but not beyond.
Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
---
Documentation/admin-guide/LSM/index.rst | 23 +-
fs/btrfs/super.c | 10 +-
fs/proc/base.c | 63 +-
fs/proc/internal.h | 1 +
include/linux/cred.h | 3 +-
include/linux/lsm_hooks.h | 85 ++-
include/linux/security.h | 211 +++++--
include/net/flow.h | 5 +-
include/net/netlabel.h | 16 +-
include/net/scm.h | 4 +-
include/uapi/linux/netfilter/xt_SECMARK.h | 1 +
include/uapi/linux/prctl.h | 4 +
kernel/audit.c | 25 +-
kernel/audit.h | 9 +-
kernel/auditfilter.c | 4 +-
kernel/auditsc.c | 44 +-
kernel/cred.c | 19 +-
kernel/fork.c | 3 +
net/ipv4/cipso_ipv4.c | 19 +-
net/ipv4/ip_sockglue.c | 6 +-
net/netfilter/nf_conntrack_netlink.c | 22 +-
net/netfilter/nf_conntrack_standalone.c | 11 +-
net/netfilter/nfnetlink_queue.c | 14 +-
net/netfilter/xt_SECMARK.c | 44 +-
net/netlabel/netlabel_kapi.c | 52 +-
net/netlabel/netlabel_unlabeled.c | 30 +-
net/netlabel/netlabel_unlabeled.h | 2 +-
net/netlabel/netlabel_user.c | 4 +-
net/unix/af_unix.c | 19 +-
net/xfrm/xfrm_policy.c | 5 +-
net/xfrm/xfrm_state.c | 2 +-
security/Kconfig | 80 +++
security/Makefile | 1 +
security/apparmor/domain.c | 2 +-
security/apparmor/include/cred.h | 24 +-
security/apparmor/include/file.h | 9 +-
security/apparmor/include/lib.h | 4 +
security/apparmor/include/net.h | 10 +-
security/apparmor/include/task.h | 22 +-
security/apparmor/lsm.c | 131 ++--
security/apparmor/task.c | 6 +-
security/integrity/ima/ima.h | 10 +-
security/integrity/ima/ima_api.c | 5 +-
security/integrity/ima/ima_appraise.c | 4 +-
security/integrity/ima/ima_main.c | 22 +-
security/integrity/ima/ima_policy.c | 11 +-
security/security.c | 973 +++++++++++++++++++++++++++---
security/selinux/hooks.c | 658 ++++++++------------
security/selinux/include/audit.h | 2 +-
security/selinux/include/objsec.h | 87 ++-
security/selinux/include/xfrm.h | 9 +-
security/selinux/netlabel.c | 33 +-
security/selinux/selinuxfs.c | 5 +-
security/selinux/ss/services.c | 13 +-
security/selinux/xfrm.c | 29 +-
security/smack/smack.h | 90 ++-
security/smack/smack_access.c | 6 +-
security/smack/smack_lsm.c | 673 ++++++++++-----------
security/smack/smack_netfilter.c | 19 +-
security/smack/smackfs.c | 32 +-
security/tomoyo/common.h | 31 +-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 15 +-
security/tomoyo/tomoyo.c | 57 +-
64 files changed, 2581 insertions(+), 1256 deletions(-)
Powered by blists - more mailing lists