lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.21.1809130727310.19741@namei.org>
Date:   Thu, 13 Sep 2018 07:29:32 +1000 (AEST)
From:   James Morris <jmorris@...ei.org>
To:     Casey Schaufler <casey@...aufler-ca.com>,
        Salvatore Mesoraca <s.mesoraca16@...il.com>, mic@...ikod.net
cc:     LSM <linux-security-module@...r.kernel.org>,
        LKLM <linux-kernel@...r.kernel.org>,
        SE Linux <selinux@...ho.nsa.gov>,
        John Johansen <john.johansen@...onical.com>,
        Kees Cook <keescook@...omium.org>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        Paul Moore <paul@...l-moore.com>,
        Stephen Smalley <sds@...ho.nsa.gov>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        Alexey Dobriyan <adobriyan@...il.com>,
        "Schaufler, Casey" <casey.schaufler@...el.com>
Subject: Re: [PATCH v2 00/10] LSM: Module stacking in support of S.A.R.A and
 Landlock

Adding the SARA and LandLock authors for review & comment.

Salvatore & Mickaƫl: does this patchset meet your needs for merging to 
mainline?



On Tue, 11 Sep 2018, Casey Schaufler wrote:

> LSM: Module stacking in support of S.A.R.A and Landlock
> 
> v2: Reduce the patchset to what is required to support
>     the proposed S.A.R.A. and LandLock security modules
> 
> The S.A.R.A. security module is intended to be used
> in conjunction with other security modules. It requires
> state to be maintained for the credential, which
> in turn requires a mechanism for sharing the credential
> security blob. The module also requires mechanism for
> user space manipulation of the credential information,
> hence an additional subdirectory in /proc/.../attr.
> 
> The LandLock security module provides user configurable
> policy in the secmark mechanism. It requires data in
> the credential, file and inode security blobs. For this
> to be used along side the existing "major" security
> modules mechanism for sharing these blobs is provided.
> 
> A side effect of providing sharing of the crendential
> security blob is that the TOMOYO module can be used at
> the same time as the other "major" modules.
> 
> The mechanism for configuring which security modules are
> enabled has to change when stacking in enabled. Any
> module that uses just the security blobs that are shared
> can be selected. Additionally, one other "major" module
> can be selected.
> 
> The security module stacking issues around networking and
> IPC are not addressed here as they are beyond what is
> required for TOMOYO, S.A.R.A and LandLock.
> 
> git://github.com/cschaufler/lsm-stacking.git#stacking-4.19-rc2-saralock
> 
> Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
> ---
>  Documentation/admin-guide/LSM/index.rst |  23 ++-
>  fs/proc/base.c                          |  64 ++++++-
>  fs/proc/internal.h                      |   1 +
>  include/linux/lsm_hooks.h               |  20 ++-
>  include/linux/security.h                |  15 +-
>  kernel/cred.c                           |  13 --
>  security/Kconfig                        |  92 ++++++++++
>  security/apparmor/domain.c              |   2 +-
>  security/apparmor/include/cred.h        |  24 ++-
>  security/apparmor/include/file.h        |   9 +-
>  security/apparmor/include/lib.h         |   4 +
>  security/apparmor/lsm.c                 |  53 ++++--
>  security/apparmor/task.c                |   6 +-
>  security/security.c                     | 293 ++++++++++++++++++++++++++++++--
>  security/selinux/hooks.c                | 215 ++++++++---------------
>  security/selinux/include/objsec.h       |  37 +++-
>  security/selinux/selinuxfs.c            |   5 +-
>  security/selinux/xfrm.c                 |   4 +-
>  security/smack/smack.h                  |  42 ++++-
>  security/smack/smack_access.c           |   4 +-
>  security/smack/smack_lsm.c              | 283 +++++++++++-------------------
>  security/smack/smackfs.c                |  18 +-
>  security/tomoyo/common.h                |  31 +++-
>  security/tomoyo/domain.c                |   4 +-
>  security/tomoyo/securityfs_if.c         |  15 +-
>  security/tomoyo/tomoyo.c                |  57 +++++--
>  26 files changed, 899 insertions(+), 435 deletions(-)
> 

-- 
James Morris
<jmorris@...ei.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ