lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 16 Nov 2022 18:04:15 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        linux-security-module@...r.kernel.org,
        Mickaël Salaün <mic@...ikod.net>,
        linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] LSM: Better reporting of actual LSMs at boot

On Tue, Nov 1, 2022 at 8:05 PM Kees Cook <keescook@...omium.org> wrote:
>
> Enhance the details reported by "lsm.debug" in several ways:
>
> - report contents of "security="
> - report contents of "CONFIG_LSM"
> - report contents of "lsm="
> - report any early LSM details
> - whitespace-align the output of similar phases for easier visual parsing
> - change "disabled" to more accurate "skipped"
> - explain what "skipped" and "ignored" mean in a parenthetical
>
> Upgrade the "security= is ignored" warning from pr_info to pr_warn,
> and include full arguments list to make the cause even more clear.
>
> Replace static "Security Framework initializing" pr_info with specific
> list of the resulting order of enabled LSMs.
>
> For example, if the kernel is built with:
>
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_YAMA=y
> CONFIG_SECURITY_SAFESETID=y
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LANDLOCK=y
> CONFIG_INTEGRITY=y
> CONFIG_BPF_LSM=y
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
> CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
>
> Booting without options will show:
>
> LSM: initializing lsm=lockdown,capability,landlock,yama,loadpin,safesetid,integrity,selinux,bpf
> landlock: Up and running.
> Yama: becoming mindful.
> LoadPin: ready to pin (currently not enforcing)
> SELinux:  Initializing.
> LSM support for eBPF active
>
> Boot with "lsm.debug" will show:
>
> LSM: legacy security= *unspecified*
> LSM: CONFIG_LSM=landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf
> LSM: boot arg lsm= *unspecified*
> LSM:   early started: lockdown (enabled)
> LSM:   first ordered: capability (enabled)
> LSM: builtin ordered: landlock (enabled)
> LSM: builtin ignored: lockdown (not built into kernel)
> LSM: builtin ordered: yama (enabled)
> LSM: builtin ordered: loadpin (enabled)
> LSM: builtin ordered: safesetid (enabled)
> LSM: builtin ordered: integrity (enabled)
> LSM: builtin ordered: selinux (enabled)
> LSM: builtin ignored: smack (not built into kernel)
> LSM: builtin ignored: tomoyo (not built into kernel)
> LSM: builtin ordered: apparmor (enabled)
> LSM: builtin ordered: bpf (enabled)
> LSM: exclusive chosen:   selinux
> LSM: exclusive disabled: apparmor
> LSM: initializing lsm=lockdown,capability,landlock,yama,loadpin,safesetid,integrity,selinux,bpf
> LSM: cred blob size       = 32
> LSM: file blob size       = 16
> LSM: inode blob size      = 72
> LSM: ipc blob size        = 8
> LSM: msg_msg blob size    = 4
> LSM: superblock blob size = 80
> LSM: task blob size       = 8
> LSM: initializing capability
> LSM: initializing landlock
> landlock: Up and running.
> LSM: initializing yama
> Yama: becoming mindful.
> LSM: initializing loadpin
> LoadPin: ready to pin (currently not enforcing)
> LSM: initializing safesetid
> LSM: initializing integrity
> LSM: initializing selinux
> SELinux:  Initializing.
> LSM: initializing bpf
> LSM support for eBPF active
>
> And some examples of how the lsm.debug ordering report changes...
>
> With "lsm.debug security=selinux":
>
> LSM: legacy security=selinux
> LSM: CONFIG_LSM=landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf
> LSM: boot arg lsm= *unspecified*
> LSM:   early started: lockdown (enabled)
> LSM:   first ordered: capability (enabled)
> LSM: security=selinux disabled: apparmor (only one legacy major LSM)
> LSM: builtin ordered: landlock (enabled)
> LSM: builtin ignored: lockdown (not built into kernel)
> LSM: builtin ordered: yama (enabled)
> LSM: builtin ordered: loadpin (enabled)
> LSM: builtin ordered: safesetid (enabled)
> LSM: builtin ordered: integrity (enabled)
> LSM: builtin ordered: selinux (enabled)
> LSM: builtin ignored: smack (not built into kernel)
> LSM: builtin ignored: tomoyo (not built into kernel)
> LSM: builtin ordered: apparmor (disabled)
> LSM: builtin ordered: bpf (enabled)
> LSM: exclusive chosen:   selinux
> LSM: initializing lsm=lockdown,capability,landlock,yama,loadpin,safesetid,integrity,selinux,bpf
>
> With "lsm.debug lsm=integrity,selinux,loadpin,crabability,bpf,loadpin,loadpin":
>
> LSM: legacy security= *unspecified*
> LSM: CONFIG_LSM=landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf
> LSM: boot arg lsm=integrity,selinux,loadpin,capability,bpf,loadpin,loadpin
> LSM:   early started: lockdown (enabled)
> LSM:   first ordered: capability (enabled)
> LSM: cmdline ordered: integrity (enabled)
> LSM: cmdline ordered: selinux (enabled)
> LSM: cmdline ordered: loadpin (enabled)
> LSM: cmdline ignored: crabability (not built into kernel)
> LSM: cmdline ordered: bpf (enabled)
> LSM: cmdline skipped: apparmor (not in requested order)
> LSM: cmdline skipped: yama (not in requested order)
> LSM: cmdline skipped: safesetid (not in requested order)
> LSM: cmdline skipped: landlock (not in requested order)
> LSM: exclusive chosen:   selinux
> LSM: initializing lsm=lockdown,capability,integrity,selinux,loadpin,bpf
>
> Cc: Paul Moore <paul@...l-moore.com>
> Cc: James Morris <jmorris@...ei.org>
> Cc: "Serge E. Hallyn" <serge@...lyn.com>
> Cc: linux-security-module@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v2: en/dis-enabled expanded, example output in commit log, use pr_cont.
> v1: https://lore.kernel.org/lkml/20221018064825.never.323-kees@kernel.org/
> ---
>  security/security.c | 45 ++++++++++++++++++++++++++++++++++++---------
>  1 file changed, 36 insertions(+), 9 deletions(-)

I tend to agree with Mickaël regarding the aligned output, but that's
not worth worrying too much about for debug stuff.  Merged into
lsm/next, thanks Kees.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ