[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20230713233135.GA11480@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net>
Date: Thu, 13 Jul 2023 16:31:35 -0700
From: Fan Wu <wufan@...ux.microsoft.com>
To: Paul Moore <paul@...l-moore.com>
Cc: corbet@....net, zohar@...ux.ibm.com, jmorris@...ei.org,
serge@...lyn.com, tytso@....edu, ebiggers@...nel.org,
axboe@...nel.dk, agk@...hat.com, snitzer@...nel.org,
eparis@...hat.com, linux-doc@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fscrypt@...r.kernel.org, linux-block@...r.kernel.org,
dm-devel@...hat.com, audit@...r.kernel.org,
roberto.sassu@...wei.com, linux-kernel@...r.kernel.org,
Deven Bowers <deven.desai@...ux.microsoft.com>
Subject: Re: [PATCH RFC v10 1/17] security: add ipe lsm
On Sat, Jul 08, 2023 at 12:22:59AM -0400, Paul Moore wrote:
> On Jun 28, 2023 Fan Wu <wufan@...ux.microsoft.com> wrote:
> >
> > Integrity Policy Enforcement (IPE) is an LSM that provides an
> > complimentary approach to Mandatory Access Control than existing LSMs
> > today.
> >
> > Existing LSMs have centered around the concept of access to a resource
> > should be controlled by the current user's credentials. IPE's approach,
> > is that access to a resource should be controlled by the system's trust
> > of a current resource.
> >
> > The basis of this approach is defining a global policy to specify which
> > resource can be trusted.
> >
> > Signed-off-by: Deven Bowers <deven.desai@...ux.microsoft.com>
> > Signed-off-by: Fan Wu <wufan@...ux.microsoft.com>
> > ---
> > MAINTAINERS | 7 +++++++
> > security/Kconfig | 11 ++++++-----
> > security/Makefile | 1 +
> > security/ipe/Kconfig | 17 +++++++++++++++++
> > security/ipe/Makefile | 10 ++++++++++
> > security/ipe/ipe.c | 37 +++++++++++++++++++++++++++++++++++++
> > security/ipe/ipe.h | 16 ++++++++++++++++
> > 7 files changed, 94 insertions(+), 5 deletions(-)
> > create mode 100644 security/ipe/Kconfig
> > create mode 100644 security/ipe/Makefile
> > create mode 100644 security/ipe/ipe.c
> > create mode 100644 security/ipe/ipe.h
>
> ...
>
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index a82795114ad4..ad00887d38ea 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -10278,6 +10278,13 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
> > F: security/integrity/
> > F: security/integrity/ima/
> >
> > +INTEGRITY POLICY ENFORCEMENT (IPE)
> > +M: Fan Wu <wufan@...ux.microsoft.com>
> > +L: linux-security-module@...r.kernel.org
> > +S: Supported
> > +T: git git://github.com/microsoft/ipe.git
>
> Using the raw git protocol doesn't seem to work with GH, I think you
> need to refernce the git/https URL:
>
> https://github.com/microsoft/ipe.git
>
Sure I can change it.
> > +F: security/ipe/
> > +
> > INTEL 810/815 FRAMEBUFFER DRIVER
> > M: Antonino Daplas <adaplas@...il.com>
> > L: linux-fbdev@...r.kernel.org
> > diff --git a/security/Kconfig b/security/Kconfig
> > index 97abeb9b9a19..daa4626ea99c 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -202,6 +202,7 @@ source "security/yama/Kconfig"
> > source "security/safesetid/Kconfig"
> > source "security/lockdown/Kconfig"
> > source "security/landlock/Kconfig"
> > +source "security/ipe/Kconfig"
> >
> > source "security/integrity/Kconfig"
> >
> > @@ -241,11 +242,11 @@ endchoice
> >
> > config LSM
> > string "Ordered list of enabled LSMs"
> > - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> > - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> > - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> > - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
> > - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
> > + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf,ipe" if DEFAULT_SECURITY_SMACK
> > + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf,ipe" if DEFAULT_SECURITY_APPARMOR
> > + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf,ipe" if DEFAULT_SECURITY_TOMOYO
> > + default "landlock,lockdown,yama,loadpin,safesetid,bpf,ipe" if DEFAULT_SECURITY_DAC
> > + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf,ipe"
>
> Generally speaking the BPF LSM should be the last entry in the LSM
> list to help prevent issues caused by a BPF LSM returning an improper
> error and shortcutting a LSM after it.
>
Thanks for the insight, I will update this part.
> > help
> > A comma-separated list of LSMs, in initialization order.
> > Any LSMs left off this list, except for those with order
>
> ...
>
> > diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> > new file mode 100644
> > index 000000000000..571648579991
> > --- /dev/null
> > +++ b/security/ipe/Makefile
> > @@ -0,0 +1,10 @@
> > +# SPDX-License-Identifier: GPL-2.0
> > +#
> > +# Copyright (C) Microsoft Corporation. All rights reserved.
> > +#
> > +# Makefile for building the IPE module as part of the kernel tree.
> > +#
> > +
> > +obj-$(CONFIG_SECURITY_IPE) += \
> > + hooks.o \
> > + ipe.o \
>
> It doesn't look like security/ipe/hook.c is included in this patch.
>
> It is important to ensure that each patch compiles after it is
> applied.
Sorry this was accidentally added during a rebase, I will try to avoid such a mistake in the future.
-Fan
>
> --
> paul-moore.com
Powered by blists - more mailing lists