[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231215221636.105680-1-casey@schaufler-ca.com>
Date: Fri, 15 Dec 2023 14:15:54 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey@...aufler-ca.com,
paul@...l-moore.com,
linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org,
serge@...lyn.com,
keescook@...omium.org,
john.johansen@...onical.com,
penguin-kernel@...ove.sakura.ne.jp,
stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org,
mic@...ikod.net
Subject: [PATCH v39 00/42] LSM: General module stacking
This patchset provides the changes required to allow arbitrary
combination of all the existing Linux Security Modules (LSM).
It does not provide for all possible configurations of all of
co-existing modules. It does not ensure that the enforcement
of policy provided by one module does not interfere with the
behavior of another module.
The bulk of the code change is in support of the audit system.
Because subjects and objects may have multiple LSM specific
attributes that are used to make access control decisions it
was necessary to enhance the audit system to report these
security attributes. Separate audit records have been added
to include the additional information for each of the audit
event subject and object. Providing the required security
information using 32-bit secids was no longer sufficient. A
new structure, lsmblob, has been introduced to include the
data for all relevant modules.
The lsmblob structure has an entry for each of the modules
that has used secids. Each module provides a structure of
its own which contains the information it uses. For SELinux
this is a u32 secid. Smack provides a pointer into the label
list. Modules that are not configured use conditional compilation
to have empty structures.
Because audit records may need to include the text representation
of more than one module's security attributes (commonly referred
to as the "security context") the interfaces that convert the
lsmblob into a text representation need to identify which module
provided the text. An structure lsmcontext has been added that
contains the text, its length and the identifier of the module
than created it.
Security attributes for network facilities have provided certain
challenges. The security information allowed in socket buffers
and secmarks is limited to a single u32 secid, and there is no
indication that this will ever be allowed to change. The netlabel
subsystem, which provides CIPSO and CALIPSO labeling on internet
packets, supports only one IP packet option at a time. Labeled
NFS3 also supports only one security module. The existing modules
have been updated to accept that they may not have access to
these networking security attributes. The first module to
register that uses them is given exclusive access.
The issue of multiple modules using the /proc/.../attr interfaces
has been largely addressed for some time by the inclusion of module
specific sub-directories. Applications should be using these except
for the case of SELinux.
Patch 0001 removes an interface dependency on audit from IMA.
Patch 0002 moves management of socket security blobs out of the
modules and into the LSM infrastructure.
Patch 0003 introduces the lsmblob structure.
Patch 0004 introduces mechanism for the IMA mechanisms to handle
the possibility of multiple modules that use attributes.
Patches 0005-0015 add new interfaces and change existing interfaces
to use the lsmblob to represent security data.
Patches 0016-0021 replace a the use of string and length pairs to
use a "security context" with an lsmcontext structure.
Patches 0022-0026 implement audit records describing the multiple
security attributes on subjects and objects.
Patch 0027 removes scaffolding code used in support on lsmcontext.
Patches 0028-0030 optimize LSM hooks for the networking single
module user case.
Patch 0031 implements mechanism to reserve use of network secmarks.
Patch 0032 limits security_secctx_to_secid() to a single module.
Patch 0033 removes the exclusive tag from AppArmor.
Patches 0034-0035 adds mount operation security blobs.
Patch 0036 moves management of key security blobs out of the
modules and into the LSM infrastructure.
Patch 0037 enables management of mount operation security blobs
in the modules.
Patches 0038-0039 remove scaffolding for lsmblobs.
Patch 0040 implements mechanism to reserve use of netlabel.
Patch 0041 restricts a hook used only by binder to a single module.
Patch 0042 removes the exclusive tag from Smack.
https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b
Casey Schaufler (42):
integrity: disassociate ima_filter_rule from security_audit_rule
SM: Infrastructure management of the sock security
LSM: Add the lsmblob data structure.
IMA: avoid label collisions with stacked LSMs
LSM: Use lsmblob in security_audit_rule_match
LSM: Add lsmblob_to_secctx hook
Audit: maintain an lsmblob in audit_context
LSM: Use lsmblob in security_ipc_getsecid
Audit: Update shutdown LSM data
LSM: Use lsmblob in security_current_getsecid
LSM: Use lsmblob in security_inode_getsecid
Audit: use an lsmblob in audit_names
LSM: Create new security_cred_getlsmblob LSM hook
Audit: Change context data from secid to lsmblob
Netlabel: Use lsmblob for audit data
LSM: Ensure the correct LSM context releaser
LSM: Use lsmcontext in security_secid_to_secctx
LSM: Use lsmcontext in security_lsmblob_to_secctx
LSM: Use lsmcontext in security_inode_getsecctx
LSM: Use lsmcontext in security_dentry_init_security
LSM: security_lsmblob_to_secctx module selection
Audit: Create audit_stamp structure
Audit: Allow multiple records in an audit_buffer
Audit: Add record for multiple task security contexts
audit: multiple subject lsm values for netlabel
Audit: Add record for multiple object contexts
LSM: Remove unused lsmcontext_init()
LSM: Improve logic in security_getprocattr
LSM: secctx provider check on release
LSM: Single calls in socket_getpeersec hooks
LSM: Exclusive secmark usage
LSM: Identify which LSM handles the context string
AppArmor: Remove the exclusive flag
LSM: Add mount opts blob size tracking
LSM: allocate mnt_opts blobs instead of module specific data
LSM: Infrastructure management of the key security blob
LSM: Infrastructure management of the mnt_opts security blob
LSM: Correct handling of ENOSYS in inode_setxattr
LSM: Remove lsmblob scaffolding
LSM: Allow reservation of netlabel
LSM: restrict security_cred_getsecid() to a single LSM
Smack: Remove LSM_FLAG_EXCLUSIVE
Documentation/ABI/testing/ima_policy | 8 +-
drivers/android/binder.c | 25 +-
fs/ceph/super.h | 3 +-
fs/ceph/xattr.c | 15 +-
fs/fuse/dir.c | 35 +-
fs/nfs/dir.c | 2 +-
fs/nfs/inode.c | 17 +-
fs/nfs/internal.h | 8 +-
fs/nfs/nfs4proc.c | 16 +-
fs/nfs/nfs4xdr.c | 22 +-
fs/nfsd/nfs4xdr.c | 21 +-
include/linux/audit.h | 13 +
include/linux/lsm/apparmor.h | 17 +
include/linux/lsm/bpf.h | 16 +
include/linux/lsm/selinux.h | 16 +
include/linux/lsm/smack.h | 17 +
include/linux/lsm_hook_defs.h | 35 +-
include/linux/lsm_hooks.h | 8 +
include/linux/nfs4.h | 8 +-
include/linux/nfs_fs.h | 2 +-
include/linux/security.h | 158 +++++++--
include/net/netlabel.h | 2 +-
include/net/scm.h | 12 +-
include/uapi/linux/audit.h | 2 +
kernel/audit.c | 269 +++++++++++----
kernel/audit.h | 20 +-
kernel/auditfilter.c | 9 +-
kernel/auditsc.c | 142 +++-----
net/ipv4/ip_sockglue.c | 12 +-
net/netfilter/nf_conntrack_netlink.c | 16 +-
net/netfilter/nf_conntrack_standalone.c | 11 +-
net/netfilter/nfnetlink_queue.c | 22 +-
net/netlabel/netlabel_unlabeled.c | 46 ++-
net/netlabel/netlabel_user.c | 10 +-
net/netlabel/netlabel_user.h | 2 +-
security/apparmor/audit.c | 19 +-
security/apparmor/include/audit.h | 8 +-
security/apparmor/include/net.h | 8 +-
security/apparmor/include/secid.h | 5 +-
security/apparmor/lsm.c | 65 +---
security/apparmor/net.c | 2 +-
security/apparmor/secid.c | 52 ++-
security/bpf/hooks.c | 1 +
security/integrity/ima/ima.h | 32 +-
security/integrity/ima/ima_api.c | 6 +-
security/integrity/ima/ima_appraise.c | 6 +-
security/integrity/ima/ima_main.c | 60 ++--
security/integrity/ima/ima_policy.c | 91 +++++-
security/security.c | 415 ++++++++++++++++++------
security/selinux/hooks.c | 285 +++++++++-------
security/selinux/include/audit.h | 13 +-
security/selinux/include/netlabel.h | 5 +
security/selinux/include/objsec.h | 12 +
security/selinux/netlabel.c | 27 +-
security/selinux/ss/services.c | 20 +-
security/smack/smack.h | 22 ++
security/smack/smack_lsm.c | 347 ++++++++++++--------
security/smack/smack_netfilter.c | 12 +-
security/smack/smackfs.c | 24 +-
59 files changed, 1691 insertions(+), 883 deletions(-)
create mode 100644 include/linux/lsm/apparmor.h
create mode 100644 include/linux/lsm/bpf.h
create mode 100644 include/linux/lsm/selinux.h
create mode 100644 include/linux/lsm/smack.h
--
2.41.0
Powered by blists - more mailing lists