Message-ID: <bdfdb8af-6cab-4e3c-acf8-68a774805fd3@canonical.com>
Date: Thu, 1 Feb 2024 16:24:03 -0800
From: John Johansen <john.johansen@...onical.com>
To: Casey Schaufler <casey@...aufler-ca.com>, paul@...l-moore.com,
linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org, serge@...lyn.com, keescook@...omium.org,
penguin-kernel@...ove.sakura.ne.jp, stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org, mic@...ikod.net
Subject: Re: [PATCH v39 00/42] LSM: General module stacking
On 12/15/23 14:15, Casey Schaufler wrote:
> This patchset provides the changes required to allow arbitrary
> combination of all the existing Linux Security Modules (LSM).
> It does not provide for all possible configurations of all of
> co-existing modules. It does not ensure that the enforcement
> of policy provided by one module does not interfere with the
> behavior of another module.
>
> The bulk of the code change is in support of the audit system.
> Because subjects and objects may have multiple LSM specific
> attributes that are used to make access control decisions it
> was necessary to enhance the audit system to report these
> security attributes. Separate audit records have been added
> to include the additional information for each of the audit
> event subject and object. Providing the required security
> information using 32-bit secids was no longer sufficient. A
> new structure, lsmblob, has been introduced to include the
> data for all relevant modules.
>
> The lsmblob structure has an entry for each of the modules
> that has used secids. Each module provides a structure of
> its own which contains the information it uses. For SELinux
> this is a u32 secid. Smack provides a pointer into the label
> list. Modules that are not configured use conditional compilation
> to have empty structures.
>
> Because audit records may need to include the text representation
> of more than one module's security attributes (commonly referred
> to as the "security context") the interfaces that convert the
> lsmblob into a text representation need to identify which module
> provided the text. An structure lsmcontext has been added that
> contains the text, its length and the identifier of the module
> than created it.
>
> Security attributes for network facilities have provided certain
> challenges. The security information allowed in socket buffers
> and secmarks is limited to a single u32 secid, and there is no
> indication that this will ever be allowed to change. The netlabel
> subsystem, which provides CIPSO and CALIPSO labeling on internet
> packets, supports only one IP packet option at a time. Labeled
> NFS3 also supports only one security module. The existing modules
> have been updated to accept that they may not have access to
> these networking security attributes. The first module to
> register that uses them is given exclusive access.
>
> The issue of multiple modules using the /proc/.../attr interfaces
> has been largely addressed for some time by the inclusion of module
> specific sub-directories. Applications should be using these except
> for the case of SELinux.
>
> Patch 0001 removes an interface dependency on audit from IMA.
> Patch 0002 moves management of socket security blobs out of the
> modules and into the LSM infrastructure.
> Patch 0003 introduces the lsmblob structure.
> Patch 0004 introduces a mechanism for the IMA mechanisms to handle
> the possibility of multiple modules that use attributes.
> Patches 0005-0015 add new interfaces and change existing interfaces
> to use the lsmblob to represent security data.
> Patches 0016-0021 replace the use of string and length pairs to
> use a "security context" with an lsmcontext structure.
> Patches 0022-0026 implement audit records describing the multiple
> security attributes on subjects and objects.
> Patch 0027 removes scaffolding code used in support of lsmcontext.
> Patches 0028-0030 optimize LSM hooks for the networking single
> module user case.
> Patch 0031 implements a mechanism to reserve use of network secmarks.
> Patch 0032 limits security_secctx_to_secid() to a single module.
> Patch 0033 removes the exclusive tag from AppArmor.
> Patches 0034-0035 add mount operation security blobs.
> Patch 0036 moves management of key security blobs out of the
> modules and into the LSM infrastructure.
> Patch 0037 enables management of mount operation security blobs
> in the modules.
> Patches 0038-0039 remove scaffolding for lsmblobs.
> Patch 0040 implements a mechanism to reserve use of netlabel.
> Patch 0041 restricts a hook used only by binder to a single module.
> Patch 0042 removes the exclusive tag from Smack.
>
> https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b
>
This is now in testing on the Ubuntu Unstable 6.8 based kernels
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable
and if all goes well will get rolled out to the noble (24.04) -proposed kernels
for broader testing soon.
> Casey Schaufler (42):
> integrity: disassociate ima_filter_rule from security_audit_rule
> SM: Infrastructure management of the sock security
> LSM: Add the lsmblob data structure.
> IMA: avoid label collisions with stacked LSMs
> LSM: Use lsmblob in security_audit_rule_match
> LSM: Add lsmblob_to_secctx hook
> Audit: maintain an lsmblob in audit_context
> LSM: Use lsmblob in security_ipc_getsecid
> Audit: Update shutdown LSM data
> LSM: Use lsmblob in security_current_getsecid
> LSM: Use lsmblob in security_inode_getsecid
> Audit: use an lsmblob in audit_names
> LSM: Create new security_cred_getlsmblob LSM hook
> Audit: Change context data from secid to lsmblob
> Netlabel: Use lsmblob for audit data
> LSM: Ensure the correct LSM context releaser
> LSM: Use lsmcontext in security_secid_to_secctx
> LSM: Use lsmcontext in security_lsmblob_to_secctx
> LSM: Use lsmcontext in security_inode_getsecctx
> LSM: Use lsmcontext in security_dentry_init_security
> LSM: security_lsmblob_to_secctx module selection
> Audit: Create audit_stamp structure
> Audit: Allow multiple records in an audit_buffer
> Audit: Add record for multiple task security contexts
> audit: multiple subject lsm values for netlabel
> Audit: Add record for multiple object contexts
> LSM: Remove unused lsmcontext_init()
> LSM: Improve logic in security_getprocattr
> LSM: secctx provider check on release
> LSM: Single calls in socket_getpeersec hooks
> LSM: Exclusive secmark usage
> LSM: Identify which LSM handles the context string
> AppArmor: Remove the exclusive flag
> LSM: Add mount opts blob size tracking
> LSM: allocate mnt_opts blobs instead of module specific data
> LSM: Infrastructure management of the key security blob
> LSM: Infrastructure management of the mnt_opts security blob
> LSM: Correct handling of ENOSYS in inode_setxattr
> LSM: Remove lsmblob scaffolding
> LSM: Allow reservation of netlabel
> LSM: restrict security_cred_getsecid() to a single LSM
> Smack: Remove LSM_FLAG_EXCLUSIVE
>
> Documentation/ABI/testing/ima_policy | 8 +-
> drivers/android/binder.c | 25 +-
> fs/ceph/super.h | 3 +-
> fs/ceph/xattr.c | 15 +-
> fs/fuse/dir.c | 35 +-
> fs/nfs/dir.c | 2 +-
> fs/nfs/inode.c | 17 +-
> fs/nfs/internal.h | 8 +-
> fs/nfs/nfs4proc.c | 16 +-
> fs/nfs/nfs4xdr.c | 22 +-
> fs/nfsd/nfs4xdr.c | 21 +-
> include/linux/audit.h | 13 +
> include/linux/lsm/apparmor.h | 17 +
> include/linux/lsm/bpf.h | 16 +
> include/linux/lsm/selinux.h | 16 +
> include/linux/lsm/smack.h | 17 +
> include/linux/lsm_hook_defs.h | 35 +-
> include/linux/lsm_hooks.h | 8 +
> include/linux/nfs4.h | 8 +-
> include/linux/nfs_fs.h | 2 +-
> include/linux/security.h | 158 +++++++--
> include/net/netlabel.h | 2 +-
> include/net/scm.h | 12 +-
> include/uapi/linux/audit.h | 2 +
> kernel/audit.c | 269 +++++++++++----
> kernel/audit.h | 20 +-
> kernel/auditfilter.c | 9 +-
> kernel/auditsc.c | 142 +++-----
> net/ipv4/ip_sockglue.c | 12 +-
> net/netfilter/nf_conntrack_netlink.c | 16 +-
> net/netfilter/nf_conntrack_standalone.c | 11 +-
> net/netfilter/nfnetlink_queue.c | 22 +-
> net/netlabel/netlabel_unlabeled.c | 46 ++-
> net/netlabel/netlabel_user.c | 10 +-
> net/netlabel/netlabel_user.h | 2 +-
> security/apparmor/audit.c | 19 +-
> security/apparmor/include/audit.h | 8 +-
> security/apparmor/include/net.h | 8 +-
> security/apparmor/include/secid.h | 5 +-
> security/apparmor/lsm.c | 65 +---
> security/apparmor/net.c | 2 +-
> security/apparmor/secid.c | 52 ++-
> security/bpf/hooks.c | 1 +
> security/integrity/ima/ima.h | 32 +-
> security/integrity/ima/ima_api.c | 6 +-
> security/integrity/ima/ima_appraise.c | 6 +-
> security/integrity/ima/ima_main.c | 60 ++--
> security/integrity/ima/ima_policy.c | 91 +++++-
> security/security.c | 415 ++++++++++++++++++------
> security/selinux/hooks.c | 285 +++++++++-------
> security/selinux/include/audit.h | 13 +-
> security/selinux/include/netlabel.h | 5 +
> security/selinux/include/objsec.h | 12 +
> security/selinux/netlabel.c | 27 +-
> security/selinux/ss/services.c | 20 +-
> security/smack/smack.h | 22 ++
> security/smack/smack_lsm.c | 347 ++++++++++++--------
> security/smack/smack_netfilter.c | 12 +-
> security/smack/smackfs.c | 24 +-
> 59 files changed, 1691 insertions(+), 883 deletions(-)
> create mode 100644 include/linux/lsm/apparmor.h
> create mode 100644 include/linux/lsm/bpf.h
> create mode 100644 include/linux/lsm/selinux.h
> create mode 100644 include/linux/lsm/smack.h
>
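The lsmblob / lsmcontext design the cover letter describes, modelled in user space as an added example that is not kernel code and not part of Casey's series: a blob with one entry per module (a u32 secid for SELinux, a pointer into a label list for Smack), a conversion that returns the text together with the id of the module that produced it, one audit record carrying every module's context, and first-come exclusive reservation of a resource that can only hold a single u32, as the cover letter says secmarks do. Every `toy_` name, the sidtab contents and the Smack label are invented for this illustration.

```c
/* Toy userspace model of the lsmblob / lsmcontext design in the cover
 * letter.  Added example, not kernel code: every toy_ name is invented
 * here and the label tables are constructed sample data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum toy_lsm_id { TOY_LSM_UNDEF = 0, TOY_LSM_SELINUX = 1, TOY_LSM_SMACK = 2 };

struct toy_smack_known { const char *label; };   /* entry in Smack's label list */

/* One entry per module that used secids: a u32 for SELinux, a pointer for Smack. */
struct toy_lsmblob {
    struct { uint32_t secid; } selinux;
    struct { const struct toy_smack_known *skp; } smack;
};

/* Text context, its length, and the id of the module that produced it. */
struct toy_lsmcontext {
    char context[80];
    uint32_t len;
    enum toy_lsm_id id;
};

/* Constructed SELinux sidtab: secid 0 means "unset". */
static const char *const toy_sidtab[] = {
    NULL, "system_u:system_r:kernel_t:s0", "unconfined_u:unconfined_r:unconfined_t:s0",
};

static bool toy_fill(struct toy_lsmcontext *cp, enum toy_lsm_id id, const char *s)
{
    snprintf(cp->context, sizeof(cp->context), "%s", s);
    cp->len = (uint32_t)strlen(cp->context);
    cp->id = id;
    return true;
}

/* Convert a blob to text for one module.  TOY_LSM_UNDEF means "whichever module
 * has data first"; the id field tells the caller whose string came back. */
bool toy_lsmblob_to_secctx(const struct toy_lsmblob *b, struct toy_lsmcontext *cp,
                           enum toy_lsm_id want)
{
    cp->context[0] = '\0';
    cp->len = 0;
    cp->id = TOY_LSM_UNDEF;
    if ((want == TOY_LSM_UNDEF || want == TOY_LSM_SELINUX) && b->selinux.secid != 0 &&
        b->selinux.secid < sizeof(toy_sidtab) / sizeof(toy_sidtab[0]))
        return toy_fill(cp, TOY_LSM_SELINUX, toy_sidtab[b->selinux.secid]);
    if ((want == TOY_LSM_UNDEF || want == TOY_LSM_SMACK) && b->smack.skp != NULL)
        return toy_fill(cp, TOY_LSM_SMACK, b->smack.skp->label);
    return false;
}

/* One audit record carrying every module's context, in the style of the
 * per-subject record the series adds.  Returns how many modules contributed. */
int toy_audit_subject(const struct toy_lsmblob *b, char *out, size_t outlen)
{
    static const enum toy_lsm_id ids[] = { TOY_LSM_SELINUX, TOY_LSM_SMACK };
    static const char *const names[] = { "selinux", "smack" };
    struct toy_lsmcontext cp;
    size_t used = 0;
    int count = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        if (!toy_lsmblob_to_secctx(b, &cp, ids[i]))
            continue;
        int w = snprintf(out + used, outlen - used, "%ssubj_%s=%s",
                         count ? " " : "", names[i], cp.context);
        if (w < 0 || (size_t)w >= outlen - used)
            break;          /* truncated: stop rather than emit a partial field */
        used += (size_t)w;
        count++;
    }
    return count;
}

/* A secmark holds a single u32, so only one module may use it: the first to
 * reserve keeps exclusive access and later requests by other modules fail. */
static enum toy_lsm_id toy_secmark_owner = TOY_LSM_UNDEF;

bool toy_reserve_secmark(enum toy_lsm_id id)
{
    if (toy_secmark_owner == TOY_LSM_UNDEF)
        toy_secmark_owner = id;
    return toy_secmark_owner == id;
}

int main(void)
{
    const struct toy_smack_known floor = { "_" };
    struct toy_lsmblob blob = { .selinux = { 1 }, .smack = { &floor } };
    char rec[160];
    int n = toy_audit_subject(&blob, rec, sizeof(rec));
    bool first = toy_reserve_secmark(TOY_LSM_SMACK);
    bool second = toy_reserve_secmark(TOY_LSM_SELINUX);
    printf("%d modules: %s\nsmack reserve %d, selinux reserve %d\n", n, rec, first, second);
    return 0;
}
```

The point the model makes concrete is the one the cover letter argues for: once two modules can both own data on the same subject, a bare string is ambiguous, so the conversion has to hand back the module id alongside the text, and resources that can only carry one u32 have to be handed to exactly one registrant.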