Message-ID: <20240830003411.16818-1-casey@schaufler-ca.com>
Date: Thu, 29 Aug 2024 17:33:58 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey@...aufler-ca.com,
	paul@...l-moore.com,
	linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org,
	serge@...lyn.com,
	keescook@...omium.org,
	john.johansen@...onical.com,
	penguin-kernel@...ove.sakura.ne.jp,
	stephen.smalley.work@...il.com,
	linux-kernel@...r.kernel.org,
	selinux@...r.kernel.org,
	mic@...ikod.net
Subject: [PATCH v2 00/13] LSM: Move away from secids

Many of the Linux Security Module (LSM) interfaces use u32
security ID values (secids) to identify module specific security
attributes. This is an artifact of the SELinux security server
architecture and compromises made to allow security attributes
to be associated with networking mechanisms. There are significant
performance implications to using this approach, as access control
decisions must map the secids to the real data to be used. There is
also impact on the audit system, which must provide textual values
for security attributes.

The secid based interfaces are also constrained to supporting a
single security module. There are clever mechanisms for representing
multiple 32 bit values in a single 32 bit value, but they add overhead
and complexity. While the issue of multiple concurrent security modules
is not explicitly addressed here, the move away from secids is required
to make that possible.

Most uses of secids can be replaced by a security module specific
value. In SELinux this remains a u32 secid. In Smack the value is
a pointer into the system label list. In AppArmor a pointer to a
security context can be used. Because the active security module can
be specified at boot time using the "security=" or "lsm=" flags,
the system must be able to use any of the possible values.

A struct lsmblob is introduced to contain the attribute values.
This struct includes a member for each of the security modules that
are built into the kernel. Where possible, uses of secids are
replaced with a lsmblob. LSM interfaces have been modified to use
lsmblob pointers instead of secids in most cases. Some new interfaces
have been introduced where it is not practical to replace an existing
secid interface. This occurs in several networking code paths.
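As an added illustration of the cover letter's argument (this is not code from the series or from the kernel), the userspace C model below gives struct lsmblob one slot per built-in module, so SELinux keeps its u32 secid while Smack and AppArmor carry a pointer to their native object. The SELinux slot still has to be resolved through a lookup table to produce the textual value an audit record needs, whereas the pointer-carrying slots hand the text back directly. The member names, the secid table, the enum naming the module active at boot and the walk counter are assumptions chosen for this example.

```c
/* Constructed userspace model of the lsmblob idea; not the kernel's definitions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Stand-ins for the modules' native attribute structures (assumed shapes). */
struct smack_known {
	const char *label;          /* Smack label text, e.g. "_" or "System" */
	struct smack_known *next;   /* the system label list is a linked list */
};

struct aa_label {
	const char *hname;          /* AppArmor profile name */
};

/* One member per built-in security module, as the cover letter describes. */
struct lsmblob {
	struct { u32 secid; } selinux;               /* SELinux keeps a u32 secid */
	struct { struct smack_known *skp; } smack;   /* Smack: pointer into the label list */
	struct { struct aa_label *label; } apparmor; /* AppArmor: pointer to a security context */
};

/* Which module was selected at boot (security= / lsm=); assumed enum. */
enum active_lsm { LSM_NONE, LSM_SELINUX, LSM_SMACK, LSM_APPARMOR };

/* --- secid path: a table that must be walked to recover the real data --- */
#define SID_MAX 8
static const char *selinux_sid_table[SID_MAX + 1]; /* index 0 = unlabeled/invalid */
static unsigned int sid_table_walks;               /* how often a decision hit the table */

static u32 selinux_sid_alloc(const char *context)
{
	for (u32 sid = 1; sid <= SID_MAX; sid++) {
		if (selinux_sid_table[sid] == NULL) {
			selinux_sid_table[sid] = context;
			return sid;
		}
	}
	return 0; /* table full */
}

static const char *selinux_sid_to_context(u32 sid)
{
	sid_table_walks++;
	if (sid == 0 || sid > SID_MAX)
		return NULL;
	return selinux_sid_table[sid];
}

static unsigned int sid_walks_so_far(void)
{
	return sid_table_walks;
}

/* --- lsmblob path: the module's native value is carried directly --- */
static void lsmblob_init(struct lsmblob *blob)
{
	memset(blob, 0, sizeof(*blob));
}

/* Model of an audit rule match on a security attribute: only the slot
 * belonging to the active module is consulted. */
static bool lsmblob_equal(const struct lsmblob *a, const struct lsmblob *b,
			  enum active_lsm lsm)
{
	switch (lsm) {
	case LSM_SELINUX:  return a->selinux.secid == b->selinux.secid;
	case LSM_SMACK:    return a->smack.skp == b->smack.skp;
	case LSM_APPARMOR: return a->apparmor.label == b->apparmor.label;
	default:           return false;
	}
}

/* Textual value for an audit record. Only the SELinux slot needs a table walk;
 * the pointer slots already reach the text. */
static const char *lsmblob_to_secctx(const struct lsmblob *blob, enum active_lsm lsm)
{
	switch (lsm) {
	case LSM_SELINUX:  return selinux_sid_to_context(blob->selinux.secid);
	case LSM_SMACK:    return blob->smack.skp ? blob->smack.skp->label : NULL;
	case LSM_APPARMOR: return blob->apparmor.label ? blob->apparmor.label->hname : NULL;
	default:           return NULL;
	}
}

int main(void)
{
	struct smack_known sys = { "System", NULL };   /* constructed sample label */
	struct lsmblob a, b;

	lsmblob_init(&a);
	lsmblob_init(&b);
	a.smack.skp = &sys;
	b.smack.skp = &sys;
	printf("smack match: %d, secctx: %s, table walks: %u\n",
	       lsmblob_equal(&a, &b, LSM_SMACK), lsmblob_to_secctx(&a, LSM_SMACK),
	       sid_walks_so_far());

	a.selinux.secid = selinux_sid_alloc("system_u:system_r:kernel_t:s0");
	printf("selinux secctx: %s, table walks: %u\n",
	       lsmblob_to_secctx(&a, LSM_SELINUX), sid_walks_so_far());
	return 0;
}
```

The walk counter is the point of the model: with the module active at boot being Smack or AppArmor, producing the audit text touches no table at all, while the SELinux slot still pays for one lookup per decision, which is the cost the cover letter attributes to the secid design.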

https://github.com/cschaufler/lsm-stacking.git#lsmblob-6.11-rc3#lsmblob-6.11-rc3-v2

Revisions:

v2: Feedback on v1
    - Share common code in apparmor_*_to_secctx()
    - Remove stale review tags
    - Fix mistakes in comments

Casey Schaufler (13):
  LSM: Add the lsmblob data structure.
  LSM: Use lsmblob in security_audit_rule_match
  LSM: Add lsmblob_to_secctx hook
  Audit: maintain an lsmblob in audit_context
  LSM: Use lsmblob in security_ipc_getsecid
  Audit: Update shutdown LSM data
  LSM: Use lsmblob in security_current_getsecid
  LSM: Use lsmblob in security_inode_getsecid
  Audit: use an lsmblob in audit_names
  LSM: Create new security_cred_getlsmblob LSM hook
  Audit: Change context data from secid to lsmblob
  Netlabel: Use lsmblob for audit data
  LSM: Remove lsmblob scaffolding

 include/linux/lsm/apparmor.h          |  17 +++++
 include/linux/lsm/bpf.h               |  16 ++++
 include/linux/lsm/selinux.h           |  16 ++++
 include/linux/lsm/smack.h             |  17 +++++
 include/linux/lsm_hook_defs.h         |  20 +++--
 include/linux/security.h              |  90 ++++++++++++++++++----
 include/net/netlabel.h                |   2 +-
 kernel/audit.c                        |  21 +++---
 kernel/audit.h                        |   7 +-
 kernel/auditfilter.c                  |   9 ++-
 kernel/auditsc.c                      |  61 ++++++++-------
 net/netlabel/netlabel_unlabeled.c     |   2 +-
 net/netlabel/netlabel_user.c          |   7 +-
 net/netlabel/netlabel_user.h          |   2 +-
 security/apparmor/audit.c             |   4 +-
 security/apparmor/include/audit.h     |   2 +-
 security/apparmor/include/secid.h     |   2 +
 security/apparmor/lsm.c               |  17 +++--
 security/apparmor/secid.c             |  21 +++++-
 security/integrity/ima/ima.h          |   6 +-
 security/integrity/ima/ima_api.c      |   6 +-
 security/integrity/ima/ima_appraise.c |   6 +-
 security/integrity/ima/ima_main.c     |  60 +++++++--------
 security/integrity/ima/ima_policy.c   |  20 ++---
 security/security.c                   | 105 ++++++++++++++++++--------
 security/selinux/hooks.c              |  49 +++++++-----
 security/selinux/include/audit.h      |   5 +-
 security/selinux/ss/services.c        |   7 +-
 security/smack/smack_lsm.c            |  97 +++++++++++++++---------
 security/smack/smackfs.c              |   4 +-
 30 files changed, 471 insertions(+), 227 deletions(-)
 create mode 100644 include/linux/lsm/apparmor.h
 create mode 100644 include/linux/lsm/bpf.h
 create mode 100644 include/linux/lsm/selinux.h
 create mode 100644 include/linux/lsm/smack.h

-- 
2.46.0

