lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <d15ee1ccfb91bda67d248b3ec70f0475@paul-moore.com>
Date: Thu, 12 Sep 2024 21:29:54 -0400
From: Paul Moore <paul@...l-moore.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] lsm/lsm-pr-20240911

Linus,

We've got a reasonably large pull request for the LSM framework this
time (at least it's large for us), here are the highlights:

* Move the LSM framework to static calls

Based on some of our exchanges over the summer, it sounds like you
are already familiar with the effort to convert the LSM callbacks
from function pointers to static calls.  This pull request includes
that work and transitions the vast majority of the LSM callbacks into
static calls.  Those callbacks which haven't been converted were
left as-is due to the general ugliness of the changes required to
support the static call conversion; we can revisit those callbacks
at a future date.

It is worth mentioning that Tetsuo Handa is opposed to the static call
patches, some even carry his NACK, as they make it more difficult to
dynamically load out-of-tree LSMs, or unsupported LSMs on distro kernels.
Many of us have tried to explain that out-of-tree LSMs are not a
concern for the upstream LSM framework, or the Linux kernel in general,
and that decisions around what LSMs are enabled in distro kernels is
a distro issue, not an upstream issue, but unfortunately Tetsuo
continues to disregard these arguments.

* Add the Integrity Policy Enforcement (IPE) LSM

This pull request adds a new LSM, Integrity Policy Enforcement (IPE).
There is plenty of documentation about IPE in this patches, so I'll
refrain from going into too much detail here, but the basic motivation
behind IPE is to provide a mechanism such that administrators can
restrict execution to only those binaries which come from integrity
protected storage, e.g. a dm-verity protected filesystem.  You will
notice that IPE requires additional LSM hooks in the initramfs,
dm-verity, and fs-verity code, with the associated patches carrying
ACK/review tags from the associated maintainers.  We couldn't find an
obvious maintainer for the initramfs code, but the IPE patchset has
been widely posted over several years.

Both Deven Bowers and Fan Wu have contributed to IPE's development
over the past several years, with Fan Wu agreeing to serve as the IPE
maintainer moving forward.  Once IPE is accepted into your tree, I'll
start working with Fan to ensure he has the necessary accounts, keys,
etc. so that he can start submitting IPE pull requests to you directly
during the next merge window.

* Move the lifecycle management of the LSM blobs to the LSM framework

Management of the LSM blobs (the LSM state buffers attached to various
kernel structs, typically via a void pointer named "security" or similar)
has been mixed, some blobs were allocated/managed by individual LSMs,
others were managed by the LSM framework itself.  Starting with this
pull request we move management of all the LSM blobs, minus the XFRM
blob, into the framework itself, improving consistency across LSMs, and
reducing the amount of duplicated code across LSMs.  Due to some
additional work required to migrate the XFRM blob, it has been left as
a todo item for a later date; from a practical standpoint this omission
should have little impact as only SELinux provides a XFRM LSM
implementation.

* Fix problems with the LSM's handling of F_SETOWN

The LSM hook for the fcntl(F_SETOWN) operation had a couple of problems:
it was racy with itself, and it was disconnected from the associated DAC
related logic in such a way that the LSM state could be updated in cases
where the DAC state would not.  We fix both of these problems by moving
the security_file_set_fowner() hook into the same section of code where
the DAC attributes are updated.  Not only does this resolve the DAC/LSM
synchronization issue, but as that code block is protected by a lock, it
also resolve the race condition.

* Fix potential problems with the security_inode_free() LSM hook 

Due to use of RCU to protect inodes and the placement of the LSM hook
associated with freeing the inode, there is a bit of a challenge when
it comes to managing any LSM state associated with an inode.  The VFS
folks are not open to relocating the LSM hook so we have to get creative
when it comes to releasing an inode's LSM state.  Traditionally we have
used a single LSM callback within the hook that is triggered when the
inode is "marked for death", but not actually released due to RCU.
Unfortunately, this causes problems for LSMs which want to take an
action when the inode's associated LSM state is actually released; this
pull request adds an additional LSM callback, inode_free_security_rcu(),
that is called when the inode's LSM state is released in the RCU free
callback.

* Refactor two LSM hooks to better fit the LSM return value patterns

The vast majority of the LSM hooks follow the "return 0 on success,
negative values on failure" pattern, however, there are a small handful
that have unique return value behaviors which has caused confusion in the
past and makes it difficult for the BPF verifier to properly vet BPF LSM
programs.  This pull request includes patches to convert two of these
"special" LSM hooks to the common 0/-ERRNO pattern.

* Various cleanups and improvements

A handful of patches to remove redundant code, better leverage the
IS_ERR_OR_NULL() helper, add missing "static" markings, and do some minor
style fixups.

-Paul

--
The following changes since commit 8400291e289ee6b2bf9779ff1c83a291501f017b:

  Linux 6.11-rc1 (2024-07-28 14:19:55 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
    tags/lsm-pr-20240911

for you to fetch changes up to 19c9d55d72a9040cf9dc8de62633e6217381106b:

  security: Update file_set_fowner documentation
    (2024-09-09 12:30:51 -0400)

----------------------------------------------------------------
lsm/stable-6.12 PR 20240911
----------------------------------------------------------------

Casey Schaufler (6):
      lsm: infrastructure management of the sock security
      lsm: infrastructure management of the key security blob
      lsm: add helper for blob allocations
      lsm: infrastructure management of the dev_tun blob
      lsm: infrastructure management of the infiniband blob
      lsm: infrastructure management of the perf_event security blob

Deven Bowers (13):
      lsm: add IPE lsm
      ipe: add policy parser
      ipe: add evaluation loop
      ipe: add LSM hooks on execution and kernel read
      ipe: add userspace interface
      audit,ipe: add IPE auditing support
      ipe: add permissive toggle
      block,lsm: add LSM blob and new LSM hooks for block devices
      dm-verity: expose root hash digest and signature data to LSMs
      ipe: add support for dm-verity as a trust provider
      scripts: add boot policy generation program
      ipe: kunit test for parser
      documentation: add IPE documentation

Fan Wu (7):
      initramfs,lsm: add a security hook to do_populate_rootfs()
      ipe: introduce 'boot_verified' as a trust provider
      lsm: add new securityfs delete function
      lsm: add security_inode_setintegrity() hook
      fsverity: expose verified fsverity built-in signatures to LSMs
      ipe: enable support for fs-verity as a trust provider
      MAINTAINERS: add IPE entry with Fan Wu as maintainer

Hongbo Li (1):
      lsm: Use IS_ERR_OR_NULL() helper function

KP Singh (4):
      init/main.c: Initialize early LSMs after arch code, static keys
         and calls.
      kernel: Add helper macros for loop unrolling
      lsm: count the LSMs enabled at compile time
      lsm: replace indirect LSM hook calls with static calls

Mickaël Salaün (2):
      fs: Fix file_set_fowner LSM hook inconsistencies
      security: Update file_set_fowner documentation

Paul Moore (2):
      lsm: cleanup lsm_hooks.h
      lsm: add the inode_free_security_rcu() LSM implementation hook

Tetsuo Handa (1):
      lsm: remove LSM_COUNT and LSM_CONFIG_COUNT

Xu Kuohai (2):
      lsm: Refactor return value of LSM hook vm_enough_memory
      lsm: Refactor return value of LSM hook inode_copy_up_xattr

Yang Li (1):
      ipe: Remove duplicated include in ipe.c

Yue Haibing (1):
      lockdown: Make lockdown_lsmid static

 Documentation/admin-guide/LSM/index.rst             |    1 
 Documentation/admin-guide/LSM/ipe.rst               |  790 ++++++++++++
 Documentation/admin-guide/kernel-parameters.txt     |   12 
 Documentation/filesystems/fsverity.rst              |   27 
 Documentation/security/index.rst                    |    1 
 Documentation/security/ipe.rst                      |  446 ++++++
 MAINTAINERS                                         |   10 
 block/bdev.c                                        |    7 
 drivers/md/dm-verity-target.c                       |  118 +
 drivers/md/dm-verity.h                              |    4 
 fs/fcntl.c                                          |   14 
 fs/overlayfs/copy_up.c                              |    6 
 fs/verity/signature.c                               |   18 
 include/linux/args.h                                |    6 
 include/linux/blk_types.h                           |    3 
 include/linux/lsm_count.h                           |  135 ++
 include/linux/lsm_hook_defs.h                       |   20 
 include/linux/lsm_hooks.h                           |  129 +
 include/linux/security.h                            |   55 
 include/linux/unroll.h                              |   36 
 include/uapi/linux/audit.h                          |    3 
 include/uapi/linux/lsm.h                            |    1 
 init/initramfs.c                                    |    3 
 init/main.c                                         |    6 
 scripts/Makefile                                    |    1 
 scripts/ipe/Makefile                                |    2 
 scripts/ipe/polgen/.gitignore                       |    2 
 scripts/ipe/polgen/Makefile                         |    5 
 scripts/ipe/polgen/polgen.c                         |  145 ++
 security/Kconfig                                    |   11 
 security/Makefile                                   |    1 
 security/apparmor/include/net.h                     |    3 
 security/apparmor/lsm.c                             |   17 
 security/apparmor/net.c                             |    2 
 security/commoncap.c                                |   11 
 security/inode.c                                    |   27 
 security/integrity/evm/evm_main.c                   |    2 
 security/integrity/ima/ima.h                        |    2 
 security/integrity/ima/ima_iint.c                   |   20 
 security/integrity/ima/ima_main.c                   |    2 
 security/ipe/.gitignore                             |    2 
 security/ipe/Kconfig                                |   97 +
 security/ipe/Makefile                               |   31 
 security/ipe/audit.c                                |  292 ++++
 security/ipe/audit.h                                |   19 
 security/ipe/digest.c                               |  118 +
 security/ipe/digest.h                               |   26 
 security/ipe/eval.c                                 |  393 +++++
 security/ipe/eval.h                                 |   70 +
 security/ipe/fs.c                                   |  247 +++
 security/ipe/fs.h                                   |   16 
 security/ipe/hooks.c                                |  314 ++++
 security/ipe/hooks.h                                |   52 
 security/ipe/ipe.c                                  |   98 +
 security/ipe/ipe.h                                  |   26 
 security/ipe/policy.c                               |  227 +++
 security/ipe/policy.h                               |   98 +
 security/ipe/policy_fs.c                            |  472 +++++++
 security/ipe/policy_parser.c                        |  559 ++++++++
 security/ipe/policy_parser.h                        |   11 
 security/ipe/policy_tests.c                         |  296 ++++
 security/landlock/fs.c                              |    9 
 security/lockdown/lockdown.c                        |    2 
 security/security.c                                 |  615 ++++++---
 security/selinux/hooks.c                            |  176 --
 security/selinux/include/objsec.h                   |   28 
 security/selinux/netlabel.c                         |   23 
 security/smack/smack.h                              |   12 
 security/smack/smack_lsm.c                          |  107 -
 security/smack/smack_netfilter.c                    |    4 
 tools/testing/selftests/lsm/lsm_list_modules_test.c |    3 
 71 files changed, 6063 insertions(+), 484 deletions(-)

--
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ