[25/25] LSM: Prevent stacking of incompatible modules
diff mbox

Message ID 1c7a75c3-9de7-8da4-7c49-dc58a848e858@schaufler-ca.com
State New
Headers show

Commit Message

Casey Schaufler Aug. 13, 2016, 8:38 p.m. UTC
Subject: [PATCH 25/25] LSM: Prevent stacking of incompatible modules

The previous model for selecting security modules to stack allows
for selecting SELinux and Smack together. There are several reasons
that these two modules can't share the stack. Until those issues
are resolved stacking them together must be prevented.

When stacking is selected the modules to add to the stack are
selected. There is a special menu from selecting between SELinux,
Smack or neither. When stacking is not selected there is a menu
to select the default module which looks a little different than
before, but which works the same.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/Kconfig          | 76 +++++++++++++++++++++++++++++++++++++++++++++--
 security/apparmor/Kconfig | 13 --------
 security/security.c       | 20 ++++++-------
 security/selinux/Kconfig  | 13 --------
 security/smack/Kconfig    | 13 --------
 security/tomoyo/Kconfig   | 13 --------
 6 files changed, 84 insertions(+), 64 deletions(-)

Patch
diff mbox

diff --git a/security/Kconfig b/security/Kconfig
index 77a3b83..fadc034 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -40,7 +40,7 @@  config SECURITY_STACKING
 	  "bail on fail" policy, in which the infrastructure
 	  will stop processing once a denial is detected. Not
 	  all modules can be stacked. SELinux and Smack are
-	  known to be incompatable. User space components may
+	  known to be incompatible. User space components may
 	  have trouble identifying the security module providing
 	  data in some cases.
 
@@ -53,7 +53,7 @@  config SECURITY_STACKING
 
 	  If you are unsure how to answer this question, answer N.
 
-config SECURITY_STACKING_DEBUG
+config SECURITY_LSM_DEBUG
 	bool "Enable debugging of the LSM infrastructure"
 	depends on SECURITY
 	help
@@ -158,6 +158,9 @@  source security/yama/Kconfig
 
 source security/integrity/Kconfig
 
+menu "Security Module Selection"
+	visible if !SECURITY_STACKING
+
 choice
 	prompt "Default security module"
 	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
@@ -197,3 +200,72 @@  config DEFAULT_SECURITY
 
 endmenu
 
+menu "Security Module Stack"
+	visible if SECURITY_STACKING
+
+choice
+	prompt "Stacked 'extreme' security module"
+	default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
+	default SECURITY_SMACK_STACKED if SECURITY_SMACK
+
+	help
+	  Enable an extreme security module. These modules cannot
+	  be used at the same time.
+
+	config SECURITY_SELINUX_STACKED
+		bool "SELinux" if SECURITY_SELINUX=y
+	help
+	  Add the SELinux security module to the stack. At this
+	  time the Smack security module is incompatible with this
+	  module.
+	  Please be sure your user space code is accomodating of
+	  this security module.
+
+	config SECURITY_SMACK_STACKED
+		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+	help
+	  Add the Smack security module to the stack. At this
+	  time the SELinux security module is incompatible with this
+	  module.
+	  Please be sure your user space code is accomodating of
+	  this security module.
+
+	config SECURITY_NOTHING_STACKED
+		bool "Use no 'extreme' security module"
+	help
+	  Add neither the SELinux security module nor the Smack security
+	  module to the stack.
+	  Please be sure your user space code does not require either of
+	  these security modules.
+
+endchoice
+
+config SECURITY_TOMOYO_STACKED
+	bool "TOMOYO support is enabled by default"
+	depends on SECURITY_TOMOYO && SECURITY_STACKING
+	default n
+	help
+	  This option instructs the system to use the TOMOYO checks.
+	  If not selected the module will not be invoked.
+	  Stacked security modules may interact in unexpected ways.
+	  Please be sure your user space code is accomodating of
+	  multiple security modules.
+
+	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_APPARMOR_STACKED
+	bool "AppArmor support is enabled by default"
+	depends on SECURITY_APPARMOR && SECURITY_STACKING
+	default n
+	help
+	  This option instructs the system to use the AppArmor checks.
+	  If not selected the module will not be invoked.
+	  Stacked security modules may interact in unexpected ways.
+	  Please be sure your user space code is accomodating of
+	  multiple security modules.
+
+	  If you are unsure how to answer this question, answer N.
+
+endmenu
+
+endmenu
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 8012bb3..be5e941 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -14,19 +14,6 @@  config SECURITY_APPARMOR
 
 	  If you are unsure how to answer this question, answer N.
 
-config SECURITY_APPARMOR_STACKED
-	bool "AppArmor support is enabled by default"
-	depends on SECURITY_APPARMOR && SECURITY_STACKING
-	default n
-	help
-	  This option instructs the system to use the AppArmor checks.
-	  If not selected the module will not be invoked.
-	  Stacked security modules may interact in unexpected ways.
-	  Please be sure your user space code is accomodating of
-	  multiple security modules.
-
-	  If you are unsure how to answer this question, answer N.
-
 config SECURITY_APPARMOR_BOOTPARAM_VALUE
 	int "AppArmor boot parameter default value"
 	depends on SECURITY_APPARMOR
diff --git a/security/security.c b/security/security.c
index dc7506e..ace4a15 100644
--- a/security/security.c
+++ b/security/security.c
@@ -85,7 +85,7 @@  int __init security_init(void)
 	 */
 	do_security_initcalls();
 
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	pr_info("LSM: cred blob size       = %d\n", blob_sizes.lbs_cred);
 	pr_info("LSM: file blob size       = %d\n", blob_sizes.lbs_file);
 	pr_info("LSM: inode blob size      = %d\n", blob_sizes.lbs_inode);
@@ -96,7 +96,7 @@  int __init security_init(void)
 	pr_info("LSM: msg_msg blob size    = %d\n", blob_sizes.lbs_msg_msg);
 	pr_info("LSM: sock blob size       = %d\n", blob_sizes.lbs_sock);
 	pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
-#endif /* CONFIG_SECURITY_STACKING_DEBUG */
+#endif /* CONFIG_SECURITY_LSM_DEBUG */
 
 	return 0;
 }
@@ -195,7 +195,7 @@  void __init security_add_hooks(struct security_hook_list *hooks, int count,
  */
 int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (cred->security)
 		pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
 #endif
@@ -251,7 +251,7 @@  void __init security_add_blobs(struct lsm_blob_sizes *needed)
  */
 int lsm_file_alloc(struct file *file)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (file->f_security)
 		pr_info("%s: Inbound file blob is not NULL.\n", __func__);
 #endif
@@ -274,7 +274,7 @@  int lsm_file_alloc(struct file *file)
  */
 int lsm_inode_alloc(struct inode *inode)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (inode->i_security)
 		pr_info("%s: Inbound inode blob is not NULL.\n", __func__);
 #endif
@@ -297,7 +297,7 @@  int lsm_inode_alloc(struct inode *inode)
  */
 int lsm_ipc_alloc(struct kern_ipc_perm *kip)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (kip->security)
 		pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
 #endif
@@ -321,7 +321,7 @@  int lsm_ipc_alloc(struct kern_ipc_perm *kip)
  */
 int lsm_key_alloc(struct key *key)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (key->security)
 		pr_info("%s: Inbound key blob is not NULL.\n", __func__);
 #endif
@@ -345,7 +345,7 @@  int lsm_key_alloc(struct key *key)
  */
 int lsm_msg_msg_alloc(struct msg_msg *mp)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (mp->security)
 		pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
 #endif
@@ -369,7 +369,7 @@  int lsm_msg_msg_alloc(struct msg_msg *mp)
  */
 int lsm_sock_alloc(struct sock *sock, gfp_t priority)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (sock->sk_security)
 		pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
 #endif
@@ -392,7 +392,7 @@  int lsm_sock_alloc(struct sock *sock, gfp_t priority)
  */
 int lsm_superblock_alloc(struct super_block *sb)
 {
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
 	if (sb->s_security)
 		pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
 #endif
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 35a20dd..8691e92 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -8,19 +8,6 @@  config SECURITY_SELINUX
 	  You will also need a policy configuration and a labeled filesystem.
 	  If you are unsure how to answer this question, answer N.
 
-config SECURITY_SELINUX_STACKED
-	bool "NSA SELinux Support is enabled by default"
-	depends on SECURITY_SELINUX && SECURITY_STACKING
-	default n
-	help
-	  This option instructs the system to use the SELinux checks.
-	  If not selected the module will not be invoked.
-	  Stacked security modules may interact in unexpected ways.
-	  Please be sure your user space code is accomodating of
-	  multiple security modules.
-
-	  If you are unsure how to answer this question, answer N.
-
 config SECURITY_SELINUX_BOOTPARAM
 	bool "NSA SELinux boot parameter"
 	depends on SECURITY_SELINUX
diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index 362a865..271adae 100644
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -12,19 +12,6 @@  config SECURITY_SMACK
 	  of other mandatory security schemes.
 	  If you are unsure how to answer this question, answer N.
 
-config SECURITY_SMACK_STACKED
-	bool "Smack support is enabled by default"
-	depends on SECURITY_SMACK && SECURITY_STACKING
-	default n
-	help
-	  This option instructs the system to use the Smack checks.
-	  If not selected the module will not be invoked.
-	  Stacked security modules may interact in unexpected ways.
-	  Please be sure your user space code is accomodating of
-	  multiple security modules.
-
-	  If you are unsure how to answer this question, answer N.
-
 config SECURITY_SMACK_BRINGUP
 	bool "Reporting on access granted by Smack rules"
 	depends on SECURITY_SMACK
diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig
index 746e8c4..404dce6 100644
--- a/security/tomoyo/Kconfig
+++ b/security/tomoyo/Kconfig
@@ -14,19 +14,6 @@  config SECURITY_TOMOYO
 	  found at <http://tomoyo.sourceforge.jp/>.
 	  If you are unsure how to answer this question, answer N.
 
-config SECURITY_TOMOYO_STACKED
-	bool "TOMOYO support is enabled by default"
-	depends on SECURITY_TOMOYO && SECURITY_STACKING
-	default n
-	help
-	  This option instructs the system to use the TOMOYO checks.
-	  If not selected the module will not be invoked.
-	  Stacked security modules may interact in unexpected ways.
-	  Please be sure your user space code is accomodating of
-	  multiple security modules.
-
-	  If you are unsure how to answer this question, answer N.
-
 config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
 	int "Default maximal count for learning mode"
 	default 2048