From patchwork Sat Aug 13 20:38:29 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9279371
Subject: [PATCH 25/25] LSM: Prevent stacking of incompatible modules
To: LSM, James Morris
References: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>
Cc: John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley
From: Casey Schaufler
Message-ID: <1c7a75c3-9de7-8da4-7c49-dc58a848e858@schaufler-ca.com>
Date: Sat, 13 Aug 2016 13:38:29 -0700
In-Reply-To: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>

The previous model for selecting security modules to stack allows for selecting SELinux and Smack together. There are several reasons that these two modules can't share the stack. Until those issues are resolved stacking them together must be prevented.

When stacking is selected the modules to add to the stack are selected. There is a special menu for selecting between SELinux, Smack or neither. When stacking is not selected there is a menu to select the default module which looks a little different than before, but which works the same.

Signed-off-by: Casey Schaufler

--- security/Kconfig | 76 +++++++++++++++++++++++++++++++++++++++++++++-- security/apparmor/Kconfig | 13 -------- security/security.c | 20 ++++++------- security/selinux/Kconfig | 13 -------- security/smack/Kconfig | 13 -------- security/tomoyo/Kconfig | 13 -------- 6 files changed, 84 insertions(+), 64 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index 77a3b83..fadc034 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -40,7 +40,7 @@ config SECURITY_STACKING "bail on fail" policy, in which the infrastructure will stop processing once a denial is detected. Not all modules can be stacked. SELinux and Smack are - known to be incompatable. User space components may + known to be incompatible. User space components may have trouble identifying the security module providing data in some cases. 
@@ -53,7 +53,7 @@ config SECURITY_STACKING If you are unsure how to answer this question, answer N. -config SECURITY_STACKING_DEBUG +config SECURITY_LSM_DEBUG bool "Enable debugging of the LSM infrastructure" depends on SECURITY help @@ -158,6 +158,9 @@ source security/yama/Kconfig source security/integrity/Kconfig +menu "Security Module Selection" + visible if !SECURITY_STACKING + choice prompt "Default security module" default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 
@@ -197,3 +200,72 @@ config DEFAULT_SECURITY endmenu +menu "Security Module Stack" + visible if SECURITY_STACKING + +choice + prompt "Stacked 'extreme' security module" + default SECURITY_SELINUX_STACKED if SECURITY_SELINUX + default SECURITY_SMACK_STACKED if SECURITY_SMACK + + help + Enable an extreme security module. These modules cannot + be used at the same time. + + config SECURITY_SELINUX_STACKED + bool "SELinux" if SECURITY_SELINUX=y + help + Add the SELinux security module to the stack. At this + time the Smack security module is incompatible with this + module. + Please be sure your user space code is accomodating of + this security module. + + config SECURITY_SMACK_STACKED + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y + help + Add the Smack security module to the stack. At this + time the SELinux security module is incompatible with this + module. + Please be sure your user space code is accomodating of + this security module. + + config SECURITY_NOTHING_STACKED + bool "Use no 'extreme' security module" + help + Add neither the SELinux security module nor the Smack security + module to the stack. + Please be sure your user space code does not require either of + these security modules. + +endchoice + +config SECURITY_TOMOYO_STACKED + bool "TOMOYO support is enabled by default" + depends on SECURITY_TOMOYO && SECURITY_STACKING + default n + help + This option instructs the system to use the TOMOYO checks. + If not selected the module will not be invoked. + Stacked security modules may interact in unexpected ways. + Please be sure your user space code is accomodating of + multiple security modules. + + If you are unsure how to answer this question, answer N. + +config SECURITY_APPARMOR_STACKED + bool "AppArmor support is enabled by default" + depends on SECURITY_APPARMOR && SECURITY_STACKING + default n + help + This option instructs the system to use the AppArmor checks. + If not selected the module will not be invoked. 
+ Stacked security modules may interact in unexpected ways. + Please be sure your user space code is accomodating of + multiple security modules. + + If you are unsure how to answer this question, answer N. + +endmenu + +endmenu diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index 8012bb3..be5e941 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig @@ -14,19 +14,6 @@ config SECURITY_APPARMOR If you are unsure how to answer this question, answer N. -config SECURITY_APPARMOR_STACKED - bool "AppArmor support is enabled by default" - depends on SECURITY_APPARMOR && SECURITY_STACKING - default n - help - This option instructs the system to use the AppArmor checks. - If not selected the module will not be invoked. - Stacked security modules may interact in unexpected ways. - Please be sure your user space code is accomodating of - multiple security modules. - - If you are unsure how to answer this question, answer N. - config SECURITY_APPARMOR_BOOTPARAM_VALUE int "AppArmor boot parameter default value" depends on SECURITY_APPARMOR diff --git a/security/security.c b/security/security.c index dc7506e..ace4a15 100644 --- a/security/security.c +++ b/security/security.c @@ -85,7 +85,7 @@ int __init security_init(void) */ do_security_initcalls(); -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode); @@ -96,7 +96,7 @@ int __init security_init(void) pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock); pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock); -#endif /* CONFIG_SECURITY_STACKING_DEBUG */ +#endif /* CONFIG_SECURITY_LSM_DEBUG */ return 0; } 
@@ -195,7 +195,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, */ int lsm_cred_alloc(struct cred *cred, gfp_t gfp) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (cred->security) pr_info("%s: Inbound cred blob is not NULL.\n", __func__); #endif @@ -251,7 +251,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) */ int lsm_file_alloc(struct file *file) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (file->f_security) pr_info("%s: Inbound file blob is not NULL.\n", __func__); #endif @@ -274,7 +274,7 @@ int lsm_file_alloc(struct file *file) */ int lsm_inode_alloc(struct inode *inode) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (inode->i_security) pr_info("%s: Inbound inode blob is not NULL.\n", __func__); #endif @@ -297,7 +297,7 @@ int lsm_inode_alloc(struct inode *inode) */ int lsm_ipc_alloc(struct kern_ipc_perm *kip) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (kip->security) pr_info("%s: Inbound ipc blob is not NULL.\n", __func__); #endif @@ -321,7 +321,7 @@ int lsm_ipc_alloc(struct kern_ipc_perm *kip) */ int lsm_key_alloc(struct key *key) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (key->security) pr_info("%s: Inbound key blob is not NULL.\n", __func__); #endif @@ -345,7 +345,7 @@ int lsm_key_alloc(struct key *key) */ int lsm_msg_msg_alloc(struct msg_msg *mp) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (mp->security) pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__); #endif @@ -369,7 +369,7 @@ int lsm_msg_msg_alloc(struct msg_msg *mp) */ int lsm_sock_alloc(struct sock *sock, gfp_t priority) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (sock->sk_security) pr_info("%s: Inbound sock blob is not NULL.\n", __func__); #endif 
@@ -392,7 +392,7 @@ int lsm_sock_alloc(struct sock *sock, gfp_t priority) */ int lsm_superblock_alloc(struct super_block *sb) { -#ifdef CONFIG_SECURITY_STACKING_DEBUG +#ifdef CONFIG_SECURITY_LSM_DEBUG if (sb->s_security) pr_info("%s: Inbound superblock blob is not NULL.\n", __func__); #endif diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 35a20dd..8691e92 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -8,19 +8,6 @@ config SECURITY_SELINUX You will also need a policy configuration and a labeled filesystem. If you are unsure how to answer this question, answer N. -config SECURITY_SELINUX_STACKED - bool "NSA SELinux Support is enabled by default" - depends on SECURITY_SELINUX && SECURITY_STACKING - default n - help - This option instructs the system to use the SELinux checks. - If not selected the module will not be invoked. - Stacked security modules may interact in unexpected ways. - Please be sure your user space code is accomodating of - multiple security modules. - - If you are unsure how to answer this question, answer N. - config SECURITY_SELINUX_BOOTPARAM bool "NSA SELinux boot parameter" depends on SECURITY_SELINUX diff --git a/security/smack/Kconfig b/security/smack/Kconfig index 362a865..271adae 100644 --- a/security/smack/Kconfig +++ b/security/smack/Kconfig 
@@ -12,19 +12,6 @@ config SECURITY_SMACK of other mandatory security schemes. If you are unsure how to answer this question, answer N. -config SECURITY_SMACK_STACKED - bool "Smack support is enabled by default" - depends on SECURITY_SMACK && SECURITY_STACKING - default n - help - This option instructs the system to use the Smack checks. - If not selected the module will not be invoked. - Stacked security modules may interact in unexpected ways. - Please be sure your user space code is accomodating of - multiple security modules. - - If you are unsure how to answer this question, answer N. - config SECURITY_SMACK_BRINGUP bool "Reporting on access granted by Smack rules" depends on SECURITY_SMACK diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig index 746e8c4..404dce6 100644 --- a/security/tomoyo/Kconfig +++ b/security/tomoyo/Kconfig @@ -14,19 +14,6 @@ config SECURITY_TOMOYO found at . If you are unsure how to answer this question, answer N. -config SECURITY_TOMOYO_STACKED - bool "TOMOYO support is enabled by default" - depends on SECURITY_TOMOYO && SECURITY_STACKING - default n - help - This option instructs the system to use the TOMOYO checks. - If not selected the module will not be invoked. - Stacked security modules may interact in unexpected ways. - Please be sure your user space code is accomodating of - multiple security modules. - - If you are unsure how to answer this question, answer N. - config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY int "Default maximal count for learning mode" default 2048
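
Review bot: The rename of SECURITY_STACKING_DEBUG to SECURITY_LSM_DEBUG, in the security/Kconfig hunk at -53,7 and in every `#ifdef` touched in security/security.c, is not mentioned in the commit message and is unrelated to keeping SELinux and Smack off the same stack. A .config that sets CONFIG_SECURITY_STACKING_DEBUG=y will not carry over to the new symbol, so the blob-size and "Inbound ... blob is not NULL" messages go away until the new option is set. Suggest splitting the rename into its own patch, or at least describing it in the changelog.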
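
Review bot: `visible if !SECURITY_STACKING` on the new "Security Module Selection" menu (security/Kconfig hunk at -158,6) hides the prompts but is not a dependency, so with stacking enabled the "Default security module" choice simply becomes invisible. Neither the changelog nor the hunk says what DEFAULT_SECURITY is expected to resolve to in that configuration. Please state the intended value in the commit message or in the help text so the stacked case is not left to Kconfig's handling of an invisible choice.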
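
Review bot: The choice entries SECURITY_SELINUX_STACKED and SECURITY_SMACK_STACKED in the new "Security Module Stack" menu (security/Kconfig hunk at -197,3) no longer carry `depends on ... && SECURITY_STACKING`, while SECURITY_TOMOYO_STACKED and SECURITY_APPARMOR_STACKED in the same menu keep it. The only thing tying the two choice entries to stacking is the menu's `visible if SECURITY_STACKING`, which controls prompts rather than dependencies; an explicit `depends on SECURITY_STACKING` on the choice would make the intent unambiguous and match the other entries. Two smaller points in the same hunk: the help text never says what an 'extreme' module is or why SELinux and Smack cannot share the stack (the changelog only says "several reasons"), and the added help text repeats the misspelling "accomodating" even though this patch fixes "incompatable" a few hunks earlier.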
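
Review bot: The SECURITY_SELINUX_STACKED and SECURITY_SMACK_STACKED entries removed from security/selinux/Kconfig and security/smack/Kconfig were `default n`, but their replacements in security/Kconfig are selected through `default SECURITY_SELINUX_STACKED if SECURITY_SELINUX` and `default SECURITY_SMACK_STACKED if SECURITY_SMACK`. That turns an opt-in into an opt-out: with stacking enabled and SELinux built, SELinux now joins the stack unless the user picks otherwise, and SELinux wins when both modules are built. The removed help text also carried "Stacked security modules may interact in unexpected ways" and "If you are unsure how to answer this question, answer N", neither of which appears on the replacement entries. If the default change is intended, please say so in the changelog; otherwise default the choice to SECURITY_NOTHING_STACKED.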