Message ID | 20231215221636.105680-1-casey@schaufler-ca.com (mailing list archive)
---|---
Series | LSM: General module stacking
On 12/15/23 14:15, Casey Schaufler wrote:
> This patchset provides the changes required to allow arbitrary
> combination of all the existing Linux Security Modules (LSM).
> It does not provide for all possible configurations of all of
> co-existing modules. It does not ensure that the enforcement
> of policy provided by one module does not interfere with the
> behavior of another module.
>
> The bulk of the code change is in support of the audit system.
> Because subjects and objects may have multiple LSM specific
> attributes that are used to make access control decisions it
> was necessary to enhance the audit system to report these
> security attributes. Separate audit records have been added
> to include the additional information for each of the audit
> event subject and object. Providing the required security
> information using 32-bit secids was no longer sufficient. A
> new structure, lsmblob, has been introduced to include the
> data for all relevant modules.
>
> The lsmblob structure has an entry for each of the modules
> that has used secids. Each module provides a structure of
> its own which contains the information it uses. For SELinux
> this is a u32 secid. Smack provides a pointer into the label
> list. Modules that are not configured use conditional compilation
> to have empty structures.
>
> Because audit records may need to include the text representation
> of more than one module's security attributes (commonly referred
> to as the "security context") the interfaces that convert the
> lsmblob into a text representation need to identify which module
> provided the text. A structure lsmcontext has been added that
> contains the text, its length and the identifier of the module
> that created it.
>
> Security attributes for network facilities have provided certain
> challenges. The security information allowed in socket buffers
> and secmarks is limited to a single u32 secid, and there is no
> indication that this will ever be allowed to change. The netlabel
> subsystem, which provides CIPSO and CALIPSO labeling on internet
> packets, supports only one IP packet option at a time. Labeled
> NFS3 also supports only one security module. The existing modules
> have been updated to accept that they may not have access to
> these networking security attributes. The first module to
> register that uses them is given exclusive access.
>
> The issue of multiple modules using the /proc/.../attr interfaces
> has been largely addressed for some time by the inclusion of module
> specific sub-directories. Applications should be using these except
> for the case of SELinux.
>
> Patch 0001 removes an interface dependency on audit from IMA.
> Patch 0002 moves management of socket security blobs out of the
> modules and into the LSM infrastructure.
> Patch 0003 introduces the lsmblob structure.
> Patch 0004 introduces a mechanism for the IMA mechanisms to handle
> the possibility of multiple modules that use attributes.
> Patches 0005-0015 add new interfaces and change existing interfaces
> to use the lsmblob to represent security data.
> Patches 0016-0021 replace the use of string and length pairs to
> use a "security context" with an lsmcontext structure.
> Patches 0022-0026 implement audit records describing the multiple
> security attributes on subjects and objects.
> Patch 0027 removes scaffolding code used in support of lsmcontext.
> Patches 0028-0030 optimize LSM hooks for the networking single
> module user case.
> Patch 0031 implements a mechanism to reserve use of network secmarks.
> Patch 0032 limits security_secctx_to_secid() to a single module.
> Patch 0033 removes the exclusive tag from AppArmor.
> Patches 0034-0035 add mount operation security blobs.
> Patch 0036 moves management of key security blobs out of the
> modules and into the LSM infrastructure.
> Patch 0037 enables management of mount operation security blobs
> in the modules.
> Patches 0038-0039 remove scaffolding for lsmblobs.
> Patch 0040 implements a mechanism to reserve use of netlabel.
> Patch 0041 restricts a hook used only by binder to a single module.
> Patch 0042 removes the exclusive tag from Smack.
>
> https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b

This is now in testing on the Ubuntu Unstable 6.8 based kernels
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable
and if all goes well will get rolled out to the noble (24.04) -proposed
kernels for broader testing soon.

> Casey Schaufler (42):
>   integrity: disassociate ima_filter_rule from security_audit_rule
>   LSM: Infrastructure management of the sock security
>   LSM: Add the lsmblob data structure.
>   IMA: avoid label collisions with stacked LSMs
>   LSM: Use lsmblob in security_audit_rule_match
>   LSM: Add lsmblob_to_secctx hook
>   Audit: maintain an lsmblob in audit_context
>   LSM: Use lsmblob in security_ipc_getsecid
>   Audit: Update shutdown LSM data
>   LSM: Use lsmblob in security_current_getsecid
>   LSM: Use lsmblob in security_inode_getsecid
>   Audit: use an lsmblob in audit_names
>   LSM: Create new security_cred_getlsmblob LSM hook
>   Audit: Change context data from secid to lsmblob
>   Netlabel: Use lsmblob for audit data
>   LSM: Ensure the correct LSM context releaser
>   LSM: Use lsmcontext in security_secid_to_secctx
>   LSM: Use lsmcontext in security_lsmblob_to_secctx
>   LSM: Use lsmcontext in security_inode_getsecctx
>   LSM: Use lsmcontext in security_dentry_init_security
>   LSM: security_lsmblob_to_secctx module selection
>   Audit: Create audit_stamp structure
>   Audit: Allow multiple records in an audit_buffer
>   Audit: Add record for multiple task security contexts
>   audit: multiple subject lsm values for netlabel
>   Audit: Add record for multiple object contexts
>   LSM: Remove unused lsmcontext_init()
>   LSM: Improve logic in security_getprocattr
>   LSM: secctx provider check on release
>   LSM: Single calls in socket_getpeersec hooks
>   LSM: Exclusive secmark usage
>   LSM: Identify which LSM handles the context string
>   AppArmor: Remove the exclusive flag
>   LSM: Add mount opts blob size tracking
>   LSM: allocate mnt_opts blobs instead of module specific data
>   LSM: Infrastructure management of the key security blob
>   LSM: Infrastructure management of the mnt_opts security blob
>   LSM: Correct handling of ENOSYS in inode_setxattr
>   LSM: Remove lsmblob scaffolding
>   LSM: Allow reservation of netlabel
>   LSM: restrict security_cred_getsecid() to a single LSM
>   Smack: Remove LSM_FLAG_EXCLUSIVE
>
>  Documentation/ABI/testing/ima_policy    |   8 +-
>  drivers/android/binder.c                |  25 +-
>  fs/ceph/super.h                         |   3 +-
>  fs/ceph/xattr.c                         |  15 +-
>  fs/fuse/dir.c                           |  35 +-
>  fs/nfs/dir.c                            |   2 +-
>  fs/nfs/inode.c                          |  17 +-
>  fs/nfs/internal.h                       |   8 +-
>  fs/nfs/nfs4proc.c                       |  16 +-
>  fs/nfs/nfs4xdr.c                        |  22 +-
>  fs/nfsd/nfs4xdr.c                       |  21 +-
>  include/linux/audit.h                   |  13 +
>  include/linux/lsm/apparmor.h            |  17 +
>  include/linux/lsm/bpf.h                 |  16 +
>  include/linux/lsm/selinux.h             |  16 +
>  include/linux/lsm/smack.h               |  17 +
>  include/linux/lsm_hook_defs.h           |  35 +-
>  include/linux/lsm_hooks.h               |   8 +
>  include/linux/nfs4.h                    |   8 +-
>  include/linux/nfs_fs.h                  |   2 +-
>  include/linux/security.h                | 158 +++++++--
>  include/net/netlabel.h                  |   2 +-
>  include/net/scm.h                       |  12 +-
>  include/uapi/linux/audit.h              |   2 +
>  kernel/audit.c                          | 269 +++++++++++----
>  kernel/audit.h                          |  20 +-
>  kernel/auditfilter.c                    |   9 +-
>  kernel/auditsc.c                        | 142 +++-----
>  net/ipv4/ip_sockglue.c                  |  12 +-
>  net/netfilter/nf_conntrack_netlink.c    |  16 +-
>  net/netfilter/nf_conntrack_standalone.c |  11 +-
>  net/netfilter/nfnetlink_queue.c         |  22 +-
>  net/netlabel/netlabel_unlabeled.c       |  46 ++-
>  net/netlabel/netlabel_user.c            |  10 +-
>  net/netlabel/netlabel_user.h            |   2 +-
>  security/apparmor/audit.c               |  19 +-
>  security/apparmor/include/audit.h       |   8 +-
>  security/apparmor/include/net.h         |   8 +-
>  security/apparmor/include/secid.h       |   5 +-
>  security/apparmor/lsm.c                 |  65 +---
>  security/apparmor/net.c                 |   2 +-
>  security/apparmor/secid.c               |  52 ++-
>  security/bpf/hooks.c                    |   1 +
>  security/integrity/ima/ima.h            |  32 +-
>  security/integrity/ima/ima_api.c        |   6 +-
>  security/integrity/ima/ima_appraise.c   |   6 +-
>  security/integrity/ima/ima_main.c       |  60 ++--
>  security/integrity/ima/ima_policy.c     |  91 +++++-
>  security/security.c                     | 415 ++++++++++++++++++------
>  security/selinux/hooks.c                | 285 +++++++++-------
>  security/selinux/include/audit.h        |  13 +-
>  security/selinux/include/netlabel.h     |   5 +
>  security/selinux/include/objsec.h       |  12 +
>  security/selinux/netlabel.c             |  27 +-
>  security/selinux/ss/services.c          |  20 +-
>  security/smack/smack.h                  |  22 ++
>  security/smack/smack_lsm.c              | 347 ++++++++++++-------
>  security/smack/smack_netfilter.c        |  12 +-
>  security/smack/smackfs.c                |  24 +-
>  59 files changed, 1691 insertions(+), 883 deletions(-)
>  create mode 100644 include/linux/lsm/apparmor.h
>  create mode 100644 include/linux/lsm/bpf.h
>  create mode 100644 include/linux/lsm/selinux.h
>  create mode 100644 include/linux/lsm/smack.h
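The lsmblob and lsmcontext design the quoted cover letter describes, as an added user-space C model (not code from the patchset or the kernel): one blob member per module that compiles away when the module is not configured, a context carrying the identifier of the module that produced its text, and a release that refuses a caller naming a different module. The LSM_ID_* values, member names and the constructed "u:secid:N" text are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Config stand-ins: undefine one and its blob member compiles away (empty struct, a gcc extension). */
#define CONFIG_SECURITY_SELINUX 1
#define CONFIG_SECURITY_SMACK 1
struct selinux_lsmblob {
#ifdef CONFIG_SECURITY_SELINUX
    unsigned int secid;      /* SELinux keeps a u32 secid */
#endif
};
struct smack_lsmblob {
#ifdef CONFIG_SECURITY_SMACK
    const char *label;       /* stands in for Smack's pointer into its label list */
#endif
};
struct lsmblob { struct selinux_lsmblob selinux; struct smack_lsmblob smack; };
enum lsm_id { LSM_ID_NONE = 0, LSM_ID_SELINUX, LSM_ID_SMACK };  /* hypothetical ids */
struct lsmcontext { char *context; unsigned int len; enum lsm_id id; };
/* Text for one selected module. The SELinux text is a constructed "u:secid:N" form, not a
 * policy lookup (assumption for this model). Returns 0, or -1 if that module is not configured. */
int lsmblob_to_secctx(const struct lsmblob *blob, enum lsm_id want, struct lsmcontext *cp)
{
    char buf[64];
    switch (want) {
#ifdef CONFIG_SECURITY_SELINUX
    case LSM_ID_SELINUX: snprintf(buf, sizeof buf, "u:secid:%u", blob->selinux.secid); break;
#endif
#ifdef CONFIG_SECURITY_SMACK
    case LSM_ID_SMACK: snprintf(buf, sizeof buf, "%s", blob->smack.label); break;
#endif
    default: return -1;
    }
    cp->len = (unsigned int)strlen(buf);
    cp->context = malloc(cp->len + 1);
    if (!cp->context) return -1;
    memcpy(cp->context, buf, cp->len + 1);
    cp->id = want;           /* record the provider so the releaser can be checked */
    return 0;
}
/* Release only when the caller names the module that produced the text. */
int lsmcontext_release(struct lsmcontext *cp, enum lsm_id releaser)
{
    if (cp->id != releaser)
        return -1;           /* provider mismatch: refuse rather than free via the wrong module */
    free(cp->context);
    cp->context = NULL; cp->len = 0; cp->id = LSM_ID_NONE;
    return 0;
}
```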