| Message ID | b9f3ece0-977b-690a-ba16-dbf22b1f928a@schaufler-ca.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, Jan 25, 2017 at 6:07 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: > Subject: [PATCH RFC 5/9] LSM: General but not extreme module stacking > > Leverage the infrastructure management of the credential and > file security blobs to allow stacking of security modules in > all but the most extreme case. Security modules are informed > of the location of their data within the blobs at module > initialization. > > Stacking is optional. If stacking is not configured the old > limit of one "major" security module applies. If stacking is > configured any combination that does not include both SELinux > and Smack is allowed. > > A subdirectory has been added to /proc/.../attr for each of > SELinux and AppArmor (Smack introduced such a subdirectory earlier) > to disambiguate what data is provided in the proc/.../attr > interfaces. An entry "context" is added to /proc/.../attr and > to each of the subdirectories. The "context" entry provides > process attribute information in the form: > > lsm-name='lsm-data'[,lsm-name='lsm-data']... > > Data returned with SO_PEERSEC and SCM_SECURITY will be > in "context" format when stacking is configured. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > --- > Documentation/security/LSM.txt | 18 ++++- > fs/proc/base.c | 33 +++++++++ > include/linux/lsm_hooks.h | 2 +- > security/Kconfig | 94 ++++++++++++++++++++++++ > security/apparmor/include/context.h | 10 +++ > security/apparmor/lsm.c | 55 ++++++++++++-- > security/security.c | 142 +++++++++++++++++++++++++++++++++++- > security/selinux/hooks.c | 29 +++++++- > security/selinux/include/objsec.h | 8 ++ > security/smack/smack.h | 9 +++ > security/smack/smack_lsm.c | 27 ++++--- > security/tomoyo/common.h | 5 ++ > security/tomoyo/tomoyo.c | 7 +- > 13 files changed, 414 insertions(+), 25 deletions(-) > > diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt > index 57eafbc..23664b7 100644 > --- a/Documentation/security/LSM.txt > +++ b/Documentation/security/LSM.txt > @@ -18,8 +18,14 @@ in the core functionality of Linux itself. > > The Linux capabilities modules will always be included. For more details > on capabilities, see capabilities(7) in the Linux man-pages project. > -This may be followed by any number of "minor" modules and at most one > -"major" module. > + > +Security modules that do not use the security data blobs maintained > +by the LSM infrastructure are considered "minor" modules. These may be > +included at compile time and stacked explicitly. Security modules that > +use the LSM maintained security blobs are considered "major" modules. > +These may only be stacked if the CONFIG_LSM_STACKED configuration > +option is used. If this is chosen all of the security modules selected > +will be used. > > A list of the active security modules can be found by reading > /sys/kernel/security/lsm. This is a comma separated list, and > @@ -36,6 +42,14 @@ security module and contains all its special files. The files directly > in /proc/.../attr remain as legacy interfaces for modules that provide > subdirectories. > > +The files named "context" in the attr directories contain the > +same information as the "current" files, but formatted to > +identify the module it comes from. > + > +if selinux is the active security module: > + /proc/self/attr/context could contain selinux='unconfined_t' > + /proc/self/attr/selinux/context could contain selinux='unconfined_t' > + > Based on https://lkml.org/lkml/2007/10/26/215, > a new LSM is accepted into the kernel when its intent (a description of > what it tries to protect against and in what cases one would expect to > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 565010c..0d54b17 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2558,13 +2558,37 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \ > .setattr = proc_setattr, \ > } > > +#ifdef CONFIG_SECURITY_SELINUX > +static const struct pid_entry selinux_attr_dir_stuff[] = { > + ATTR("selinux", "current", 0666), > + ATTR("selinux", "prev", 0444), > + ATTR("selinux", "exec", 0666), > + ATTR("selinux", "fscreate", 0666), > + ATTR("selinux", "keycreate", 0666), > + ATTR("selinux", "sockcreate", 0666), > + ATTR("selinux", "context", 0666), > +}; > +LSM_DIR_OPS(selinux); > +#endif > + > #ifdef CONFIG_SECURITY_SMACK > static const struct pid_entry smack_attr_dir_stuff[] = { > ATTR("smack", "current", 0666), > + ATTR("smack", "context", 0666), > }; > LSM_DIR_OPS(smack); > #endif > > +#ifdef CONFIG_SECURITY_APPARMOR > +static const struct pid_entry apparmor_attr_dir_stuff[] = { > + ATTR("apparmor", "current", 0666), > + ATTR("apparmor", "prev", 0444), > + ATTR("apparmor", "exec", 0666), > + ATTR("apparmor", "context", 0666), > +}; > +LSM_DIR_OPS(apparmor); > +#endif > + > static const struct pid_entry attr_dir_stuff[] = { > ATTR(NULL, "current", 0666), > ATTR(NULL, "prev", 0444), > @@ -2572,10 +2596,19 @@ static const struct pid_entry attr_dir_stuff[] = { > ATTR(NULL, "fscreate", 0666), > ATTR(NULL, "keycreate", 0666), > ATTR(NULL, "sockcreate", 0666), > + ATTR(NULL, "context", 0666), > +#ifdef CONFIG_SECURITY_SELINUX > + DIR("selinux", 0555, > + proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), > +#endif > #ifdef CONFIG_SECURITY_SMACK > DIR("smack", 0555, > proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), > #endif > +#ifdef CONFIG_SECURITY_APPARMOR > + DIR("apparmor", 0555, > + proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops), > +#endif It seems like the FS changes could be split from the rest of this patch, just to make review easier? > }; > > static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx) > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index c1807a2..86ce8da 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1926,7 +1926,7 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, > } > #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ > > -extern int __init security_module_enable(const char *module); > +extern bool __init security_module_enable(const char *lsm, const bool stacked); > extern void __init capability_add_hooks(void); > #ifdef CONFIG_SECURITY_YAMA > extern void __init yama_add_hooks(void); > diff --git a/security/Kconfig b/security/Kconfig > index 3356875..7c54d90 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -31,6 +31,28 @@ config SECURITY > > If you are unsure how to answer this question, answer N. > > +config SECURITY_STACKING > + bool "Security module stacking" > + depends on SECURITY > + help > + Allows multiple major security modules to be stacked. > + Modules are invoked in the order registered with a > + "bail on fail" policy, in which the infrastructure > + will stop processing once a denial is detected. Not > + all modules can be stacked. SELinux and Smack are > + known to be incompatible. User space components may > + have trouble identifying the security module providing > + data in some cases. > + > + If you select this option you will have to select which > + of the stackable modules you wish to be active. The > + "Default security module" will be ignored. The boot line > + "security=" option can be used to specify that one of > + the modules identifed for stacking should be used instead > + of the entire stack. > + > + If you are unsure how to answer this question, answer N. > + > config SECURITY_LSM_DEBUG > bool "Enable debugging of the LSM infrastructure" > depends on SECURITY > @@ -178,6 +200,9 @@ source security/yama/Kconfig > > source security/integrity/Kconfig > > +menu "Security Module Selection" > + visible if !SECURITY_STACKING > + > choice > prompt "Default security module" > default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX > @@ -217,3 +242,72 @@ config DEFAULT_SECURITY > > endmenu > > +menu "Security Module Stack" > + visible if SECURITY_STACKING > + > +choice > + prompt "Stacked 'extreme' security module" Commit message says "but not extreme", but here things are described as extreme. :) > + default SECURITY_SELINUX_STACKED if SECURITY_SELINUX > + default SECURITY_SMACK_STACKED if SECURITY_SMACK > + > + help > + Enable an extreme security module. These modules cannot > + be used at the same time. > + > + config SECURITY_SELINUX_STACKED > + bool "SELinux" if SECURITY_SELINUX=y > + help > + Add the SELinux security module to the stack. At this > + time the Smack security module is incompatible with this > + module. > + Please be sure your user space code is accomodating of > + this security module. > + > + config SECURITY_SMACK_STACKED > + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y > + help > + Add the Smack security module to the stack. At this > + time the SELinux security module is incompatible with this > + module. > + Please be sure your user space code is accomodating of > + this security module. > + > + config SECURITY_NOTHING_STACKED > + bool "Use no 'extreme' security module" > + help > + Add neither the SELinux security module nor the Smack security > + module to the stack. > + Please be sure your user space code does not require either of > + these security modules. > + > +endchoice > [...] > - if (!apparmor_enabled || !security_module_enable("apparmor")) { > +#ifdef CONFIG_SECURITY_APPARMOR_STACKED > + if (!apparmor_enabled || !security_module_enable("apparmor", true)) { > aa_info_message( > "AppArmor disabled by boot time parameter"); > apparmor_enabled = 0; > return 0; > } > +#else > + if (!apparmor_enabled || !security_module_enable("apparmor", false)) { > + aa_info_message( > + "AppArmor disabled by boot time parameter"); > + apparmor_enabled = 0; > + return 0; > + } > +#endif Instead of #ifdef, us IS_ENALBED(CONFIG_SECURITY_APPARMOR_STACKED) for the true/false parameter. -Kees
On 2/13/2017 12:03 PM, Kees Cook wrote: > On Wed, Jan 25, 2017 at 6:07 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: >> Subject: [PATCH RFC 5/9] LSM: General but not extreme module stacking >> >> Leverage the infrastructure management of the credential and >> file security blobs to allow stacking of security modules in >> all but the most extreme case. Security modules are informed >> of the location of their data within the blobs at module >> initialization. >> >> Stacking is optional. If stacking is not configured the old >> limit of one "major" security module applies. If stacking is >> configured any combination that does not include both SELinux >> and Smack is allowed. >> >> A subdirectory has been added to /proc/.../attr for each of >> SELinux and AppArmor (Smack introduced such a subdirectory earlier) >> to disambiguate what data is provided in the proc/.../attr >> interfaces. An entry "context" is added to /proc/.../attr and >> to each of the subdirectories. The "context" entry provides >> process attribute information in the form: >> >> lsm-name='lsm-data'[,lsm-name='lsm-data']... >> >> Data returned with SO_PEERSEC and SCM_SECURITY will be >> in "context" format when stacking is configured. >> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >> --- >> Documentation/security/LSM.txt | 18 ++++- >> fs/proc/base.c | 33 +++++++++ >> include/linux/lsm_hooks.h | 2 +- >> security/Kconfig | 94 ++++++++++++++++++++++++ >> security/apparmor/include/context.h | 10 +++ >> security/apparmor/lsm.c | 55 ++++++++++++-- >> security/security.c | 142 +++++++++++++++++++++++++++++++++++- >> security/selinux/hooks.c | 29 +++++++- >> security/selinux/include/objsec.h | 8 ++ >> security/smack/smack.h | 9 +++ >> security/smack/smack_lsm.c | 27 ++++--- >> security/tomoyo/common.h | 5 ++ >> security/tomoyo/tomoyo.c | 7 +- >> 13 files changed, 414 insertions(+), 25 deletions(-) >> >> diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt >> index 57eafbc..23664b7 100644 >> --- a/Documentation/security/LSM.txt >> +++ b/Documentation/security/LSM.txt >> @@ -18,8 +18,14 @@ in the core functionality of Linux itself. >> >> The Linux capabilities modules will always be included. For more details >> on capabilities, see capabilities(7) in the Linux man-pages project. >> -This may be followed by any number of "minor" modules and at most one >> -"major" module. >> + >> +Security modules that do not use the security data blobs maintained >> +by the LSM infrastructure are considered "minor" modules. These may be >> +included at compile time and stacked explicitly. Security modules that >> +use the LSM maintained security blobs are considered "major" modules. >> +These may only be stacked if the CONFIG_LSM_STACKED configuration >> +option is used. If this is chosen all of the security modules selected >> +will be used. >> >> A list of the active security modules can be found by reading >> /sys/kernel/security/lsm. This is a comma separated list, and >> @@ -36,6 +42,14 @@ security module and contains all its special files. The files directly >> in /proc/.../attr remain as legacy interfaces for modules that provide >> subdirectories. >> >> +The files named "context" in the attr directories contain the >> +same information as the "current" files, but formatted to >> +identify the module it comes from. >> + >> +if selinux is the active security module: >> + /proc/self/attr/context could contain selinux='unconfined_t' >> + /proc/self/attr/selinux/context could contain selinux='unconfined_t' >> + >> Based on https://lkml.org/lkml/2007/10/26/215, >> a new LSM is accepted into the kernel when its intent (a description of >> what it tries to protect against and in what cases one would expect to >> diff --git a/fs/proc/base.c b/fs/proc/base.c >> index 565010c..0d54b17 100644 >> --- a/fs/proc/base.c >> +++ b/fs/proc/base.c >> @@ -2558,13 +2558,37 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \ >> .setattr = proc_setattr, \ >> } >> >> +#ifdef CONFIG_SECURITY_SELINUX >> +static const struct pid_entry selinux_attr_dir_stuff[] = { >> + ATTR("selinux", "current", 0666), >> + ATTR("selinux", "prev", 0444), >> + ATTR("selinux", "exec", 0666), >> + ATTR("selinux", "fscreate", 0666), >> + ATTR("selinux", "keycreate", 0666), >> + ATTR("selinux", "sockcreate", 0666), >> + ATTR("selinux", "context", 0666), >> +}; >> +LSM_DIR_OPS(selinux); >> +#endif >> + >> #ifdef CONFIG_SECURITY_SMACK >> static const struct pid_entry smack_attr_dir_stuff[] = { >> ATTR("smack", "current", 0666), >> + ATTR("smack", "context", 0666), >> }; >> LSM_DIR_OPS(smack); >> #endif >> >> +#ifdef CONFIG_SECURITY_APPARMOR >> +static const struct pid_entry apparmor_attr_dir_stuff[] = { >> + ATTR("apparmor", "current", 0666), >> + ATTR("apparmor", "prev", 0444), >> + ATTR("apparmor", "exec", 0666), >> + ATTR("apparmor", "context", 0666), >> +}; >> +LSM_DIR_OPS(apparmor); >> +#endif >> + >> static const struct pid_entry attr_dir_stuff[] = { >> ATTR(NULL, "current", 0666), >> ATTR(NULL, "prev", 0444), >> @@ -2572,10 +2596,19 @@ static const struct pid_entry attr_dir_stuff[] = { >> ATTR(NULL, "fscreate", 0666), >> ATTR(NULL, "keycreate", 0666), >> ATTR(NULL, "sockcreate", 0666), >> + ATTR(NULL, "context", 0666), >> +#ifdef CONFIG_SECURITY_SELINUX >> + DIR("selinux", 0555, >> + proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), >> +#endif >> #ifdef CONFIG_SECURITY_SMACK >> DIR("smack", 0555, >> proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), >> #endif >> +#ifdef CONFIG_SECURITY_APPARMOR >> + DIR("apparmor", 0555, >> + proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops), >> +#endif > It seems like the FS changes could be split from the rest of this > patch, just to make review easier? 8 larger patches vs 25 smaller patches. I'm trying for the "right" balance. Sure, I can split this up for the next round. >> }; >> >> static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx) >> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h >> index c1807a2..86ce8da 100644 >> --- a/include/linux/lsm_hooks.h >> +++ b/include/linux/lsm_hooks.h >> @@ -1926,7 +1926,7 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, >> } >> #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ >> >> -extern int __init security_module_enable(const char *module); >> +extern bool __init security_module_enable(const char *lsm, const bool stacked); >> extern void __init capability_add_hooks(void); >> #ifdef CONFIG_SECURITY_YAMA >> extern void __init yama_add_hooks(void); >> diff --git a/security/Kconfig b/security/Kconfig >> index 3356875..7c54d90 100644 >> --- a/security/Kconfig >> +++ b/security/Kconfig >> @@ -31,6 +31,28 @@ config SECURITY >> >> If you are unsure how to answer this question, answer N. >> >> +config SECURITY_STACKING >> + bool "Security module stacking" >> + depends on SECURITY >> + help >> + Allows multiple major security modules to be stacked. >> + Modules are invoked in the order registered with a >> + "bail on fail" policy, in which the infrastructure >> + will stop processing once a denial is detected. Not >> + all modules can be stacked. SELinux and Smack are >> + known to be incompatible. User space components may >> + have trouble identifying the security module providing >> + data in some cases. >> + >> + If you select this option you will have to select which >> + of the stackable modules you wish to be active. The >> + "Default security module" will be ignored. The boot line >> + "security=" option can be used to specify that one of >> + the modules identifed for stacking should be used instead >> + of the entire stack. >> + >> + If you are unsure how to answer this question, answer N. >> + >> config SECURITY_LSM_DEBUG >> bool "Enable debugging of the LSM infrastructure" >> depends on SECURITY >> @@ -178,6 +200,9 @@ source security/yama/Kconfig >> >> source security/integrity/Kconfig >> >> +menu "Security Module Selection" >> + visible if !SECURITY_STACKING >> + >> choice >> prompt "Default security module" >> default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX >> @@ -217,3 +242,72 @@ config DEFAULT_SECURITY >> >> endmenu >> >> +menu "Security Module Stack" >> + visible if SECURITY_STACKING >> + >> +choice >> + prompt "Stacked 'extreme' security module" > Commit message says "but not extreme", but here things are described > as extreme. :) Um.. A foolish consistency is the hobgoblin of little minds? :) Good point. A little too much of description reuse. >> + default SECURITY_SELINUX_STACKED if SECURITY_SELINUX >> + default SECURITY_SMACK_STACKED if SECURITY_SMACK >> + >> + help >> + Enable an extreme security module. These modules cannot >> + be used at the same time. >> + >> + config SECURITY_SELINUX_STACKED >> + bool "SELinux" if SECURITY_SELINUX=y >> + help >> + Add the SELinux security module to the stack. At this >> + time the Smack security module is incompatible with this >> + module. >> + Please be sure your user space code is accomodating of >> + this security module. >> + >> + config SECURITY_SMACK_STACKED >> + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y >> + help >> + Add the Smack security module to the stack. At this >> + time the SELinux security module is incompatible with this >> + module. >> + Please be sure your user space code is accomodating of >> + this security module. >> + >> + config SECURITY_NOTHING_STACKED >> + bool "Use no 'extreme' security module" >> + help >> + Add neither the SELinux security module nor the Smack security >> + module to the stack. >> + Please be sure your user space code does not require either of >> + these security modules. >> + >> +endchoice >> [...] >> - if (!apparmor_enabled || !security_module_enable("apparmor")) { >> +#ifdef CONFIG_SECURITY_APPARMOR_STACKED >> + if (!apparmor_enabled || !security_module_enable("apparmor", true)) { >> aa_info_message( >> "AppArmor disabled by boot time parameter"); >> apparmor_enabled = 0; >> return 0; >> } >> +#else >> + if (!apparmor_enabled || !security_module_enable("apparmor", false)) { >> + aa_info_message( >> + "AppArmor disabled by boot time parameter"); >> + apparmor_enabled = 0; >> + return 0; >> + } >> +#endif > Instead of #ifdef, us IS_ENALBED(CONFIG_SECURITY_APPARMOR_STACKED) for > the true/false parameter. #ifdef foo #if IS_ENABLED(foo) #if defined(foo) All do the same thing. I don't see where the coding style guidelines say which should be used where. I'm not saying it isn't there, but I can't find it. Pointer? ... but then, I got really annoyed when the compiler stopped allowing #ifdef foo ... #endif foo > > -Kees > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Feb 13, 2017 at 1:53 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: > On 2/13/2017 12:03 PM, Kees Cook wrote: >> On Wed, Jan 25, 2017 at 6:07 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: >>> [...] >>> - if (!apparmor_enabled || !security_module_enable("apparmor")) { >>> +#ifdef CONFIG_SECURITY_APPARMOR_STACKED >>> + if (!apparmor_enabled || !security_module_enable("apparmor", true)) { >>> aa_info_message( >>> "AppArmor disabled by boot time parameter"); >>> apparmor_enabled = 0; >>> return 0; >>> } >>> +#else >>> + if (!apparmor_enabled || !security_module_enable("apparmor", false)) { >>> + aa_info_message( >>> + "AppArmor disabled by boot time parameter"); >>> + apparmor_enabled = 0; >>> + return 0; >>> + } >>> +#endif >> Instead of #ifdef, us IS_ENALBED(CONFIG_SECURITY_APPARMOR_STACKED) for >> the true/false parameter. > > #ifdef foo > #if IS_ENABLED(foo) > #if defined(foo) > > All do the same thing. I don't see where the coding style guidelines > say which should be used where. I'm not saying it isn't there, but I > can't find it. Pointer? > > ... but then, I got really annoyed when the compiler stopped allowing > #ifdef foo > ... > #endif foo It's not ifdef, it's C: if (!apparmor_enabled || !security_module_enable("apparmor", IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED))) { aa_info_message( "AppArmor disabled by boot time parameter"); apparmor_enabled = 0; return 0; } no ifdefs, no copy/paste of multiple lines... -Kees
On 2/13/2017 1:57 PM, Kees Cook wrote: > On Mon, Feb 13, 2017 at 1:53 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: >> On 2/13/2017 12:03 PM, Kees Cook wrote: >>> On Wed, Jan 25, 2017 at 6:07 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: >>>> [...] >>>> - if (!apparmor_enabled || !security_module_enable("apparmor")) { >>>> +#ifdef CONFIG_SECURITY_APPARMOR_STACKED >>>> + if (!apparmor_enabled || !security_module_enable("apparmor", true)) { >>>> aa_info_message( >>>> "AppArmor disabled by boot time parameter"); >>>> apparmor_enabled = 0; >>>> return 0; >>>> } >>>> +#else >>>> + if (!apparmor_enabled || !security_module_enable("apparmor", false)) { >>>> + aa_info_message( >>>> + "AppArmor disabled by boot time parameter"); >>>> + apparmor_enabled = 0; >>>> + return 0; >>>> + } >>>> +#endif >>> Instead of #ifdef, us IS_ENALBED(CONFIG_SECURITY_APPARMOR_STACKED) for >>> the true/false parameter. >> #ifdef foo >> #if IS_ENABLED(foo) >> #if defined(foo) >> >> All do the same thing. I don't see where the coding style guidelines >> say which should be used where. I'm not saying it isn't there, but I >> can't find it. Pointer? >> >> ... but then, I got really annoyed when the compiler stopped allowing >> #ifdef foo >> ... >> #endif foo > It's not ifdef, it's C: > > if (!apparmor_enabled || !security_module_enable("apparmor", > > IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED))) { > aa_info_message( > "AppArmor disabled by boot time parameter"); > apparmor_enabled = 0; > return 0; > } > > no ifdefs, no copy/paste of multiple lines... OK, yes, that is much better. My little brain was stuck on IS_ENABLED() in the context of #if and didn't see it in the context of code. Now that I see this other opportunities spring to mind. > > -Kees > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt index 57eafbc..23664b7 100644 --- a/Documentation/security/LSM.txt +++ b/Documentation/security/LSM.txt @@ -18,8 +18,14 @@ in the core functionality of Linux itself. The Linux capabilities modules will always be included. For more details on capabilities, see capabilities(7) in the Linux man-pages project. -This may be followed by any number of "minor" modules and at most one -"major" module. + +Security modules that do not use the security data blobs maintained +by the LSM infrastructure are considered "minor" modules. These may be +included at compile time and stacked explicitly. Security modules that +use the LSM maintained security blobs are considered "major" modules. +These may only be stacked if the CONFIG_LSM_STACKED configuration +option is used. If this is chosen all of the security modules selected +will be used. A list of the active security modules can be found by reading /sys/kernel/security/lsm. This is a comma separated list, and @@ -36,6 +42,14 @@ security module and contains all its special files. The files directly in /proc/.../attr remain as legacy interfaces for modules that provide subdirectories. +The files named "context" in the attr directories contain the +same information as the "current" files, but formatted to +identify the module it comes from. + +if selinux is the active security module: + /proc/self/attr/context could contain selinux='unconfined_t' + /proc/self/attr/selinux/context could contain selinux='unconfined_t' + Based on https://lkml.org/lkml/2007/10/26/215, a new LSM is accepted into the kernel when its intent (a description of what it tries to protect against and in what cases one would expect to diff --git a/fs/proc/base.c b/fs/proc/base.c index 565010c..0d54b17 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2558,13 +2558,37 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \ .setattr = proc_setattr, \ } +#ifdef CONFIG_SECURITY_SELINUX +static const struct pid_entry selinux_attr_dir_stuff[] = { + ATTR("selinux", "current", 0666), + ATTR("selinux", "prev", 0444), + ATTR("selinux", "exec", 0666), + ATTR("selinux", "fscreate", 0666), + ATTR("selinux", "keycreate", 0666), + ATTR("selinux", "sockcreate", 0666), + ATTR("selinux", "context", 0666), +}; +LSM_DIR_OPS(selinux); +#endif + #ifdef CONFIG_SECURITY_SMACK static const struct pid_entry smack_attr_dir_stuff[] = { ATTR("smack", "current", 0666), + ATTR("smack", "context", 0666), }; LSM_DIR_OPS(smack); #endif +#ifdef CONFIG_SECURITY_APPARMOR +static const struct pid_entry apparmor_attr_dir_stuff[] = { + ATTR("apparmor", "current", 0666), + ATTR("apparmor", "prev", 0444), + ATTR("apparmor", "exec", 0666), + ATTR("apparmor", "context", 0666), +}; +LSM_DIR_OPS(apparmor); +#endif + static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "current", 0666), ATTR(NULL, "prev", 0444), @@ -2572,10 +2596,19 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", 0666), ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), + ATTR(NULL, "context", 0666), +#ifdef CONFIG_SECURITY_SELINUX + DIR("selinux", 0555, + proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), +#endif #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), #endif +#ifdef CONFIG_SECURITY_APPARMOR + DIR("apparmor", 0555, + proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops), +#endif }; static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index c1807a2..86ce8da 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1926,7 +1926,7 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, } #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ -extern int __init security_module_enable(const char *module); +extern bool __init security_module_enable(const char *lsm, const bool stacked); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA extern void __init yama_add_hooks(void); diff --git a/security/Kconfig b/security/Kconfig index 3356875..7c54d90 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -31,6 +31,28 @@ config SECURITY If you are unsure how to answer this question, answer N. +config SECURITY_STACKING + bool "Security module stacking" + depends on SECURITY + help + Allows multiple major security modules to be stacked. + Modules are invoked in the order registered with a + "bail on fail" policy, in which the infrastructure + will stop processing once a denial is detected. Not + all modules can be stacked. SELinux and Smack are + known to be incompatible. User space components may + have trouble identifying the security module providing + data in some cases. + + If you select this option you will have to select which + of the stackable modules you wish to be active. The + "Default security module" will be ignored. The boot line + "security=" option can be used to specify that one of + the modules identifed for stacking should be used instead + of the entire stack. + + If you are unsure how to answer this question, answer N. + config SECURITY_LSM_DEBUG bool "Enable debugging of the LSM infrastructure" depends on SECURITY @@ -178,6 +200,9 @@ source security/yama/Kconfig source security/integrity/Kconfig +menu "Security Module Selection" + visible if !SECURITY_STACKING + choice prompt "Default security module" default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX @@ -217,3 +242,72 @@ config DEFAULT_SECURITY endmenu +menu "Security Module Stack" + visible if SECURITY_STACKING + +choice + prompt "Stacked 'extreme' security module" + default SECURITY_SELINUX_STACKED if SECURITY_SELINUX + default SECURITY_SMACK_STACKED if SECURITY_SMACK + + help + Enable an extreme security module. These modules cannot + be used at the same time. + + config SECURITY_SELINUX_STACKED + bool "SELinux" if SECURITY_SELINUX=y + help + Add the SELinux security module to the stack. At this + time the Smack security module is incompatible with this + module. + Please be sure your user space code is accomodating of + this security module. + + config SECURITY_SMACK_STACKED + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y + help + Add the Smack security module to the stack. At this + time the SELinux security module is incompatible with this + module. + Please be sure your user space code is accomodating of + this security module. + + config SECURITY_NOTHING_STACKED + bool "Use no 'extreme' security module" + help + Add neither the SELinux security module nor the Smack security + module to the stack. + Please be sure your user space code does not require either of + these security modules. + +endchoice + +config SECURITY_TOMOYO_STACKED + bool "TOMOYO support is enabled by default" + depends on SECURITY_TOMOYO && SECURITY_STACKING + default n + help + This option instructs the system to use the TOMOYO checks. + If not selected the module will not be invoked. + Stacked security modules may interact in unexpected ways. + Please be sure your user space code is accomodating of + multiple security modules. + + If you are unsure how to answer this question, answer N. + +config SECURITY_APPARMOR_STACKED + bool "AppArmor support is enabled by default" + depends on SECURITY_APPARMOR && SECURITY_STACKING + default n + help + This option instructs the system to use the AppArmor checks. + If not selected the module will not be invoked. + Stacked security modules may interact in unexpected ways. + Please be sure your user space code is accomodating of + multiple security modules. + + If you are unsure how to answer this question, answer N. + +endmenu + +endmenu diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h index c140aad..666b975 100644 --- a/security/apparmor/include/context.h +++ b/security/apparmor/include/context.h @@ -87,14 +87,24 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token); int aa_restore_previous_profile(u64 cookie); struct aa_profile *aa_get_task_profile(struct task_struct *task); +extern struct lsm_blob_sizes apparmor_blob_sizes; + static inline struct aa_task_cxt *apparmor_cred(const struct cred *cred) { +#ifdef CONFIG_SECURITY_STACKING + return cred->security + apparmor_blob_sizes.lbs_cred; +#else return cred->security; +#endif } static inline struct aa_file_cxt *apparmor_file(const struct file *file) { +#ifdef CONFIG_SECURITY_STACKING + return file->f_security + apparmor_blob_sizes.lbs_file; +#else return file->f_security; +#endif } /** diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index ed8f1e4..5428cd8 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -438,9 +438,13 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, const struct cred *cred = get_task_cred(task); struct aa_task_cxt *cxt = cred_cxt(cred); struct aa_profile *profile = NULL; + char *vp; + char *np; if (strcmp(name, "current") == 0) profile = aa_get_newest_profile(cxt->profile); + else if (strcmp(name, "context") == 0) + profile = aa_get_newest_profile(cxt->profile); else if (strcmp(name, "prev") == 0 && cxt->previous) profile = aa_get_newest_profile(cxt->previous); else if (strcmp(name, "exec") == 0 && cxt->onexec) @@ -448,9 +452,29 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, else error = -EINVAL; - if (profile) - error = aa_getprocattr(profile, value); + if (profile == NULL) + goto put_out; + + error = aa_getprocattr(profile, &vp); + if (error < 0) + goto put_out; + if (strcmp(name, "context") == 0) { + *value = kasprintf(GFP_KERNEL, "apparmor='%s'", vp); + if (*value == NULL) { + error = -ENOMEM; + goto put_out; + } + np = strchr(*value, '\n'); + if (np != NULL) { + np[0] = '\''; + np[1] = '\0'; + } + error = strlen(*value); + } else + *value = vp; + +put_out: aa_put_profile(profile); put_cred(cred); @@ -492,7 +516,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, goto out; arg_size = size - (args - (largs ? largs : (char *) value)); - if (strcmp(name, "current") == 0) { + if (strcmp(name, "current") == 0 || strcmp(name, "context") == 0) { if (strcmp(command, "changehat") == 0) { error = aa_setprocattr_changehat(args, arg_size, !AA_DO_TEST); @@ -514,7 +538,10 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, else goto fail; } else - /* only support the "current" and "exec" process attributes */ + /* + * only support the "current", "context" and "exec" + * process attributes + */ goto fail; if (!error) @@ -832,18 +859,34 @@ static int __init apparmor_init(void) int error; if (!finish) { - if (apparmor_enabled && security_module_enable("apparmor")) +#ifdef CONFIG_SECURITY_APPARMOR_STACKED + if (apparmor_enabled && + security_module_enable("apparmor", true)) + security_add_blobs(&apparmor_blob_sizes); +#else + if (apparmor_enabled && + security_module_enable("apparmor", false)) security_add_blobs(&apparmor_blob_sizes); +#endif finish = 1; return 0; } - if (!apparmor_enabled || !security_module_enable("apparmor")) { +#ifdef CONFIG_SECURITY_APPARMOR_STACKED + if (!apparmor_enabled || !security_module_enable("apparmor", true)) { aa_info_message( "AppArmor disabled by boot time parameter"); apparmor_enabled = 0; return 0; } +#else + if (!apparmor_enabled || !security_module_enable("apparmor", false)) { + aa_info_message( + "AppArmor disabled by boot time parameter"); + apparmor_enabled = 0; + return 0; + } +#endif error = aa_alloc_root_ns(); diff --git a/security/security.c b/security/security.c index 0aee0f4..42ab35c 100644 --- a/security/security.c +++ b/security/security.c @@ -31,13 +31,18 @@ /* Maximum number of letters for an LSM name string */ #define SECURITY_NAME_MAX 10 +#define MODULE_STACK "(stacking)" char *lsm_names; static struct lsm_blob_sizes blob_sizes; /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = +#ifdef CONFIG_SECURITY_STACKING + MODULE_STACK; +#else CONFIG_DEFAULT_SECURITY; +#endif static void __init do_security_initcalls(void) { @@ -113,6 +118,7 @@ static int lsm_append(char *new, char **result) /** * security_module_enable - Load given security module on boot ? * @module: the name of the module + * @stacked: indicates that the module wants to be stacked * * Each LSM must pass this method before registering its own operations * to avoid security registration races. This method may also be used @@ -124,9 +130,29 @@ static int lsm_append(char *new, char **result) * choose an alternate LSM at boot time. * Otherwise, return false. */ -int __init security_module_enable(const char *module) +bool __init security_module_enable(const char *lsm, const bool stacked) { - return !strcmp(module, chosen_lsm); +#ifdef CONFIG_SECURITY_STACKING + /* + * Module defined on the command line security=XXXX + */ + if (strcmp(chosen_lsm, MODULE_STACK)) { + if (!strcmp(lsm, chosen_lsm)) { + pr_info("Command line sets the %s security module.\n", + lsm); + return true; + } + return false; + } + /* + * Module configured as stacked. + */ + return stacked; +#else + if (strcmp(lsm, chosen_lsm) == 0) + return true; + return false; +#endif } /** @@ -1316,8 +1342,49 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + char *vp; + char *cp = NULL; + int trc; int rc; + /* + * "context" requires work here in addition to what + * the modules provide. + */ + if (strcmp(name, "context") == 0) { + *value = NULL; + rc = -EINVAL; + list_for_each_entry(hp, + &security_hook_heads.getprocattr, list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + trc = hp->hook.getprocattr(p, "context", &vp); + if (trc == -ENOENT) + continue; + if (trc <= 0) { + kfree(*value); + return trc; + } + rc = trc; + if (*value == NULL) { + *value = vp; + } else { + cp = kasprintf(GFP_KERNEL, "%s,%s", *value, vp); + if (cp == NULL) { + kfree(*value); + kfree(vp); + return -ENOMEM; + } + kfree(*value); + kfree(vp); + *value = cp; + } + } + if (rc > 0) + return strlen(*value); + return rc; + } + list_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsm)) continue; @@ -1333,6 +1400,77 @@ int security_setprocattr(struct task_struct *p, const char *lsm, char *name, { struct security_hook_list *hp; int rc; + char *local; + char *cp; + int slen; + int failed = 0; + + /* + * If lsm is NULL look at all the modules to find one + * that processes name. If lsm is not NULL only look at + * that module. + * + * "context" is handled directly here. + */ + if (strcmp(name, "context") == 0) { + /* + * First verify that the input is acceptable. + * lsm1='v1'lsm2='v2'lsm3='v3' + * + * A note on the use of strncmp() below. + * The check is for the substring at the beginning of cp. + * The kzalloc of size + 1 ensures a terminated string. + */ + rc = -EINVAL; + local = kzalloc(size + 1, GFP_KERNEL); + memcpy(local, value, size); + cp = local; + list_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + if (cp[0] == ',') { + if (cp == local) + goto free_out; + cp++; + } + slen = strlen(hp->lsm); + if (strncmp(cp, hp->lsm, slen)) + goto free_out; + cp += slen; + if (cp[0] != '=' || cp[1] != '\'' || cp[2] == '\'') + goto free_out; + for (cp += 2; cp[0] != '\''; cp++) + if (cp[0] == '\0') + goto free_out; + cp++; + } + + cp = local; + list_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + if (cp[0] == ',') + cp++; + cp += strlen(hp->lsm) + 2; + for (slen = 0; cp[slen] != '\''; slen++) + ; + cp[slen] = '\0'; + + rc = hp->hook.setprocattr(p, "context", cp, slen); + if (rc < 0) + failed = rc; + cp += slen + 1; + } + if (failed != 0) + rc = failed; + else + rc = size; +free_out: + kfree(local); + return rc; + } list_for_each_entry(hp, &security_hook_heads.setprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsm)) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 546956a..b7c6613 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5767,6 +5767,8 @@ static int selinux_getprocattr(struct task_struct *p, if (!strcmp(name, "current")) sid = __tsec->sid; + else if (!strcmp(name, "context")) + sid = __tsec->sid; else if (!strcmp(name, "prev")) sid = __tsec->osid; else if (!strcmp(name, "exec")) @@ -5784,7 +5786,19 @@ static int selinux_getprocattr(struct task_struct *p, if (!sid) return 0; - error = security_sid_to_context(sid, value, &len); + if (strcmp(name, "context")) { + error = security_sid_to_context(sid, value, &len); + } else { + char *vp; + + error = security_sid_to_context(sid, &vp, &len); + if (!error) { + *value = kasprintf(GFP_KERNEL, "selinux='%s'", vp); + if (*value == NULL) + error = -ENOMEM; + } + } + if (error) return error; return len; @@ -5824,6 +5838,8 @@ static int selinux_setprocattr(struct task_struct *p, error = current_has_perm(p, PROCESS__SETSOCKCREATE); else if (!strcmp(name, "current")) error = current_has_perm(p, PROCESS__SETCURRENT); + else if (!strcmp(name, "context")) + error = current_has_perm(p, PROCESS__SETCURRENT); else error = -EINVAL; if (error) @@ -5883,7 +5899,7 @@ static int selinux_setprocattr(struct task_struct *p, tsec->keycreate_sid = sid; } else if (!strcmp(name, "sockcreate")) { tsec->sockcreate_sid = sid; - } else if (!strcmp(name, "current")) { + } else if (!strcmp(name, "current") || !strcmp(name, "context")) { error = -EINVAL; if (sid == 0) goto abort_change; @@ -6271,10 +6287,17 @@ static __init int selinux_init(void) { static int finish; - if (!security_module_enable("selinux")) { +#ifdef CONFIG_SECURITY_SELINUX_STACKED + if (!security_module_enable("selinux", true)) { + selinux_enabled = 0; + return 0; + } +#else + if (!security_module_enable("selinux", false)) { selinux_enabled = 0; return 0; } +#endif if (!finish) { security_add_blobs(&selinux_blob_sizes); diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index d02c1f8..8ae0285 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -137,12 +137,20 @@ extern struct lsm_blob_sizes selinux_blob_sizes; static inline struct task_security_struct *selinux_cred(const struct cred *cred) { +#ifdef CONFIG_SECURITY_STACKING + return cred->security + selinux_blob_sizes.lbs_cred; +#else return cred->security; +#endif } static inline struct file_security_struct *selinux_file(const struct file *file) { +#ifdef CONFIG_SECURITY_STACKING + return file->f_security + selinux_blob_sizes.lbs_file; +#else return file->f_security; +#endif } #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/smack/smack.h b/security/smack/smack.h index bb0d24b..5af0233 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -333,6 +333,7 @@ extern struct smack_known *smack_syslog_label; extern struct smack_known *smack_unconfined; #endif extern int smack_ptrace_rule; +extern struct lsm_blob_sizes smack_blob_sizes; extern struct smack_known smack_known_floor; extern struct smack_known smack_known_hat; @@ -355,12 +356,20 @@ extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; static inline struct task_smack *smack_cred(const struct cred *cred) { +#ifdef CONFIG_SECURITY_STACKING + return cred->security + smack_blob_sizes.lbs_cred; +#else return cred->security; +#endif } static inline struct smack_known **smack_file(const struct file *file) { +#ifdef CONFIG_SECURITY_STACKING + return file->f_security + smack_blob_sizes.lbs_file; +#else return file->f_security; +#endif } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index d0b48de..c4b4161 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3567,18 +3567,20 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) { struct smack_known *skp = smk_of_task_struct(p); char *cp; - int slen; - if (strcmp(name, "current") != 0) + if (strcmp(name, "current") == 0) { + cp = kstrdup(skp->smk_known, GFP_KERNEL); + if (cp == NULL) + return -ENOMEM; + } else if (strcmp(name, "context") == 0) { + cp = kasprintf(GFP_KERNEL, "smack='%s'", skp->smk_known); + if (cp == NULL) + return -ENOMEM; + } else return -EINVAL; - cp = kstrdup(skp->smk_known, GFP_KERNEL); - if (cp == NULL) - return -ENOMEM; - - slen = strlen(cp); *value = cp; - return slen; + return strlen(cp); } /** @@ -3615,7 +3617,7 @@ static int smack_setprocattr(struct task_struct *p, char *name, void *value, if (value == NULL || size == 0 || size >= SMK_LONGLABEL) return -EINVAL; - if (strcmp(name, "current") != 0) + if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0) return -EINVAL; skp = smk_import_entry(value, size); @@ -4748,8 +4750,13 @@ static __init int smack_init(void) struct cred *cred = (struct cred *) current->cred; struct task_smack *tsp; - if (!security_module_enable("smack")) +#ifdef CONFIG_SECURITY_SMACK_STACKED + if (!security_module_enable("smack", true)) + return 0; +#else + if (!security_module_enable("smack", false)) return 0; +#endif if (!finish) { security_add_blobs(&smack_blob_sizes); diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index cbcfccc..a78b354 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -1085,6 +1085,7 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain; extern struct tomoyo_policy_namespace tomoyo_kernel_namespace; extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT]; extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT]; +extern struct lsm_blob_sizes tomoyo_blob_sizes; /********** Inlined functions. **********/ @@ -1204,7 +1205,11 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) */ static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred) { +#ifdef CONFIG_SECURITY_STACKING + return cred->security + tomoyo_blob_sizes.lbs_cred; +#else return cred->security; +#endif } /** diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 61285fe..bbbf48d 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -561,8 +561,13 @@ static int __init tomoyo_init(void) struct cred *cred = (struct cred *) current_cred(); struct tomoyo_domain_info **blob; - if (!security_module_enable("tomoyo")) +#ifdef CONFIG_SECURITY_TOMOYO_STACKED + if (!security_module_enable("tomoyo", true)) return 0; +#else + if (!security_module_enable("tomoyo", false)) + return 0; +#endif if (!finish) { security_add_blobs(&tomoyo_blob_sizes);
Subject: [PATCH RFC 5/9] LSM: General but not extreme module stacking Leverage the infrastructure management of the credential and file security blobs to allow stacking of security modules in all but the most extreme case. Security modules are informed of the location of their data within the blobs at module initialization. Stacking is optional. If stacking is not configured the old limit of one "major" security module applies. If stacking is configured any combination that does not include both SELinux and Smack is allowed. A subdirectory has been added to /proc/.../attr for each of SELinux and AppArmor (Smack introduced such a subdirectory earlier) to disambiguate what data is provided in the proc/.../attr interfaces. An entry "context" is added to /proc/.../attr and to each of the subdirectories. The "context" entry provides process attribute information in the form: lsm-name='lsm-data'[,lsm-name='lsm-data']... Data returned with SO_PEERSEC and SCM_SECURITY will be in "context" format when stacking is configured. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- Documentation/security/LSM.txt | 18 ++++- fs/proc/base.c | 33 +++++++++ include/linux/lsm_hooks.h | 2 +- security/Kconfig | 94 ++++++++++++++++++++++++ security/apparmor/include/context.h | 10 +++ security/apparmor/lsm.c | 55 ++++++++++++-- security/security.c | 142 +++++++++++++++++++++++++++++++++++- security/selinux/hooks.c | 29 +++++++- security/selinux/include/objsec.h | 8 ++ security/smack/smack.h | 9 +++ security/smack/smack_lsm.c | 27 ++++--- security/tomoyo/common.h | 5 ++ security/tomoyo/tomoyo.c | 7 +- 13 files changed, 414 insertions(+), 25 deletions(-)