[PATCH 0/8] LSM: Security module stacking

Casey Schaufler casey at schaufler-ca.com
Thu Mar 8 01:44:40 UTC 2018


Subject: [PATCH 0/8] LSM: Security module stacking

Move the management of Linux Security Module (LSM) data blobs
out of the individual modules and into the LSM infrastructure.
The modules are now required to declare how much space they need
for each sort of blob used. This will allow modules that use
security blobs to be stacked so long as they aren't using hooks
that require secids. Several proposed modules, including S.A.R.A.,
PTAGS and Landlock, meet these criteria.

Change the way that "secids" are treated outside of the security
modules. Use a structure that contains the secid for each available
module rather than a single u32. This works for everything except
netfilter secmarks, which require a mapping between secid sets and
a single u32 be maintained.

A process may choose which security module is reported using SO_PEERSEC
with a prctl() option. This is the simplest way to address the variety
of mechanisms between UDS, TCP/IP and UDP/IP.

Netlabel has been augmented with an API to compare lsm secattrs.
This is used to determine if all security modules agree on what
label to put on IP packets. Attempting to set incompatible labels
results in an error. As a result, using SELinux and Smack together
results in disappointing, but safe, network behavior using their
default configurations. 

Tested with Fedora 24 and 27, and Ubuntu 17.04. Passes the
SELinux test suite unless Smack is also running, in which case
the errors are explained by the netlabel conflicts between the
two modules.

1/8: Add the smack subdirectory to /proc/.../attr
2/8: Move management of cred security blobs to the LSM infrastructure
3/8: Move management of file security blobs to the LSM infrastructure
4/8: Move management of task security blobs to the LSM infrastructure
5/8: Move management of the remaining security blobs to the LSM infrastructure
6/8: Change the configuration controls for security stacking
7/8: Allow multiple modules to provide mount options
8/8: Maintain and use compound secids instead of a single integer

Also available git://github.com/cschaufler/lsm_stacking.git#stacking-4.17

Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
 Documentation/admin-guide/LSM/index.rst |  23 +-
 fs/btrfs/super.c                        |  10 +-
 fs/proc/base.c                          |  63 ++-
 fs/proc/internal.h                      |   1 +
 include/linux/cred.h                    |   3 +-
 include/linux/lsm_hooks.h               |  78 ++-
 include/linux/security.h                | 220 ++++++--
 include/net/flow.h                      |   5 +-
 include/net/netlabel.h                  |  16 +-
 include/net/scm.h                       |   4 +-
 include/uapi/linux/prctl.h              |   4 +
 kernel/audit.c                          |  23 +-
 kernel/audit.h                          |   9 +-
 kernel/auditfilter.c                    |   4 +-
 kernel/auditsc.c                        |  42 +-
 kernel/cred.c                           |  19 +-
 kernel/fork.c                           |   3 +
 kernel/signal.c                         |   1 +
 net/ipv4/cipso_ipv4.c                   |  19 +-
 net/ipv4/ip_sockglue.c                  |   6 +-
 net/netfilter/nf_conntrack_netlink.c    |  12 +-
 net/netfilter/nf_conntrack_standalone.c |   6 +-
 net/netfilter/nfnetlink_queue.c         |   9 +-
 net/netfilter/xt_SECMARK.c              |   7 +-
 net/netlabel/netlabel_kapi.c            |  52 +-
 net/netlabel/netlabel_unlabeled.c       |  30 +-
 net/netlabel/netlabel_unlabeled.h       |   2 +-
 net/netlabel/netlabel_user.c            |   4 +-
 net/unix/af_unix.c                      |  22 +-
 net/xfrm/xfrm_policy.c                  |   6 +-
 net/xfrm/xfrm_state.c                   |   3 +-
 security/Kconfig                        |  80 +++
 security/Makefile                       |   1 +
 security/apparmor/context.c             |   2 -
 security/apparmor/include/context.h     |  24 +-
 security/apparmor/include/file.h        |   2 +-
 security/apparmor/lsm.c                 |  71 ++-
 security/integrity/ima/ima_policy.c     |   7 +-
 security/security.c                     | 943 +++++++++++++++++++++++++++++---
 security/selinux/hooks.c                | 678 +++++++++--------------
 security/selinux/include/audit.h        |   2 +-
 security/selinux/include/objsec.h       |  87 ++-
 security/selinux/include/xfrm.h         |   9 +-
 security/selinux/netlabel.c             |  25 +-
 security/selinux/selinuxfs.c            |   5 +-
 security/selinux/ss/services.c          |  13 +-
 security/selinux/xfrm.c                 |  29 +-
 security/smack/smack.h                  |  95 +++-
 security/smack/smack_access.c           |   6 +-
 security/smack/smack_lsm.c              | 764 +++++++++++---------------
 security/smack/smack_netfilter.c        |  28 +-
 security/smack/smackfs.c                |  32 +-
 security/tomoyo/common.h                |  31 +-
 security/tomoyo/domain.c                |   4 +-
 security/tomoyo/securityfs_if.c         |  15 +-
 security/tomoyo/tomoyo.c                |  57 +-
 56 files changed, 2463 insertions(+), 1253 deletions(-)
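The cover letter describes the central change of patches 2/8 through 5/8 in one sentence: modules declare how much blob space they need and the LSM infrastructure, rather than each module, owns the allocation. The user-space C program below is an added illustration of that arrangement and is not code from the series or from the kernel; `struct lsm_blob_sizes`, `lsm_register`, `cred_blob_alloc`, `cred_slice`, the two constructed modules `mod_a`/`mod_b` and the 8-byte slice alignment are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Every slice starts on an 8-byte boundary (a choice made for this example). */
#define BLOB_ALIGN 8
#define ALIGN_UP(n) (((n) + BLOB_ALIGN - 1) & ~(size_t)(BLOB_ALIGN - 1))

/* What a module asks for, one field per kind of blob (hypothetical layout). */
struct lsm_blob_sizes {
	size_t cred;
	size_t file;
	size_t task;
};

/* A registered module: what it declared and where the infrastructure put it. */
struct lsm_module {
	const char *name;
	struct lsm_blob_sizes want;    /* declared by the module */
	struct lsm_blob_sizes offset;  /* assigned by the infrastructure */
};

/* Register a module: hand it the next free offset in each blob, grow the totals. */
static void lsm_register(struct lsm_blob_sizes *total, struct lsm_module *m)
{
	m->offset.cred = total->cred;
	total->cred += ALIGN_UP(m->want.cred);
	m->offset.file = total->file;
	total->file += ALIGN_UP(m->want.file);
	m->offset.task = total->task;
	total->task += ALIGN_UP(m->want.task);
}

/* The infrastructure allocates one zeroed cred blob big enough for everyone. */
static void *cred_blob_alloc(const struct lsm_blob_sizes *total)
{
	return total->cred ? calloc(1, total->cred) : NULL;
}

/* A module only ever touches its own slice, located through its offset. */
static void *cred_slice(const struct lsm_module *m, void *blob)
{
	return (char *)blob + m->offset.cred;
}

/* Constructed per-module cred state for two stacked modules. */
struct mod_a_cred { uint32_t label_id; uint32_t flags; char tag[8]; }; /* 16 bytes */
struct mod_b_cred { uint64_t domain; };                                  /* 8 bytes */

/* Register two constructed modules, write through each slice, and verify the
 * slices are disjoint and the blob is exactly the sum of the requests.
 * Returns 1 on success, 0 on failure. */
static int stacking_demo(void)
{
	struct lsm_blob_sizes total = {0};
	struct lsm_module a = { "mod_a", { sizeof(struct mod_a_cred), 0, 0 }, {0} };
	struct lsm_module b = { "mod_b", { sizeof(struct mod_b_cred), 0, 0 }, {0} };
	int ok;

	lsm_register(&total, &a);
	lsm_register(&total, &b);

	void *blob = cred_blob_alloc(&total);
	if (!blob)
		return 0;

	struct mod_a_cred *ac = cred_slice(&a, blob);
	struct mod_b_cred *bc = cred_slice(&b, blob);
	ac->label_id = 0x11;
	ac->flags = 0x22;
	memcpy(ac->tag, "demo", 5);
	bc->domain = 0x4242424242424242ULL;

	/* mod_a's writes must not have bled into mod_b's slice, and vice versa. */
	ok = ac->label_id == 0x11 && ac->flags == 0x22 &&
	     bc->domain == 0x4242424242424242ULL &&
	     a.offset.cred == 0 &&
	     b.offset.cred == sizeof(struct mod_a_cred) &&
	     total.cred == sizeof(struct mod_a_cred) + sizeof(struct mod_b_cred);
	free(blob);
	return ok;
}

int main(void)
{
	int ok = stacking_demo();
	printf("stacked cred blob check: %s\n", ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

The point the model makes is the one the cover letter relies on: because each module is given an offset into a blob it did not allocate, two blob-using modules can coexist without either knowing the other exists, which is exactly what lets the modules named in the letter stack once they stop needing secid hooks.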
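Patch 8/8 replaces the single u32 secid with a structure holding one secid per module, and the letter notes the one place that cannot take a structure: netfilter secmarks, which still need a single u32 and therefore a maintained mapping between secid sets and integers. The C program below is an added sketch of that mapping and is not code from the series; `struct secids` with fields `selinux` and `smack`, the fixed-size `struct secmark_map`, and the functions `secmark_from_secids` and `secids_from_secmark` are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One secid per available module (hypothetical field names). */
struct secids {
	uint32_t selinux;
	uint32_t smack;
};

static bool secids_equal(const struct secids *a, const struct secids *b)
{
	return a->selinux == b->selinux && a->smack == b->smack;
}

/* Table mapping a secid set onto a single u32 secmark and back.
 * Mark 0 is reserved to mean "no mark", so table slot i is mark i + 1. */
#define SECMARK_MAP_MAX 64
struct secmark_map {
	struct secids sets[SECMARK_MAP_MAX];
	uint32_t count;
};

/* Return the secmark for this set, adding the set if it has not been seen.
 * Returns 0 when the table is full, the same value a caller would treat as
 * "unlabeled". */
static uint32_t secmark_from_secids(struct secmark_map *map, const struct secids *ids)
{
	for (uint32_t i = 0; i < map->count; i++)
		if (secids_equal(&map->sets[i], ids))
			return i + 1;
	if (map->count >= SECMARK_MAP_MAX)
		return 0;
	map->sets[map->count] = *ids;
	return ++map->count;
}

/* Recover the full secid set from a secmark; false for 0 or an unknown mark. */
static bool secids_from_secmark(const struct secmark_map *map, uint32_t mark,
				struct secids *out)
{
	if (mark == 0 || mark > map->count)
		return false;
	*out = map->sets[mark - 1];
	return true;
}

/* Constructed scenario: two sets that share a SELinux secid but differ in
 * their Smack secid must get different marks, and each mark must round-trip.
 * Returns 1 on success, 0 on failure. */
static int secmark_demo(void)
{
	struct secmark_map map = { .count = 0 };
	struct secids pkt1 = { .selinux = 100, .smack = 7 };
	struct secids pkt2 = { .selinux = 100, .smack = 9 };
	struct secids back;

	uint32_t m1 = secmark_from_secids(&map, &pkt1);
	uint32_t m2 = secmark_from_secids(&map, &pkt2);
	uint32_t m1_again = secmark_from_secids(&map, &pkt1);

	if (m1 == 0 || m2 == 0 || m1 == m2 || m1 != m1_again)
		return 0;
	if (!secids_from_secmark(&map, m2, &back) || !secids_equal(&back, &pkt2))
		return 0;
	/* An unknown mark and the reserved 0 must both fail cleanly. */
	if (secids_from_secmark(&map, 0, &back) || secids_from_secmark(&map, 99, &back))
		return 0;
	return 1;
}

int main(void)
{
	int ok = secmark_demo();
	printf("secmark mapping check: %s\n", ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

Two properties matter for a defender reading the series: a secmark must identify the whole set, not one module's view, or a packet could be matched by one module's policy while another module's label is silently dropped; and the reverse lookup must fail closed on marks it does not know, rather than handing back a partially filled set.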
