[PATCH security-next v2 00/26] LSM: Explict LSM ordering

Martin Steigerwald martin at lichtvoll.de
Thu Sep 20 20:14:46 UTC 2018 

Kees Cook - 20.09.18, 18:23:
> v2:
> - add "lsm.order=" and CONFIG_LSM_ORDER instead of overloading
> "security=" - reorganize introduction of ordering logic code
> 
> Updated cover letter:
> 
> This refactors the LSM registration and initialization infrastructure
> to more centrally support different LSM types. What was considered a
> "major" LSM is kept for legacy use of the "security=" boot parameter,
> and now overlaps with the new class of "exclusive" LSMs for the future
> blob sharing (to be added later). The "minor" LSMs become more well
> defined as a result of the refactoring.
> 
> Instead of continuing to (somewhat improperly) overload the kernel's
> initcall system, this changes the LSM infrastructure to store a
> registration structure (struct lsm_info) table instead, where metadata
> about each LSM can be recorded (name, flags, order, enable flag, init
> function). This can be extended in the future to include things like
> required blob size for the coming "blob sharing" LSMs.

I read the cover letter and still don´t know what this is about. Now I 
am certainly not engaged deeply with LSM. I bet my main missing piece 
is: What is a "blob sharing" LSM.

I think it would improve the cover letter greatly if it explains briefly 
what is a major LSM, what is a minor LSM and what is a "blob sharing" 
LSM.

Why those are all needed? What is the actual security or end user 
benefit of this work? The questions are not to question your work. I bet 
it makes all perfect sense. I just did not understand its sense from 
reading the cover letter.

> The "major" LSMs had to individually negotiate which of them should be
> enabled. This didn't provide a way to negotiate combinations of other
> LSMs (as will be needed for "blob sharing" LSMs). This is solved by
> providing the LSM infrastructure with all the details needed to make
> the choice (exposing the per-LSM "enabled" flag, if used, the LSM
> characteristics, and ordering expectations).
> 
> As a result of the refactoring, the "minor" LSMs are able to remove
> the open-coded security_add_hooks() calls for "capability", "yama",
> and "loadpin", and to redefine "integrity" properly as a general LSM.
> (Note that "integrity" actually defined _no_ hooks, but needs the
> early initialization).
> 
> With all LSMs being proessed centrally, it was possible to implement
> a new boot parameter "lsm.order=" to provide explicit ordering, which
> is helpful for the future "blob sharing" LSMs. Matching this is the
> new CONFIG_LSM_ORDER, which replaces CONFIG_DEFAULT_SECURITY, as it
> provides a higher granularity of control.
> 
> To better show LSMs activation some debug reporting was added (enabled
> with the "lsm.debug" boot commandline option).
> 
> Finally, I added a WARN() around LSM initialization failures, which
> appear to have always been silently ignored. (Realistically any LSM
> init failures would have only been due to catastrophic kernel issues
> that would render a system unworkable anyway, but it'd be better to
> expose the problem as early as possible.)
> 
> -Kees
> 
> Kees Cook (26):
>   LSM: Correctly announce start of LSM initialization
>   vmlinux.lds.h: Avoid copy/paste of security_init section
>   LSM: Rename .security_initcall section to .lsm_info
>   LSM: Remove initcall tracing
>   LSM: Convert from initcall to struct lsm_info
>   vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
>   LSM: Convert security_initcall() into DEFINE_LSM()
>   LSM: Record LSM name in struct lsm_info
>   LSM: Provide init debugging infrastructure
>   LSM: Don't ignore initialization failures
>   LSM: Introduce LSM_FLAG_LEGACY_MAJOR
>   LSM: Provide separate ordered initialization
>   LSM: Plumb visibility into optional "enabled" state
>   LSM: Lift LSM selection out of individual LSMs
>   LSM: Introduce lsm.enable= and lsm.disable=
>   LSM: Prepare for reorganizing "security=" logic
>   LSM: Refactor "security=" in terms of enable/disable
>   LSM: Build ordered list of ordered LSMs for init
>   LSM: Introduce CONFIG_LSM_ORDER
>   LSM: Introduce "lsm.order=" for boottime ordering
>   LoadPin: Initialize as ordered LSM
>   Yama: Initialize as ordered LSM
>   LSM: Introduce enum lsm_order
>   capability: Mark as LSM_ORDER_FIRST
>   LSM: Separate idea of "major" LSM from "exclusive" LSM
>   LSM: Add all exclusive LSMs to ordered initialization
> 
>  .../admin-guide/kernel-parameters.txt         |   7 +
>  arch/arc/kernel/vmlinux.lds.S                 |   1 -
>  arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
>  arch/arm64/kernel/vmlinux.lds.S               |   1 -
>  arch/h8300/kernel/vmlinux.lds.S               |   1 -
>  arch/microblaze/kernel/vmlinux.lds.S          |   2 -
>  arch/powerpc/kernel/vmlinux.lds.S             |   2 -
>  arch/um/include/asm/common.lds.S              |   2 -
>  arch/xtensa/kernel/vmlinux.lds.S              |   1 -
>  include/asm-generic/vmlinux.lds.h             |  25 +-
>  include/linux/init.h                          |   2 -
>  include/linux/lsm_hooks.h                     |  43 ++-
>  include/linux/module.h                        |   1 -
>  security/Kconfig                              |  42 +--
>  security/apparmor/lsm.c                       |  16 +-
>  security/commoncap.c                          |   8 +-
>  security/integrity/iint.c                     |   5 +-
>  security/loadpin/loadpin.c                    |  10 +-
>  security/security.c                           | 304
> ++++++++++++++---- security/selinux/hooks.c                      | 
> 16 +-
>  security/smack/smack_lsm.c                    |   8 +-
>  security/tomoyo/tomoyo.c                      |   7 +-
>  security/yama/yama_lsm.c                      |   7 +-
>  23 files changed, 348 insertions(+), 164 deletions(-)


-- 
Martin

More information about the Linux-security-module-archive mailing list