[RFC PATCH v2] security, lockdown, selinux: implement SELinux lockdown

Paul Moore paul at paul-moore.com
Mon Dec 9 23:12:57 UTC 2019


On Wed, Nov 27, 2019 at 12:04 PM Stephen Smalley <sds at tycho.nsa.gov> wrote:
> Implement a SELinux hook for lockdown.  If the lockdown module is also
> enabled, then a denial by the lockdown module will take precedence over
> SELinux, so SELinux can only further restrict lockdown decisions.
> The SELinux hook only distinguishes at the granularity of integrity
> versus confidentiality similar to the lockdown module, but includes the
> full lockdown reason as part of the audit record as a hint in diagnosing
> what triggered the denial.  To support this auditing, move the
> lockdown_reasons[] string array from being private to the lockdown
> module to the security framework so that it can be used by the lsm audit
> code and so that it is always available even when the lockdown module
> is disabled.
>
> Note that the SELinux implementation allows the integrity and
> confidentiality reasons to be controlled independently from one another.
> Thus, in an SELinux policy, one could allow operations that specify
> an integrity reason while blocking operations that specify a
> confidentiality reason. The SELinux hook implementation is
> stricter than the lockdown module in validating the provided reason value.
>
> Sample AVC audit output from denials:
> avc:  denied  { integrity } for pid=3402 comm="fwupd"
>  lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
>  tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
>
> avc:  denied  { confidentiality } for pid=4628 comm="cp"
>  lockdown_reason="/proc/kcore access"
>  scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
>  tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
>  tclass=lockdown permissive=0
>
> Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
> ---
>  include/linux/lsm_audit.h           |  2 ++
>  include/linux/security.h            |  2 ++
>  security/lockdown/lockdown.c        | 24 -----------------------
>  security/lsm_audit.c                |  5 +++++
>  security/security.c                 | 30 +++++++++++++++++++++++++++++
>  security/selinux/hooks.c            | 30 +++++++++++++++++++++++++++++
>  security/selinux/include/classmap.h |  2 ++
>  7 files changed, 71 insertions(+), 24 deletions(-)

While I remain concerned about the granularity, I think this is about
as good as we can get right now without potentially messing things up
in the future.  Applied to selinux/next, thanks Stephen.

-- 
paul moore
www.paul-moore.com
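The AVC records quoted in the commit message carry the lockdown permission, the lockdown_reason hint and the source context on wrapped lines; as an added example that is not part of this thread or the patch, here is a small Python parser that rejoins those lines and extracts the fields an analyst would triage on. The sample text is constructed from the two records quoted above.

```python
import re
# Constructed sample: the two AVC records quoted in the commit message above,
# kept with the mail-style wrapping (continuation lines start with a space).
SAMPLE_AVC = """\
avc:  denied  { integrity } for pid=3402 comm="fwupd"
 lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
 tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0

avc:  denied  { confidentiality } for pid=4628 comm="cp"
 lockdown_reason="/proc/kcore access"
 scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
 tclass=lockdown permissive=0
"""

HEADER_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
# key=value pairs; quoted values (comm, lockdown_reason) may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap_records(text):
    """Rejoin wrapped continuation lines so each AVC message is one string."""
    records = []
    for line in text.splitlines():
        if line.startswith('avc:'):
            records.append(line.strip())
        elif line.strip() and records:
            records[-1] += ' ' + line.strip()
    return records

def parse_avc(record):
    """Parse one unwrapped AVC line into (result, [perms], {fields}); None if not AVC."""
    m = HEADER_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    return m.group(1), m.group(2).split(), fields

def lockdown_denials(text):
    """Denials in the 'lockdown' class as (permission, lockdown_reason, source type, permissive)."""
    out = []
    for rec in unwrap_records(text):
        parsed = parse_avc(rec)
        if not parsed:
            continue
        result, perms, f = parsed
        if result == 'denied' and f.get('tclass') == 'lockdown':
            source_type = f['scontext'].split(':')[2]   # user:role:type:range
            out.append((perms[0], f['lockdown_reason'], source_type, f.get('permissive') == '1'))
    return out
```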
