[PATCH 00/97] LSM: Complete module stacking
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 1 14:17:18 UTC 2019
On 2/28/19 5:17 PM, Casey Schaufler wrote:
> This is a preliminary version of the complete stacking
> implementation. The patches need to be cleaned up, and
> several are not strictly necessary. There is likely to
> be work required in the audit sub-system. It does address
> all the shared data, including CIPSO headers. It should
> handle CALIPSO once Smack supports it. I will be revising
> the set after 5.1.
>
> Complete the transition from module based blob management
> to infrastructure based blob management. This includes
> the socket, superblock and key blobs.
>
> Change the LSM infrastructure from exposing secids to
> exposing an opaque "lsm_export" structure that can contain
> information for multiple active security modules. Update
> all of the security modules to use information from the
> lsm_export structure. Update the LSM interfaces that expose
> secids for more than one module to use the export structure.
> Update all the users of these interfaces.
>
> Change the LSM infrastructure from using a string/size pair
> for security "contexts" to a "lsm_context" structure that
> can represent information for multiple modules. This contains
> information that allows the "context" to be properly freed
> regardless of where it is allocated and where it is used.
>
> Add an interface to identify which security module data
> should be presented with SO_PEERSEC. /proc/.../attr/display
> will set and report the name of the LSM that
> security_secid_to_secctx() will use to translate to text.
> If it is not explicitly set, the first security module that
> supplies secid (now lsm_export) interfaces will be used.
> To ensure consistency, a set of module hooks dealing with
> the secid/context processing is maintained with each process
> that explicitly sets it.
>
> Before sending a network packet verify that all interested
> security modules agree on the labeling. Fail if the labeling
> cannot be reconciled. This requires a new Netlabel interface
> to compare proposed labels, and a change to the return values
> from the existing netlabel attribute setting functions.
Have you run any benchmarks to assess the performance impact of these
changes?
>
> git://github.com/cschaufler/lsm-stacking.git#5.0-rc3-plus-a
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
> fs/kernfs/dir.c | 6 +-
> fs/kernfs/inode.c | 31 +-
> fs/kernfs/kernfs-internal.h | 4 +-
> fs/nfs/inode.c | 13 +-
> fs/nfs/internal.h | 8 +-
> fs/nfs/nfs4proc.c | 17 +-
> fs/nfs/nfs4xdr.c | 16 +-
> fs/nfsd/nfs4proc.c | 8 +-
> fs/nfsd/nfs4xdr.c | 14 +-
> fs/nfsd/vfs.c | 7 +-
> fs/proc/base.c | 1 +
> include/linux/cred.h | 3 +-
> include/linux/lsm_hooks.h | 122 ++--
> include/linux/nfs4.h | 8 +-
> include/linux/security.h | 165 +++--
> include/net/netlabel.h | 18 +-
> include/net/route.h | 55 +-
> include/net/scm.h | 14 +-
> include/net/sock.h | 14 +-
> include/uapi/linux/netfilter/xt_CONNMARK.h | 45 +-
> include/uapi/linux/netfilter/xt_DSCP.h | 27 +-
> include/uapi/linux/netfilter/xt_MARK.h | 17 +-
> include/uapi/linux/netfilter/xt_RATEEST.h | 38 +-
> include/uapi/linux/netfilter/xt_TCPMSS.h | 13 +-
> include/uapi/linux/netfilter_ipv4/ipt_ECN.h | 40 +-
> include/uapi/linux/netfilter_ipv4/ipt_TTL.h | 14 +-
> include/uapi/linux/netfilter_ipv6/ip6t_HL.h | 14 +-
> kernel/audit.c | 60 +-
> kernel/audit.h | 9 +-
> kernel/auditfilter.c | 6 +-
> kernel/auditsc.c | 61 +-
> kernel/cred.c | 15 +-
> net/ipv4/cipso_ipv4.c | 13 +-
> net/ipv4/ip_sockglue.c | 14 +-
> net/ipv4/route.c | 61 ++
> net/netfilter/nf_conntrack_netlink.c | 27 +-
> net/netfilter/nf_conntrack_standalone.c | 16 +-
> net/netfilter/nfnetlink_queue.c | 35 +-
> net/netfilter/nft_meta.c | 8 +-
> net/netfilter/xt_DSCP.c | 149 ++---
> net/netfilter/xt_HL.c | 164 ++---
> net/netfilter/xt_RATEEST.c | 278 +++------
> net/netfilter/xt_SECMARK.c | 9 +-
> net/netfilter/xt_TCPMSS.c | 378 +++---------
> net/netlabel/netlabel_kapi.c | 125 +++-
> net/netlabel/netlabel_unlabeled.c | 99 ++-
> net/netlabel/netlabel_unlabeled.h | 2 +-
> net/netlabel/netlabel_user.c | 13 +-
> net/netlabel/netlabel_user.h | 2 +-
> net/socket.c | 17 +
> net/unix/af_unix.c | 11 +-
> security/apparmor/audit.c | 4 +-
> security/apparmor/include/audit.h | 2 +-
> security/apparmor/include/net.h | 6 +-
> security/apparmor/include/secid.h | 9 +-
> security/apparmor/lsm.c | 64 +-
> security/apparmor/secid.c | 42 +-
> security/integrity/ima/ima.h | 14 +-
> security/integrity/ima/ima_api.c | 9 +-
> security/integrity/ima/ima_appraise.c | 6 +-
> security/integrity/ima/ima_main.c | 34 +-
> security/integrity/ima/ima_policy.c | 19 +-
> security/security.c | 682 ++++++++++++++++++---
> security/selinux/hooks.c | 308 +++++-----
> security/selinux/include/audit.h | 6 +-
> security/selinux/include/netlabel.h | 7 +
> security/selinux/include/objsec.h | 43 +-
> security/selinux/netlabel.c | 69 ++-
> security/selinux/ss/services.c | 19 +-
> security/smack/smack.h | 34 +
> security/smack/smack_access.c | 14 +-
> security/smack/smack_lsm.c | 389 ++++++------
> security/smack/smack_netfilter.c | 48 +-
> security/smack/smackfs.c | 23 +-
> .../Z6.0+pooncelock+poonceLock+pombonce.litmus | 12 +-
> 75 files changed, 2369 insertions(+), 1798 deletions(-)
>
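The two mechanisms the cover letter describes, an lsm_export carrying one secid per stacked module that a per-process "display" selects from, and the pre-send check that every module labeling a packet agrees, modelled in userspace C. This is an added illustration, not code from the lsm-stacking tree: the field layout of struct lsm_export, the names lsm_display_slot, secid_to_secctx, netlbl_attr and netlbl_reconcile, the one-level-plus-category-bitmap label format, and the rule that an explicit display naming a module with no secid is an error are all assumptions made here.

```c
/* Userspace model of lsm_export + display selection and of pre-send label
 * reconciliation across stacked LSMs. Added example, not the patch set's
 * code; layout, names and label format are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum lsm_slot { LSM_SELINUX = 0, LSM_SMACK, LSM_APPARMOR, LSM_COUNT };

static const char *lsm_names[LSM_COUNT] = { "selinux", "smack", "apparmor" };

/* Replaces a single u32 secid: one slot per module, flags say which are set. */
struct lsm_export {
	uint32_t secid[LSM_COUNT];
	uint32_t flags;
};

static void lsm_export_set(struct lsm_export *e, enum lsm_slot slot, uint32_t secid)
{
	e->secid[slot] = secid;
	e->flags |= 1u << slot;
}

/* /proc/.../attr/display rule: display < 0 means "not explicitly set", so the
 * first module with a secid in the export wins. An explicit display naming a
 * module without a secid is an error here (assumption). Returns slot or -1. */
static int lsm_display_slot(const struct lsm_export *e, int display)
{
	if (display >= 0) {
		if (display < LSM_COUNT && (e->flags & (1u << display)))
			return display;
		return -1;
	}
	for (int i = 0; i < LSM_COUNT; i++)
		if (e->flags & (1u << i))
			return i;
	return -1;
}

/* What SO_PEERSEC would hand back: "<module>:<secid>" for the displayed
 * module only. Returns 0 on success, -1 if nothing can be displayed. */
static int secid_to_secctx(const struct lsm_export *e, int display,
			   char *buf, size_t len)
{
	int slot = lsm_display_slot(e, display);

	if (slot < 0)
		return -1;
	snprintf(buf, len, "%s:%u", lsm_names[slot], e->secid[slot]);
	return 0;
}

/* Minimal CIPSO-style attribute: a sensitivity level and a category bitmap. */
struct netlbl_attr {
	int present;          /* does this module want to label the packet? */
	uint8_t level;
	uint64_t categories;
};

/* Pre-send reconciliation: every module that labels the packet must propose
 * the same level and categories. Returns 0 and fills *out when reconciled,
 * -1 when they conflict (the send must fail). No interested module: *out is
 * marked absent and the packet goes out unlabeled. */
static int netlbl_reconcile(const struct netlbl_attr *prop, int n,
			    struct netlbl_attr *out)
{
	const struct netlbl_attr *agreed = NULL;

	for (int i = 0; i < n; i++) {
		if (!prop[i].present)
			continue;
		if (!agreed) {
			agreed = &prop[i];
			continue;
		}
		if (agreed->level != prop[i].level ||
		    agreed->categories != prop[i].categories)
			return -1;
	}
	if (agreed)
		*out = *agreed;
	else
		out->present = 0;
	return 0;
}

int main(void)
{
	struct lsm_export peer = { {0}, 0 };
	/* Constructed sample: SELinux and Smack both active on one socket. */
	struct netlbl_attr out, agree[2] = { {1, 3, 0x5}, {1, 3, 0x5} };
	struct netlbl_attr clash[2] = { {1, 3, 0x5}, {1, 2, 0x5} };
	char ctx[64];

	lsm_export_set(&peer, LSM_SELINUX, 1234);
	lsm_export_set(&peer, LSM_SMACK, 42);
	secid_to_secctx(&peer, -1, ctx, sizeof(ctx));
	printf("default display: %s\n", ctx);       /* selinux:1234 */
	secid_to_secctx(&peer, LSM_SMACK, ctx, sizeof(ctx));
	printf("display=smack: %s\n", ctx);         /* smack:42 */
	printf("agree: %d, clash: %d\n", netlbl_reconcile(agree, 2, &out),
	       netlbl_reconcile(clash, 2, &out));   /* agree: 0, clash: -1 */
	return 0;
}
```

The point the model makes concrete is that once more than one module holds a secid for the same object, a single u32 no longer identifies the peer, and a packet can only carry one CIPSO header, so some policy (here: identical proposals, otherwise refuse to send) has to decide what goes on the wire.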