[PATCH v24 00/25] LSM: Module stacking for AppArmor
Topi Miettinen
toiwoton at gmail.com
Tue Feb 2 12:05:38 UTC 2021
On 26.1.2021 18.40, Casey Schaufler wrote:
> This patchset provides the changes required for
> the AppArmor security module to stack safely with any other.
In my test, when kernel command line has apparmor before selinux in lsm=
entry, the boot is not successful with enforcing=1:
systemd[1]: Failed to compute init label, ignoring.
systemd[1]: Failed to set SELinux security context
system_u:object_r:cgroup_t:s0 for /sys/fs/cgroup: Invalid argument
systemd[1]: Failed to set SELinux security context
system_u:object_r:pstore_t:s0 for /sys/fs/pstore: Invalid argument
systemd[1]: Failed to set SELinux security context
system_u:object_r:sysfs_t:s0 for /sys/firmware/efi/efivars: Invalid argument
...
Failed to drop capability bounding set of usermode helpers: Operation
not permitted
Failed to drop capability bounding set of usermode helpers.
systemd[1]: Freezing execution.
Probably SELinux libraries can't find or set the labels for the PID1 or
any file systems. Before the init label message, systemd calls
getcon_raw(), getfilecon_raw(), string_to_security_class() and
security_compute_create_raw(), so one of these don't understand the LSM
stacking.
Also the policy needs updating to handle process2:setdisplay:
SELinux: Permission setdisplay in class process2 not defined in policy.
SELinux: the above unknown classes and permissions will be denied
With enforcing=0, many services start, but for example systemd-journald
doesn't. This is probably related to the earlier problem with labels
(maybe libraries try to use SELinux labels where kernel wants AppArmor
profiles):
systemd[1]: Failed to set SELinux security context
system_u:object_r:init_runtime_t:s0 for
/run/systemd/units/invocation:systemd-user-sessions.service: Invalid
argument
Switching the order so that apparmor is after selinux, boot is
successful. Loading AppArmor profiles needs a permission from SELinux:
Feb 02 08:53:15 audit[963]: AVC avc: denied { mac_admin } for pid=963
comm="apparmor_parser" capability=33
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=capability2 permissive=0
Feb 02 08:53:15 audit[963]: AVC apparmor="STATUS"
operation="profile_replace" info="not policy admin" error=-13
profile="unconfined" pid=963 comm="apparmor_parser"
Feb 02 08:53:15 audit: AUDIT1420
subj_selinux=system_u:system_r:initrc_t:s0 subj_apparmor==unconfined
Feb 02 08:53:15 audit[963]: SYSCALL arch=c000003e syscall=1 success=no
exit=-13 a0=7 a1=7a8f2ff04f80 a2=1e09 a3=0 items=0 ppid=961 pid=963
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="apparmor_parser"
exe="/usr/sbin/apparmor_parser" subj=? key=(null)
Feb 02 08:53:15 audit: PROCTITLE
proctitle=2F7362696E2F61707061726D6F725F706172736572002D2D77726974652D6361636865002D2D7265706C616365002D2D002F6574632F61707061726D6F722E64
Feb 02 08:53:15 apparmor.systemd[963]: /sbin/apparmor_parser: Unable to
replace "/lib/systemd/systemd-resolved". Permission denied; attempted
to load a profile while confined?
This just seems to need TE rules for the apparmor_parser.
Double equal sign in subj_apparmor==unconfined looks odd, should that be
just one like subj_selinux?
Tools like ps, and KDE and Gnome System Monitors only show SELinux
context, but it would be nice if MAC contexts for all enabled LSMs were
shown.
-Topi
>
> v24: Rebase to 5.11-rc1
> Incorporate feedback from v23
> - Address the IMA team's concerns about "label collisions".
> A label collision occurs when there is ambiguity about
> which of multiple LSMs is being targeted in the definition
> of an integrity check rule. A system with Smack and
> AppArmor would be unable to distinguish which LSM is
> important to an integrity rule referrencing the label
> "unconfined" as that label is meaningful to both.
> Provide a boot option to specify which LSM will be used in
> IMA rules when multiple LSMs are present. (patch 04)
> Pull LSM "slot" identification from later audit patches in
> in support of this (patch 03).
> - Pick up a few audit events that need to include supplimental
> subject context records that had been missed in the
> previous version.
> v23: Rebase to 5.10-rc4
> Incorporate feedback from v22
> - Change /proc/*/attr/display to /proc/*/attr/interface_lsm to
> make the purpose clearer. (patch 0012)
> - Include ABI documentation. (patch 0012, 0022)
> - Introduce LSM documentation updates with the patches where
> the interfaces are added rather than at the end. (patch 0012, 0022)
> Include more maintainers and mail lists in To: and Cc: directives.
> v22: Rebase to 5.10-rc1
> v21: Rebase to 5.9-rc4
> Incorporate feedback from v20
> - Further revert UDS SO_PEERSEC to use scaffolding around
> the interfaces that use lsmblobs and store only a single
> secid. The possibility of multiple security modules
> requiring data here is still a future problem.
> - Incorporate Richard Guy Briggs' non-syscall auxiliary
> records patch (patch 0019-0021) in place of my "supplimental"
> records implementation. [I'm not sure I've given proper
> attestation. I will correct as appropriate]
> v20: Rebase to 5.9-rc1
> Change the BPF security module to use the lsmblob data. (patch 0002)
> Repair length logic in subject label processing (patch 0015)
> Handle -EINVAL from the empty BPF setprocattr hook (patch 0020)
> Correct length processing in append_ctx() (patch 0022)
> v19: Rebase to 5.8-rc6
> Incorporate feedback from v18
> - Revert UDS SO_PEERSEC implementation to use lsmblobs
> directly, rather than allocating as needed. The correct
> treatment of out-of-memory conditions in the later case
> is difficult to define. (patch 0005)
> - Use a size_t in append_ctx() (patch 0021)
> - Fix a memory leak when creating compound contexts. (patch 0021)
> Fix build error when CONFIG_SECURITY isn't set (patch 0013)
> Fix build error when CONFIG_SECURITY isn't set (patch 0020)
> Fix build error when CONFIG_SECURITY isn't set (patch 0021)
> v18: Rebase to 5.8-rc3
> Incorporate feedback from v17
> - Null pointer checking in UDS (patch 0005)
> Match changes in IMA code (patch 0012)
> Fix the behavior of LSM context supplimental audit
> records so that there's always exactly one when it's
> appropriate for there to be one. This is a substantial
> change that requires extention of the audit_context beyond
> syscall events. (patch 0020)
> v17: Rebase to 5.7-rc4
> v16: Rebase to 5.6
> Incorporate feedback from v15 - Thanks Stephen, Mimi and Paul
> - Generally improve commit messages WRT scaffolding
> - Comment ima_lsm_isset() (patch 0002)
> - Some question may remain on IMA warning (patch 0002)
> - Mark lsm_slot as __lsm_ro_after_init not __init_data (patch 0002)
> - Change name of lsmblob variable in ima_match_rules() (patch 0003)
> - Instead of putting a struct lsmblob into the unix_skb_parms
> structure put a pointer to an allocated instance. There is
> currently only space for 5 u32's in unix_skb_parms and it is
> likely to get even tighter. Fortunately, the lifecycle
> management of the allocated lsmblob is simple. (patch 0005)
> - Dropped Acks due to the above change (patch 0005)
> - Improved commentary on secmark labeling scaffolding. (patch 0006)
> - Reduced secmark related labeling scaffolding. (patch 0006)
> - Replace use of the zeroth entry of an lsmblob in scaffolding
> with a function lsmblob_value() to hopefully make it less
> obscure. (patch 0006)
> - Convert security_secmark_relabel_packet to use lsmblob as
> this reduces much of the most contentious scaffolding. (patch 0006)
> - Dropped Acks due to the above change (patch 0006)
> - Added BUILD_BUG_ON() for CIPSO tag 6. (patch 0018)
> - Reworked audit subject information. Instead of adding fields in
> the middle of existing records add a new record to the event. When
> a separate record is required use subj="?". (patch 0020)
> - Dropped Acks due to the above change (patch 0020)
> - Reworked audit object information. Instead of adding fields in
> the middle of existing records add a new record to the event. When
> a separate record is required use obj="?". (patch 0021)
> - Dropped Acks due to the above change (patch 0021)
> - Enhanced documentation (patch 0022)
> - Removed unnecessary error code check in security_getprocattr()
> (patch 0021)
> v15: Rebase to 5.6-rc1
> - Revise IMA data use (patch 0002)
> Incorporate feedback from v14
> - Fix lockdown module registration naming (patch 0002)
> - Revise how /proc/self/attr/context is gathered. (patch 0022)
> - Revise access modes on /proc/self/attr/context. (patch 0022)
> - Revise documentation on LSM external interfaces. (patch 0022)
> v14: Rebase to 5.5-rc5
> Incorporate feedback from v13
> - Use an array of audit rules (patch 0002)
> - Significant change, removed Acks (patch 0002)
> - Remove unneeded include (patch 0013)
> - Use context.len correctly (patch 0015)
> - Reorder code to be more sensible (patch 0016)
> - Drop SO_PEERCONTEXT as it's not needed yet (patch 0023)
> v13: Rebase to 5.5-rc2
> Incorporate feedback from v12
> - Print lsmblob size with %z (Patch 0002)
> - Convert lockdown LSM initialization. (Patch 0002)
> - Restore error check in nft_secmark_compute_secid (Patch 0006)
> - Correct blob scaffolding in ima_must_appraise() (Patch 0009)
> - Make security_setprocattr() clearer (Patch 0013)
> - Use lsm_task_display more widely (Patch 0013)
> - Use passed size in lsmcontext_init() (Patch 0014)
> - Don't add a smack_release_secctx() hook (Patch 0014)
> - Don't print warning in security_release_secctx() (Patch 0014)
> - Don't duplicate the label in nfs4_label_init_security() (Patch 0016)
> - Remove reviewed-by as code has significant change (Patch 0016)
> - Send the entire lsmblob for Tag 6 (Patch 0019)
> - Fix description of socket_getpeersec_stream parameters (Patch 0023)
> - Retain LSMBLOB_FIRST. What was I thinking? (Patch 0023)
> - Add compound context to LSM documentation (Patch 0023)
> v12: Rebase to 5.5-rc1
> Fixed a couple of incorrect contractions in the text.
> v11: Rebase to 5.4-rc6
> Incorporate feedback from v10
> - Disambiguate reading /proc/.../attr/display by restricting
> all use of the interface to the current process.
> - Fix a merge error in AppArmor's display attribute check
> v10: Ask the security modules if the display can be changed.
> v9: There is no version 9
> v8: Incorporate feedback from v7
> - Minor clean-up in display value management
> - refactor "compound" context creation to use a common
> append_ctx() function.
> v7: Incorporate feedback from v6
> - Make setting the display a privileged operation. The
> availability of compound contexts reduces the need for
> setting the display.
> v6: Incorporate feedback from v5
> - Add subj_<lsm>= and obj_<lsm>= fields to audit records
> - Add /proc/.../attr/context to get the full context in
> lsmname\0value\0... format as suggested by Simon McVittie
> - Add SO_PEERCONTEXT for getsockopt() to get the full context
> in the same format, also suggested by Simon McVittie.
> - Add /sys/kernel/security/lsm_display_default to provide
> the display default value.
> v5: Incorporate feedback from v4
> - Initialize the lsmcontext in security_secid_to_secctx()
> - Clear the lsmcontext in all security_release_secctx() cases
> - Don't use the "display" on strictly internal context
> interfaces.
> - The SELinux binder hooks check for cases where the context
> "display" isn't compatible with SELinux.
> v4: Incorporate feedback from v3
> - Mark new lsm_<blob>_alloc functions static
> - Replace the lsm and slot fields of the security_hook_list
> with a pointer to a LSM allocated lsm_id structure. The
> LSM identifies if it needs a slot explicitly. Use the
> lsm_id rather than make security_add_hooks return the
> slot value.
> - Validate slot values used in security.c
> - Reworked the "display" process attribute handling so that
> it works right and doesn't use goofy list processing.
> - fix display value check in dentry_init_security
> - Replace audit_log of secids with '?' instead of deleting
> the audit log
> v3: Incorporate feedback from v2
> - Make lsmblob parameter and variable names more
> meaningful, changing "le" and "l" to "blob".
> - Improve consistency of constant naming.
> - Do more sanity checking during LSM initialization.
> - Be a bit clearer about what is temporary scaffolding.
> - Rather than clutter security_getpeersec_dgram with
> otherwise unnecessary checks remove the apparmor
> stub, which does nothing useful.
>
> Patch 01 moves management of the sock security blob
> from the individual modules to the infrastructure.
>
> Patches 02-03 introduce a structure "lsmblob" that will gradually
> replace the "secid" as a shorthand for security module information.
> At this point lsmblob contains an array of u32 secids, one "slot"
> for each of the security modules compiled into the kernel that
> used secids. A "slot" is allocated when a security module requests
> one.
>
> Patch 04 provides mechanism for the IMA subsystem to identify
> explicitly which LSM is subject to IMA policy. This includes
> a boot option for specifying the default and an additional option
> in IMA rules "lsm=".
>
> Patches 05-13 change LSM interfaces to use the lsmblob instead
> of secids. It is important that the lsmblob be a fixed size entity
> that does not have to be allocated. Several of the places
> where it is used would have performance and/or locking
> issues with dynamic allocation.
>
> Patch 14 provides a mechanism for a process to identify which
> security module's hooks should be used when displaying or
> converting a security context string. A new interface
> /proc/self/attr/interface_lsm contains the name of the security
> module to show. Reading from this file will present the name of
> the module, while writing to it will set the value. Only names
> of active security modules are accepted. Internally, the name
> is translated to the appropriate "slot" number for the module
> which is then stored in the task security blob. Setting the
> display requires that all modules using the /proc interfaces
> allow the transition. The interface LSM of other processess
> can be neither read nor written. All suggested cases for
> reading the interface LSM of a different process have race
> conditions.
>
> Patch 15 Starts the process of changing how a security
> context is represented. Since it is possible for a
> security context to have been generated by more than one
> security module it is now necessary to note which module
> created a security context so that the correct "release"
> hook can be called. There are several places where the
> module that created a security context cannot be inferred.
>
> This is achieved by introducing a "lsmcontext" structure
> which contains the context string, its length and the
> "slot" number of the security module that created it.
> The security_release_secctx() interface is changed,
> replacing the (string,len) pointer pair with a lsmcontext
> pointer.
>
> Patches 16-18 convert the security interfaces from
> (string,len) pointer pairs to a lsmcontext pointer.
> The slot number identifying the creating module is
> added by the infrastructure. Where the security context
> is stored for extended periods the data type is changed.
>
> The Netlabel code is converted to save lsmblob structures
> instead of secids in Patch 19. This is not strictly
> necessary as there can only be one security module that
> uses Netlabel at this point. Using a lsmblob is much
> cleaner, as the interfaces that use the data have all
> been converted.
>
> Patch 20 adds checks to the binder hooks which verify
> that both ends of a transaction use the same interface LSM.
>
> Patches 21-23 add addition audit records for subject and
> object LSM data when there are multiple security modules
> with such data. The AUDIT_MAC_TASK_CONTEXTS record is used
> in conjuction with a "subj=?" field to identify the subject
> data. The AUDIT_MAC_OBJ_CONTEXTS record is used in conjuction
> with a "obj=?" field to identify the object data. The
> AUDIT_MAC_TASK_CONTEXTS record identifies the security module
> with the data: "subj_selinux=xyz_t subj_apparmor=abc". The
> AUDIT_MAC_OBJ_CONTEXTS record identifies the security module
> with the data: "obj_selinux=xyz_t obj_apparmor=abc". While
> AUDIT_MAC_TASK_CONTEXTS records will always contain an entry
> for each possible security modules, AUDIT_MAC_OBJ_CONTEXTS
> records will only contain entries for security modules for
> which the object in question has data.
>
> An example of the MAC_TASK_CONTEXTS (1420) record is:
>
> type=UNKNOWN[1420]
> msg=audit(1600880931.832:113)
> subj_apparmor==unconfined
> subj_smack=_
>
> An example of the MAC_OBJ_CONTEXTS (1421) record is:
>
> type=UNKNOWN[1421]
> msg=audit(1601152467.009:1050):
> obj_selinux=unconfined_u:object_r:user_home_t:s0
>
> Patch 24 adds a new interface for getting the compound security
> contexts, /proc/self/attr/context. An example of the content
> of this file is:
>
> selinux\0one_u:one_r:one_t:s0-s0:c0.c1023\0apparmor\0unconfined\0
>
> Finally, with all interference on the AppArmor hooks removed,
> Patch 25 removes the exclusive bit from AppArmor. An unnecessary
> stub hook was also removed.
>
> The Ubuntu project is using an earlier version of this patchset in
> their distribution to enable stacking for containers.
>
> Performance measurements to date have the change within the "noise".
> The sockperf and dbench results are on the order of 0.2% to 0.8%
> difference, with better performance being as common as worse. The
> benchmarks were run with AppArmor and Smack on Ubuntu.
>
> https://github.com/cschaufler/lsm-stacking.git#stack-5.11-rc1-v24
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>
>
> Casey Schaufler (25):
> LSM: Infrastructure management of the sock security
> LSM: Add the lsmblob data structure.
> LSM: provide lsm name and id slot mappings
> IMA: avoid label collisions with stacked LSMs
> LSM: Use lsmblob in security_audit_rule_match
> LSM: Use lsmblob in security_kernel_act_as
> LSM: Use lsmblob in security_secctx_to_secid
> LSM: Use lsmblob in security_secid_to_secctx
> LSM: Use lsmblob in security_ipc_getsecid
> LSM: Use lsmblob in security_task_getsecid
> LSM: Use lsmblob in security_inode_getsecid
> LSM: Use lsmblob in security_cred_getsecid
> IMA: Change internal interfaces to use lsmblobs
> LSM: Specify which LSM to display
> LSM: Ensure the correct LSM context releaser
> LSM: Use lsmcontext in security_secid_to_secctx
> LSM: Use lsmcontext in security_inode_getsecctx
> LSM: security_secid_to_secctx in netlink netfilter
> NET: Store LSM netlabel data in a lsmblob
> LSM: Verify LSM display sanity in binder
> audit: add support for non-syscall auxiliary records
> Audit: Add new record for multiple process LSM attributes
> Audit: Add a new record for multiple object LSM attributes
> LSM: Add /proc attr entry for full LSM context
> AppArmor: Remove the exclusive flag
>
> Documentation/ABI/testing/ima_policy | 8 +-
> Documentation/ABI/testing/procfs-attr-context | 14 +
> .../ABI/testing/procfs-attr-lsm_display | 22 +
> Documentation/security/lsm.rst | 28 +
> drivers/android/binder.c | 26 +-
> fs/ceph/xattr.c | 6 +-
> fs/nfs/nfs4proc.c | 8 +-
> fs/nfsd/nfs4xdr.c | 20 +-
> fs/proc/base.c | 2 +
> include/linux/audit.h | 43 +-
> include/linux/cred.h | 3 +-
> include/linux/lsm_hooks.h | 36 +-
> include/linux/security.h | 185 +++++-
> include/net/netlabel.h | 11 +-
> include/net/scm.h | 15 +-
> include/net/xfrm.h | 13 +-
> include/uapi/linux/audit.h | 2 +
> kernel/audit.c | 175 ++++--
> kernel/audit.h | 11 +-
> kernel/auditfilter.c | 36 +-
> kernel/auditsc.c | 191 +++---
> kernel/cred.c | 12 +-
> net/ipv4/cipso_ipv4.c | 26 +-
> net/ipv4/ip_sockglue.c | 12 +-
> net/netfilter/nf_conntrack_netlink.c | 24 +-
> net/netfilter/nf_conntrack_standalone.c | 11 +-
> net/netfilter/nfnetlink_queue.c | 38 +-
> net/netfilter/nft_meta.c | 10 +-
> net/netfilter/xt_SECMARK.c | 7 +-
> net/netlabel/netlabel_domainhash.c | 4 +-
> net/netlabel/netlabel_kapi.c | 6 +-
> net/netlabel/netlabel_unlabeled.c | 106 ++--
> net/netlabel/netlabel_unlabeled.h | 2 +-
> net/netlabel/netlabel_user.c | 23 +-
> net/netlabel/netlabel_user.h | 2 +-
> net/xfrm/xfrm_policy.c | 10 +-
> net/xfrm/xfrm_state.c | 20 +-
> security/apparmor/include/apparmor.h | 3 +-
> security/apparmor/include/net.h | 6 +-
> security/apparmor/include/procattr.h | 2 +-
> security/apparmor/lsm.c | 105 ++--
> security/apparmor/procattr.c | 22 +-
> security/bpf/hooks.c | 12 +-
> security/commoncap.c | 7 +-
> security/integrity/ima/ima.h | 15 +-
> security/integrity/ima/ima_api.c | 17 +-
> security/integrity/ima/ima_appraise.c | 6 +-
> security/integrity/ima/ima_main.c | 54 +-
> security/integrity/ima/ima_policy.c | 97 ++-
> security/integrity/integrity_audit.c | 6 +-
> security/loadpin/loadpin.c | 8 +-
> security/lockdown/lockdown.c | 7 +-
> security/safesetid/lsm.c | 8 +-
> security/security.c | 561 ++++++++++++++++--
> security/selinux/hooks.c | 99 ++--
> security/selinux/include/classmap.h | 2 +-
> security/selinux/include/objsec.h | 5 +
> security/selinux/include/security.h | 1 +
> security/selinux/netlabel.c | 25 +-
> security/selinux/ss/services.c | 4 +-
> security/smack/smack.h | 6 +
> security/smack/smack_access.c | 2 +-
> security/smack/smack_lsm.c | 91 +--
> security/smack/smack_netfilter.c | 8 +-
> security/smack/smackfs.c | 13 +-
> security/tomoyo/tomoyo.c | 8 +-
> security/yama/yama_lsm.c | 7 +-
> 67 files changed, 1741 insertions(+), 634 deletions(-)
> create mode 100644 Documentation/ABI/testing/procfs-attr-context
> create mode 100644 Documentation/ABI/testing/procfs-attr-lsm_display
>
More information about the Linux-security-module-archive
mailing list