[PATCH v39 00/42] LSM: General module stacking

John Johansen john.johansen at canonical.com
Fri Feb 2 00:24:03 UTC 2024


On 12/15/23 14:15, Casey Schaufler wrote:
> This patchset provides the changes required to allow arbitrary
> combination of all the existing Linux Security Modules (LSM).
> It does not provide for all possible configurations of all of the
> co-existing modules. It does not ensure that the enforcement
> of policy provided by one module does not interfere with the
> behavior of another module.
> 
> The bulk of the code change is in support of the audit system.
> Because subjects and objects may have multiple LSM specific
> attributes that are used to make access control decisions it
> was necessary to enhance the audit system to report these
> security attributes. Separate audit records have been added
> to include the additional information for each of the audit
> event subject and object. Providing the required security
> information using 32-bit secids was no longer sufficient. A
> new structure, lsmblob, has been introduced to include the
> data for all relevant modules.
> 
> The lsmblob structure has an entry for each of the modules
> that has used secids. Each module provides a structure of
> its own which contains the information it uses. For SELinux
> this is a u32 secid. Smack provides a pointer into the label
> list. Modules that are not configured use conditional compilation
> to have empty structures.
> 
> Because audit records may need to include the text representation
> of more than one module's security attributes (commonly referred
> to as the "security context") the interfaces that convert the
> lsmblob into a text representation need to identify which module
> provided the text. A structure, lsmcontext, has been added that
> contains the text, its length and the identifier of the module
> that created it.
> 
> Security attributes for network facilities have provided certain
> challenges. The security information allowed in socket buffers
> and secmarks is limited to a single u32 secid, and there is no
> indication that this will ever be allowed to change. The netlabel
> subsystem, which provides CIPSO and CALIPSO labeling on internet
> packets, supports only one IP packet option at a time. Labeled
> NFS3 also supports only one security module. The existing modules
> have been updated to accept that they may not have access to
> these networking security attributes. The first module to
> register that uses them is given exclusive access.
> 
> The issue of multiple modules using the /proc/.../attr interfaces
> has been largely addressed for some time by the inclusion of module
> specific sub-directories. Applications should be using these except
> for the case of SELinux.
> 
> Patch 0001 removes an interface dependency on audit from IMA.
> Patch 0002 moves management of socket security blobs out of the
> 	modules and into the LSM infrastructure.
> Patch 0003 introduces the lsmblob structure.
> Patch 0004 introduces a mechanism for the IMA mechanisms to handle
> 	the possibility of multiple modules that use attributes.
> Patches 0005-0015 add new interfaces and change existing interfaces
> 	to use the lsmblob to represent security data.
> Patches 0016-0021 replace the use of string and length pairs to
> 	use a "security context" with an lsmcontext structure.
> Patches 0022-0026 implement audit records describing the multiple
> 	security attributes on subjects and objects.
> Patch 0027 removes scaffolding code used in support of lsmcontext.
> Patches 0028-0030 optimize LSM hooks for the networking single
> 	module user case.
> Patch 0031 implements mechanism to reserve use of network secmarks.
> Patch 0032 limits security_secctx_to_secid() to a single module.
> Patch 0033 removes the exclusive tag from AppArmor.
> Patches 0034-0035 add mount operation security blobs.
> Patch 0036 moves management of key security blobs out of the
> 	modules and into the LSM infrastructure.
> Patch 0037 enables management of mount operation security blobs
> 	in the modules.
> Patches 0038-0039 remove scaffolding for lsmblobs.
> Patch 0040 implements mechanism to reserve use of netlabel.
> Patch 0041 restricts a hook used only by binder to a single module.
> Patch 0042 removes the exclusive tag from Smack.
> 
> https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b
> 

This is now in testing on the Ubuntu Unstable 6.8 based kernels
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable

and if all goes well will get rolled out to the noble (24.04) -proposed kernels
for broader testing soon.

> Casey Schaufler (42):
>    integrity: disassociate ima_filter_rule from security_audit_rule
>    LSM: Infrastructure management of the sock security
>    LSM: Add the lsmblob data structure.
>    IMA: avoid label collisions with stacked LSMs
>    LSM: Use lsmblob in security_audit_rule_match
>    LSM: Add lsmblob_to_secctx hook
>    Audit: maintain an lsmblob in audit_context
>    LSM: Use lsmblob in security_ipc_getsecid
>    Audit: Update shutdown LSM data
>    LSM: Use lsmblob in security_current_getsecid
>    LSM: Use lsmblob in security_inode_getsecid
>    Audit: use an lsmblob in audit_names
>    LSM: Create new security_cred_getlsmblob LSM hook
>    Audit: Change context data from secid to lsmblob
>    Netlabel: Use lsmblob for audit data
>    LSM: Ensure the correct LSM context releaser
>    LSM: Use lsmcontext in security_secid_to_secctx
>    LSM: Use lsmcontext in security_lsmblob_to_secctx
>    LSM: Use lsmcontext in security_inode_getsecctx
>    LSM: Use lsmcontext in security_dentry_init_security
>    LSM: security_lsmblob_to_secctx module selection
>    Audit: Create audit_stamp structure
>    Audit: Allow multiple records in an audit_buffer
>    Audit: Add record for multiple task security contexts
>    audit: multiple subject lsm values for netlabel
>    Audit: Add record for multiple object contexts
>    LSM: Remove unused lsmcontext_init()
>    LSM: Improve logic in security_getprocattr
>    LSM: secctx provider check on release
>    LSM: Single calls in socket_getpeersec hooks
>    LSM: Exclusive secmark usage
>    LSM: Identify which LSM handles the context string
>    AppArmor: Remove the exclusive flag
>    LSM: Add mount opts blob size tracking
>    LSM: allocate mnt_opts blobs instead of module specific data
>    LSM: Infrastructure management of the key security blob
>    LSM: Infrastructure management of the mnt_opts security blob
>    LSM: Correct handling of ENOSYS in inode_setxattr
>    LSM: Remove lsmblob scaffolding
>    LSM: Allow reservation of netlabel
>    LSM: restrict security_cred_getsecid() to a single LSM
>    Smack: Remove LSM_FLAG_EXCLUSIVE
> 
>   Documentation/ABI/testing/ima_policy    |   8 +-
>   drivers/android/binder.c                |  25 +-
>   fs/ceph/super.h                         |   3 +-
>   fs/ceph/xattr.c                         |  15 +-
>   fs/fuse/dir.c                           |  35 +-
>   fs/nfs/dir.c                            |   2 +-
>   fs/nfs/inode.c                          |  17 +-
>   fs/nfs/internal.h                       |   8 +-
>   fs/nfs/nfs4proc.c                       |  16 +-
>   fs/nfs/nfs4xdr.c                        |  22 +-
>   fs/nfsd/nfs4xdr.c                       |  21 +-
>   include/linux/audit.h                   |  13 +
>   include/linux/lsm/apparmor.h            |  17 +
>   include/linux/lsm/bpf.h                 |  16 +
>   include/linux/lsm/selinux.h             |  16 +
>   include/linux/lsm/smack.h               |  17 +
>   include/linux/lsm_hook_defs.h           |  35 +-
>   include/linux/lsm_hooks.h               |   8 +
>   include/linux/nfs4.h                    |   8 +-
>   include/linux/nfs_fs.h                  |   2 +-
>   include/linux/security.h                | 158 +++++++--
>   include/net/netlabel.h                  |   2 +-
>   include/net/scm.h                       |  12 +-
>   include/uapi/linux/audit.h              |   2 +
>   kernel/audit.c                          | 269 +++++++++++----
>   kernel/audit.h                          |  20 +-
>   kernel/auditfilter.c                    |   9 +-
>   kernel/auditsc.c                        | 142 +++-----
>   net/ipv4/ip_sockglue.c                  |  12 +-
>   net/netfilter/nf_conntrack_netlink.c    |  16 +-
>   net/netfilter/nf_conntrack_standalone.c |  11 +-
>   net/netfilter/nfnetlink_queue.c         |  22 +-
>   net/netlabel/netlabel_unlabeled.c       |  46 ++-
>   net/netlabel/netlabel_user.c            |  10 +-
>   net/netlabel/netlabel_user.h            |   2 +-
>   security/apparmor/audit.c               |  19 +-
>   security/apparmor/include/audit.h       |   8 +-
>   security/apparmor/include/net.h         |   8 +-
>   security/apparmor/include/secid.h       |   5 +-
>   security/apparmor/lsm.c                 |  65 +---
>   security/apparmor/net.c                 |   2 +-
>   security/apparmor/secid.c               |  52 ++-
>   security/bpf/hooks.c                    |   1 +
>   security/integrity/ima/ima.h            |  32 +-
>   security/integrity/ima/ima_api.c        |   6 +-
>   security/integrity/ima/ima_appraise.c   |   6 +-
>   security/integrity/ima/ima_main.c       |  60 ++--
>   security/integrity/ima/ima_policy.c     |  91 +++++-
>   security/security.c                     | 415 ++++++++++++++++++------
>   security/selinux/hooks.c                | 285 +++++++++-------
>   security/selinux/include/audit.h        |  13 +-
>   security/selinux/include/netlabel.h     |   5 +
>   security/selinux/include/objsec.h       |  12 +
>   security/selinux/netlabel.c             |  27 +-
>   security/selinux/ss/services.c          |  20 +-
>   security/smack/smack.h                  |  22 ++
>   security/smack/smack_lsm.c              | 347 ++++++++++++--------
>   security/smack/smack_netfilter.c        |  12 +-
>   security/smack/smackfs.c                |  24 +-
>   59 files changed, 1691 insertions(+), 883 deletions(-)
>   create mode 100644 include/linux/lsm/apparmor.h
>   create mode 100644 include/linux/lsm/bpf.h
>   create mode 100644 include/linux/lsm/selinux.h
>   create mode 100644 include/linux/lsm/smack.h
> 
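The cover letter describes three design points without showing code: an lsmblob with one per-module entry that is compiled out for modules not configured (a u32 secid for SELinux, a pointer into the label list for Smack), an lsmcontext that carries the text form together with the id of the module that produced it (so the right module releases it), and single-slot networking attributes (skb secid, secmark, netlabel) that go to the first module to reserve them. The following is an added userspace model of those three points, written for this page; it is not code from the patch series or from the kernel. The type and function names, the LSM_ID_* values, the Smack label list and the "selinux_secid_N" text form are all assumptions made for the example, and unconfigured members are omitted rather than left as empty structs so the file builds under strict C.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed build configuration for this example: SELinux and Smack built in,
 * AppArmor not configured. */
#define CONFIG_SECURITY_SELINUX 1
#define CONFIG_SECURITY_SMACK 1

/* Assumed module ids; the kernel defines its own LSM_ID_* values. */
enum { LSM_ID_UNDEF = 0, LSM_ID_SELINUX = 1, LSM_ID_SMACK = 2, LSM_ID_APPARMOR = 3 };

/* Stand-in for Smack's label list; Smack stores a pointer into it. */
struct smack_known { const char *label; };
static struct smack_known smack_labels[] = { { "_" }, { "^" }, { "Floor" } };

/* Per-module attribute structures, as the cover letter describes. */
struct lsm_prop_selinux { uint32_t secid; };
struct lsm_prop_smack { struct smack_known *skp; };
struct lsm_prop_apparmor { uint32_t secid; };

/* One entry per module that uses secids; unconfigured modules are
 * compiled out (the kernel keeps an empty struct instead). */
struct lsmblob {
#ifdef CONFIG_SECURITY_SELINUX
	struct lsm_prop_selinux selinux;
#endif
#ifdef CONFIG_SECURITY_SMACK
	struct lsm_prop_smack smack;
#endif
#ifdef CONFIG_SECURITY_APPARMOR
	struct lsm_prop_apparmor apparmor;
#endif
};

/* Text form of one module's attribute plus the id of the module that made it. */
struct lsmcontext {
	char *context;
	uint32_t len;
	int id;
};

/* Render the selected module's part of the blob. LSM_ID_UNDEF selects the
 * first configured module; an unconfigured module yields -EINVAL. */
static int lsmblob_to_secctx(const struct lsmblob *blob, struct lsmcontext *cp, int id)
{
	char buf[64];
	int n;

	if (id == LSM_ID_UNDEF) {
#ifdef CONFIG_SECURITY_SELINUX
		id = LSM_ID_SELINUX;
#elif defined(CONFIG_SECURITY_SMACK)
		id = LSM_ID_SMACK;
#endif
	}
	switch (id) {
#ifdef CONFIG_SECURITY_SELINUX
	case LSM_ID_SELINUX: /* a real SELinux would render user:role:type:level */
		n = snprintf(buf, sizeof(buf), "selinux_secid_%u", blob->selinux.secid);
		break;
#endif
#ifdef CONFIG_SECURITY_SMACK
	case LSM_ID_SMACK:
		n = snprintf(buf, sizeof(buf), "%s", blob->smack.skp->label);
		break;
#endif
	default:
		return -EINVAL;
	}
	cp->context = malloc((size_t)n + 1);
	if (!cp->context)
		return -ENOMEM;
	memcpy(cp->context, buf, (size_t)n + 1);
	cp->len = (uint32_t)n;
	cp->id = id;
	return 0;
}

/* Only the module that produced the text may release it. */
static int lsm_release_secctx(struct lsmcontext *cp, int id)
{
	if (cp->id != id)
		return -EINVAL;
	free(cp->context);
	cp->context = NULL;
	cp->len = 0;
	cp->id = LSM_ID_UNDEF;
	return 0;
}

/* Single-slot networking attribute: first module to reserve it owns it. */
static int secmark_owner = LSM_ID_UNDEF;

static int lsm_reserve_secmark(int id)
{
	if (secmark_owner != LSM_ID_UNDEF && secmark_owner != id)
		return -EBUSY;
	secmark_owner = id;
	return 0;
}

int main(void)
{
	struct lsmblob blob = { .selinux = { .secid = 42 }, .smack = { .skp = &smack_labels[2] } };
	struct lsmcontext ctx;

	if (lsmblob_to_secctx(&blob, &ctx, LSM_ID_SMACK) == 0) {
		printf("module %d: %s (len %u)\n", ctx.id, ctx.context, ctx.len);
		lsm_release_secctx(&ctx, LSM_ID_SMACK);
	}
	printf("secmark: selinux %d, smack %d\n",
	       lsm_reserve_secmark(LSM_ID_SELINUX), lsm_reserve_secmark(LSM_ID_SMACK));
	return 0;
}
```

The release check is the practical point of carrying the module id in lsmcontext: once two modules can both hand out context strings, a caller that frees through the wrong module's hook would be a latent bug, and tagging the text with its provider makes that detectable.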

More information about the Linux-security-module-archive mailing list