[PATCH v2 0/6] LSM: Infrastructure blob allocation
Paul Moore
paul at paul-moore.com
Mon Jul 29 21:20:41 UTC 2024
On Thu, Jul 11, 2024 at 4:15 PM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, Jul 10, 2024 at 5:32 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> >
> > When more than one Linux Security Module (LSM) can use the security
> > blob for a partincular object the management of the memory associated
> > with that blob needs to be done by the infrastructure rather than the
> > individual modules. Until now, this has been done on an as needed basis,
> > with the blob management remaining in the modules until such time as a
> > new configuration of modules requires sharing the blob. This piecemeal
> > approach makes adding new modules that use blobs more difficult, as
> > moving the blob management to the infrastructure isn't as simple as
> > it might seem. This patch set moves management of the security blobs
> > that is done in the modules into the infrastructure. Making security
> > blob management more consistant improves mantainablity and makes the
> > possibilty of general improvement of LSM blob managment easier.
> >
> > No effort has been put into pursuing the possible performance
> > optimizations these changes introduce. For example, sk_security blobs
> > might be moved to use kmem_zone_alloc(). The option of changing the
> > blob sizes to being compile time determined rather than calculated at
> > run time has been considered for future exploration.
> >
> > In the cases where infrastructure blob freeing no longer requires
> > any special action on the part of any security module the hook
> > definition has been removed as it is no long necessary.
> >
> > Security blobs for the xfrm subsystem are problematic as the only
> > security module that implements them (SELinux) has a variable size blob
> > that has a published external API. Management of these blobs by the
> > infrastructure will require significant consideration and negotiation
> > with the maintainers of the existing code. This has been deferred until
> > such time as another user of xfrm appears.
> >
> > Casey Schaufler (6):
> > LSM: Infrastructure management of the sock security
> > LSM: Infrastructure management of the key security blob
> > LSM: Add helper for blob allocations
> > LSM: Infrastructure management of the dev_tun blob
> > LSM: Infrastructure management of the infiniband blob
> > LSM: Infrastructure management of the perf_event security blob
> >
> > include/linux/lsm_hook_defs.h | 8 +-
> > include/linux/lsm_hooks.h | 5 +
> > security/apparmor/include/net.h | 3 +-
> > security/apparmor/lsm.c | 17 +--
> > security/apparmor/net.c | 2 +-
> > security/security.c | 184 +++++++++++++++++++++---------
> > security/selinux/hooks.c | 157 +++++++++----------------
> > security/selinux/include/objsec.h | 30 +++++
> > security/selinux/netlabel.c | 23 ++--
> > security/smack/smack.h | 12 ++
> > security/smack/smack_lsm.c | 101 ++++++++--------
> > security/smack/smack_netfilter.c | 4 +-
> > 12 files changed, 298 insertions(+), 248 deletions(-)
>
> Thanks Casey, these look good. I'm going to merge them in
> lsm/dev-staging now with the expectation that they'll be merged after
> the upcoming merge window closes.
These are now in lsm/dev, thanks!
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list