[PATCH v2 0/6] LSM: Infrastructure blob allocation

Paul Moore paul at paul-moore.com
Mon Jul 29 21:20:41 UTC 2024


On Thu, Jul 11, 2024 at 4:15 PM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, Jul 10, 2024 at 5:32 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> >
> > When more than one Linux Security Module (LSM) can use the security
> > blob for a particular object the management of the memory associated
> > with that blob needs to be done by the infrastructure rather than the
> > individual modules.  Until now, this has been done on an as needed basis,
> > with the blob management remaining in the modules until such time as a
> > new configuration of modules requires sharing the blob.  This piecemeal
> > approach makes adding new modules that use blobs more difficult, as
> > moving the blob management to the infrastructure isn't as simple as
> > it might seem. This patch set moves management of the security blobs
> > that is done in the modules into the infrastructure. Making security
> > blob management more consistent improves maintainability and makes the
> > possibility of general improvement of LSM blob management easier.
> >
> > No effort has been put into pursuing the possible performance
> > optimizations these changes introduce. For example, sk_security blobs
> > might be moved to use kmem_zone_alloc(). The option of changing the
> > blob sizes to being compile time determined rather than calculated at
> > run time has been considered for future exploration.
> >
> > In the cases where infrastructure blob freeing no longer requires
> > any special action on the part of any security module the hook
> > definition has been removed as it is no longer necessary.
> >
> > Security blobs for the xfrm subsystem are problematic as the only
> > security module that implements them (SELinux) has a variable size blob
> > that has a published external API. Management of these blobs by the
> > infrastructure will require significant consideration and negotiation
> > with the maintainers of the existing code.  This has been deferred until
> > such time as another user of xfrm appears.
> >
> > Casey Schaufler (6):
> >   LSM: Infrastructure management of the sock security
> >   LSM: Infrastructure management of the key security blob
> >   LSM: Add helper for blob allocations
> >   LSM: Infrastructure management of the dev_tun blob
> >   LSM: Infrastructure management of the infiniband blob
> >   LSM: Infrastructure management of the perf_event security blob
> >
> >  include/linux/lsm_hook_defs.h     |   8 +-
> >  include/linux/lsm_hooks.h         |   5 +
> >  security/apparmor/include/net.h   |   3 +-
> >  security/apparmor/lsm.c           |  17 +--
> >  security/apparmor/net.c           |   2 +-
> >  security/security.c               | 184 +++++++++++++++++++++---------
> >  security/selinux/hooks.c          | 157 +++++++++----------------
> >  security/selinux/include/objsec.h |  30 +++++
> >  security/selinux/netlabel.c       |  23 ++--
> >  security/smack/smack.h            |  12 ++
> >  security/smack/smack_lsm.c        | 101 ++++++++--------
> >  security/smack/smack_netfilter.c  |   4 +-
> >  12 files changed, 298 insertions(+), 248 deletions(-)
>
> Thanks Casey, these look good.  I'm going to merge them in
> lsm/dev-staging now with the expectation that they'll be merged after
> the upcoming merge window closes.

These are now in lsm/dev, thanks!

-- 
paul-moore.com
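As an added illustration, not code from this patch set and not kernel code, here is a stand-alone user-space model of the scheme the cover letter describes: each module registers how many bytes of an object's security blob it needs, the infrastructure converts those sizes into offsets into one shared allocation, and every module then touches only its own slice. The names lsm_blob_sizes, lbs_sock, lsm_set_blob_sizes, lsm_sock_alloc and lsm_blob_demo are assumed here for the illustration.

```c
/* Stand-alone user-space model of infrastructure-managed LSM blobs: modules
 * declare sizes, the infrastructure turns them into offsets into one shared
 * allocation, and each module addresses only its own slice by offset. */
#include <stdlib.h>
#include <string.h>

struct lsm_blob_sizes {
	int lbs_sock;	/* in: bytes this module needs; out: its offset */
};

static struct lsm_blob_sizes blob_sizes;	/* running totals, infrastructure-owned */

static void lsm_set_blob_size(int *need, int *total)
{
	int offset = *total;
	*total += *need;
	*need = offset;		/* the module keeps this as its offset into the blob */
}

void lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
{
	lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
}

/* One zeroed allocation sized for every module that registered. */
void *lsm_sock_alloc(void)
{
	return blob_sizes.lbs_sock ? calloc(1, blob_sizes.lbs_sock) : NULL;
}

/* Two hypothetical modules register; module A fills its slice and the
 * result is the blob size (24) if B's slice stayed zero, else -1. */
int lsm_blob_demo(void)
{
	struct lsm_blob_sizes mod_a = { .lbs_sock = 8 }, mod_b = { .lbs_sock = 16 };
	unsigned char zero[16] = { 0 };
	unsigned char *blob;
	int rc;

	memset(&blob_sizes, 0, sizeof(blob_sizes));	/* fresh registration */
	lsm_set_blob_sizes(&mod_a);
	lsm_set_blob_sizes(&mod_b);
	blob = lsm_sock_alloc();
	if (!blob)
		return -1;
	memset(blob + mod_a.lbs_sock, 0xAA, 8);		/* module A's region */
	rc = memcmp(blob + mod_b.lbs_sock, zero, 16) ? -1 : blob_sizes.lbs_sock;
	free(blob);
	return rc;
}
```

Because the offsets are fixed at registration time, a module added later simply appends its region; no existing module's code needs to know how many other modules share the blob.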