[PATCH 00/97] LSM: Complete module stacking

Casey Schaufler casey at schaufler-ca.com
Thu Feb 28 22:43:29 UTC 2019


This is a preliminary version of the complete stacking
implementation. The patches need to be cleaned up, and
several are not strictly necessary. There is likely to
be work required in the audit sub-system. It does address
all the shared data, including CIPSO headers. It should
handle CALIPSO once Smack supports it. I will be revising
the set after 5.1.

Complete the transition from module based blob management
to infrastructure based blob management. This includes
the socket, superblock and key blobs.

Change the LSM infrastructure from exposing secids to
exposing an opaque "lsm_export" structure that can contain
information for multiple active security modules. Update
all of the security modules to use information from the
lsm_export structure. Update the LSM interfaces that expose
secids for more than one module to use the export structure.
Update all the users of these interfaces.

Change the LSM infrastructure from using a string/size pair
for security "contexts" to a "lsm_context" structure that
can represent information for multiple modules. This contains
information that allows the "context" to be properly freed
regardless of where it is allocated and where it is used.

Add an interface to identify which security module data
should be presented with SO_PEERSEC. /proc/.../attr/display
will set and report the name of the LSM that
security_secid_to_secctx() will use to translate to text.
If it is not explicitly set, the first security module that
supplies secid (now lsm_export) interfaces will be used.
To ensure consistency, a set of module hooks dealing with
the secid/context processing is maintained with each process
that explicitly sets it.

Before sending a network packet verify that all interested
security modules agree on the labeling. Fail if the labeling
cannot be reconciled. This requires a new Netlabel interface
to compare proposed labels, and a change to the return values
from the existing netlabel attribute setting functions.

git://github.com/cschaufler/lsm-stacking.git#5.0-rc3-plus-a

Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
 fs/kernfs/dir.c                                    |   6 +-
 fs/kernfs/inode.c                                  |  31 +-
 fs/kernfs/kernfs-internal.h                        |   4 +-
 fs/nfs/inode.c                                     |  13 +-
 fs/nfs/internal.h                                  |   8 +-
 fs/nfs/nfs4proc.c                                  |  17 +-
 fs/nfs/nfs4xdr.c                                   |  16 +-
 fs/nfsd/nfs4proc.c                                 |   8 +-
 fs/nfsd/nfs4xdr.c                                  |  14 +-
 fs/nfsd/vfs.c                                      |   7 +-
 fs/proc/base.c                                     |   1 +
 include/linux/cred.h                               |   3 +-
 include/linux/lsm_hooks.h                          | 122 ++--
 include/linux/nfs4.h                               |   8 +-
 include/linux/security.h                           | 165 +++--
 include/net/netlabel.h                             |  18 +-
 include/net/route.h                                |  55 +-
 include/net/scm.h                                  |  14 +-
 include/net/sock.h                                 |  14 +-
 include/uapi/linux/netfilter/xt_CONNMARK.h         |  45 +-
 include/uapi/linux/netfilter/xt_DSCP.h             |  27 +-
 include/uapi/linux/netfilter/xt_MARK.h             |  17 +-
 include/uapi/linux/netfilter/xt_RATEEST.h          |  38 +-
 include/uapi/linux/netfilter/xt_TCPMSS.h           |  13 +-
 include/uapi/linux/netfilter_ipv4/ipt_ECN.h        |  40 +-
 include/uapi/linux/netfilter_ipv4/ipt_TTL.h        |  14 +-
 include/uapi/linux/netfilter_ipv6/ip6t_HL.h        |  14 +-
 kernel/audit.c                                     |  60 +-
 kernel/audit.h                                     |   9 +-
 kernel/auditfilter.c                               |   6 +-
 kernel/auditsc.c                                   |  61 +-
 kernel/cred.c                                      |  15 +-
 net/ipv4/cipso_ipv4.c                              |  13 +-
 net/ipv4/ip_sockglue.c                             |  14 +-
 net/ipv4/route.c                                   |  61 ++
 net/netfilter/nf_conntrack_netlink.c               |  27 +-
 net/netfilter/nf_conntrack_standalone.c            |  16 +-
 net/netfilter/nfnetlink_queue.c                    |  35 +-
 net/netfilter/nft_meta.c                           |   8 +-
 net/netfilter/xt_DSCP.c                            | 149 ++---
 net/netfilter/xt_HL.c                              | 164 ++---
 net/netfilter/xt_RATEEST.c                         | 278 +++------
 net/netfilter/xt_SECMARK.c                         |   9 +-
 net/netfilter/xt_TCPMSS.c                          | 378 +++---------
 net/netlabel/netlabel_kapi.c                       | 125 +++-
 net/netlabel/netlabel_unlabeled.c                  |  99 ++-
 net/netlabel/netlabel_unlabeled.h                  |   2 +-
 net/netlabel/netlabel_user.c                       |  13 +-
 net/netlabel/netlabel_user.h                       |   2 +-
 net/socket.c                                       |  17 +
 net/unix/af_unix.c                                 |  11 +-
 security/apparmor/audit.c                          |   4 +-
 security/apparmor/include/audit.h                  |   2 +-
 security/apparmor/include/net.h                    |   6 +-
 security/apparmor/include/secid.h                  |   9 +-
 security/apparmor/lsm.c                            |  64 +-
 security/apparmor/secid.c                          |  42 +-
 security/integrity/ima/ima.h                       |  14 +-
 security/integrity/ima/ima_api.c                   |   9 +-
 security/integrity/ima/ima_appraise.c              |   6 +-
 security/integrity/ima/ima_main.c                  |  34 +-
 security/integrity/ima/ima_policy.c                |  19 +-
 security/security.c                                | 682 ++++++++++++++++++---
 security/selinux/hooks.c                           | 308 +++++-----
 security/selinux/include/audit.h                   |   6 +-
 security/selinux/include/netlabel.h                |   7 +
 security/selinux/include/objsec.h                  |  43 +-
 security/selinux/netlabel.c                        |  69 ++-
 security/selinux/ss/services.c                     |  19 +-
 security/smack/smack.h                             |  34 +
 security/smack/smack_access.c                      |  14 +-
 security/smack/smack_lsm.c                         | 389 ++++++------
 security/smack/smack_netfilter.c                   |  48 +-
 security/smack/smackfs.c                           |  23 +-
 .../Z6.0+pooncelock+poonceLock+pombonce.litmus     |  12 +-
 75 files changed, 2369 insertions(+), 1798 deletions(-)