Linux-Security-Module Archive mirror
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com, paul@paul-moore.com,
	linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	mic@digikod.net
Subject: [PATCH v39 00/42] LSM: General module stacking
Date: Fri, 15 Dec 2023 14:15:54 -0800	[thread overview]
Message-ID: <20231215221636.105680-1-casey@schaufler-ca.com> (raw)
In-Reply-To: 20231215221636.105680-1-casey.ref@schaufler-ca.com

This patchset provides the changes required to allow arbitrary
combination of all the existing Linux Security Modules (LSM).
It does not provide for all possible configurations of all of the
co-existing modules. It does not ensure that the enforcement
of policy provided by one module does not interfere with the
behavior of another module.

The bulk of the code change is in support of the audit system.
Because subjects and objects may have multiple LSM specific
attributes that are used to make access control decisions it
was necessary to enhance the audit system to report these
security attributes. Separate audit records have been added
to include the additional information for each of the audit
event subject and object. Providing the required security
information using 32-bit secids was no longer sufficient. A
new structure, lsmblob, has been introduced to include the
data for all relevant modules.

The lsmblob structure has an entry for each of the modules
that has used secids. Each module provides a structure of
its own which contains the information it uses. For SELinux
this is a u32 secid. Smack provides a pointer into the label
list. Modules that are not configured use conditional compilation
to have empty structures.

Because audit records may need to include the text representation
of more than one module's security attributes (commonly referred
to as the "security context") the interfaces that convert the
lsmblob into a text representation need to identify which module
provided the text. A structure lsmcontext has been added that
contains the text, its length and the identifier of the module
that created it.

Security attributes for network facilities have provided certain
challenges. The security information allowed in socket buffers
and secmarks is limited to a single u32 secid, and there is no
indication that this will ever be allowed to change. The netlabel
subsystem, which provides CIPSO and CALIPSO labeling on internet
packets, supports only one IP packet option at a time. Labeled
NFS3 also supports only one security module. The existing modules
have been updated to accept that they may not have access to
these networking security attributes. The first module to
register that uses them is given exclusive access.

The issue of multiple modules using the /proc/.../attr interfaces
has been largely addressed for some time by the inclusion of module
specific sub-directories. Applications should be using these except
for the case of SELinux.

Patch 0001 removes an interface dependency on audit from IMA.
Patch 0002 moves management of socket security blobs out of the
	modules and into the LSM infrastructure.
Patch 0003 introduces the lsmblob structure.
Patch 0004 introduces a mechanism for the IMA mechanisms to handle
	the possibility of multiple modules that use attributes.
Patches 0005-0015 add new interfaces and change existing interfaces
	to use the lsmblob to represent security data.
Patches 0016-0021 replace the use of string and length pairs to
	use a "security context" with an lsmcontext structure.
Patches 0022-0026 implement audit records describing the multiple
	security attributes on subjects and objects.
Patch 0027 removes scaffolding code used in support of lsmcontext.
Patches 0028-0030 optimize LSM hooks for the networking single
	module user case.
Patch 0031 implements a mechanism to reserve use of network secmarks.
Patch 0032 limits security_secctx_to_secid() to a single module.
Patch 0033 removes the exclusive tag from AppArmor.
Patches 0034-0035 add mount operation security blobs.
Patch 0036 moves management of key security blobs out of the
	modules and into the LSM infrastructure.
Patch 0037 enables management of mount operation security blobs
	in the modules.
Patches 0038-0039 remove scaffolding for lsmblobs.
Patch 0040 implements a mechanism to reserve use of netlabel.
Patch 0041 restricts a hook used only by binder to a single module.
Patch 0042 removes the exclusive tag from Smack.

https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b

Casey Schaufler (42):
  integrity: disassociate ima_filter_rule from security_audit_rule
  SM: Infrastructure management of the sock security
  LSM: Add the lsmblob data structure.
  IMA: avoid label collisions with stacked LSMs
  LSM: Use lsmblob in security_audit_rule_match
  LSM: Add lsmblob_to_secctx hook
  Audit: maintain an lsmblob in audit_context
  LSM: Use lsmblob in security_ipc_getsecid
  Audit: Update shutdown LSM data
  LSM: Use lsmblob in security_current_getsecid
  LSM: Use lsmblob in security_inode_getsecid
  Audit: use an lsmblob in audit_names
  LSM: Create new security_cred_getlsmblob LSM hook
  Audit: Change context data from secid to lsmblob
  Netlabel: Use lsmblob for audit data
  LSM: Ensure the correct LSM context releaser
  LSM: Use lsmcontext in security_secid_to_secctx
  LSM: Use lsmcontext in security_lsmblob_to_secctx
  LSM: Use lsmcontext in security_inode_getsecctx
  LSM: Use lsmcontext in security_dentry_init_security
  LSM: security_lsmblob_to_secctx module selection
  Audit: Create audit_stamp structure
  Audit: Allow multiple records in an audit_buffer
  Audit: Add record for multiple task security contexts
  audit: multiple subject lsm values for netlabel
  Audit: Add record for multiple object contexts
  LSM: Remove unused lsmcontext_init()
  LSM: Improve logic in security_getprocattr
  LSM: secctx provider check on release
  LSM: Single calls in socket_getpeersec hooks
  LSM: Exclusive secmark usage
  LSM: Identify which LSM handles the context string
  AppArmor: Remove the exclusive flag
  LSM: Add mount opts blob size tracking
  LSM: allocate mnt_opts blobs instead of module specific data
  LSM: Infrastructure management of the key security blob
  LSM: Infrastructure management of the mnt_opts security blob
  LSM: Correct handling of ENOSYS in inode_setxattr
  LSM: Remove lsmblob scaffolding
  LSM: Allow reservation of netlabel
  LSM: restrict security_cred_getsecid() to a single LSM
  Smack: Remove LSM_FLAG_EXCLUSIVE

 Documentation/ABI/testing/ima_policy    |   8 +-
 drivers/android/binder.c                |  25 +-
 fs/ceph/super.h                         |   3 +-
 fs/ceph/xattr.c                         |  15 +-
 fs/fuse/dir.c                           |  35 +-
 fs/nfs/dir.c                            |   2 +-
 fs/nfs/inode.c                          |  17 +-
 fs/nfs/internal.h                       |   8 +-
 fs/nfs/nfs4proc.c                       |  16 +-
 fs/nfs/nfs4xdr.c                        |  22 +-
 fs/nfsd/nfs4xdr.c                       |  21 +-
 include/linux/audit.h                   |  13 +
 include/linux/lsm/apparmor.h            |  17 +
 include/linux/lsm/bpf.h                 |  16 +
 include/linux/lsm/selinux.h             |  16 +
 include/linux/lsm/smack.h               |  17 +
 include/linux/lsm_hook_defs.h           |  35 +-
 include/linux/lsm_hooks.h               |   8 +
 include/linux/nfs4.h                    |   8 +-
 include/linux/nfs_fs.h                  |   2 +-
 include/linux/security.h                | 158 +++++++--
 include/net/netlabel.h                  |   2 +-
 include/net/scm.h                       |  12 +-
 include/uapi/linux/audit.h              |   2 +
 kernel/audit.c                          | 269 +++++++++++----
 kernel/audit.h                          |  20 +-
 kernel/auditfilter.c                    |   9 +-
 kernel/auditsc.c                        | 142 +++-----
 net/ipv4/ip_sockglue.c                  |  12 +-
 net/netfilter/nf_conntrack_netlink.c    |  16 +-
 net/netfilter/nf_conntrack_standalone.c |  11 +-
 net/netfilter/nfnetlink_queue.c         |  22 +-
 net/netlabel/netlabel_unlabeled.c       |  46 ++-
 net/netlabel/netlabel_user.c            |  10 +-
 net/netlabel/netlabel_user.h            |   2 +-
 security/apparmor/audit.c               |  19 +-
 security/apparmor/include/audit.h       |   8 +-
 security/apparmor/include/net.h         |   8 +-
 security/apparmor/include/secid.h       |   5 +-
 security/apparmor/lsm.c                 |  65 +---
 security/apparmor/net.c                 |   2 +-
 security/apparmor/secid.c               |  52 ++-
 security/bpf/hooks.c                    |   1 +
 security/integrity/ima/ima.h            |  32 +-
 security/integrity/ima/ima_api.c        |   6 +-
 security/integrity/ima/ima_appraise.c   |   6 +-
 security/integrity/ima/ima_main.c       |  60 ++--
 security/integrity/ima/ima_policy.c     |  91 +++++-
 security/security.c                     | 415 ++++++++++++++++++------
 security/selinux/hooks.c                | 285 +++++++++-------
 security/selinux/include/audit.h        |  13 +-
 security/selinux/include/netlabel.h     |   5 +
 security/selinux/include/objsec.h       |  12 +
 security/selinux/netlabel.c             |  27 +-
 security/selinux/ss/services.c          |  20 +-
 security/smack/smack.h                  |  22 ++
 security/smack/smack_lsm.c              | 347 ++++++++++++--------
 security/smack/smack_netfilter.c        |  12 +-
 security/smack/smackfs.c                |  24 +-
 59 files changed, 1691 insertions(+), 883 deletions(-)
 create mode 100644 include/linux/lsm/apparmor.h
 create mode 100644 include/linux/lsm/bpf.h
 create mode 100644 include/linux/lsm/selinux.h
 create mode 100644 include/linux/lsm/smack.h

-- 
2.41.0
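As an added illustration, not code from this series or from the kernel, the following user-space C model shows the two structures the cover letter describes: an lsmblob with one member per module (a u32 secid for SELinux, a pointer into the label list for Smack) and an lsmcontext that records which module rendered the text, so that the release path only frees what the creating module actually allocated. The LSM_ID values, the smack_known list and the two function names are constructed for the model and assume both modules are configured.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Module identifiers; constructed for this model, not the kernel's values. */
enum { LSM_ID_SELINUX = 1, LSM_ID_SMACK = 2 };
/* Smack's list of known labels; blobs point into it rather than copying. */
static const char *smack_known[] = { "_", "^", "floor", "web" };

/* One member per module, holding that module's own view of the subject. */
struct lsmblob {
	struct { uint32_t secid; } selinux;  /* SELinux: a u32 secid */
	struct { const char *known; } smack; /* Smack: pointer into smack_known */
};

/* Text form of one module's attribute plus the id of the module that made it. */
struct lsmcontext {
	char *context;
	unsigned int len;
	int id;
};

/* Model of security_lsmblob_to_secctx(): render the blob for one module. */
int blob_to_secctx(const struct lsmblob *blob, struct lsmcontext *cp, int lsmid)
{
	memset(cp, 0, sizeof(*cp));
	if (lsmid == LSM_ID_SELINUX) {
		char *s = malloc(32); /* SELinux: fresh allocation, caller frees */
		if (!s)
			return -1;
		cp->len = (unsigned int)snprintf(s, 32, "sid:%u", blob->selinux.secid);
		cp->context = s;
	} else if (lsmid == LSM_ID_SMACK && blob->smack.known) {
		cp->context = (char *)blob->smack.known; /* Smack: the list entry itself */
		cp->len = (unsigned int)strlen(cp->context);
	} else {
		return -1;
	}
	cp->id = lsmid;
	return 0;
}

/* Release goes to the creator: freeing Smack's entry would corrupt its list. */
void release_secctx(struct lsmcontext *cp)
{
	if (cp->id == LSM_ID_SELINUX)
		free(cp->context);
	memset(cp, 0, sizeof(*cp)); /* Smack text stays in smack_known */
}
```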



Thread overview: 54+ messages
     [not found] <20231215221636.105680-1-casey.ref@schaufler-ca.com>
2023-12-15 22:15 ` Casey Schaufler [this message]
2023-12-15 22:15   ` [PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule Casey Schaufler
2024-03-06  9:54     ` Roberto Sassu
2024-03-06 16:56       ` Casey Schaufler
2024-03-07  7:56         ` Roberto Sassu
2023-12-15 22:15   ` [PATCH v39 02/42] SM: Infrastructure management of the sock security Casey Schaufler
2023-12-15 22:15   ` [PATCH v39 03/42] LSM: Add the lsmblob data structure Casey Schaufler
2023-12-15 22:15   ` [PATCH v39 04/42] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2024-03-06 10:09     ` Roberto Sassu
2024-03-06 17:04       ` Casey Schaufler
2024-03-07  8:15         ` Roberto Sassu
2024-03-07 17:36           ` Casey Schaufler
2023-12-15 22:15   ` [PATCH v39 05/42] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 06/42] LSM: Add lsmblob_to_secctx hook Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 07/42] Audit: maintain an lsmblob in audit_context Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 08/42] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 09/42] Audit: Update shutdown LSM data Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 10/42] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 11/42] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 12/42] Audit: use an lsmblob in audit_names Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 13/42] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 14/42] Audit: Change context data from secid to lsmblob Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 15/42] Netlabel: Use lsmblob for audit data Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 16/42] LSM: Ensure the correct LSM context releaser Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 17/42] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 18/42] LSM: Use lsmcontext in security_lsmblob_to_secctx Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 19/42] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2023-12-18  2:50     ` Xiubo Li
2023-12-18 16:55       ` Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 21/42] LSM: security_lsmblob_to_secctx module selection Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 22/42] Audit: Create audit_stamp structure Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 23/42] Audit: Allow multiple records in an audit_buffer Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 24/42] Audit: Add record for multiple task security contexts Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 25/42] audit: multiple subject lsm values for netlabel Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 26/42] Audit: Add record for multiple object contexts Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 27/42] LSM: Remove unused lsmcontext_init() Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 28/42] LSM: Improve logic in security_getprocattr Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 29/42] LSM: secctx provider check on release Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 30/42] LSM: Single calls in socket_getpeersec hooks Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 31/42] LSM: Exclusive secmark usage Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 32/42] LSM: Identify which LSM handles the context string Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 33/42] AppArmor: Remove the exclusive flag Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 34/42] LSM: Add mount opts blob size tracking Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 35/42] LSM: allocate mnt_opts blobs instead of module specific data Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 36/42] LSM: Infrastructure management of the key security blob Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 37/42] LSM: Infrastructure management of the mnt_opts " Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 38/42] LSM: Correct handling of ENOSYS in inode_setxattr Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 39/42] LSM: Remove lsmblob scaffolding Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 40/42] LSM: Allow reservation of netlabel Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM Casey Schaufler
2023-12-15 22:16   ` [PATCH v39 42/42] Smack: Remove LSM_FLAG_EXCLUSIVE Casey Schaufler
2023-12-18  2:18     ` Leesoo Ahn
2024-02-02  0:24   ` [PATCH v39 00/42] LSM: General module stacking John Johansen
