Re: [kernel-hardening] Re: [PATCH RFC v2 1/3] LSM: Allow per LSM module per "struct task_struct" blob.
From: Djalal Harouni <hidden>
Date: 2017-04-12 16:08:50
Also in:
linux-security-module, lkml
On Tue, Apr 11, 2017 at 9:54 PM, Casey Schaufler [off-list ref] wrote:
On 4/10/2017 9:43 PM, Kees Cook wrote:quoted
On Mon, Apr 10, 2017 at 1:00 PM, Djalal Harouni [off-list ref] wrote:quoted
On Mon, Apr 10, 2017 at 9:26 PM, Casey Schaufler [off-list ref] wrote:quoted
I think that would be the prudent approach. There is still the possibility that blob sharing (or full stacking, if you prefer) won't be accepted any time soon.Ok Casey! I will wait for more feedback, and if other maintainers do not object, I will convert it back to rhashtables in next iterations making sure that it should be simple to convert later to a blob sharing mechanism.Would it be possible just to add a single field to task_struct if this LSM is built in? I feel like rhashtables is a huge overhead when a single field is all that's needed.Special casing the task_struct based on which modules are compiled in would work, but I'm under the impression that there's a strong desire to keep to one pointer for security module information in the major structures. The code for generalizing shared blobs isn't that hard, and y'all have seen it many times. It would be perfectly safe to convert the task, cred, inode and such blobs to be infrastructure managed right now. That wouldn't mean that all the stacking issues (e.g. audit and networking) would be addressed, or that all combinations of modules would work (i.e. no SELinux+Smack) but it would clear the way for this case. And Yama could use a blob if it wanted to.
I've been thinking about this again, so my patches did not convert creds, inodes etc, I don't have a use case for them now. My use case was for task->security and I re-used the simple approach. I can't offer a solution for other blobs since I'm not familiar with their context nor the different use cases. I checked TOMOYO and that was easy, but I can't check all of them. I agreed that I may use rhashtables but as Kees pointed out this may introduce overheads and extra memory, where the task->security for this ModAutoProtect LSM will only require an extra sizeof(unsigned long) per-task. Also again the problem is not in this proposed Module, the problem is in modules that can't be stacked together. I am bringing this, since maybe after we manage to merge this, and if Kees agree I may send another set of patches for Yama to enable the same per-task context, this enables containers but also allows later in systemd-logind sessions to set it where all inferiors inside the user sessions are protected by default, not only some apps or special desktops but for all. So I will hit the same problem again where to put it? You said that the code that generalize the blobs isn't that hard, but also in a previous response that it may not be accepted... so I will try to converge the task->security blob to be more like the infrastructure that you are proposing, then resubmit and maybe we will enable these modules that are stackable by default. Is this reasonable ? Thanks! -- tixxdz