Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure.

(off-list ancestor, not in this archive)
[PATCH v22 00/23] LSM: Module stacking for AppArmor · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 01/23] LSM: Infrastructure management of the sock security · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2020-12-28
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-29
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-29
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2020-12-29
Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-29
[PATCH v23 03/23] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 04/23] LSM: Use lsmblob in security_kernel_act_as · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 05/23] LSM: Use lsmblob in security_secctx_to_secid · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 06/23] LSM: Use lsmblob in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 07/23] LSM: Use lsmblob in security_ipc_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 08/23] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 09/23] LSM: Use lsmblob in security_inode_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 10/23] LSM: Use lsmblob in security_cred_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 11/23] IMA: Change internal interfaces to use lsmblobs · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 12/23] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 13/23] LSM: Ensure the correct LSM context releaser · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 14/23] LSM: Use lsmcontext in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 15/23] LSM: Use lsmcontext in security_inode_getsecctx · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 16/23] LSM: security_secid_to_secctx in netlink netfilter · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 17/23] NET: Store LSM netlabel data in a lsmblob · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 18/23] LSM: Verify LSM display sanity in binder · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 19/23] audit: add support for non-syscall auxiliary records · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
Re: [PATCH v23 19/23] audit: add support for non-syscall auxiliary records · kernel test robot <hidden> · 2020-11-20
Re: [PATCH v23 19/23] audit: add support for non-syscall auxiliary records · kernel test robot <hidden> · 2020-11-21
[PATCH v23 20/23] Audit: Add new record for multiple process LSM attributes · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
Re: [PATCH v23 20/23] Audit: Add new record for multiple process LSM attributes · kernel test robot <hidden> · 2020-11-20
Re: [PATCH v23 20/23] Audit: Add new record for multiple process LSM attributes · kernel test robot <hidden> · 2020-11-21
[PATCH v23 21/23] Audit: Add a new record for multiple object LSM attributes · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 22/23] LSM: Add /proc attr entry for full LSM context · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20
[PATCH v23 23/23] AppArmor: Remove the exclusive flag · Casey Schaufler <casey@schaufler-ca.com> · 2020-11-20

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-12-29 13:54:43
Also in: bpf, lkml, selinux

On Mon, 2020-12-28 at 20:53 -0500, Mimi Zohar wrote:

On Mon, 2020-12-28 at 15:20 -0800, Casey Schaufler wrote:

quoted

On 12/28/2020 2:14 PM, Mimi Zohar wrote:

quoted

On Mon, 2020-12-28 at 12:06 -0800, Casey Schaufler wrote:

quoted

On 12/28/2020 11:24 AM, Mimi Zohar wrote:

quoted

-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
+int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule)
 {
-       return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
+       struct security_hook_list *hp;
+       int rc;
+
+       hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
+               if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+                       continue;
+               rc = hp->hook.audit_rule_match(secid, field, op,
+                                              &lsmrule[hp->lsmid->slot]);
+               if (rc)
+                       return rc;

Suppose that there is an IMA dont_measure or dont_appraise rule, if one
LSM matches, then this returns true, causing any measurement or
integrity verification to be skipped.

Yes, that is correct. Like the audit system, you're doing a string based
lookup, which pretty well has to work this way. I have proposed compound
label specifications in the past, but even if we accepted something like
"apparmor=dates,selinux=figs" we'd still have to be compatible with the
old style inputs.

quoted

Sample policy rules:
dont_measure obj_type=foo_log
dont_appraise obj_type=foo_log

IMA could extend the existing policy rules like "lsm=[selinux] |
[smack] | [apparmor]", but that assumes that the underlying
infrastructure supports it.

Yes, but you would still need rational behavior in the
case where someone has old IMA policy rules.

From an IMA perspective, allowing multiple LSMs to define the same
policy label is worse than requiring the label be constrained to a
particular LSM.

If allowing multiple LSMs to define the same label is only an IMA
issue, then have security_audit_rule_init() return the number of LSMs
which define the label.   IMA is already emitting a warning when an LSM
rule is not defined.   Emitting an additional warning would be the
first step.

In addition, ima_parse_rule() could detect policy rules containing non
LSM specific labels.  Based on policy, IMA would decide how to handle
it.

thanks,

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help