Re: [PATCH v39 00/42] LSM: General module stacking
From: John Johansen <john.johansen@canonical.com>
Date: 2024-02-02 00:24:15
Also in: lkml
On 12/15/23 14:15, Casey Schaufler wrote:
> This patchset provides the changes required to allow arbitrary
> combination of all the existing Linux Security Modules (LSM).
> It does not provide for all possible configurations of all
> co-existing modules. It does not ensure that the enforcement of
> policy provided by one module does not interfere with the behavior
> of another module.
>
> The bulk of the code change is in support of the audit system.
> Because subjects and objects may have multiple LSM specific
> attributes that are used to make access control decisions it was
> necessary to enhance the audit system to report these security
> attributes. Separate audit records have been added to include the
> additional information for each of the audit event subject and
> object.
>
> Providing the required security information using 32-bit secids
> was no longer sufficient. A new structure, lsmblob, has been
> introduced to include the data for all relevant modules. The
> lsmblob structure has an entry for each of the modules that has
> used secids. Each module provides a structure of its own which
> contains the information it uses. For SELinux this is a u32 secid.
> Smack provides a pointer into the label list. Modules that are not
> configured use conditional compilation to have empty structures.
>
> Because audit records may need to include the text representation
> of more than one module's security attributes (commonly referred
> to as the "security context") the interfaces that convert the
> lsmblob into a text representation need to identify which module
> provided the text. A structure, lsmcontext, has been added that
> contains the text, its length and the identifier of the module
> that created it.
>
> Security attributes for network facilities have provided certain
> challenges. The security information allowed in socket buffers and
> secmarks is limited to a single u32 secid, and there is no
> indication that this will ever be allowed to change. The netlabel
> subsystem, which provides CIPSO and CALIPSO labeling on internet
> packets, supports only one IP packet option at a time. Labeled NFS3
> also supports only one security module. The existing modules have
> been updated to accept that they may not have access to these
> networking security attributes. The first module to register that
> uses them is given exclusive access.
>
> The issue of multiple modules using the /proc/.../attr interfaces
> has been largely addressed for some time by the inclusion of
> module specific sub-directories. Applications should be using these
> except for the case of SELinux.
>
> Patch 0001 removes an interface dependency on audit from IMA.
> Patch 0002 moves management of socket security blobs out of the
> modules and into the LSM infrastructure.
> Patch 0003 introduces the lsmblob structure.
> Patch 0004 introduces a mechanism for IMA to handle the possibility
> of multiple modules that use attributes.
> Patches 0005-0015 add new interfaces and change existing interfaces
> to use the lsmblob to represent security data.
> Patches 0016-0021 replace the use of string and length pairs for a
> "security context" with an lsmcontext structure.
> Patches 0022-0026 implement audit records describing the multiple
> security attributes on subjects and objects.
> Patch 0027 removes scaffolding code used in support of lsmcontext.
> Patches 0028-0030 optimize LSM hooks for the networking single
> module user case.
> Patch 0031 implements a mechanism to reserve use of network secmarks.
> Patch 0032 limits security_secctx_to_secid() to a single module.
> Patch 0033 removes the exclusive tag from AppArmor.
> Patches 0034-0035 add mount operation security blobs.
> Patch 0036 moves management of key security blobs out of the modules
> and into the LSM infrastructure.
> Patch 0037 enables management of mount operation security blobs in
> the modules.
> Patches 0038-0039 remove scaffolding for lsmblobs.
> Patch 0040 implements a mechanism to reserve use of netlabel.
> Patch 0041 restricts a hook used only by binder to a single module.
> Patch 0042 removes the exclusive tag from Smack.
>
> https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b
This is now in testing on the Ubuntu Unstable 6.8 based kernels https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable and if all goes well will get rolled out to the noble (24.04) -proposed kernels for broader testing soon.
> Casey Schaufler (42):
>   integrity: disassociate ima_filter_rule from security_audit_rule
>   LSM: Infrastructure management of the sock security
>   LSM: Add the lsmblob data structure.
>   IMA: avoid label collisions with stacked LSMs
>   LSM: Use lsmblob in security_audit_rule_match
>   LSM: Add lsmblob_to_secctx hook
>   Audit: maintain an lsmblob in audit_context
>   LSM: Use lsmblob in security_ipc_getsecid
>   Audit: Update shutdown LSM data
>   LSM: Use lsmblob in security_current_getsecid
>   LSM: Use lsmblob in security_inode_getsecid
>   Audit: use an lsmblob in audit_names
>   LSM: Create new security_cred_getlsmblob LSM hook
>   Audit: Change context data from secid to lsmblob
>   Netlabel: Use lsmblob for audit data
>   LSM: Ensure the correct LSM context releaser
>   LSM: Use lsmcontext in security_secid_to_secctx
>   LSM: Use lsmcontext in security_lsmblob_to_secctx
>   LSM: Use lsmcontext in security_inode_getsecctx
>   LSM: Use lsmcontext in security_dentry_init_security
>   LSM: security_lsmblob_to_secctx module selection
>   Audit: Create audit_stamp structure
>   Audit: Allow multiple records in an audit_buffer
>   Audit: Add record for multiple task security contexts
>   audit: multiple subject lsm values for netlabel
>   Audit: Add record for multiple object contexts
>   LSM: Remove unused lsmcontext_init()
>   LSM: Improve logic in security_getprocattr
>   LSM: secctx provider check on release
>   LSM: Single calls in socket_getpeersec hooks
>   LSM: Exclusive secmark usage
>   LSM: Identify which LSM handles the context string
>   AppArmor: Remove the exclusive flag
>   LSM: Add mount opts blob size tracking
>   LSM: allocate mnt_opts blobs instead of module specific data
>   LSM: Infrastructure management of the key security blob
>   LSM: Infrastructure management of the mnt_opts security blob
>   LSM: Correct handling of ENOSYS in inode_setxattr
>   LSM: Remove lsmblob scaffolding
>   LSM: Allow reservation of netlabel
>   LSM: restrict security_cred_getsecid() to a single LSM
>   Smack: Remove LSM_FLAG_EXCLUSIVE
>
>  Documentation/ABI/testing/ima_policy    |   8 +-
>  drivers/android/binder.c                |  25 +-
>  fs/ceph/super.h                         |   3 +-
>  fs/ceph/xattr.c                         |  15 +-
>  fs/fuse/dir.c                           |  35 +-
>  fs/nfs/dir.c                            |   2 +-
>  fs/nfs/inode.c                          |  17 +-
>  fs/nfs/internal.h                       |   8 +-
>  fs/nfs/nfs4proc.c                       |  16 +-
>  fs/nfs/nfs4xdr.c                        |  22 +-
>  fs/nfsd/nfs4xdr.c                       |  21 +-
>  include/linux/audit.h                   |  13 +
>  include/linux/lsm/apparmor.h            |  17 +
>  include/linux/lsm/bpf.h                 |  16 +
>  include/linux/lsm/selinux.h             |  16 +
>  include/linux/lsm/smack.h               |  17 +
>  include/linux/lsm_hook_defs.h           |  35 +-
>  include/linux/lsm_hooks.h               |   8 +
>  include/linux/nfs4.h                    |   8 +-
>  include/linux/nfs_fs.h                  |   2 +-
>  include/linux/security.h                | 158 +++++++--
>  include/net/netlabel.h                  |   2 +-
>  include/net/scm.h                       |  12 +-
>  include/uapi/linux/audit.h              |   2 +
>  kernel/audit.c                          | 269 +++++++++++----
>  kernel/audit.h                          |  20 +-
>  kernel/auditfilter.c                    |   9 +-
>  kernel/auditsc.c                        | 142 +++----
>  net/ipv4/ip_sockglue.c                  |  12 +-
>  net/netfilter/nf_conntrack_netlink.c    |  16 +-
>  net/netfilter/nf_conntrack_standalone.c |  11 +-
>  net/netfilter/nfnetlink_queue.c         |  22 +-
>  net/netlabel/netlabel_unlabeled.c       |  46 ++-
>  net/netlabel/netlabel_user.c            |  10 +-
>  net/netlabel/netlabel_user.h            |   2 +-
>  security/apparmor/audit.c               |  19 +-
>  security/apparmor/include/audit.h       |   8 +-
>  security/apparmor/include/net.h         |   8 +-
>  security/apparmor/include/secid.h       |   5 +-
>  security/apparmor/lsm.c                 |  65 +---
>  security/apparmor/net.c                 |   2 +-
>  security/apparmor/secid.c               |  52 ++-
>  security/bpf/hooks.c                    |   1 +
>  security/integrity/ima/ima.h            |  32 +-
>  security/integrity/ima/ima_api.c        |   6 +-
>  security/integrity/ima/ima_appraise.c   |   6 +-
>  security/integrity/ima/ima_main.c       |  60 ++--
>  security/integrity/ima/ima_policy.c     |  91 +++++-
>  security/security.c                     | 415 ++++++++++++++++++------
>  security/selinux/hooks.c                | 285 +++++++++-------
>  security/selinux/include/audit.h        |  13 +-
>  security/selinux/include/netlabel.h     |   5 +
>  security/selinux/include/objsec.h       |  12 +
>  security/selinux/netlabel.c             |  27 +-
>  security/selinux/ss/services.c          |  20 +-
>  security/smack/smack.h                  |  22 ++
>  security/smack/smack_lsm.c              | 347 ++++++++++++-------
>  security/smack/smack_netfilter.c        |  12 +-
>  security/smack/smackfs.c                |  24 +-
>  59 files changed, 1691 insertions(+), 883 deletions(-)
>  create mode 100644 include/linux/lsm/apparmor.h
>  create mode 100644 include/linux/lsm/bpf.h
>  create mode 100644 include/linux/lsm/selinux.h
>  create mode 100644 include/linux/lsm/smack.h
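The lsmblob and lsmcontext scheme the cover letter describes, together with the first-registrant exclusivity for netlabel, as an added userspace model in C. This is example code written for this page, not code from the patchset or the kernel: the enum lsm_id numbering, the "sid=N" text form standing in for SELinux's SID table, the explicit releaser argument on release, and the lsm_reserve_netlabel() helper are all assumptions made for the illustration. The Smack label "_" used in main() is a constructed sample.

```c
/* Added example (not kernel code): a userspace model of the lsmblob and
 * lsmcontext scheme from the cover letter. Module identifiers, the text
 * formats and the reservation helper are assumptions for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pretend kernel config for this model: SELinux and Smack built in,
 * AppArmor left out so its slot in the blob compiles to an empty struct. */
#define CONFIG_SECURITY_SELINUX 1
#define CONFIG_SECURITY_SMACK 1

/* Which module produced a piece of security data (assumed numbering). */
enum lsm_id { LSM_ID_UNDEF = 0, LSM_ID_SELINUX, LSM_ID_SMACK, LSM_ID_APPARMOR };

struct smack_known { const char *label; };   /* one entry of Smack's label list */

/* Per-module attribute blocks; an unconfigured module's block is empty. */
struct lsm_prop_selinux {
#ifdef CONFIG_SECURITY_SELINUX
	uint32_t secid;                 /* SELinux keeps a u32 secid */
#endif
};
struct lsm_prop_smack {
#ifdef CONFIG_SECURITY_SMACK
	struct smack_known *skp;        /* pointer into the label list, not a u32 */
#endif
};
struct lsm_prop_apparmor {
#ifdef CONFIG_SECURITY_APPARMOR
	uint32_t secid;
#endif
};

/* All modules' attributes for one subject or object, in one place. */
struct lsmblob {
	struct lsm_prop_selinux selinux;
	struct lsm_prop_smack smack;
	struct lsm_prop_apparmor apparmor;
};

/* Text form of one module's attributes, tagged with its producer so that
 * the same module, and only that module, releases it later. */
struct lsmcontext {
	char *context;
	uint32_t len;
	enum lsm_id id;
};

/* Render the requested module's part of the blob as text. Returns 0 on
 * success, -1 when that module is not built into this model. */
int lsmblob_to_secctx(const struct lsmblob *blob, struct lsmcontext *cp,
		      enum lsm_id id)
{
	char buf[64];

	memset(cp, 0, sizeof(*cp));
	switch (id) {
#ifdef CONFIG_SECURITY_SELINUX
	case LSM_ID_SELINUX:
		/* Real SELinux maps the secid through its SID table; "sid=N"
		 * is an assumed stand-in for this model. */
		snprintf(buf, sizeof(buf), "sid=%u", blob->selinux.secid);
		break;
#endif
#ifdef CONFIG_SECURITY_SMACK
	case LSM_ID_SMACK:
		snprintf(buf, sizeof(buf), "%s", blob->smack.skp->label);
		break;
#endif
	default:
		return -1;
	}
	cp->context = strdup(buf);
	cp->len = (uint32_t)strlen(buf);
	cp->id = id;
	return 0;
}

/* Release a context only through the module recorded as its producer;
 * a caller naming a different module gets -1 and the context survives. */
int lsm_release_secctx(struct lsmcontext *cp, enum lsm_id releaser)
{
	if (cp->id == LSM_ID_UNDEF || cp->id != releaser)
		return -1;
	free(cp->context);
	memset(cp, 0, sizeof(*cp));
	return 0;
}

/* Netlabel carries data for one module only: the first module to reserve
 * it owns it, other modules are refused, the owner may ask again. */
static enum lsm_id netlabel_owner = LSM_ID_UNDEF;

bool lsm_reserve_netlabel(enum lsm_id id)
{
	if (netlabel_owner == LSM_ID_UNDEF)
		netlabel_owner = id;
	return netlabel_owner == id;
}

int main(void)
{
	struct smack_known floor = { "_" };   /* constructed sample label */
	struct lsmblob blob = { .selinux = { .secid = 42 },
				.smack = { .skp = &floor } };
	struct lsmcontext cp;

	if (lsmblob_to_secctx(&blob, &cp, LSM_ID_SELINUX) == 0)
		printf("module %d: %.*s\n", cp.id, (int)cp.len, cp.context);
	lsm_release_secctx(&cp, LSM_ID_SELINUX);
	return 0;
}
```

The point the model makes is the one the letter's audit and networking paragraphs turn on: a single u32 cannot carry both SELinux's secid and Smack's label pointer, so the blob holds one slot per module, every context string remembers which module wrote it, and facilities that can only hold one module's data (netlabel, secmark) go to whichever module claims them first.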