Commit 2233975c authored by James Morris's avatar James Morris
Browse files

Merge tag 'blob-stacking-security-next' of... 

Merge tag 'blob-stacking-security-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into next-general

LSM: Module stacking for SARA and Landlock

The combined series of LSM refactoring and addition of blob-sharing for
SARA and Landlock.

From Casey:

v5: Include Kees Cook's rework of the lsm command
    line interface.
v4: Finer granularity in the patches and other
    cleanups suggested by Kees Cook.
    Removed dead code created by the removal of SELinux
    credential blob poisoning.
v3: Add ipc blob for SARA and task blob for Landlock.
    Removing the SELinux cred blob pointer poisoning
    results selinux_is_enabled() being unused, so it and
    all it's overhead has been removed.
    Broke up the cred infrastructure patch.
v2: Reduce the patchset to what is required to support
    the proposed SARA and LandLock security modules

The SARA security module is intended to be used
in conjunction with other security modules. It requires
state to be maintained for the credential, which
in turn requires a mechanism for sharing the credential
security blob. It also uses the ipc security blob. The
module also requires mechanism for user space manipulation
of the credential information, hence an additional
subdirectory in /proc/.../attr.

The LandLock security module provides user configurable
policy in the secmark mechanism. It requires data in
the credential, file, inode and task security blobs. For
this to be used along side the existing "major" security
modules mechanism for sharing these blobs are provided.

A side effect of providing sharing of the crendential
security blob is that the TOMOYO module can be used at
the same time as the other "major" modules.

The mechanism for configuring which security modules are
enabled has to change when stacking in enabled. Any
module that uses just the security blobs that are shared
can be selected. Additionally, one other "major" module
can be selected.

The security module stacking issues around networking and
IPC are not addressed here as they are beyond what is
required for TOMOYO, SARA and LandLock.
parents 49e41801 a5e2fe7e

Documentation/admin-guide/LSM/index.rst

+10 −3
Original line number Diff line number Diff line
@@ -17,9 +17,8 @@ MAC extensions, other extensions can be built using the LSM to provide 
specific changes to system operation when these tweaks are not available

in the core functionality of Linux itself.



Without a specific LSM built into the kernel, the default LSM will be the

Linux capabilities system. Most LSMs choose to extend the capabilities

system, building their checks on top of the defined capability hooks.

The Linux capabilities modules will always be included. This may be

followed by any number of "minor" modules and at most one "major" module.

For more details on capabilities, see ``capabilities(7)`` in the Linux

man-pages project.
@@ -30,6 +29,14 @@ order in which checks are made. The capability module will always 
be first, followed by any "minor" modules (e.g. Yama) and then

the one "major" module (e.g. SELinux) if there is one configured.



Process attributes associated with "major" security modules should

be accessed and maintained using the special files in ``/proc/.../attr``.

A security module may maintain a module specific subdirectory there,

named after the module. ``/proc/.../attr/smack`` is provided by the Smack

security module and contains all its special files. The files directly

in ``/proc/.../attr`` remain as legacy interfaces for modules that provide

subdirectories.



.. toctree::

   :maxdepth: 1

Documentation/admin-guide/kernel-parameters.txt

+4 −0
Original line number Diff line number Diff line
@@ -2319,6 +2319,10 @@ 


	lsm.debug	[SECURITY] Enable LSM initialization debugging output.



	lsm=lsm1,...,lsmN

			[SECURITY] Choose order of LSM initialization. This

			overrides CONFIG_LSM.



	machvec=	[IA-64] Force the use of a particular machine-vector

			(machvec) in a generic kernel.

			Example: machvec=hpzx1_swiotlb

fs/proc/base.c

+55 −9
Original line number Diff line number Diff line
@@ -143,6 +143,10 @@ struct pid_entry { 
	NOD(NAME, (S_IFREG|(MODE)),			\

		NULL, &proc_single_file_operations,	\

		{ .proc_show = show } )

#define ATTR(LSM, NAME, MODE)				\

	NOD(NAME, (S_IFREG|(MODE)),			\

		NULL, &proc_pid_attr_operations,	\

		{ .lsm = LSM })



/*

 * Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2525,7 +2529,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, 
	if (!task)

		return -ESRCH;



	length = security_getprocattr(task,

	length = security_getprocattr(task, PROC_I(inode)->op.lsm,

				      (char*)file->f_path.dentry->d_name.name,

				      &p);

	put_task_struct(task);
@@ -2574,7 +2578,9 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, 
	if (rv < 0)

		goto out_free;



	rv = security_setprocattr(file->f_path.dentry->d_name.name, page, count);

	rv = security_setprocattr(PROC_I(inode)->op.lsm,

				  file->f_path.dentry->d_name.name, page,

				  count);

	mutex_unlock(&current->signal->cred_guard_mutex);

out_free:

	kfree(page);
@@ -2588,13 +2594,53 @@ static const struct file_operations proc_pid_attr_operations = { 
	.llseek		= generic_file_llseek,

};



#define LSM_DIR_OPS(LSM) \

static int proc_##LSM##_attr_dir_iterate(struct file *filp, \

			     struct dir_context *ctx) \

{ \

	return proc_pident_readdir(filp, ctx, \

				   LSM##_attr_dir_stuff, \

				   ARRAY_SIZE(LSM##_attr_dir_stuff)); \

} \

\

static const struct file_operations proc_##LSM##_attr_dir_ops = { \

	.read		= generic_read_dir, \

	.iterate	= proc_##LSM##_attr_dir_iterate, \

	.llseek		= default_llseek, \

}; \

\

static struct dentry *proc_##LSM##_attr_dir_lookup(struct inode *dir, \

				struct dentry *dentry, unsigned int flags) \

{ \

	return proc_pident_lookup(dir, dentry, \

				  LSM##_attr_dir_stuff, \

				  ARRAY_SIZE(LSM##_attr_dir_stuff)); \

} \

\

static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \

	.lookup		= proc_##LSM##_attr_dir_lookup, \

	.getattr	= pid_getattr, \

	.setattr	= proc_setattr, \

}



#ifdef CONFIG_SECURITY_SMACK

static const struct pid_entry smack_attr_dir_stuff[] = {

	ATTR("smack", "current",	0666),

};

LSM_DIR_OPS(smack);

#endif



static const struct pid_entry attr_dir_stuff[] = {

	REG("current",    S_IRUGO|S_IWUGO, proc_pid_attr_operations),

	REG("prev",       S_IRUGO,	   proc_pid_attr_operations),

	REG("exec",       S_IRUGO|S_IWUGO, proc_pid_attr_operations),

	REG("fscreate",   S_IRUGO|S_IWUGO, proc_pid_attr_operations),

	REG("keycreate",  S_IRUGO|S_IWUGO, proc_pid_attr_operations),

	REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),

	ATTR(NULL, "current",		0666),

	ATTR(NULL, "prev",		0444),

	ATTR(NULL, "exec",		0666),

	ATTR(NULL, "fscreate",		0666),

	ATTR(NULL, "keycreate",		0666),

	ATTR(NULL, "sockcreate",	0666),

#ifdef CONFIG_SECURITY_SMACK

	DIR("smack",			0555,

	    proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),

#endif

};



static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)

fs/proc/internal.h

+1 −0
Original line number Diff line number Diff line
@@ -81,6 +81,7 @@ union proc_op { 
	int (*proc_show)(struct seq_file *m,

		struct pid_namespace *ns, struct pid *pid,

		struct task_struct *task);

	const char *lsm;

};



struct proc_inode {

include/linux/cred.h

+0 −1
Original line number Diff line number Diff line
@@ -15,7 +15,6 @@ 
#include <linux/capability.h>

#include <linux/init.h>

#include <linux/key.h>

#include <linux/selinux.h>

#include <linux/atomic.h>

#include <linux/uidgid.h>

#include <linux/sched.h>

CRA Git | Maintained and supported by SUSTech CRA and CCSE