From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 00/18] LSM: Prepare for explict LSM ordering
Date: Sat, 15 Sep 2018 17:30:41 -0700 [thread overview]
Message-ID: <20180916003059.1046-1-keescook@chromium.org> (raw)
This refactors the LSM registration and initialization infrastructure
to more centrally support different LSM types. What was considered a
"major" LSM is split into "exclusive" and future "blob sharing" (to be
added later). The "minor" LSMs become more well defined as a result.
Instead of continuing to (somewhat improperly) overload the kernel's
initcall system, this changes the LSM infrastructure to store a
registration structure (struct lsm_info) table instead, where metadata
about each LSM can be recorded (name, type, order, enable flag, init
function). This can be extended in the future to include things like
required blob size for the coming "blob sharing" LSMs.
The "major" LSMs had to individually negotiate which of them should be
enabled. This didn't provide a way to negotiate combinations of other
LSMs (as will be needed for "blob sharing" LSMs). This is solved by
providing the LSM infrastructure with all the details needed to make
the choice (exposing the per-LSM "enabled" flag, if used, the LSM type,
and ordering expectations).
In better defining the "minor" LSMs, it was possible to remove the
open-coded security_add_hooks() calls for "capability", "yama", and
"loadpin", and to redefine "integrity" properly as a "minor" LSM (it
actually defines _no_ hooks, but needs the early initialization).
With all LSMs being proessed centrally, it was possible to implement
sensible parsing of the "security=" boot commandline argument to provide
explicit ordering, which is helpful for the future "blob sharing" LSMs.
To better show LSMs activation some debug reporting was added (enabled
with the "lsm.debug" boot commandline option).
Finally, I added a WARN() around LSM initialization failures, which
appear to have always been silently ignored. (Realistically any LSM init
failures would have only been due to catastrophic kernel issues that
would render a system unworkable anyway, but it'd be better to expose
the problem as early as possible.)
-Kees
Kees Cook (18):
vmlinux.lds.h: Avoid copy/paste of security_init section
LSM: Rename .security_initcall section to .lsm_info
LSM: Remove initcall tracing
LSM: Convert from initcall to struct lsm_info
vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
LSM: Convert security_initcall() into DEFINE_LSM()
LSM: Add minor LSM initialization loop
integrity: Initialize as LSM_TYPE_MINOR
LSM: Record LSM name in struct lsm_info
LSM: Plumb visibility into optional "enabled" state
LSM: Lift LSM selection out of individual LSMs
LSM: Introduce ordering details in struct lsm_info
LoadPin: Initialize as LSM_TYPE_MINOR
Yama: Initialize as LSM_TYPE_MINOR
capability: Initialize as LSM_TYPE_MINOR
LSM: Allow arbitrary LSM ordering
LSM: Provide init debugging
LSM: Don't ignore initialization failures
.../admin-guide/kernel-parameters.txt | 15 +-
arch/arc/kernel/vmlinux.lds.S | 1 -
arch/arm/kernel/vmlinux-xip.lds.S | 1 -
arch/arm64/kernel/vmlinux.lds.S | 1 -
arch/h8300/kernel/vmlinux.lds.S | 1 -
arch/microblaze/kernel/vmlinux.lds.S | 2 -
arch/powerpc/kernel/vmlinux.lds.S | 2 -
arch/um/include/asm/common.lds.S | 2 -
arch/xtensa/kernel/vmlinux.lds.S | 1 -
include/asm-generic/vmlinux.lds.h | 25 +-
include/linux/init.h | 2 -
include/linux/lsm_hooks.h | 45 +++-
include/linux/module.h | 1 -
security/apparmor/lsm.c | 15 +-
security/commoncap.c | 9 +-
security/integrity/iint.c | 6 +-
security/loadpin/loadpin.c | 11 +-
security/security.c | 252 ++++++++++++++----
security/selinux/hooks.c | 15 +-
security/smack/smack_lsm.c | 7 +-
security/tomoyo/tomoyo.c | 6 +-
security/yama/yama_lsm.c | 8 +-
22 files changed, 295 insertions(+), 133 deletions(-)
--
2.17.1
next reply other threads:[~2018-09-16 0:30 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-16 0:30 Kees Cook [this message]
2018-09-16 0:30 ` [PATCH 01/18] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-09-16 0:30 ` [PATCH 02/18] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 03/18] LSM: Remove initcall tracing Kees Cook
2018-09-16 0:30 ` [PATCH 04/18] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 05/18] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-09-16 0:30 ` [PATCH 06/18] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-09-16 0:30 ` [PATCH 07/18] LSM: Add minor LSM initialization loop Kees Cook
2018-09-16 1:27 ` Jann Horn
2018-09-16 1:49 ` Kees Cook
2018-09-16 0:30 ` [PATCH 08/18] integrity: Initialize as LSM_TYPE_MINOR Kees Cook
2018-09-16 0:30 ` [PATCH 09/18] LSM: Record LSM name in struct lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 10/18] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-09-16 0:30 ` [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-09-16 1:32 ` Jann Horn
2018-09-16 1:47 ` Kees Cook
2018-09-16 0:30 ` [PATCH 12/18] LSM: Introduce ordering details in struct lsm_info Kees Cook
2018-09-16 0:30 ` [PATCH 13/18] LoadPin: Initialize as LSM_TYPE_MINOR Kees Cook
2018-09-16 0:30 ` [PATCH 14/18] Yama: " Kees Cook
2018-09-16 0:30 ` [PATCH 15/18] capability: " Kees Cook
2018-09-16 0:30 ` [PATCH 16/18] LSM: Allow arbitrary LSM ordering Kees Cook
2018-09-16 18:49 ` Casey Schaufler
2018-09-16 23:00 ` Kees Cook
2018-09-17 0:46 ` Tetsuo Handa
2018-09-17 15:06 ` Casey Schaufler
2018-09-17 16:24 ` Kees Cook
2018-09-17 17:13 ` Casey Schaufler
2018-09-17 18:14 ` Kees Cook
2018-09-17 19:23 ` Casey Schaufler
2018-09-17 19:55 ` John Johansen
2018-09-17 21:57 ` Casey Schaufler
2018-09-17 22:36 ` John Johansen
[not found] ` <a51a4d34-7077-bfbe-5979-00e79680f514@digikod.net>
2018-09-17 23:20 ` Kees Cook
2018-09-17 23:26 ` John Johansen
2018-09-17 23:28 ` Kees Cook
2018-09-17 23:40 ` Casey Schaufler
2018-09-17 23:30 ` Casey Schaufler
[not found] ` <968ac661-ad5d-c6e2-1587-971b6dceaaea@digikod.net>
2018-09-18 0:00 ` Casey Schaufler
2018-09-17 23:25 ` John Johansen
2018-09-17 23:25 ` Casey Schaufler
2018-09-18 0:00 ` Kees Cook
2018-09-18 0:24 ` Casey Schaufler
2018-09-18 0:45 ` Kees Cook
2018-09-18 0:57 ` Casey Schaufler
2018-09-18 0:59 ` Kees Cook
2018-09-18 1:08 ` John Johansen
2018-09-17 19:35 ` John Johansen
2018-09-16 0:30 ` [PATCH 17/18] LSM: Provide init debugging Kees Cook
2018-09-16 0:30 ` [PATCH 18/18] LSM: Don't ignore initialization failures Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180916003059.1046-1-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).