From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752203AbdBBRFl (ORCPT ); Thu, 2 Feb 2017 12:05:41 -0500 Received: from mail-wm0-f68.google.com ([74.125.82.68]:34234 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752174AbdBBRFi (ORCPT ); Thu, 2 Feb 2017 12:05:38 -0500 From: Djalal Harouni X-Google-Original-From: Djalal Harouni To: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org, Kees Cook Cc: Andrew Morton , Lafcadio Wluiki , Djalal Harouni , Dongsu Park , Andy Lutomirski , James Morris , , Al Viro , Daniel Mack , Jann Horn , Elena Reshetova Subject: [RFC/PATCH 3/3] doc: add Timgad LSM documentation Date: Thu, 2 Feb 2017 18:04:54 +0100 Message-Id: <1486055094-4532-4-git-send-email-djalal@gmail.com> X-Mailer: git-send-email 2.5.5 In-Reply-To: <1486055094-4532-1-git-send-email-djalal@gmail.com> References: <1486055094-4532-1-git-send-email-djalal@gmail.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Djalal Harouni Cc: Kees Cook Signed-off-by: Djalal Harouni --- Documentation/security/Timgad.txt | 61 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 Documentation/security/Timgad.txt diff --git a/Documentation/security/Timgad.txt b/Documentation/security/Timgad.txt new file mode 100644 index 0000000..1ae1e7c --- /dev/null +++ b/Documentation/security/Timgad.txt 
@@ -0,0 +1,61 @@ +Timgad is a Linux Security Module that collects per process and +system-wide security protections that are not handled by the core kernel +itself. + +This is selectable at build-time with CONFIG_SECURITY_TIMGAD, and can be +controlled at run-time through sysctls in /proc/sys/kernel/timgad: +or prctl() interface. + + +- module_restrict + +============================================================== + +Linux containers need robust settings to control if modules are allowed to +be loaded or unloaded globally or per process/container policy. +Automatic loading of kernel modules using the "auto-load" feature is also +covered. + +This adds global sysctl settings to indicate if modules are allowed +to be loaded or unloaded, at same time it also supports a +per-process/container settings based on prctl(2) interface. The prctl(2) +settings are inherited by children created by fork(2) and clone(2), and +preserved across execve(2). + + +*) The per-process prctl() settings are: + prctl(PR_TIMGAD_OPTS, PR_TIGMAD_SET_MOD_RESTRICT, value, 0, 0) + + Where value means: + +0 - Classic module load and unload permissions, nothing changes. + +1 - The current process must have CAP_SYS_MODULE to be able to load and + unload modules. CAP_NET_ADMIN should allow the current process to + load and unload only netdev aliased modules. + +2 - Current process can not loaded nor unloaded modules. + + +*) The sysctl settings (writable only with CAP_SYS_MODULE) are: + /proc/sys/kernel/timgad/module_restrict + +0 - Classic module load and unload permissions, nothing changes. + +1 - Only processes with CAP_SYS_MODULE should be able to load and + unload modules. Processes with CAP_NET_ADMIN should be able to + load and unload only netdev aliased modules. + +2 - Modules can not be loaded nor unloaded. Once set, this sysctl value + cannot be changed. + + +Rules: +First the prctl() settings are checked, if the access is not denied +then the global sysctl settings are checked. 
+ + +The original idea and inspiration is from grsecurity +'GRKERNSEC_MODHARDEN' + +============================================================== -- 2.5.5
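Review bot: in this hunk the per-process prctl() option is spelled `PR_TIGMAD_SET_MOD_RESTRICT` while the first argument is `PR_TIMGAD_OPTS` and the module is "Timgad" everywhere else; fix the transposition so the documented constant matches the real header name. Two wording points in the same hunk: the run-time control sentence reads "through sysctls in /proc/sys/kernel/timgad: or prctl() interface" (stray colon, and it should be "or the prctl() interface"), and the description of prctl value 2 reads "Current process can not loaded nor unloaded modules" (should be "cannot load or unload modules"). More substantively, the sysctl section states that level 2 "Once set ... cannot be changed", but the prctl section says nothing about whether a process can lower its own value again; since the setting is inherited across fork(2)/clone(2) and preserved across execve(2), please state explicitly whether the per-process value is one-way (can only be raised), because a container runtime relying on it needs to know that the confined process cannot simply call prctl() to relax the restriction. The introduction says "auto-load" is "also covered", yet the level descriptions only talk about the calling process's capabilities; spell out what happens to request_module()-triggered loads at levels 1 and 2 (for example, whether a process without CAP_SYS_MODULE can still cause an auto-load through another syscall). Finally, the "Rules" paragraph would be clearer if it said outright that a denial from either the prctl() setting or the sysctl is final, i.e. the more restrictive of the two wins, which is what "checked first, then the sysctl" currently implies without stating.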