From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com, paul@paul-moore.com,
linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
mic@digikod.net
Subject: [PATCH 00/13] LSM: Move away from secids
Date: Sun, 25 Aug 2024 12:00:35 -0700 [thread overview]
Message-ID: <20240825190048.13289-1-casey@schaufler-ca.com> (raw)
In-Reply-To: 20240825190048.13289-1-casey.ref@schaufler-ca.com
Many of the Linux Security Module (LSM) interfaces use u32
security ID values (secids) to identify module specific security
attributes. This is an artifact of the SELinux security server
architecture and compromises made to allow security attributes
to be associated with networking mechanisms. There are significant
performance implications to using this approach, as access control
decisions must map the secids to the real data to be used. There is
also impact on the audit system, which must provide textual values
for security attributes.
The secid based interfaces are also constrained to supporting a
single security module. There are clever mechanisms for representing
multiple 32 bit values in a single 32 bit value, but they add overhead
and complexity. While the issue of multiple concurrent security modules
is not explicitly addressed here, the move away from secids is required
to make that possible.
Most uses of secids can be replaced by a security module specific
value. In SELinux this remains a u32 secid. In Smack the value is
a pointer into the system label list. In AppArmor a pointer to a
security context can be used. Because the active security module can
be specified at boot time using the "security=" or "lsm=" flags,
the system must be able to use any of the possible values.
A struct lsmblob is introduced to contain the attribute values.
This struct includes a member for each of the security modules that
are built into the kernel. Where possible, uses of secids are
replaced with a lsmblob. LSM interfaces have been modified to use
lsmblob pointers instead of secids in most cases. Some new interfaces
have been introduced where it is not practical to replace an existing
secid interface. This occurs in several networking code paths.
https://github.com/cschaufler/lsm-stacking.git#lsmblob-6.11-rc3
Casey Schaufler (13):
LSM: Add the lsmblob data structure.
LSM: Use lsmblob in security_audit_rule_match
LSM: Add lsmblob_to_secctx hook
Audit: maintain an lsmblob in audit_context
LSM: Use lsmblob in security_ipc_getsecid
Audit: Update shutdown LSM data
LSM: Use lsmblob in security_current_getsecid
LSM: Use lsmblob in security_inode_getsecid
Audit: use an lsmblob in audit_names
LSM: Create new security_cred_getlsmblob LSM hook
Audit: Change context data from secid to lsmblob
Netlabel: Use lsmblob for audit data
LSM: Remove lsmblob scaffolding
include/linux/lsm/apparmor.h | 17 +++++
include/linux/lsm/bpf.h | 16 ++++
include/linux/lsm/selinux.h | 16 ++++
include/linux/lsm/smack.h | 17 +++++
include/linux/lsm_hook_defs.h | 20 +++--
include/linux/security.h | 90 ++++++++++++++++++----
include/net/netlabel.h | 2 +-
kernel/audit.c | 21 +++---
kernel/audit.h | 7 +-
kernel/auditfilter.c | 9 ++-
kernel/auditsc.c | 61 ++++++++-------
net/netlabel/netlabel_unlabeled.c | 2 +-
net/netlabel/netlabel_user.c | 7 +-
net/netlabel/netlabel_user.h | 2 +-
security/apparmor/audit.c | 4 +-
security/apparmor/include/audit.h | 2 +-
security/apparmor/include/secid.h | 2 +
security/apparmor/lsm.c | 17 +++--
security/apparmor/secid.c | 32 ++++++++
security/integrity/ima/ima.h | 6 +-
security/integrity/ima/ima_api.c | 6 +-
security/integrity/ima/ima_appraise.c | 6 +-
security/integrity/ima/ima_main.c | 60 +++++++--------
security/integrity/ima/ima_policy.c | 20 ++---
security/security.c | 105 ++++++++++++++++++--------
security/selinux/hooks.c | 49 +++++++-----
security/selinux/include/audit.h | 5 +-
security/selinux/ss/services.c | 7 +-
security/smack/smack_lsm.c | 95 +++++++++++++++--------
security/smack/smackfs.c | 4 +-
30 files changed, 483 insertions(+), 224 deletions(-)
create mode 100644 include/linux/lsm/apparmor.h
create mode 100644 include/linux/lsm/bpf.h
create mode 100644 include/linux/lsm/selinux.h
create mode 100644 include/linux/lsm/smack.h
--
2.41.0
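The lsmblob described in the cover letter, as an added userspace C model that is not part of the original message or of the patch series: it shows why a u32 secid forces every consumer to map the id back to the real data, how a struct with one member per built-in module lets SELinux keep its u32 while Smack stores a pointer into its label list, and how a lsmblob_to_secctx-style routine picks the active module's member for audit. The struct, field and function names (lsmblob_selinux, lsmblob_smack, smack_known, smack_getlsmblob, lsmblob_to_secctx) and the label tables are assumptions modelled on the description above, not copied from the patches.

```c
/*
 * Added example, not code from the series: a userspace C model of how an
 * lsmblob lets each module keep its native value so that consumers stop
 * mapping a secid back to data. Names are assumptions based on the cover
 * letter's description, not copied from the patches.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the "real data" that a Smack secid only names. */
struct smack_known { const char *label; u32 secid; };

/* One member per built-in module, each holding that module's native value. */
struct lsmblob_selinux { u32 secid; };              /* SELinux keeps its u32 */
struct lsmblob_smack { struct smack_known *skp; };  /* pointer into the label list */
struct lsmblob {
	struct lsmblob_selinux selinux;
	struct lsmblob_smack smack;
};

/* Constructed label tables; secid 0 means "unset" in both. */
static struct smack_known smack_labels[] = { { "_", 1 }, { "System", 2 }, { "Web", 3 } };
static const char *selinux_ctx[] = { NULL, "system_u:system_r:kernel_t:s0",
				     "system_u:object_r:etc_t:s0" };

/* How many times the secid path walked the Smack label list. */
static unsigned long smack_secid_lookups;

/* The secid way: every consumer pays for a secid -> data lookup. */
static struct smack_known *smack_from_secid(u32 secid)
{
	smack_secid_lookups++;
	for (size_t i = 0; i < ARRAY_SIZE(smack_labels); i++)
		if (smack_labels[i].secid == secid)
			return &smack_labels[i];
	return NULL;
}

/* The lsmblob way: each module fills only its own member, in its native type. */
static void selinux_getlsmblob(struct lsmblob *blob, u32 secid)
{
	blob->selinux.secid = secid;
}

static void smack_getlsmblob(struct lsmblob *blob, const char *label)
{
	for (size_t i = 0; i < ARRAY_SIZE(smack_labels); i++)
		if (strcmp(smack_labels[i].label, label) == 0)
			blob->smack.skp = &smack_labels[i];
}

/* The module selected at boot with security= or lsm=. */
enum lsm_id { LSM_SELINUX, LSM_SMACK };

/* Model of an lsmblob_to_secctx hook: the text audit needs, read from the
 * active module's member; the Smack side dereferences, it does not search.
 * Returns the context length, or -1 if that member is unset. */
static int lsmblob_to_secctx(enum lsm_id active, const struct lsmblob *blob,
			     char *buf, size_t len)
{
	const char *ctx = NULL;
	if (active == LSM_SELINUX && blob->selinux.secid < ARRAY_SIZE(selinux_ctx))
		ctx = selinux_ctx[blob->selinux.secid];
	else if (active == LSM_SMACK && blob->smack.skp)
		ctx = blob->smack.skp->label;
	return ctx ? snprintf(buf, len, "%s", ctx) : -1;
}

/* Members holding a value; a lone u32 secid could carry at most one of them. */
static int lsmblob_populated(const struct lsmblob *blob)
{
	return (blob->selinux.secid != 0) + (blob->smack.skp != NULL);
}

/* Fill one blob for both modules and render it for the active one. */
static int example(enum lsm_id active, char *buf, size_t len)
{
	struct lsmblob blob;
	memset(&blob, 0, sizeof(blob));
	selinux_getlsmblob(&blob, 2);
	smack_getlsmblob(&blob, "Web");
	if (lsmblob_to_secctx(active, &blob, buf, len) < 0)
		return -1;
	return lsmblob_populated(&blob);
}

int main(void)
{
	char buf[64];
	struct smack_known *skp = smack_from_secid(3);
	printf("secid 3 -> %s after %lu list walk\n", skp->label, smack_secid_lookups);
	printf("populated: %d\n", example(LSM_SMACK, buf, sizeof(buf)));
	printf("smack secctx: %s\n", buf);
	return 0;
}
```

The point to take from the model is the type of each member: the blob carries a u32 for SELinux and a pointer for Smack at the same time, which is what a single secid cannot do without the packing tricks the cover letter mentions, and the Smack path in lsmblob_to_secctx never touches the label list.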
Thread overview (24+ messages):
[not found] <20240825190048.13289-1-casey.ref@schaufler-ca.com>
2024-08-25 19:00 ` Casey Schaufler [this message]
2024-08-25 19:00 ` [PATCH 01/13] LSM: Add the lsmblob data structure Casey Schaufler
2024-08-26 13:34 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2024-08-26 19:31 ` kernel test robot
2024-08-25 19:00 ` [PATCH 03/13] LSM: Add lsmblob_to_secctx hook Casey Schaufler
2024-08-26 17:43 ` Georgia Garcia
2024-08-26 18:45 ` Casey Schaufler
2024-08-27 14:45 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 04/13] Audit: maintain an lsmblob in audit_context Casey Schaufler
2024-08-27 15:01 ` Georgia Garcia
2024-08-27 15:08 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2024-08-27 12:23 ` Stephen Smalley
2024-08-25 19:00 ` [PATCH 06/13] Audit: Update shutdown LSM data Casey Schaufler
2024-08-25 19:00 ` [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2024-08-26 21:24 ` kernel test robot
2024-08-25 19:00 ` [PATCH 08/13] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2024-08-25 19:00 ` [PATCH 09/13] Audit: use an lsmblob in audit_names Casey Schaufler
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
2024-08-27 5:00 ` kernel test robot
2024-08-25 19:00 ` [PATCH 11/13] Audit: Change context data from secid to lsmblob Casey Schaufler
2024-08-25 19:00 ` [PATCH 12/13] Netlabel: Use lsmblob for audit data Casey Schaufler
2024-08-25 19:00 ` [PATCH 13/13] LSM: Remove lsmblob scaffolding Casey Schaufler