Re: [RFC PATCH v2] security, lockdown, selinux: implement SELinux lockdown

2019-12-09 Thread Paul Moore
On Wed, Nov 27, 2019 at 12:04 PM Stephen Smalley  wrote:
> Implement a SELinux hook for lockdown.  If the lockdown module is also
> enabled, then a denial by the lockdown module will take precedence over
> SELinux, so SELinux can only further restrict lockdown decisions.
> The SELinux hook only distinguishes at the granularity of integrity
> versus confidentiality similar to the lockdown module, but includes the
> full lockdown reason as part of the audit record as a hint in diagnosing
> what triggered the denial.  To support this auditing, move the
> lockdown_reasons[] string array from being private to the lockdown
> module to the security framework so that it can be used by the lsm audit
> code and so that it is always available even when the lockdown module
> is disabled.
>
> Note that the SELinux implementation allows the integrity and
> confidentiality reasons to be controlled independently from one another.
> Thus, in an SELinux policy, one could allow operations that specify
> an integrity reason while blocking operations that specify a
> confidentiality reason. The SELinux hook implementation is
> stricter than the lockdown module in validating the provided reason value.
>
> Sample AVC audit output from denials:
> avc:  denied  { integrity } for pid=3402 comm="fwupd"
>  lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
>  tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
>
> avc:  denied  { confidentiality } for pid=4628 comm="cp"
>  lockdown_reason="/proc/kcore access"
>  scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
>  tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
>  tclass=lockdown permissive=0
>
> Signed-off-by: Stephen Smalley 
> ---
>  include/linux/lsm_audit.h           |  2 ++
>  include/linux/security.h            |  2 ++
>  security/lockdown/lockdown.c        | 24 ---
>  security/lsm_audit.c                |  5 +
>  security/security.c                 | 30 +
>  security/selinux/hooks.c            | 30 +
>  security/selinux/include/classmap.h |  2 ++
>  7 files changed, 71 insertions(+), 24 deletions(-)

While I remain concerned about the granularity, I think this is about
as good as we can get right now without potentially messing things up
in the future.  Applied to selinux/next, thanks Stephen.

-- 
paul moore
www.paul-moore.com
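The decision path the quoted commit message describes, as an added userspace model that is not code from the patch or the kernel: the lockdown module's verdict comes first and SELinux can only deny further, each reason maps to either the integrity or the confidentiality permission, and an SELinux denial carries the reason string into the AVC record. Assumed rather than taken from the page: the rejection of LOCKDOWN_NONE, the two range markers and out-of-range values in reason_to_perm (my reading of "stricter in validating the provided reason value"), the kernel_locked_down >= reason test for the lockdown module, and the abbreviated AVC line, which keeps only the fields the example computes.

```c
/* Added example (not the patch's code): a userspace model of one lockdown decision
 * with the lockdown LSM stacked before the SELinux hook. Validation rules assumed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
enum lockdown_reason {			/* same order as the page's string table */
	LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC,
	LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR,
	LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL,
	LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_DEBUGFS,
	LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ,
	LOCKDOWN_PERF, LOCKDOWN_TRACEFS, LOCKDOWN_CONFIDENTIALITY_MAX,
};
static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
	"none", "unsigned module loading", "/dev/mem,kmem,port",
	"kexec of unsigned images", "hibernation", "direct PCI access",
	"raw io port access", "raw MSR access", "modifying ACPI tables",
	"direct PCMCIA CIS storage", "reconfiguration of serial port IO",
	"unsafe module parameters", "unsafe mmio", "debugfs access", "integrity",
	"/proc/kcore access", "use of kprobes", "use of bpf to read kernel RAM",
	"unsafe use of perf", "use of tracefs", "confidentiality",
};

#define LOCKDOWN__INTEGRITY       1u	/* permission bits of the SELinux */
#define LOCKDOWN__CONFIDENTIALITY 2u	/* "lockdown" object class        */
/* Permission the SELinux hook checks for a reason, or 0 when it rejects the
 * reason (NONE, either range marker, out of range): assumed strict validation. */
static unsigned int reason_to_perm(int what)
{
	if (what <= LOCKDOWN_NONE || what == LOCKDOWN_INTEGRITY_MAX ||
	    what >= LOCKDOWN_CONFIDENTIALITY_MAX)
		return 0;
	return what < LOCKDOWN_INTEGRITY_MAX ? LOCKDOWN__INTEGRITY : LOCKDOWN__CONFIDENTIALITY;
}

/* level: the lockdown module's kernel_locked_down; granted: lockdown-class bits the
 * policy gives the caller. Returns 0, -EINVAL or -EPERM; an SELinux denial fills audit. */
static int lockdown_decide(int level, unsigned int granted, int what,
			   char *audit, size_t n)
{
	unsigned int perm = reason_to_perm(what);
	audit[0] = '\0';
	if (!perm) return -EINVAL;		/* rejected before any policy lookup */
	if (level >= what) return -EPERM;	/* lockdown denies; SELinux never runs */
	if (granted & perm) return 0;		/* lockdown allowed; SELinux may only restrict */
	snprintf(audit, n, "avc:  denied  { %s } lockdown_reason=\"%s\" tclass=lockdown",
		 perm == LOCKDOWN__INTEGRITY ? "integrity" : "confidentiality", lockdown_reasons[what]);
	return -EPERM;
}
```

With the lockdown module at integrity level, kexec is refused before SELinux is consulted while /proc/kcore passes to the policy check; with the module at none and a policy granting only the integrity permission, /dev/mem is allowed and /proc/kcore produces the confidentiality AVC record.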


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
[RFC PATCH v2] security,lockdown,selinux: implement SELinux lockdown

2019-11-28 Thread Stephen Smalley
Implement a SELinux hook for lockdown.  If the lockdown module is also
enabled, then a denial by the lockdown module will take precedence over
SELinux, so SELinux can only further restrict lockdown decisions.
The SELinux hook only distinguishes at the granularity of integrity
versus confidentiality similar to the lockdown module, but includes the
full lockdown reason as part of the audit record as a hint in diagnosing
what triggered the denial.  To support this auditing, move the
lockdown_reasons[] string array from being private to the lockdown
module to the security framework so that it can be used by the lsm audit
code and so that it is always available even when the lockdown module
is disabled.

Note that the SELinux implementation allows the integrity and
confidentiality reasons to be controlled independently from one another.
Thus, in an SELinux policy, one could allow operations that specify
an integrity reason while blocking operations that specify a
confidentiality reason. The SELinux hook implementation is
stricter than the lockdown module in validating the provided reason value.

Sample AVC audit output from denials:
avc:  denied  { integrity } for pid=3402 comm="fwupd"
 lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
 tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0

avc:  denied  { confidentiality } for pid=4628 comm="cp"
 lockdown_reason="/proc/kcore access"
 scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
 tclass=lockdown permissive=0

Signed-off-by: Stephen Smalley 
---
 include/linux/lsm_audit.h           |  2 ++
 include/linux/security.h            |  2 ++
 security/lockdown/lockdown.c        | 24 ---
 security/lsm_audit.c                |  5 +
 security/security.c                 | 30 +
 security/selinux/hooks.c            | 30 +
 security/selinux/include/classmap.h |  2 ++
 7 files changed, 71 insertions(+), 24 deletions(-)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 915330abf6e5..99d629fd9944 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -74,6 +74,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_FILE12
 #define LSM_AUDIT_DATA_IBPKEY  13
 #define LSM_AUDIT_DATA_IBENDPORT 14
+#define LSM_AUDIT_DATA_LOCKDOWN 15
union   {
struct path path;
struct dentry *dentry;
@@ -93,6 +94,7 @@ struct common_audit_data {
struct file *file;
struct lsm_ibpkey_audit *ibpkey;
struct lsm_ibendport_audit *ibendport;
+   int reason;
} u;
/* this union contains LSM specific data */
union {
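Review bot: the new union member `int reason;` will always carry an enum lockdown_reason value, so declaring it as `enum lockdown_reason reason;` would document that and let the compiler catch a mismatched assignment; if int is kept on purpose because the enum is not visible in this header, a one-line comment naming the expected enum would serve the same purpose for readers of the audit code.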
diff --git a/include/linux/security.h b/include/linux/security.h
index a8d59d612d27..df7a4d293fe8 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -125,6 +125,8 @@ enum lockdown_reason {
LOCKDOWN_CONFIDENTIALITY_MAX,
 };
 
+extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+
 /* These functions are in security/commoncap.c */
 extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
   int cap, unsigned int opts);
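Review bot: the extern is unconditional, so security/security.c must define the table whether or not the lockdown module is built, which is what the commit message intends; since the declared size is exactly LOCKDOWN_CONFIDENTIALITY_MAX+1, any code that indexes `lockdown_reasons[]` with a value handed in through a hook must range-check it (0 <= reason <= LOCKDOWN_CONFIDENTIALITY_MAX) itself rather than rely on the lockdown module's check, because that module may be disabled.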
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8a10b43daf74..5a952617a0eb 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -16,30 +16,6 @@
 
 static enum lockdown_reason kernel_locked_down;
 
-static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
-   [LOCKDOWN_NONE] = "none",
-   [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
-   [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
-   [LOCKDOWN_KEXEC] = "kexec of unsigned images",
-   [LOCKDOWN_HIBERNATION] = "hibernation",
-   [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
-   [LOCKDOWN_IOPORT] = "raw io port access",
-   [LOCKDOWN_MSR] = "raw MSR access",
-   [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",
-   [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",
-   [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",
-   [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",
-   [LOCKDOWN_MMIOTRACE] = "unsafe mmio",
-   [LOCKDOWN_DEBUGFS] = "debugfs access",
-   [LOCKDOWN_INTEGRITY_MAX] = "integrity",
-   [LOCKDOWN_KCORE] = "/proc/kcore access",
-   [LOCKDOWN_KPROBES] = "use of kprobes",
-   [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
-   [LOCKDOWN_PERF] = "unsafe use of perf",
-   [LOCKDOWN_TRACEFS] = "use of tracefs",
-   [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
-};
-
 static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE,
 LOCKDOWN_INTEGRITY_MAX,
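Review bot: removing the static definition separates the strings from the `lockdown_levels[]` table that still references LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX just below, so adding a reason to `enum lockdown_reason` now requires a matching update in security/security.c as well; a comment on the enum in include/linux/security.h pointing at the table's new home would keep the two from drifting apart.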

Re: [RFC PATCH v2] security,lockdown,selinux: implement SELinux lockdown

2019-11-27 Thread James Morris
On Wed, 27 Nov 2019, Stephen Smalley wrote:

> avc:  denied  { confidentiality } for pid=4628 comm="cp"
>  lockdown_reason="/proc/kcore access"
>  scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
>  tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
>  tclass=lockdown permissive=0
> 
> Signed-off-by: Stephen Smalley 
> ---
>  include/linux/lsm_audit.h           |  2 ++
>  include/linux/security.h            |  2 ++
>  security/lockdown/lockdown.c        | 24 ---
>  security/lsm_audit.c                |  5 +
>  security/security.c                 | 30 +
>  security/selinux/hooks.c            | 30 +
>  security/selinux/include/classmap.h |  2 ++
>  7 files changed, 71 insertions(+), 24 deletions(-)

LGTM.

Reviewed-by: James Morris 


-- 
James Morris