On Wed, Mar 3, 2021 at 7:44 PM Paul Moore wrote:
> On Sun, Feb 21, 2021 at 7:51 AM John Johansen
> wrote:
> > On 2/19/21 3:29 PM, Paul Moore wrote:
> > > Of the three LSMs that implement the security_task_getsecid() LSM
> > > hook, all three LSMs provide the task's objective security
> > >
On Mon, Mar 8, 2021 at 2:25 PM Richard Guy Briggs wrote:
> On 2021-02-19 18:29, Paul Moore wrote:
> > Of the three LSMs that implement the security_task_getsecid() LSM
> > hook, all three LSMs provide the task's objective security
> > credentials. This turns out to be unfortunate as most of the
On Tue, Mar 9, 2021 at 1:44 PM Alan Evangelista wrote:
>
> I have the following audit rule:
>
> -a exit,always -F dir=/data -F arch=b64 -S open -S unlink -S unlinkat -S link
> -S rename -S renameat S renameat2 -S chmod -S fchmod -S fchmodat -S chown -S
> fchown -S fchownat -S mkdir -S rmdir -S
I have the following audit rule:
-a exit,always -F dir=/data -F arch=b64 -S open -S unlink -S unlinkat -S
link -S rename -S renameat S renameat2 -S chmod -S fchmod -S fchmodat -S
chown -S fchown -S fchownat -S mkdir -S rmdir -S setxattr -S lsetxattr -S
fsetxattr -S removexattr -S lremovexattr -S
With the inclusion of the interface LSM process attribute
mechanism AppArmor no longer needs to be treated as an
"exclusive" security module. Remove the flag that indicates
it is exclusive. Remove the stub getpeersec_dgram AppArmor
hook as it has no effect in the single LSM case and
interferes in
Create a new audit record type to contain the object information
when there are multiple security modules that may require such data.
This record is linked with the same timestamp and serial number.
An example of the MAC_OBJ_CONTEXTS (1421) record is:
type=UNKNOWN[1421]
Create a new audit record type to contain the subject information
when there are multiple security modules that require such data.
This record is linked with the same timestamp and serial number
using the audit_alloc_local() mechanism.
The record is produced only in cases where there is more than
Standalone audit records have the timestamp and serial number generated
on the fly and as such are unique, making them standalone. This new
function audit_alloc_local() generates a local audit context that will
be used only for a standalone record and its auxiliary record(s). The
context is
Verify that the tasks on the ends of a binder transaction
use the same "display" security module. This prevents confusion
of security "contexts".
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
---
Netlabel uses LSM interfaces requiring an lsmblob and
the internal storage is used to pass information between
these interfaces, so change the internal data from a secid
to a lsmblob. Update the netlabel interfaces and their
callers to accommodate the change. This requires that the
modules using
Change netlink netfilter interfaces to use lsmcontext
pointers, and remove scaffolding.
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Pablo Neira Ayuso
Signed-off-by: Casey Schaufler
Cc: net...@vger.kernel.org
Cc: netfilter-de...@vger.kernel.org
---
Change the security_inode_getsecctx() interface to fill
a lsmcontext structure instead of data and length pointers.
This provides the information about which LSM created the
context so that security_release_secctx() can use the
correct hook.
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the
Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates
Create a new entry "interface_lsm" in the procfs attr directory for
controlling which LSM security information is displayed for a
process. A process can only read or write its own display value.
The name of an active LSM that supplies hooks for
human readable data may be written to
The IMA interfaces ima_get_action() and ima_match_policy()
call LSM functions that use lsmblobs. Change the IMA functions
to pass the lsmblob to be compatible with the LSM functions.
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Signed-off-by: Casey Schaufler
Cc:
Change the security_cred_getsecid() interface to fill in a
lsmblob instead of a u32 secid. The associated data elements
in the audit sub-system are changed from a secid to a lsmblob
to accommodate multiple possible LSM audit users.
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by:
Change the security_inode_getsecid() interface to fill in a
lsmblob structure instead of a u32 secid. This allows for its
callers to gather data from all registered LSMs. Data is provided
for IMA and audit.
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by:
When more than one security module is exporting data to
audit and networking sub-systems a single 32 bit integer
is no longer sufficient to represent the data. Add a
structure to be used instead.
The lsmblob structure is currently an array of
u32 "secids". There is an entry for each of the
There may be more than one LSM that provides IPC data
for auditing. Change security_ipc_getsecid() to fill in
a lsmblob structure instead of the u32 secid. The
audit data structure containing the secid will be updated
later, so there is a bit of scaffolding here.
Reviewed-by: Kees Cook
Change security_secid_to_secctx() to take a lsmblob as input
instead of a u32 secid. It will then call the LSM hooks
using the lsmblob element allocated for that module. The
callers have been updated as well. This allows for the
possibility that more than one module may be called upon
to translate
Change the security_secctx_to_secid interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its callers to do the same.
The security module hook is unchanged, still passing back a secid.
The infrastructure passes the correct entry from the
Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
Acked-by: Paul Moore
Change the security_kernel_act_as interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its only caller, set_security_override,
to do the same. Change that one's only caller,
set_security_override_from_ctx, to call it with the new
parameter
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the appropriate slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
Integrity measurement may filter on security module information
and needs to be clear in the case of multiple active security
modules which applies. Provide a boot option ima_rules_lsm= to
allow the user to specify an active security module to apply
filters to. If not specified, use the first
Provide interfaces to map LSM slot numbers and LSM names.
Update the LSM registration code to save this information.
Signed-off-by: Casey Schaufler
---
include/linux/security.h | 4
security/security.c | 45
2 files changed, 49 insertions(+)
This patchset provides the changes required for
the AppArmor security module to stack safely with any other.
v25: Rebase to 5.12-rc2
Incorporate feedback from v24
- The IMA team suggested improvements to the integrity rule
processing.
v24: Rebase to 5.11-rc1
Incorporate