Re: [PATCH v2] TaskTracker : Simplified thread information tracker.

2023-08-07 Thread Casey Schaufler
On 8/7/2023 7:24 AM, Tetsuo Handa wrote: > On 2023/08/07 7:01, Steve Grubb wrote: >> This is where the problem begins. We like to have normalized audit records. >> Meaning that a type of event defines the fields it contains. In this case >> subject would be a process label. and there is already a

Re: [PATCH v38 01/39] LSM: Identify modules by more than name

2023-03-03 Thread Casey Schaufler
On 3/3/2023 7:17 AM, Georgia Garcia wrote: > Hi! > > On Tue, 2022-09-27 at 12:53 -0700, Casey Schaufler wrote: >> Create a struct lsm_id to contain identifying information >> about Linux Security Modules (LSMs). At inception this contains >> a single member, which is the

Re: Identify whether the kernel version supports Path based exclusion

2023-01-10 Thread Casey Schaufler
On 1/10/2023 4:08 AM, Anurag Aggarwal wrote: > Hello All, > > I need a method to identify whether the audit version a kernel is > running supports path based exclusions. % cat /sys/kernel/security/lsm This will tell you what security modules are in use. Check whether any of the modules that use p

Re: [PATCH 1/2] audit: introduce a struct to represent an audit timestamp

2022-12-19 Thread Casey Schaufler
On 12/19/2022 9:54 AM, Ondrej Mosnacek wrote: > Join the two fields that comprise an audit timestamp into a common > structure. This will be used further in later commits. Patch 30/39 of my LSM stacking patchset[1] is almost identical to this. The only significant difference is the structure name.

Re: LSM stacking in next for 6.1?

2022-10-31 Thread Casey Schaufler
t is correct. In order to have a LSM identifier token the LSM must > > be upstream. > > at > https://lkml.kernel.org/r/cahc9vht2azg1f-g3rq4xl7jga3oathafzs1_nvuyeufscj9...@mail.gmail.com > . > > If we can agree that the upstream kernel never refuses to assign LSM ID

Re: LSM stacking in next for 6.1?

2022-10-30 Thread Casey Schaufler
On 10/30/2022 9:37 AM, Kees Cook wrote: > On October 30, 2022 7:02:52 AM PDT, Tetsuo Handa > wrote: >> Casey's patchset is trying to provide LSM ID Repository for userspace >> programs. >> But an LSM ID value cannot be assigned to that LSM unless that module is >> available in the upstream kerne

Re: LSM stacking in next for 6.1?

2022-10-26 Thread Casey Schaufler
On 10/26/2022 3:19 AM, Tetsuo Handa wrote: > On 2022/10/26 7:41, Casey Schaufler wrote: >> You need a built-in LSM that loads and manages loadable >> security modules. > That is no longer loadable LSM modules. A loadable LSM module must be capable > of > loadin

Re: LSM stacking in next for 6.1?

2022-10-25 Thread Casey Schaufler
On 10/25/2022 3:12 PM, Tetsuo Handa wrote: > On 2022/10/25 23:12, Casey Schaufler wrote: >> On 10/25/2022 4:20 AM, Tetsuo Handa wrote: >>> On 2022/10/25 19:26, John Johansen wrote: >>>> no, Casey is not. He is trying to find a path forward to get LSM >>>

Re: LSM stacking in next for 6.1?

2022-10-25 Thread Casey Schaufler
On 10/25/2022 4:20 AM, Tetsuo Handa wrote: > On 2022/10/25 19:26, John Johansen wrote: >> no, Casey is not. He is trying to find a path forward to get LSM >> stacking upstream sooner than later. He has made proposals that >> admittedly you have not liked, but he has at least tried to propose >> ide

Re: [PATCH v38 39/39] LSM: Create lsm_module_list system call

2022-10-24 Thread Casey Schaufler
On 10/12/2022 3:04 PM, Kees Cook wrote: > On Tue, Sep 27, 2022 at 01:31:55PM -0700, Casey Schaufler wrote: >> +SYSCALL_DEFINE3(lsm_module_list, >> + unsigned int __user *, ids, >> + size_t __user *, size, >> + int, flags) > Please

Re: [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data

2022-10-24 Thread Casey Schaufler
On 10/24/2022 8:13 AM, Tetsuo Handa wrote: > On 2022/10/24 2:13, Casey Schaufler wrote: >>> We won't be able to accept whatever LSM modules to upstream, and we won't >>> be able to enable whatever LSM modules in distributor kernels. >> A built in module load

Re: [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data

2022-10-23 Thread Casey Schaufler
On 10/23/2022 3:10 AM, Tetsuo Handa wrote: > On 2022/10/23 16:27, Tetsuo Handa wrote: >> On 2022/10/21 8:42, Casey Schaufler wrote: >>> I will, on the other hand, listen to compelling arguments. It is not the >>> intention of this code to lock out loadable modules.

Re: [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data

2022-10-23 Thread Casey Schaufler
On 10/23/2022 12:27 AM, Tetsuo Handa wrote: > On 2022/10/21 8:42, Casey Schaufler wrote: >> On 10/13/2022 3:04 AM, Tetsuo Handa wrote: >>> On 2022/09/28 4:53, Casey Schaufler wrote: >>>> @@ -483,6 +491,16 @@ void __init security_add_hooks(struct >>>

Re: [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data

2022-10-20 Thread Casey Schaufler
On 10/13/2022 3:04 AM, Tetsuo Handa wrote: > On 2022/09/28 4:53, Casey Schaufler wrote: >> @@ -483,6 +491,16 @@ void __init security_add_hooks(struct >> security_hook_list *hooks, int count, >> { >> int i; >> >> +/* >> + * A secur

Re: [PATCH v38 02/39] LSM: Add an LSM identifier for external use

2022-10-20 Thread Casey Schaufler
On 10/12/2022 2:14 PM, Mickaël Salaün wrote: > > On 27/09/2022 21:53, Casey Schaufler wrote: >> Add an integer member "id" to the struct lsm_id. This value is >> a unique identifier associated with each security module. The >> values are defined in a new UAPI hea

Re: [PATCH v38 39/39] LSM: Create lsm_module_list system call

2022-10-20 Thread Casey Schaufler
On 10/12/2022 2:19 PM, Mickaël Salaün wrote: > > On 27/09/2022 22:31, Casey Schaufler wrote: >> Create a system call to report the list of Linux Security Modules >> that are active on the system. The list is provided as an array >> of LSM ID numbers. > > With lsm_sel

Re: [PATCH v38 06/39] LSM: lsm_self_attr syscall for LSM self attributes

2022-10-20 Thread Casey Schaufler
On 10/20/2022 8:44 AM, Paul Moore wrote: > On Tue, Sep 27, 2022 at 3:57 PM Casey Schaufler > wrote: >> Create a system call lsm_self_attr() to provide the security >> module maintained attributes of the current process. Historically >> these attributes have been exposed t

Re: LSM stacking in next for 6.1?

2022-09-27 Thread Casey Schaufler
On 9/14/2022 6:42 AM, Paul Moore wrote: > On Thu, Sep 8, 2022 at 6:56 PM Casey Schaufler wrote: >> I am going to start playing with these syscalls. Please help me understand >> where I have suggested something stoopid. > Thanks for posting an initial patch that we can use for fu

[PATCH v38 39/39] LSM: Create lsm_module_list system call

2022-09-27 Thread Casey Schaufler
Create a system call to report the list of Linux Security Modules that are active on the system. The list is provided as an array of LSM ID numbers. Signed-off-by: Casey Schaufler --- arch/x86/entry/syscalls/syscall_64.tbl | 1 + include/linux/syscalls.h | 1 + include/uapi/asm

[PATCH v38 31/39] LSM: Add a function to report multiple LSMs

2022-09-27 Thread Casey Schaufler
Add a new boolean function lsm_multiple_contexts() to identify when multiple security modules provide security context strings. Signed-off-by: Casey Schaufler Acked-by: Paul Moore Reviewed-by: John Johansen --- include/linux/security.h | 9 + 1 file changed, 9 insertions(+) diff

[PATCH v38 38/39] AppArmor: Remove the exclusive flag

2022-09-27 Thread Casey Schaufler
erferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +--- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/appa

[PATCH v38 37/39] LSM: Removed scaffolding function lsmcontext_init

2022-09-27 Thread Casey Schaufler
The scaffolding function lsmcontext_init() is no longer used. Remove it. Signed-off-by: Casey Schaufler --- include/linux/security.h | 19 --- 1 file changed, 19 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index c190b9189287..f6a247033556

[PATCH v38 36/39] netlabel: Use a struct lsmblob in audit data

2022-09-27 Thread Casey Schaufler
Remove scaffolding in netlabel audit by keeping subject lsm information in an lsmblob structure instead of a secid. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/net/netlabel.h| 2 +- net/netlabel/netlabel_unlabeled.c | 4 +--- net/netlabel/netlabel_user.c

[PATCH v38 34/39] audit: multiple subject lsm values for netlabel

2022-09-27 Thread Casey Schaufler
Refactor audit_log_task_context(), creating a new audit_log_subject_context(). This is used in netlabel auditing to provide multiple subject security contexts as necessary. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/audit.h| 7 +++ kernel/audit.c

[PATCH v38 35/39] Audit: Add record for multiple object contexts

2022-09-27 Thread Casey Schaufler
"obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- i

[PATCH v38 33/39] Audit: Add record for multiple task security contexts

2022-09-27 Thread Casey Schaufler
"subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- includ

[PATCH v38 32/39] Audit: Allow multiple records in an audit_buffer

2022-09-27 Thread Casey Schaufler
e are currently defined) as have been added to the list. Functions are created to manage the skb list in the audit_buffer. Suggested-by: Paul Moore Signed-off-by: Casey Schaufler --- kernel/audit.c | 111 +++-- 1 file changed, 89 insertions(+), 22 dele

[PATCH v38 30/39] Audit: Create audit_stamp structure

2022-09-27 Thread Casey Schaufler
Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- kernel/audit.c | 17 + kernel/audit.h | 13 + kernel/auditsc.c | 22 +- 3

[PATCH v38 29/39] Audit: Keep multiple LSM data in audit_names

2022-09-27 Thread Casey Schaufler
Replace the osid field in the audit_names structure with a lsmblob structure. This accommodates the use of an lsmblob in security_audit_rule_match() and security_inode_getsecid(). Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- kernel/audit.h | 2 +- kernel/auditsc.c | 22

[PATCH v38 28/39] LSM: security_secid_to_secctx module selection

2022-09-27 Thread Casey Schaufler
ISPLAY the "interface lsm" is used. If the value is LSMBLOB_FIRST the first security module providing a hook is used. The integrity IMA subsystem has chosen to always use the LSMBLOB_FIRST behavior, regardless of the lsm_display values. Signed-off-by: Casey Schaufler --- driv

[PATCH v38 27/39] binder: Pass LSM identifier for confirmation

2022-09-27 Thread Casey Schaufler
Send an identifier for the security module interface_lsm along with the security context. This allows the receiver to verify that the receiver and the sender agree on which security module's context is being used. If they don't agree the message is rejected. Signed-off-by: Casey

[PATCH v38 25/39] LSM: security_secid_to_secctx in netlink netfilter

2022-09-27 Thread Casey Schaufler
Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de

[PATCH v38 26/39] NET: Store LSM netlabel data in a lsmblob

2022-09-27 Thread Casey Schaufler
netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4

[PATCH v38 24/39] Use lsmcontext in security_dentry_init_security

2022-09-27 Thread Casey Schaufler
new structure. Special care is taken in the NFS code, which uses the same data structure for its own copied labels as it does for the data which comes from security_dentry_init_security(). In the case of copied labels the data has to be freed, not released. Signed-off-by: Casey Schaufler --- fs

[PATCH v38 22/39] LSM: Use lsmcontext in security_secid_to_secctx

2022-09-27 Thread Casey Schaufler
new structure. security_secid_to_secctx() will now return the length value if the passed lsmcontext pointer is NULL. Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-de...@vger.kernel.org --- drivers/android/binder.c| 26

[PATCH v38 21/39] LSM: Ensure the correct LSM context releaser

2022-09-27 Thread Casey Schaufler
allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.

[PATCH v38 23/39] LSM: Use lsmcontext in security_inode_getsecctx

2022-09-27 Thread Casey Schaufler
-by: Chuck Lever Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org --- fs/nfsd/nfs4xdr.c| 23 +-- include/linux/security.h | 5 +++-- security/security.c | 13 +++-- 3 files changed, 23

[PATCH v38 18/39] LSM: Use lsmblob in security_inode_getsecid

2022-09-27 Thread Casey Schaufler
: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-audit@redhat.com --- include/linux/security.h| 13 +++-- kernel/auditsc.c| 6 +- security/integrity/ima/ima_policy.c | 9 + security/security.c

[PATCH v38 19/39] LSM: Use lsmblob in security_cred_getsecid

2022-09-27 Thread Casey Schaufler
: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-audit@redhat.com --- drivers/android/binder.c | 12 +-- include/linux/security.h | 7 --- kernel/audit.c| 25

[PATCH v38 20/39] LSM: Specify which LSM to display

2022-09-27 Thread Casey Schaufler
security module is responsible for defining its policy. AppArmor hook initially provided by John Johansen . SELinux hook initially provided by Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/security.h | 17 include/uapi/linux/prctl.h | 4 + security

[PATCH v38 17/39] LSM: Use lsmblob in security_current_getsecid

2022-09-27 Thread Casey Schaufler
Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-audit@redhat.com Cc: net...@vger.kernel.org --- drivers/android/binder.c | 6 +-- include/linux/security.h | 31 +++--- kernel

[PATCH v38 16/39] LSM: Use lsmblob in security_ipc_getsecid

2022-09-27 Thread Casey Schaufler
-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com --- include/linux/security.h | 7 --- kernel/auditsc.c | 7 ++- security/security.c | 12 +--- 3 files changed, 19 insertions(+), 7 deletions

[PATCH v38 15/39] LSM: Use lsmblob in security_secid_to_secctx

2022-09-27 Thread Casey Schaufler
a secid to a string, as can occur in the audit code. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-de...@vger.kernel.org To: Pablo Neira Ayuso --- drivers/android/binder.c| 12

[PATCH v38 14/39] LSM: Use lsmblob in security_secctx_to_secid

2022-09-27 Thread Casey Schaufler
lsmblob. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de...@vger.kernel.org To: Pablo Neira Ayuso --- include/linux/security.h | 26 ++-- kernel/cred.c | 4 +--- net/netfilter

[PATCH v38 13/39] LSM: Use lsmblob in security_kernel_act_as

2022-09-27 Thread Casey Schaufler
mblob instead of a secid. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler To: David Howells --- include/linux/cred.h | 3 ++- include/linux/security.h | 5 +++-- kernel/cred.c| 10 ++ sec

[PATCH v38 12/39] LSM: Use lsmblob in security_audit_rule_match

2022-09-27 Thread Casey Schaufler
dropped. Signed-off-by: Casey Schaufler Acked-by: Paul Moore Reviewed-by: John Johansen Cc: linux-audit@redhat.com --- include/linux/security.h | 5 +++-- kernel/auditfilter.c | 6 -- kernel/auditsc.c | 16 +++- security/security.c | 5 +++-- 4 files changed, 21

[PATCH v38 11/39] IMA: avoid label collisions with stacked LSMs

2022-09-27 Thread Casey Schaufler
registered module that supports the audit_rule_match() LSM hook. Allow the user to specify in the IMA policy an lsm= option to specify the security module to use for a particular rule. Signed-off-by: Casey Schaufler To: Mimi Zohar To: linux-integr...@vger.kernel.org --- Documentation/ABI/testing

[PATCH v38 10/39] LSM: provide lsm name and id slot mappings

2022-09-27 Thread Casey Schaufler
Provide interfaces to map LSM slot numbers and LSM names. Update the LSM registration code to save this information. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- include/linux/security.h | 4 security/security.c | 45

[PATCH v38 09/39] LSM: Add the lsmblob data structure.

2022-09-27 Thread Casey Schaufler
s expanded to use an array of security module data rather than a single instance. A new structure audit_lsm_rules is defined to avoid the confusion which commonly accompanies the use of void ** parameters. Signed-off-by: Casey Schaufler --- include/linux/audit.h| 9 - include/linux

[PATCH v38 08/39] LSM: Infrastructure management of the sock security

2022-09-27 Thread Casey Schaufler
ore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 6 ++- security/apparmor/lsm.c | 38 -- security/apparmor/net.c |

[PATCH v38 06/39] LSM: lsm_self_attr syscall for LSM self attributes

2022-09-27 Thread Casey Schaufler
ctx_len| -- | unsigned char ctx[ctx_len] | -- Signed-off-by: Casey Schaufler --- arch/x86/entry/syscalls/syscall_64.tbl | 1 + include/linux/syscalls.h | 1 + include/uapi/asm-generic/unistd.h

[PATCH v38 07/39] integrity: disassociate ima_filter_rule from security_audit_rule

2022-09-27 Thread Casey Schaufler
ansen Signed-off-by: Casey Schaufler To: Mimi Zohar Cc: linux-integr...@vger.kernel.org --- include/linux/security.h | 24 security/integrity/ima/ima.h | 26 -- security/security.c | 21 + 3 files changed, 45 inser

[PATCH v38 05/39] proc: Use lsmids instead of lsm names for attrs

2022-09-27 Thread Casey Schaufler
will provide a minor performance improvement. Signed-off-by: Casey Schaufler --- fs/proc/base.c | 29 +++-- fs/proc/internal.h | 2 +- include/linux/security.h | 11 +-- security/security.c | 11 +-- 4 files changed, 26 insertions(+

[PATCH v38 04/39] LSM: Maintain a table of LSM attribute data

2022-09-27 Thread Casey Schaufler
As LSMs are registered add their lsm_id pointers to a table. This will be used later for attribute reporting. Signed-off-by: Casey Schaufler --- include/linux/security.h | 17 + security/security.c | 18 ++ 2 files changed, 35 insertions(+) diff --git a

[PATCH v38 03/39] LSM: Identify the process attributes for each module

2022-09-27 Thread Casey Schaufler
Add an integer member "features" to the struct lsm_id which identifies the API related data associated with each security module. The initial set of features maps to information that has traditionally been available in /proc/self/attr. Signed-off-by: Casey Schaufler --- include/linux/l

[PATCH v38 01/39] LSM: Identify modules by more than name

2022-09-27 Thread Casey Schaufler
lsm_id and pass it to security_add_hooks(). Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h| 11 +-- security/apparmor/lsm.c | 6 +- security/bpf/hooks.c | 11 ++- security/commoncap.c | 6 +- security/landlock/cred.c | 2

[PATCH v38 02/39] LSM: Add an LSM identifier for external use

2022-09-27 Thread Casey Schaufler
Add an integer member "id" to the struct lsm_id. This value is a unique identifier associated with each security module. The values are defined in a new UAPI header file. Each existing LSM has been updated to include its LSMID in the lsm_id. Signed-off-by: Casey Schaufler ---

[PATCH v38 00/39] LSM: Module stacking for AppArmor

2022-09-27 Thread Casey Schaufler
s describing what is active on the system. The Ubuntu project is using an earlier version of this patchset in their distribution to enable stacking for containers. Performance measurements to date have the change within the "noise". The sockperf and dbench results are on the order of 0.2% to

[PATCH v2 RFC] LSM: lsm_self_attr syscall for LSM self attributes

2022-09-19 Thread Casey Schaufler
attribute processing for security_[gs]etprocattr(). Signed-off-by: Casey Schaufler --- arch/x86/entry/syscalls/syscall_64.tbl | 1 + fs/proc/base.c | 29 ++--- fs/proc/internal.h | 2 +- include/linux/lsm_hooks.h | 13 ++- include/linux

Re: LSM stacking in next for 6.1?

2022-09-15 Thread Casey Schaufler
On 9/15/2022 7:27 AM, Tetsuo Handa wrote: > On 2022/09/14 22:56, Paul Moore wrote: >> On Fri, Sep 9, 2022 at 7:33 AM Tetsuo Handa >> wrote: >>> Inclusion into upstream is far from the goal. >> For better or worse, there is a long history of the upstream Linux >> Kernel focusing only on in-tree ke

[PATCH RFC] LSM: Specify which LSM to display

2022-09-14 Thread Casey Schaufler
security module is responsible for defining its policy. AppArmor hook initially provided by John Johansen . SELinux hook initially provided by Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/security.h | 17 include/uapi/linux/prctl.h | 4 + security

Re: LSM stacking in next for 6.1?

2022-09-14 Thread Casey Schaufler
On 9/14/2022 6:57 AM, Tetsuo Handa wrote: > On 2022/09/13 23:45, Casey Schaufler wrote: >>> . A security module that manages loadable LSM modules cannot give us a good >>> answer >>> if there is a kernel config option to disable the manager security module. >

Re: LSM stacking in next for 6.1?

2022-09-13 Thread Casey Schaufler
On 9/13/2022 3:47 AM, Tetsuo Handa wrote: > On 2022/09/13 2:37, Casey Schaufler wrote: >> That doesn't give us a good answer for loadable modules. The last time I >> looked >> seriously at loadable modules I was considering that we'd need a security >> m

Re: LSM stacking in next for 6.1?

2022-09-12 Thread Casey Schaufler
On 9/9/2022 9:17 PM, Tetsuo Handa wrote: > On 2022/09/09 7:56, Casey Schaufler wrote: >> Good idea. I'm reading the official how-to-write-a-syscall documentation. > Can't we use prctl() syscall? We can assign an LSM ID when an (built-in or > loadable) LSM > is loaded,

[PATCH RFC] LSM: lsm_self_attr system call to get security module attributes

2022-09-09 Thread Casey Schaufler
providing the attribute, which of the possible attributes is provided, the size of the attribute, and finally the attribute value as a nul terminated string. An LSM ID table is introduced to map IDs to security modules. Signed-off-by: Casey Schaufler -- arch/x86/entry/syscalls/syscall_64

Re: LSM stacking in next for 6.1?

2022-09-08 Thread Casey Schaufler
On 9/8/2022 12:32 PM, Paul Moore wrote: > On Thu, Sep 8, 2022 at 2:05 PM Casey Schaufler wrote: >> On 9/7/2022 8:57 PM, Paul Moore wrote: >>> On Wed, Sep 7, 2022 at 7:53 PM Casey Schaufler >>> wrote: >>>> On 9/7/2022 4:27 PM, Paul Moore wrote: > ..

Re: LSM stacking in next for 6.1?

2022-09-08 Thread Casey Schaufler
On 9/7/2022 8:57 PM, Paul Moore wrote: > On Wed, Sep 7, 2022 at 7:53 PM Casey Schaufler wrote: >> On 9/7/2022 4:27 PM, Paul Moore wrote: > .. > >>> I >>> just want an interface that is clearly defined, has reasonable >>> capacity to be extended in

Re: LSM stacking in next for 6.1?

2022-09-08 Thread Casey Schaufler
On 9/8/2022 8:18 AM, Tetsuo Handa wrote: > On 2022/08/03 9:01, Casey Schaufler wrote: >> I would like very much to get v38 or v39 of the LSM stacking for Apparmor >> patch set in the LSM next branch for 6.1. The audit changes have polished >> up nicely and I believe tha

Re: LSM stacking in next for 6.1?

2022-09-07 Thread Casey Schaufler
On 9/7/2022 4:27 PM, Paul Moore wrote: > On Wed, Sep 7, 2022 at 12:42 PM Casey Schaufler > wrote: >> On 9/7/2022 7:41 AM, Paul Moore wrote: >>> On Tue, Sep 6, 2022 at 8:10 PM John Johansen >>> wrote: >>>> On 9/6/22 16:24, Paul Moore wrote: >>

Re: LSM stacking in next for 6.1?

2022-09-07 Thread Casey Schaufler
On 9/7/2022 4:04 PM, Paul Moore wrote: > On Wed, Sep 7, 2022 at 1:08 PM Casey Schaufler wrote: >> On 9/7/2022 8:13 AM, Paul Moore wrote: >>> On Tue, Sep 6, 2022 at 8:31 PM Casey Schaufler >>> wrote: >>>> On 9/6/2022 4:24 PM, Paul Moore wrote: >>>

Re: LSM stacking in next for 6.1?

2022-09-07 Thread Casey Schaufler
On 9/7/2022 8:13 AM, Paul Moore wrote: > On Tue, Sep 6, 2022 at 8:31 PM Casey Schaufler wrote: >> On 9/6/2022 4:24 PM, Paul Moore wrote: >>> On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler >>> wrote: >>>> On 9/2/2022 2:30 PM, Paul Moore wrote: >>

Re: LSM stacking in next for 6.1?

2022-09-07 Thread Casey Schaufler
On 9/7/2022 7:41 AM, Paul Moore wrote: > On Tue, Sep 6, 2022 at 8:10 PM John Johansen > wrote: >> On 9/6/22 16:24, Paul Moore wrote: >>> On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler >>> wrote: >>>> On 9/2/2022 2:30 PM, Paul Moore wrote: >>>

Re: LSM stacking in next for 6.1?

2022-09-06 Thread Casey Schaufler
On 9/6/2022 5:10 PM, John Johansen wrote: > sorry I am way behind on this, so starting from here > > On 9/6/22 16:24, Paul Moore wrote: >> I can't currently in good conscience defend the kernel/userspace >> combined label interfaces as "good", especially when we have a very >> rare opportunity t

Re: LSM stacking in next for 6.1?

2022-09-06 Thread Casey Schaufler
On 9/6/2022 4:24 PM, Paul Moore wrote: > On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler wrote: >> On 9/2/2022 2:30 PM, Paul Moore wrote: >>> On Tue, Aug 2, 2022 at 8:56 PM Paul Moore wrote: >>>> On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler >>>> wrot

Re: LSM stacking in next for 6.1?

2022-09-02 Thread Casey Schaufler
On 9/2/2022 4:14 PM, Casey Schaufler wrote: > On 9/2/2022 2:30 PM, Paul Moore wrote: > ... >> I think it's time to think about a proper set of LSM syscalls. > At the very least we need a liblsm that performs a number of useful > functions Which would include at least th

Re: LSM stacking in next for 6.1?

2022-09-02 Thread Casey Schaufler
On 9/2/2022 2:30 PM, Paul Moore wrote: > On Tue, Aug 2, 2022 at 8:56 PM Paul Moore wrote: >> On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler >> wrote: >>> I would like very much to get v38 or v39 of the LSM stacking for Apparmor >>> patch set in the LSM next

Re: LSM stacking in next for 6.1?

2022-08-02 Thread Casey Schaufler
On 8/2/2022 5:56 PM, Paul Moore wrote: > On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler wrote: >> I would like very much to get v38 or v39 of the LSM stacking for Apparmor >> patch set in the LSM next branch for 6.1. The audit changes have polished >> up nicely and I believe

LSM stacking in next for 6.1?

2022-08-02 Thread Casey Schaufler
I would like very much to get v38 or v39 of the LSM stacking for Apparmor patch set in the LSM next branch for 6.1. The audit changes have polished up nicely and I believe that all comments on the integrity code have been addressed. The interface_lsm mechanism has been beaten to a frothy peak. Ther

Re: [PATCH v37 00/33] LSM: Module stacking for AppArmor

2022-07-12 Thread Casey Schaufler
On 7/12/2022 2:42 PM, John Johansen wrote: > On 6/27/22 17:55, Casey Schaufler wrote: >> This patchset provides the changes required for >> the AppArmor security module to stack safely with any other. >> There are additional changes required for SELinux and Smack >> to c

[PATCH v37 33/33] AppArmor: Remove the exclusive flag

2022-06-27 Thread Casey Schaufler
erferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +--- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/appa

[PATCH v37 31/33] LSM: Removed scaffolding function lsmcontext_init

2022-06-27 Thread Casey Schaufler
The scaffolding function lsmcontext_init() is no longer used. Remove it. Signed-off-by: Casey Schaufler --- include/linux/security.h | 19 --- 1 file changed, 19 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 890a5f9f043c..a7154cc3ffd1

[PATCH v37 30/33] netlabel: Use a struct lsmblob in audit data

2022-06-27 Thread Casey Schaufler
Remove scaffolding in netlabel audit by keeping subject lsm information in an lsmblob structure instead of a secid. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/net/netlabel.h| 2 +- net/netlabel/netlabel_unlabeled.c | 4 +--- net/netlabel/netlabel_user.c

[PATCH v37 32/33] LSM: Add /proc attr entry for full LSM context

2022-06-27 Thread Casey Schaufler
one of the information will be displayed. Reviewed-by: Kees Cook Acked-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org --- Documentation/security/lsm.rst | 14 + fs/proc/base.c | 1 + include/linux/l

[PATCH v37 28/33] audit: multiple subject lsm values for netlabel

2022-06-27 Thread Casey Schaufler
Refactor audit_log_task_context(), creating a new audit_log_subject_context(). This is used in netlabel auditing to provide multiple subject security contexts as necessary. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/audit.h| 7 +++ kernel/audit.c

[PATCH v37 29/33] Audit: Add record for multiple object contexts

2022-06-27 Thread Casey Schaufler
"obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- i

[PATCH v37 27/33] Audit: Add record for multiple task security contexts

2022-06-27 Thread Casey Schaufler
"subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- includ

[PATCH v37 25/33] LSM: Add a function to report multiple LSMs

2022-06-27 Thread Casey Schaufler
Add a new boolean function lsm_multiple_contexts() to identify when multiple security modules provide security context strings. Signed-off-by: Casey Schaufler Acked-by: Paul Moore Reviewed-by: John Johansen --- include/linux/security.h | 9 + 1 file changed, 9 insertions(+) diff

[PATCH v37 26/33] Audit: Allow multiple records in an audit_buffer

2022-06-27 Thread Casey Schaufler
e are currently defined) as have been added to the list. Functions are created to manage the skb list in the audit_buffer. Suggested-by: Paul Moore Signed-off-by: Casey Schaufler --- kernel/audit.c | 111 +++-- 1 file changed, 89 insertions(+), 22 dele

[PATCH v37 24/33] Audit: Create audit_stamp structure

2022-06-27 Thread Casey Schaufler
Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- kernel/audit.c | 17 + kernel/audit.h | 13 + kernel/auditsc.c | 22 +- 3

[PATCH v37 23/33] Audit: Keep multiple LSM data in audit_names

2022-06-27 Thread Casey Schaufler
Replace the osid field in the audit_names structure with a lsmblob structure. This accommodates the use of an lsmblob in security_audit_rule_match() and security_inode_getsecid(). Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- kernel/audit.h | 2 +- kernel/auditsc.c | 22

[PATCH v37 21/33] binder: Pass LSM identifier for confirmation

2022-06-27 Thread Casey Schaufler
Send an identifier for the security module interface_lsm along with the security context. This allows the receiver to verify that the receiver and the sender agree on which security module's context is being used. If they don't agree the message is rejected. Signed-off-by: Casey

[PATCH v37 22/33] LSM: security_secid_to_secctx module selection

2022-06-27 Thread Casey Schaufler
ISPLAY the "interface lsm" is used. If the value is LSMBLOB_FIRST the first security module providing a hook is used. The integrity IMA subsystem has chosen to always use the LSMBLOB_FIRST behavior, regardless of the lsm_display values. Signed-off-by: Casey Schaufler --- driv

[PATCH v37 20/33] NET: Store LSM netlabel data in a lsmblob

2022-06-27 Thread Casey Schaufler
netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4

[PATCH v37 19/33] LSM: security_secid_to_secctx in netlink netfilter

2022-06-27 Thread Casey Schaufler
Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de

[PATCH v37 18/33] LSM: Use lsmcontext in security_dentry_init_security

2022-06-27 Thread Casey Schaufler
new structure. Special care is taken in the NFS code, which uses the same data structure for its own copied labels as it does for the data which comes from security_dentry_init_security(). In the case of copied labels the data has to be freed, not released. Signed-off-by: Casey Schaufler --- fs

[PATCH v37 17/33] LSM: Use lsmcontext in security_inode_getsecctx

2022-06-27 Thread Casey Schaufler
-by: Chuck Lever Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org --- fs/nfsd/nfs4xdr.c| 23 +-- include/linux/security.h | 5 +++-- security/security.c | 13 +++-- 3 files changed, 23

[PATCH v37 16/33] LSM: Use lsmcontext in security_secid_to_secctx

2022-06-27 Thread Casey Schaufler
new structure. security_secid_to_secctx() will now return the length value if the passed lsmcontext pointer is NULL. Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-de...@vger.kernel.org --- drivers/android/binder.c| 26

[PATCH v37 15/33] LSM: Ensure the correct LSM context releaser

2022-06-27 Thread Casey Schaufler
allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.

[PATCH v37 14/33] LSM: Specify which LSM to display

2022-06-27 Thread Casey Schaufler
"interface_lsm" requires that all security modules using setprocattr hooks allow the action. Each security module is responsible for defining its policy. AppArmor hook provided by John Johansen SELinux hook provided by Stephen Smalley Signed-off-by: Casey Schaufler Cc: Kees Cook Cc: S

[PATCH v37 13/33] LSM: Use lsmblob in security_cred_getsecid

2022-06-27 Thread Casey Schaufler
: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-audit@redhat.com --- drivers/android/binder.c | 12 +-- include/linux/security.h | 7 --- kernel/audit.c| 25
