[security-next,v3,00/29] LSM: Explict LSM ordering

Message ID	20180925001832.18322-1-keescook@chromium.org (mailing list archive)
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Kees Cook <keescook@chromium.org> To: James Morris <jmorris@namei.org> Cc: Kees Cook <keescook@chromium.org>, Casey Schaufler <casey@schaufler-ca.com>, John Johansen <john.johansen@canonical.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, "Schaufler, Casey" <casey.schaufler@intel.com>, LSM <linux-security-module@vger.kernel.org>, Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 00/29] LSM: Explict LSM ordering Date: Mon, 24 Sep 2018 17:18:03 -0700 Message-Id: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Explict LSM ordering \| expand [security-next,v3,00/29] LSM: Explict LSM ordering [security-next,v3,01/29] LSM: Correctly announce start of LSM initialization [security-next,v3,02/29] vmlinux.lds.h: Avoid copy/paste of security_init section [security-next,v3,03/29] LSM: Rename .security_initcall section to .lsm_info [security-next,v3,04/29] LSM: Remove initcall tracing [security-next,v3,05/29] LSM: Convert from initcall to struct lsm_info [security-next,v3,06/29] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA [security-next,v3,07/29] LSM: Convert security_initcall() into DEFINE_LSM() [security-next,v3,08/29] LSM: Record LSM name in struct lsm_info [security-next,v3,09/29] LSM: Provide init debugging infrastructure [security-next,v3,10/29] LSM: Don't ignore initialization failures [security-next,v3,11/29] LSM: Introduce LSM_FLAG_LEGACY_MAJOR [security-next,v3,12/29] LSM: Provide separate ordered initialization [security-next,v3,13/29] LoadPin: Rename "enable" to "enforce" [security-next,v3,14/29] LSM: Plumb visibility into optional "enabled" state [security-next,v3,15/29] LSM: Lift LSM selection out of individual LSMs [security-next,v3,16/29] LSM: Prepare for arbitrary LSM enabling [security-next,v3,17/29] LSM: Introduce CONFIG_LSM_ENABLE [security-next,v3,18/29] LSM: Introduce lsm.enable= and lsm.disable= [security-next,v3,19/29] LSM: Prepare for reorganizing "security=" logic [security-next,v3,20/29] LSM: Refactor "security=" in terms of enable/disable [security-next,v3,21/29] LSM: Build ordered list of ordered LSMs for init [security-next,v3,22/29] LSM: Introduce CONFIG_LSM_ORDER [security-next,v3,23/29] LSM: Introduce "lsm.order=" for boottime ordering [security-next,v3,24/29] LoadPin: Initialize as ordered LSM [security-next,v3,25/29] Yama: Initialize as ordered LSM [security-next,v3,26/29] LSM: Introduce enum lsm_order [security-next,v3,27/29] capability: Initialize as LSM_ORDER_FIRST [security-next,v3,28/29] LSM: Separate idea of "major" LSM from "exclusive" LSM [security-next,v3,29/29] LSM: Add all exclusive LSMs to ordered initialization

Kees Cook Sept. 25, 2018, 12:18 a.m. UTC

v3:
- add CONFIG_LSM_ENABLE and refactor resulting logic

v2:
- add "lsm.order=" and CONFIG_LSM_ORDER instead of overloading "security="
- reorganize introduction of ordering logic code

Overview:

This refactors the LSM registration and initialization infrastructure to
more centrally support different LSM types for more cleanly supporting the
future expansion of LSM stacking via the "blob-sharing" patch series. What
was considered a "major" LSM is kept for legacy use of the "security="
boot parameter, and now overlaps with the new class of "exclusive" LSMs
for the future blob sharing. The "minor" LSMs become more well defined
as a result of the refactoring.

Approach:

To better show LSMs activation some debug reporting was added (enabled
with the "lsm.debug" boot commandline option).

I added a WARN() around LSM initialization failures, which appear to
have always been silently ignored. (Realistically any LSM init failures
would have only been due to catastrophic kernel issues that would render
a system unworkable anyway, but it'd be better to expose the problem as
early as possible.)

Instead of continuing to (somewhat improperly) overload the kernel's
initcall system, this changes the LSM infrastructure to store a
registration structure (struct lsm_info) table instead, where metadata
about each LSM can be recorded (name, flags, order, enable flag, init
function). This can be extended in the future to include things like
required blob size for the coming "blob sharing" LSMs.

The "major" LSMs had to individually negotiate which of them should be
enabled. This didn't provide a way to negotiate combinations of other
LSMs (as will be needed for "blob sharing" LSMs). This is solved by
providing the LSM infrastructure with all the details needed to make
the choice (exposing the per-LSM "enabled" flag, if used, the LSM
characteristics, and ordering expectations).

As a result of the refactoring, the "minor" LSMs are able to remove
the open-coded security_add_hooks() calls for "capability", "yama",
and "loadpin", and to redefine "integrity" properly as a general LSM.
(Note that "integrity" actually defined _no_ hooks, but needs the early
initialization).

With all LSMs being proessed centrally, it was possible to implement
a new boot parameter "lsm.order=" to provide explicit ordering, which
is helpful for the future "blob sharing" LSMs. Matching this is the
new CONFIG_LSM_ORDER, which replaces CONFIG_DEFAULT_SECURITY, as it
provides a higher granularity of control.

Breakdown of patches:

Infrastructure improvements (no logical changes):
  LSM: Correctly announce start of LSM initialization
  vmlinux.lds.h: Avoid copy/paste of security_init section
  LSM: Rename .security_initcall section to .lsm_info
  LSM: Remove initcall tracing
  LSM: Convert from initcall to struct lsm_info
  vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
  LSM: Convert security_initcall() into DEFINE_LSM()
  LSM: Record LSM name in struct lsm_info
  LSM: Provide init debugging infrastructure
  LSM: Don't ignore initialization failures

Split "integrity" out into "ordered initialization" (no logical changes):
  LSM: Introduce LSM_FLAG_LEGACY_MAJOR
  LSM: Provide separate ordered initialization

Provide centralized LSM enable/disable infrastructure:
  LoadPin: Rename "enable" to "enforce"
  LSM: Plumb visibility into optional "enabled" state
  LSM: Lift LSM selection out of individual LSMs
  LSM: Prepare for arbitrary LSM enabling
  LSM: Introduce CONFIG_LSM_ENABLE
  LSM: Introduce lsm.enable= and lsm.disable=
  LSM: Prepare for reorganizing "security=" logic
  LSM: Refactor "security=" in terms of enable/disable

Provide centralized LSM ordering infrastructure:
  LSM: Build ordered list of ordered LSMs for init
  LSM: Introduce CONFIG_LSM_ORDER
  LSM: Introduce "lsm.order=" for boottime ordering

Move minor LSMs into ordered LSM initialization:
  LoadPin: Initialize as ordered LSM
  Yama: Initialize as ordered LSM
  LSM: Introduce enum lsm_order
  capability: Initialize as LSM_ORDER_FIRST

Move major LSMs into ordered LSM initialization:
  LSM: Separate idea of "major" LSM from "exclusive" LSM
  LSM: Add all exclusive LSMs to ordered initialization

-Kees

 .../admin-guide/kernel-parameters.txt         |  20 +
 arch/arc/kernel/vmlinux.lds.S                 |   1 -
 arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
 arch/arm64/kernel/vmlinux.lds.S               |   1 -
 arch/h8300/kernel/vmlinux.lds.S               |   1 -
 arch/microblaze/kernel/vmlinux.lds.S          |   2 -
 arch/powerpc/kernel/vmlinux.lds.S             |   2 -
 arch/um/include/asm/common.lds.S              |   2 -
 arch/xtensa/kernel/vmlinux.lds.S              |   1 -
 include/asm-generic/vmlinux.lds.h             |  25 +-
 include/linux/init.h                          |   2 -
 include/linux/lsm_hooks.h                     |  43 ++-
 include/linux/module.h                        |   1 -
 security/Kconfig                              |  61 ++-
 security/apparmor/lsm.c                       |  16 +-
 security/commoncap.c                          |   8 +-
 security/integrity/iint.c                     |   5 +-
 security/loadpin/Kconfig                      |   4 +-
 security/loadpin/loadpin.c                    |  28 +-
 security/security.c                           | 351 +++++++++++++++---
 security/selinux/hooks.c                      |  16 +-
 security/smack/smack_lsm.c                    |   8 +-
 security/tomoyo/tomoyo.c                      |   7 +-
 security/yama/yama_lsm.c                      |   7 +-
 24 files changed, 438 insertions(+), 175 deletions(-)

Casey Schaufler Sept. 28, 2018, 3:55 p.m. UTC | #1

On 9/24/2018 5:18 PM, Kees Cook wrote:
> v3:
> - add CONFIG_LSM_ENABLE and refactor resulting logic

Kees, you can add my

	Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>

for this entire patch set. Thank you for taking this on, it's
a significant and important chunk of the LSM infrastructure
update.


> ...
> Breakdown of patches:
>
> Infrastructure improvements (no logical changes):
>   LSM: Correctly announce start of LSM initialization
>   vmlinux.lds.h: Avoid copy/paste of security_init section
>   LSM: Rename .security_initcall section to .lsm_info
>   LSM: Remove initcall tracing
>   LSM: Convert from initcall to struct lsm_info
>   vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
>   LSM: Convert security_initcall() into DEFINE_LSM()
>   LSM: Record LSM name in struct lsm_info
>   LSM: Provide init debugging infrastructure
>   LSM: Don't ignore initialization failures
>
> Split "integrity" out into "ordered initialization" (no logical changes):
>   LSM: Introduce LSM_FLAG_LEGACY_MAJOR
>   LSM: Provide separate ordered initialization
>
> Provide centralized LSM enable/disable infrastructure:
>   LoadPin: Rename "enable" to "enforce"
>   LSM: Plumb visibility into optional "enabled" state
>   LSM: Lift LSM selection out of individual LSMs
>   LSM: Prepare for arbitrary LSM enabling
>   LSM: Introduce CONFIG_LSM_ENABLE
>   LSM: Introduce lsm.enable= and lsm.disable=
>   LSM: Prepare for reorganizing "security=" logic
>   LSM: Refactor "security=" in terms of enable/disable
>
> Provide centralized LSM ordering infrastructure:
>   LSM: Build ordered list of ordered LSMs for init
>   LSM: Introduce CONFIG_LSM_ORDER
>   LSM: Introduce "lsm.order=" for boottime ordering
>
> Move minor LSMs into ordered LSM initialization:
>   LoadPin: Initialize as ordered LSM
>   Yama: Initialize as ordered LSM
>   LSM: Introduce enum lsm_order
>   capability: Initialize as LSM_ORDER_FIRST
>
> Move major LSMs into ordered LSM initialization:
>   LSM: Separate idea of "major" LSM from "exclusive" LSM
>   LSM: Add all exclusive LSMs to ordered initialization
>
> -Kees
>
>  .../admin-guide/kernel-parameters.txt         |  20 +
>  arch/arc/kernel/vmlinux.lds.S                 |   1 -
>  arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
>  arch/arm64/kernel/vmlinux.lds.S               |   1 -
>  arch/h8300/kernel/vmlinux.lds.S               |   1 -
>  arch/microblaze/kernel/vmlinux.lds.S          |   2 -
>  arch/powerpc/kernel/vmlinux.lds.S             |   2 -
>  arch/um/include/asm/common.lds.S              |   2 -
>  arch/xtensa/kernel/vmlinux.lds.S              |   1 -
>  include/asm-generic/vmlinux.lds.h             |  25 +-
>  include/linux/init.h                          |   2 -
>  include/linux/lsm_hooks.h                     |  43 ++-
>  include/linux/module.h                        |   1 -
>  security/Kconfig                              |  61 ++-
>  security/apparmor/lsm.c                       |  16 +-
>  security/commoncap.c                          |   8 +-
>  security/integrity/iint.c                     |   5 +-
>  security/loadpin/Kconfig                      |   4 +-
>  security/loadpin/loadpin.c                    |  28 +-
>  security/security.c                           | 351 +++++++++++++++---
>  security/selinux/hooks.c                      |  16 +-
>  security/smack/smack_lsm.c                    |   8 +-
>  security/tomoyo/tomoyo.c                      |   7 +-
>  security/yama/yama_lsm.c                      |   7 +-
>  24 files changed, 438 insertions(+), 175 deletions(-)
>

Kees Cook Sept. 28, 2018, 8:01 p.m. UTC | #2

On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 9/24/2018 5:18 PM, Kees Cook wrote:
>> v3:
>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>
> Kees, you can add my
>
>         Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>
> for this entire patch set. Thank you for taking this on, it's
> a significant and important chunk of the LSM infrastructure
> update.

Thanks!

John, you'd looked at this a bit too -- do the results line up with
your expectations?

Any thoughts from SELinux, TOMOYO, or IMA folks?

-Kees

>
>
>> ...
>> Breakdown of patches:
>>
>> Infrastructure improvements (no logical changes):
>>   LSM: Correctly announce start of LSM initialization
>>   vmlinux.lds.h: Avoid copy/paste of security_init section
>>   LSM: Rename .security_initcall section to .lsm_info
>>   LSM: Remove initcall tracing
>>   LSM: Convert from initcall to struct lsm_info
>>   vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
>>   LSM: Convert security_initcall() into DEFINE_LSM()
>>   LSM: Record LSM name in struct lsm_info
>>   LSM: Provide init debugging infrastructure
>>   LSM: Don't ignore initialization failures
>>
>> Split "integrity" out into "ordered initialization" (no logical changes):
>>   LSM: Introduce LSM_FLAG_LEGACY_MAJOR
>>   LSM: Provide separate ordered initialization
>>
>> Provide centralized LSM enable/disable infrastructure:
>>   LoadPin: Rename "enable" to "enforce"
>>   LSM: Plumb visibility into optional "enabled" state
>>   LSM: Lift LSM selection out of individual LSMs
>>   LSM: Prepare for arbitrary LSM enabling
>>   LSM: Introduce CONFIG_LSM_ENABLE
>>   LSM: Introduce lsm.enable= and lsm.disable=
>>   LSM: Prepare for reorganizing "security=" logic
>>   LSM: Refactor "security=" in terms of enable/disable
>>
>> Provide centralized LSM ordering infrastructure:
>>   LSM: Build ordered list of ordered LSMs for init
>>   LSM: Introduce CONFIG_LSM_ORDER
>>   LSM: Introduce "lsm.order=" for boottime ordering
>>
>> Move minor LSMs into ordered LSM initialization:
>>   LoadPin: Initialize as ordered LSM
>>   Yama: Initialize as ordered LSM
>>   LSM: Introduce enum lsm_order
>>   capability: Initialize as LSM_ORDER_FIRST
>>
>> Move major LSMs into ordered LSM initialization:
>>   LSM: Separate idea of "major" LSM from "exclusive" LSM
>>   LSM: Add all exclusive LSMs to ordered initialization
>>
>> -Kees
>>
>>  .../admin-guide/kernel-parameters.txt         |  20 +
>>  arch/arc/kernel/vmlinux.lds.S                 |   1 -
>>  arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
>>  arch/arm64/kernel/vmlinux.lds.S               |   1 -
>>  arch/h8300/kernel/vmlinux.lds.S               |   1 -
>>  arch/microblaze/kernel/vmlinux.lds.S          |   2 -
>>  arch/powerpc/kernel/vmlinux.lds.S             |   2 -
>>  arch/um/include/asm/common.lds.S              |   2 -
>>  arch/xtensa/kernel/vmlinux.lds.S              |   1 -
>>  include/asm-generic/vmlinux.lds.h             |  25 +-
>>  include/linux/init.h                          |   2 -
>>  include/linux/lsm_hooks.h                     |  43 ++-
>>  include/linux/module.h                        |   1 -
>>  security/Kconfig                              |  61 ++-
>>  security/apparmor/lsm.c                       |  16 +-
>>  security/commoncap.c                          |   8 +-
>>  security/integrity/iint.c                     |   5 +-
>>  security/loadpin/Kconfig                      |   4 +-
>>  security/loadpin/loadpin.c                    |  28 +-
>>  security/security.c                           | 351 +++++++++++++++---
>>  security/selinux/hooks.c                      |  16 +-
>>  security/smack/smack_lsm.c                    |   8 +-
>>  security/tomoyo/tomoyo.c                      |   7 +-
>>  security/yama/yama_lsm.c                      |   7 +-
>>  24 files changed, 438 insertions(+), 175 deletions(-)
>>
>

Stephen Smalley Sept. 28, 2018, 8:25 p.m. UTC | #3

On 09/28/2018 04:01 PM, Kees Cook wrote:
> On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 9/24/2018 5:18 PM, Kees Cook wrote:
>>> v3:
>>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>>
>> Kees, you can add my
>>
>>          Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>>
>> for this entire patch set. Thank you for taking this on, it's
>> a significant and important chunk of the LSM infrastructure
>> update.
> 
> Thanks!
> 
> John, you'd looked at this a bit too -- do the results line up with
> your expectations?
> 
> Any thoughts from SELinux, TOMOYO, or IMA folks?

What's it relative to?  First patch fails for me on current security/next.

Is there a branch in your repo that has the v3 patches?

> 
> -Kees
> 
>>
>>
>>> ...
>>> Breakdown of patches:
>>>
>>> Infrastructure improvements (no logical changes):
>>>    LSM: Correctly announce start of LSM initialization
>>>    vmlinux.lds.h: Avoid copy/paste of security_init section
>>>    LSM: Rename .security_initcall section to .lsm_info
>>>    LSM: Remove initcall tracing
>>>    LSM: Convert from initcall to struct lsm_info
>>>    vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
>>>    LSM: Convert security_initcall() into DEFINE_LSM()
>>>    LSM: Record LSM name in struct lsm_info
>>>    LSM: Provide init debugging infrastructure
>>>    LSM: Don't ignore initialization failures
>>>
>>> Split "integrity" out into "ordered initialization" (no logical changes):
>>>    LSM: Introduce LSM_FLAG_LEGACY_MAJOR
>>>    LSM: Provide separate ordered initialization
>>>
>>> Provide centralized LSM enable/disable infrastructure:
>>>    LoadPin: Rename "enable" to "enforce"
>>>    LSM: Plumb visibility into optional "enabled" state
>>>    LSM: Lift LSM selection out of individual LSMs
>>>    LSM: Prepare for arbitrary LSM enabling
>>>    LSM: Introduce CONFIG_LSM_ENABLE
>>>    LSM: Introduce lsm.enable= and lsm.disable=
>>>    LSM: Prepare for reorganizing "security=" logic
>>>    LSM: Refactor "security=" in terms of enable/disable
>>>
>>> Provide centralized LSM ordering infrastructure:
>>>    LSM: Build ordered list of ordered LSMs for init
>>>    LSM: Introduce CONFIG_LSM_ORDER
>>>    LSM: Introduce "lsm.order=" for boottime ordering
>>>
>>> Move minor LSMs into ordered LSM initialization:
>>>    LoadPin: Initialize as ordered LSM
>>>    Yama: Initialize as ordered LSM
>>>    LSM: Introduce enum lsm_order
>>>    capability: Initialize as LSM_ORDER_FIRST
>>>
>>> Move major LSMs into ordered LSM initialization:
>>>    LSM: Separate idea of "major" LSM from "exclusive" LSM
>>>    LSM: Add all exclusive LSMs to ordered initialization
>>>
>>> -Kees
>>>
>>>   .../admin-guide/kernel-parameters.txt         |  20 +
>>>   arch/arc/kernel/vmlinux.lds.S                 |   1 -
>>>   arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
>>>   arch/arm64/kernel/vmlinux.lds.S               |   1 -
>>>   arch/h8300/kernel/vmlinux.lds.S               |   1 -
>>>   arch/microblaze/kernel/vmlinux.lds.S          |   2 -
>>>   arch/powerpc/kernel/vmlinux.lds.S             |   2 -
>>>   arch/um/include/asm/common.lds.S              |   2 -
>>>   arch/xtensa/kernel/vmlinux.lds.S              |   1 -
>>>   include/asm-generic/vmlinux.lds.h             |  25 +-
>>>   include/linux/init.h                          |   2 -
>>>   include/linux/lsm_hooks.h                     |  43 ++-
>>>   include/linux/module.h                        |   1 -
>>>   security/Kconfig                              |  61 ++-
>>>   security/apparmor/lsm.c                       |  16 +-
>>>   security/commoncap.c                          |   8 +-
>>>   security/integrity/iint.c                     |   5 +-
>>>   security/loadpin/Kconfig                      |   4 +-
>>>   security/loadpin/loadpin.c                    |  28 +-
>>>   security/security.c                           | 351 +++++++++++++++---
>>>   security/selinux/hooks.c                      |  16 +-
>>>   security/smack/smack_lsm.c                    |   8 +-
>>>   security/tomoyo/tomoyo.c                      |   7 +-
>>>   security/yama/yama_lsm.c                      |   7 +-
>>>   24 files changed, 438 insertions(+), 175 deletions(-)
>>>
>>
> 
> 
>

Stephen Smalley Sept. 28, 2018, 8:33 p.m. UTC | #4

On 09/28/2018 04:25 PM, Stephen Smalley wrote:
> On 09/28/2018 04:01 PM, Kees Cook wrote:
>> On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler 
>> <casey@schaufler-ca.com> wrote:
>>> On 9/24/2018 5:18 PM, Kees Cook wrote:
>>>> v3:
>>>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>>>
>>> Kees, you can add my
>>>
>>>          Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>>>
>>> for this entire patch set. Thank you for taking this on, it's
>>> a significant and important chunk of the LSM infrastructure
>>> update.
>>
>> Thanks!
>>
>> John, you'd looked at this a bit too -- do the results line up with
>> your expectations?
>>
>> Any thoughts from SELinux, TOMOYO, or IMA folks?
> 
> What's it relative to?  First patch fails for me on current security/next.

Never mind - user error ;)

> Is there a branch in your repo that has the v3 patches?

But still wondered about this one.

> 
>>
>> -Kees
>>
>>>
>>>
>>>> ...
>>>> Breakdown of patches:
>>>>
>>>> Infrastructure improvements (no logical changes):
>>>>    LSM: Correctly announce start of LSM initialization
>>>>    vmlinux.lds.h: Avoid copy/paste of security_init section
>>>>    LSM: Rename .security_initcall section to .lsm_info
>>>>    LSM: Remove initcall tracing
>>>>    LSM: Convert from initcall to struct lsm_info
>>>>    vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
>>>>    LSM: Convert security_initcall() into DEFINE_LSM()
>>>>    LSM: Record LSM name in struct lsm_info
>>>>    LSM: Provide init debugging infrastructure
>>>>    LSM: Don't ignore initialization failures
>>>>
>>>> Split "integrity" out into "ordered initialization" (no logical 
>>>> changes):
>>>>    LSM: Introduce LSM_FLAG_LEGACY_MAJOR
>>>>    LSM: Provide separate ordered initialization
>>>>
>>>> Provide centralized LSM enable/disable infrastructure:
>>>>    LoadPin: Rename "enable" to "enforce"
>>>>    LSM: Plumb visibility into optional "enabled" state
>>>>    LSM: Lift LSM selection out of individual LSMs
>>>>    LSM: Prepare for arbitrary LSM enabling
>>>>    LSM: Introduce CONFIG_LSM_ENABLE
>>>>    LSM: Introduce lsm.enable= and lsm.disable=
>>>>    LSM: Prepare for reorganizing "security=" logic
>>>>    LSM: Refactor "security=" in terms of enable/disable
>>>>
>>>> Provide centralized LSM ordering infrastructure:
>>>>    LSM: Build ordered list of ordered LSMs for init
>>>>    LSM: Introduce CONFIG_LSM_ORDER
>>>>    LSM: Introduce "lsm.order=" for boottime ordering
>>>>
>>>> Move minor LSMs into ordered LSM initialization:
>>>>    LoadPin: Initialize as ordered LSM
>>>>    Yama: Initialize as ordered LSM
>>>>    LSM: Introduce enum lsm_order
>>>>    capability: Initialize as LSM_ORDER_FIRST
>>>>
>>>> Move major LSMs into ordered LSM initialization:
>>>>    LSM: Separate idea of "major" LSM from "exclusive" LSM
>>>>    LSM: Add all exclusive LSMs to ordered initialization
>>>>
>>>> -Kees
>>>>
>>>>   .../admin-guide/kernel-parameters.txt         |  20 +
>>>>   arch/arc/kernel/vmlinux.lds.S                 |   1 -
>>>>   arch/arm/kernel/vmlinux-xip.lds.S             |   1 -
>>>>   arch/arm64/kernel/vmlinux.lds.S               |   1 -
>>>>   arch/h8300/kernel/vmlinux.lds.S               |   1 -
>>>>   arch/microblaze/kernel/vmlinux.lds.S          |   2 -
>>>>   arch/powerpc/kernel/vmlinux.lds.S             |   2 -
>>>>   arch/um/include/asm/common.lds.S              |   2 -
>>>>   arch/xtensa/kernel/vmlinux.lds.S              |   1 -
>>>>   include/asm-generic/vmlinux.lds.h             |  25 +-
>>>>   include/linux/init.h                          |   2 -
>>>>   include/linux/lsm_hooks.h                     |  43 ++-
>>>>   include/linux/module.h                        |   1 -
>>>>   security/Kconfig                              |  61 ++-
>>>>   security/apparmor/lsm.c                       |  16 +-
>>>>   security/commoncap.c                          |   8 +-
>>>>   security/integrity/iint.c                     |   5 +-
>>>>   security/loadpin/Kconfig                      |   4 +-
>>>>   security/loadpin/loadpin.c                    |  28 +-
>>>>   security/security.c                           | 351 
>>>> +++++++++++++++---
>>>>   security/selinux/hooks.c                      |  16 +-
>>>>   security/smack/smack_lsm.c                    |   8 +-
>>>>   security/tomoyo/tomoyo.c                      |   7 +-
>>>>   security/yama/yama_lsm.c                      |   7 +-
>>>>   24 files changed, 438 insertions(+), 175 deletions(-)
>>>>
>>>
>>
>>
>>
>

Kees Cook Sept. 28, 2018, 8:54 p.m. UTC | #5

On Fri, Sep 28, 2018 at 1:33 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/28/2018 04:25 PM, Stephen Smalley wrote:
>>
>> On 09/28/2018 04:01 PM, Kees Cook wrote:
>>>
>>> On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler <casey@schaufler-ca.com>
>>> wrote:
>>>>
>>>> On 9/24/2018 5:18 PM, Kees Cook wrote:
>>>>>
>>>>> v3:
>>>>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>>>>
>>>>
>>>> Kees, you can add my
>>>>
>>>>          Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>>>>
>>>> for this entire patch set. Thank you for taking this on, it's
>>>> a significant and important chunk of the LSM infrastructure
>>>> update.
>>>
>>>
>>> Thanks!
>>>
>>> John, you'd looked at this a bit too -- do the results line up with
>>> your expectations?
>>>
>>> Any thoughts from SELinux, TOMOYO, or IMA folks?
>>
>>
>> What's it relative to?  First patch fails for me on current security/next.
>
> Never mind - user error ;)

FWIW, it's against v4.19-rc2.

>> Is there a branch in your repo that has the v3 patches?
>
> But still wondered about this one.

Oops! Sorry, I didn't push to kernel.org. Now pushed!

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=lsm/ordering-v3

(and "preview" v4 also with Reviewed-bys added and a cosmetic fix.)

-Kees

Tetsuo Handa Sept. 29, 2018, 10:48 a.m. UTC | #6

On 2018/09/29 5:01, Kees Cook wrote:
> On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 9/24/2018 5:18 PM, Kees Cook wrote:
>>> v3:
>>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>>
>> Kees, you can add my
>>
>>         Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>>
>> for this entire patch set. Thank you for taking this on, it's
>> a significant and important chunk of the LSM infrastructure
>> update.
> 
> Thanks!
> 
> John, you'd looked at this a bit too -- do the results line up with
> your expectations?
> 
> Any thoughts from SELinux, TOMOYO, or IMA folks?

I'm OK with this approach. Thank you.



Just wondering what is "__lsm_name_##lsm" for...

+#define DEFINE_LSM(lsm)                                                        \
+       static const char __lsm_name_##lsm[] __initconst                \
+               __aligned(1) = #lsm;                                    \
+       static struct lsm_info __lsm_##lsm                              \
+               __used __section(.lsm_info.init)                        \
+               __aligned(sizeof(unsigned long))                        \
+               = {                                                     \
+                       .name = __lsm_name_##lsm,                       \
+
+#define END_LSM          }

We could do something like below so that funny END_LSM is not required?
I felt } like a typo error at the first glance. What we need is to
gather into one section with appropriate alignment, isn't it?

#define LSM_INFO                                                        \
	static struct lsm_info __lsm_                                   \
		__used __section(.lsm_info.init)                        \
		__aligned(sizeof(unsigned long))                        \

LSM_INFO = {
	.name = "tomoyo",
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
	.init = tomoyo_init,
};

Kees Cook Sept. 29, 2018, 6:18 p.m. UTC | #7

On Sat, Sep 29, 2018 at 3:48 AM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> On 2018/09/29 5:01, Kees Cook wrote:
>> On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> On 9/24/2018 5:18 PM, Kees Cook wrote:
>>>> v3:
>>>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>>>
>>> Kees, you can add my
>>>
>>>         Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>>>
>>> for this entire patch set. Thank you for taking this on, it's
>>> a significant and important chunk of the LSM infrastructure
>>> update.
>>
>> Thanks!
>>
>> John, you'd looked at this a bit too -- do the results line up with
>> your expectations?
>>
>> Any thoughts from SELinux, TOMOYO, or IMA folks?
>
> I'm OK with this approach. Thank you.

Thanks for looking it over!

> Just wondering what is "__lsm_name_##lsm" for...
>
> +#define DEFINE_LSM(lsm)                                                        \
> +       static const char __lsm_name_##lsm[] __initconst                \
> +               __aligned(1) = #lsm;                                    \
> +       static struct lsm_info __lsm_##lsm                              \
> +               __used __section(.lsm_info.init)                        \
> +               __aligned(sizeof(unsigned long))                        \
> +               = {                                                     \
> +                       .name = __lsm_name_##lsm,                       \
> +
> +#define END_LSM          }

I wasn't super happy with the END_LSM thing, but I wanted to be able
to declare the name as __initconst, otherwise it needlessly stays in
memory after init. That said, it's not a huge deal, and maybe
readability trumps a tiny meory savings?

> We could do something like below so that funny END_LSM is not required?
> I felt } like a typo error at the first glance. What we need is to
> gather into one section with appropriate alignment, isn't it?
>
> #define LSM_INFO                                                        \
>         static struct lsm_info __lsm_                                   \
>                 __used __section(.lsm_info.init)                        \
>                 __aligned(sizeof(unsigned long))                        \
>
> LSM_INFO = {
>         .name = "tomoyo",
>         .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
>         .init = tomoyo_init,
> };

I thought the structure instances would need a unique name, but it
seems the section naming removes that requirement. This seems only to
be needed if we had multiple LSMs defined in the same source file.
Though I wonder if this would be a problem for LTO in the future?

I'm happy to do whatever.

-Kees

John Johansen Sept. 29, 2018, 6:19 p.m. UTC | #8

On 09/29/2018 03:48 AM, Tetsuo Handa wrote:
> On 2018/09/29 5:01, Kees Cook wrote:
>> On Fri, Sep 28, 2018 at 8:55 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> On 9/24/2018 5:18 PM, Kees Cook wrote:
>>>> v3:
>>>> - add CONFIG_LSM_ENABLE and refactor resulting logic
>>>
>>> Kees, you can add my
>>>
>>>         Reviewed-by:Casey Schaufler <casey@schaufler-ca.com>
>>>
>>> for this entire patch set. Thank you for taking this on, it's
>>> a significant and important chunk of the LSM infrastructure
>>> update.
>>
>> Thanks!
>>
>> John, you'd looked at this a bit too -- do the results line up with
>> your expectations?
>>
>> Any thoughts from SELinux, TOMOYO, or IMA folks?
> 
> I'm OK with this approach. Thank you.
> 
> 
> 
> Just wondering what is "__lsm_name_##lsm" for...
> 
> +#define DEFINE_LSM(lsm)                                                        \
> +       static const char __lsm_name_##lsm[] __initconst                \
> +               __aligned(1) = #lsm;                                    \
> +       static struct lsm_info __lsm_##lsm                              \
> +               __used __section(.lsm_info.init)                        \
> +               __aligned(sizeof(unsigned long))                        \
> +               = {                                                     \
> +                       .name = __lsm_name_##lsm,                       \
> +
> +#define END_LSM          }
> 
> We could do something like below so that funny END_LSM is not required?
> I felt } like a typo error at the first glance. What we need is to
> gather into one section with appropriate alignment, isn't it?
> 

well and Kees was trying to automagically set the name. This threw
me off too at first and I am still trying to figure out if I would
prefer something simpler, and more standard like below.

> #define LSM_INFO                                                        \
> 	static struct lsm_info __lsm_                                   \
> 		__used __section(.lsm_info.init)                        \
> 		__aligned(sizeof(unsigned long))                        \
> 
> LSM_INFO = {
> 	.name = "tomoyo",
> 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
> 	.init = tomoyo_init,
> };
>

Tetsuo Handa Sept. 30, 2018, 2:36 a.m. UTC | #9

On 2018/09/30 3:18, Kees Cook wrote:
>> Just wondering what is "__lsm_name_##lsm" for...
>>
>> +#define DEFINE_LSM(lsm)                                                        \
>> +       static const char __lsm_name_##lsm[] __initconst                \
>> +               __aligned(1) = #lsm;                                    \
>> +       static struct lsm_info __lsm_##lsm                              \
>> +               __used __section(.lsm_info.init)                        \
>> +               __aligned(sizeof(unsigned long))                        \
>> +               = {                                                     \
>> +                       .name = __lsm_name_##lsm,                       \
>> +
>> +#define END_LSM          }
> 
> I wasn't super happy with the END_LSM thing, but I wanted to be able
> to declare the name as __initconst, otherwise it needlessly stays in
> memory after init. That said, it's not a huge deal, and maybe
> readability trumps a tiny meory savings?

The value of .name field is a few bytes string, and is not sensitive
information. Keeping such string in non-__initdata section unlikely
increases total memory pages required for that module.

Unless we need to generate unique address of such string for some reason,
I think that this saving is pointless.

Kees Cook Sept. 30, 2018, 4:57 p.m. UTC | #10

On Sat, Sep 29, 2018 at 7:36 PM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> On 2018/09/30 3:18, Kees Cook wrote:
>>> Just wondering what is "__lsm_name_##lsm" for...
>>>
>>> +#define DEFINE_LSM(lsm)                                                        \
>>> +       static const char __lsm_name_##lsm[] __initconst                \
>>> +               __aligned(1) = #lsm;                                    \
>>> +       static struct lsm_info __lsm_##lsm                              \
>>> +               __used __section(.lsm_info.init)                        \
>>> +               __aligned(sizeof(unsigned long))                        \
>>> +               = {                                                     \
>>> +                       .name = __lsm_name_##lsm,                       \
>>> +
>>> +#define END_LSM          }
>>
>> I wasn't super happy with the END_LSM thing, but I wanted to be able
>> to declare the name as __initconst, otherwise it needlessly stays in
>> memory after init. That said, it's not a huge deal, and maybe
>> readability trumps a tiny meory savings?
>
> The value of .name field is a few bytes string, and is not sensitive
> information. Keeping such string in non-__initdata section unlikely
> increases total memory pages required for that module.
>
> Unless we need to generate unique address of such string for some reason,
> I think that this saving is pointless.

Okay, sounds good. I will adjust the macro and respin with a v4.

Thanks!

-Kees

[security-next,v3,00/29] LSM: Explict LSM ordering

Message

Comments