Message ID | 20190228221933.2551-1-casey@schaufler-ca.com (mailing list archive)
---|---
Series | LSM: Complete module stacking
On 2/28/19 5:17 PM, Casey Schaufler wrote:
> This is a preliminary version of the complete stacking
> implementation. The patches need to be cleaned up, and
> several are not strictly necessary. There is likely to
> be work required in the audit sub-system. It does address
> all the shared data, including CIPSO headers. It should
> handle CALIPSO once Smack supports it. I will be revising
> the set after 5.1.
>
> Complete the transition from module based blob management
> to infrastructure based blob management. This includes
> the socket, superblock and key blobs.
>
> Change the LSM infrastructure from exposing secids to
> exposing an opaque "lsm_export" structure that can contain
> information for multiple active security modules. Update
> all of the security modules to use information from the
> lsm_export structure. Update the LSM interfaces that expose
> secids for more than one module to use the export structure.
> Update all the users of these interfaces.
>
> Change the LSM infrastructure from using a string/size pair
> for security "contexts" to a "lsm_context" structure that
> can represent information for multiple modules. This contains
> information that allows the "context" to be properly freed
> regardless of where it is allocated and where it is used.
>
> Add an interface to identify which security module data
> should be presented with SO_PEERSEC. /proc/.../attr/display
> will set and report the name of the LSM that
> security_secid_to_secctx() will use to translate to text.
> If it is not explicitly set, the first security module that
> supplies secid (now lsm_export) interfaces will be used.
> To ensure consistency, a set of module hooks dealing with
> the secid/context processing is maintained with each process
> that explicitly sets it.
>
> Before sending a network packet verify that all interested
> security modules agree on the labeling. Fail if the labeling
> cannot be reconciled. This requires a new Netlabel interface
> to compare proposed labels, and a change to the return values
> from the existing netlabel attribute setting functions.

Have you run any benchmarks to assess the performance impact of these changes?

>
> git://github.com/cschaufler/lsm-stacking.git#5.0-rc3-plus-a
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  fs/kernfs/dir.c | 6 +-
>  fs/kernfs/inode.c | 31 +-
>  fs/kernfs/kernfs-internal.h | 4 +-
>  fs/nfs/inode.c | 13 +-
>  fs/nfs/internal.h | 8 +-
>  fs/nfs/nfs4proc.c | 17 +-
>  fs/nfs/nfs4xdr.c | 16 +-
>  fs/nfsd/nfs4proc.c | 8 +-
>  fs/nfsd/nfs4xdr.c | 14 +-
>  fs/nfsd/vfs.c | 7 +-
>  fs/proc/base.c | 1 +
>  include/linux/cred.h | 3 +-
>  include/linux/lsm_hooks.h | 122 ++-
>  include/linux/nfs4.h | 8 +-
>  include/linux/security.h | 165 +++-
>  include/net/netlabel.h | 18 +-
>  include/net/route.h | 55 +-
>  include/net/scm.h | 14 +-
>  include/net/sock.h | 14 +-
>  include/uapi/linux/netfilter/xt_CONNMARK.h | 45 +-
>  include/uapi/linux/netfilter/xt_DSCP.h | 27 +-
>  include/uapi/linux/netfilter/xt_MARK.h | 17 +-
>  include/uapi/linux/netfilter/xt_RATEEST.h | 38 +-
>  include/uapi/linux/netfilter/xt_TCPMSS.h | 13 +-
>  include/uapi/linux/netfilter_ipv4/ipt_ECN.h | 40 +-
>  include/uapi/linux/netfilter_ipv4/ipt_TTL.h | 14 +-
>  include/uapi/linux/netfilter_ipv6/ip6t_HL.h | 14 +-
>  kernel/audit.c | 60 +-
>  kernel/audit.h | 9 +-
>  kernel/auditfilter.c | 6 +-
>  kernel/auditsc.c | 61 +-
>  kernel/cred.c | 15 +-
>  net/ipv4/cipso_ipv4.c | 13 +-
>  net/ipv4/ip_sockglue.c | 14 +-
>  net/ipv4/route.c | 61 ++
>  net/netfilter/nf_conntrack_netlink.c | 27 +-
>  net/netfilter/nf_conntrack_standalone.c | 16 +-
>  net/netfilter/nfnetlink_queue.c | 35 +-
>  net/netfilter/nft_meta.c | 8 +-
>  net/netfilter/xt_DSCP.c | 149 ++---
>  net/netfilter/xt_HL.c | 164 ++---
>  net/netfilter/xt_RATEEST.c | 278 +++------
>  net/netfilter/xt_SECMARK.c | 9 +-
>  net/netfilter/xt_TCPMSS.c | 378 +++---------
>  net/netlabel/netlabel_kapi.c | 125 +++-
>  net/netlabel/netlabel_unlabeled.c | 99 ++-
>  net/netlabel/netlabel_unlabeled.h | 2 +-
>  net/netlabel/netlabel_user.c | 13 +-
>  net/netlabel/netlabel_user.h | 2 +-
>  net/socket.c | 17 +
>  net/unix/af_unix.c | 11 +-
>  security/apparmor/audit.c | 4 +-
>  security/apparmor/include/audit.h | 2 +-
>  security/apparmor/include/net.h | 6 +-
>  security/apparmor/include/secid.h | 9 +-
>  security/apparmor/lsm.c | 64 +-
>  security/apparmor/secid.c | 42 +-
>  security/integrity/ima/ima.h | 14 +-
>  security/integrity/ima/ima_api.c | 9 +-
>  security/integrity/ima/ima_appraise.c | 6 +-
>  security/integrity/ima/ima_main.c | 34 +-
>  security/integrity/ima/ima_policy.c | 19 +-
>  security/security.c | 682 ++++++++++++++++++---
>  security/selinux/hooks.c | 308 +++++-----
>  security/selinux/include/audit.h | 6 +-
>  security/selinux/include/netlabel.h | 7 +
>  security/selinux/include/objsec.h | 43 +-
>  security/selinux/netlabel.c | 69 ++-
>  security/selinux/ss/services.c | 19 +-
>  security/smack/smack.h | 34 +
>  security/smack/smack_access.c | 14 +-
>  security/smack/smack_lsm.c | 389 ++++++------
>  security/smack/smack_netfilter.c | 48 +-
>  security/smack/smackfs.c | 23 +-
>  .../Z6.0+pooncelock+poonceLock+pombonce.litmus | 12 +-
>  75 files changed, 2369 insertions(+), 1798 deletions(-)
>
On 3/1/2019 6:17 AM, Stephen Smalley wrote:
> On 2/28/19 5:17 PM, Casey Schaufler wrote:
>> This is a preliminary version of the complete stacking
>> implementation. The patches need to be cleaned up, and
>> several are not strictly necessary. There is likely to
>> be work required in the audit sub-system. It does address
>> all the shared data, including CIPSO headers. It should
>> handle CALIPSO once Smack supports it. I will be revising
>> the set after 5.1.
>>
>> Complete the transition from module based blob management
>> to infrastructure based blob management. This includes
>> the socket, superblock and key blobs.
>>
>> Change the LSM infrastructure from exposing secids to
>> exposing an opaque "lsm_export" structure that can contain
>> information for multiple active security modules. Update
>> all of the security modules to use information from the
>> lsm_export structure. Update the LSM interfaces that expose
>> secids for more than one module to use the export structure.
>> Update all the users of these interfaces.
>>
>> Change the LSM infrastructure from using a string/size pair
>> for security "contexts" to a "lsm_context" structure that
>> can represent information for multiple modules. This contains
>> information that allows the "context" to be properly freed
>> regardless of where it is allocated and where it is used.
>>
>> Add an interface to identify which security module data
>> should be presented with SO_PEERSEC. /proc/.../attr/display
>> will set and report the name of the LSM that
>> security_secid_to_secctx() will use to translate to text.
>> If it is not explicitly set, the first security module that
>> supplies secid (now lsm_export) interfaces will be used.
>> To ensure consistency, a set of module hooks dealing with
>> the secid/context processing is maintained with each process
>> that explicitly sets it.
>>
>> Before sending a network packet verify that all interested
>> security modules agree on the labeling. Fail if the labeling
>> cannot be reconciled. This requires a new Netlabel interface
>> to compare proposed labels, and a change to the return values
>> from the existing netlabel attribute setting functions.
>
> Have you run any benchmarks to assess the performance impact of these
> changes?

Nothing I can publish. Benchmarking is getting close to the top of the list.
This is a preliminary version of the complete stacking
implementation. The patches need to be cleaned up, and
several are not strictly necessary. There is likely to
be work required in the audit sub-system. It does address
all the shared data, including CIPSO headers. It should
handle CALIPSO once Smack supports it. I will be revising
the set after 5.1.

Complete the transition from module based blob management
to infrastructure based blob management. This includes
the socket, superblock and key blobs.

Change the LSM infrastructure from exposing secids to
exposing an opaque "lsm_export" structure that can contain
information for multiple active security modules. Update
all of the security modules to use information from the
lsm_export structure. Update the LSM interfaces that expose
secids for more than one module to use the export structure.
Update all the users of these interfaces.

Change the LSM infrastructure from using a string/size pair
for security "contexts" to a "lsm_context" structure that
can represent information for multiple modules. This contains
information that allows the "context" to be properly freed
regardless of where it is allocated and where it is used.

Add an interface to identify which security module data
should be presented with SO_PEERSEC. /proc/.../attr/display
will set and report the name of the LSM that
security_secid_to_secctx() will use to translate to text.
If it is not explicitly set, the first security module that
supplies secid (now lsm_export) interfaces will be used.
To ensure consistency, a set of module hooks dealing with
the secid/context processing is maintained with each process
that explicitly sets it.

Before sending a network packet verify that all interested
security modules agree on the labeling. Fail if the labeling
cannot be reconciled. This requires a new Netlabel interface
to compare proposed labels, and a change to the return values
from the existing netlabel attribute setting functions.

git://github.com/cschaufler/lsm-stacking.git#5.0-rc3-plus-a

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 fs/kernfs/dir.c | 6 +-
 fs/kernfs/inode.c | 31 +-
 fs/kernfs/kernfs-internal.h | 4 +-
 fs/nfs/inode.c | 13 +-
 fs/nfs/internal.h | 8 +-
 fs/nfs/nfs4proc.c | 17 +-
 fs/nfs/nfs4xdr.c | 16 +-
 fs/nfsd/nfs4proc.c | 8 +-
 fs/nfsd/nfs4xdr.c | 14 +-
 fs/nfsd/vfs.c | 7 +-
 fs/proc/base.c | 1 +
 include/linux/cred.h | 3 +-
 include/linux/lsm_hooks.h | 122 ++-
 include/linux/nfs4.h | 8 +-
 include/linux/security.h | 165 +++-
 include/net/netlabel.h | 18 +-
 include/net/route.h | 55 +-
 include/net/scm.h | 14 +-
 include/net/sock.h | 14 +-
 include/uapi/linux/netfilter/xt_CONNMARK.h | 45 +-
 include/uapi/linux/netfilter/xt_DSCP.h | 27 +-
 include/uapi/linux/netfilter/xt_MARK.h | 17 +-
 include/uapi/linux/netfilter/xt_RATEEST.h | 38 +-
 include/uapi/linux/netfilter/xt_TCPMSS.h | 13 +-
 include/uapi/linux/netfilter_ipv4/ipt_ECN.h | 40 +-
 include/uapi/linux/netfilter_ipv4/ipt_TTL.h | 14 +-
 include/uapi/linux/netfilter_ipv6/ip6t_HL.h | 14 +-
 kernel/audit.c | 60 +-
 kernel/audit.h | 9 +-
 kernel/auditfilter.c | 6 +-
 kernel/auditsc.c | 61 +-
 kernel/cred.c | 15 +-
 net/ipv4/cipso_ipv4.c | 13 +-
 net/ipv4/ip_sockglue.c | 14 +-
 net/ipv4/route.c | 61 ++
 net/netfilter/nf_conntrack_netlink.c | 27 +-
 net/netfilter/nf_conntrack_standalone.c | 16 +-
 net/netfilter/nfnetlink_queue.c | 35 +-
 net/netfilter/nft_meta.c | 8 +-
 net/netfilter/xt_DSCP.c | 149 ++---
 net/netfilter/xt_HL.c | 164 ++---
 net/netfilter/xt_RATEEST.c | 278 +++------
 net/netfilter/xt_SECMARK.c | 9 +-
 net/netfilter/xt_TCPMSS.c | 378 +++---------
 net/netlabel/netlabel_kapi.c | 125 +++-
 net/netlabel/netlabel_unlabeled.c | 99 ++-
 net/netlabel/netlabel_unlabeled.h | 2 +-
 net/netlabel/netlabel_user.c | 13 +-
 net/netlabel/netlabel_user.h | 2 +-
 net/socket.c | 17 +
 net/unix/af_unix.c | 11 +-
 security/apparmor/audit.c | 4 +-
 security/apparmor/include/audit.h | 2 +-
 security/apparmor/include/net.h | 6 +-
 security/apparmor/include/secid.h | 9 +-
 security/apparmor/lsm.c | 64 +-
 security/apparmor/secid.c | 42 +-
 security/integrity/ima/ima.h | 14 +-
 security/integrity/ima/ima_api.c | 9 +-
 security/integrity/ima/ima_appraise.c | 6 +-
 security/integrity/ima/ima_main.c | 34 +-
 security/integrity/ima/ima_policy.c | 19 +-
 security/security.c | 682 ++++++++++++++++++---
 security/selinux/hooks.c | 308 +++++-----
 security/selinux/include/audit.h | 6 +-
 security/selinux/include/netlabel.h | 7 +
 security/selinux/include/objsec.h | 43 +-
 security/selinux/netlabel.c | 69 ++-
 security/selinux/ss/services.c | 19 +-
 security/smack/smack.h | 34 +
 security/smack/smack_access.c | 14 +-
 security/smack/smack_lsm.c | 389 ++++++------
 security/smack/smack_netfilter.c | 48 +-
 security/smack/smackfs.c | 23 +-
 .../Z6.0+pooncelock+poonceLock+pombonce.litmus | 12 +-
 75 files changed, 2369 insertions(+), 1798 deletions(-)
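The cover letter above describes two behaviours without showing code: which module's label SO_PEERSEC presents (the /proc/.../attr/display selection, defaulting to the first module that supplies secids) and the refusal to send a packet whose label the interested modules cannot reconcile. The following userspace C model is an added illustration of those two rules and is not code from the series or from the kernel. Every name in it (export_model, net_label, choose_display, model_peersec, reconcile_labels, the per-module text formats) is hypothetical; the real lsm_export and lsm_context layouts and the new Netlabel comparison interface are not reproduced.

```c
/* Userspace model (added example, not kernel code) of two rules from the
 * LSM stacking cover letter: picking the "display" module whose label is
 * shown, and reconciling per-module network labels before a send. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LSM_MAX 3   /* hypothetical slots: selinux, smack, apparmor */

/* One module's proposal for the label on an outgoing packet, modelled
 * as a CIPSO-like (DOI, level, category bitmap). interested == false
 * means the module does not label this packet at all. */
struct net_label {
    bool interested;
    unsigned int doi;
    unsigned int level;
    unsigned long long cats;
};

/* Hypothetical stand-in for the per-module export data: one secid per
 * slot, 0 when that module is not active. */
struct export_model {
    unsigned int secid[LSM_MAX];
};

static const char *lsm_name[LSM_MAX] = { "selinux", "smack", "apparmor" };

/* Hypothetical secid -> text translators, one per slot. */
static int model_secctx(int slot, unsigned int secid, char *buf, size_t len)
{
    switch (slot) {
    case 0:  return snprintf(buf, len, "system_u:system_r:secid_%u:s0", secid);
    case 1:  return snprintf(buf, len, "Smack%u", secid);
    case 2:  return snprintf(buf, len, "profile_%u", secid);
    default: return -EINVAL;
    }
}

/* Slot to present: the named display module if it is active, otherwise
 * the first active module (the cover letter's default). Returns the slot,
 * -ENOENT if the chosen module supplies no secid, -EINVAL for an unknown
 * name. */
int choose_display(const struct export_model *e, const char *display)
{
    for (int i = 0; i < LSM_MAX; i++)
        if (display && strcmp(display, lsm_name[i]) == 0)
            return e->secid[i] ? i : -ENOENT;
    if (display && *display)
        return -EINVAL;
    for (int i = 0; i < LSM_MAX; i++)
        if (e->secid[i])
            return i;
    return -ENOENT;
}

/* Text SO_PEERSEC would return under the model. */
int model_peersec(const struct export_model *e, const char *display,
                  char *buf, size_t len)
{
    int slot = choose_display(e, display);
    if (slot < 0)
        return slot;
    return model_secctx(slot, e->secid[slot], buf, len) < (int)len ? 0 : -ERANGE;
}

/* Reconcile the labels wanted on one outgoing packet. Modules that are
 * not interested abstain. Succeeds when every interested module proposes
 * the same triple (copied to *out); if nobody is interested, *out is
 * marked uninterested and the packet goes unlabelled. Returns -EACCES
 * when two interested modules disagree, so the send is refused. */
int reconcile_labels(const struct net_label *prop, int n, struct net_label *out)
{
    const struct net_label *agreed = NULL;
    for (int i = 0; i < n; i++) {
        if (!prop[i].interested)
            continue;
        if (!agreed) {
            agreed = &prop[i];
            continue;
        }
        if (prop[i].doi != agreed->doi || prop[i].level != agreed->level ||
            prop[i].cats != agreed->cats)
            return -EACCES;
    }
    if (!agreed) {
        out->interested = false;
        return 0;
    }
    *out = *agreed;
    return 0;
}

int main(void)
{
    /* Constructed sample: SELinux and AppArmor active, Smack absent. */
    struct export_model e = { { 7, 0, 3 } };
    char buf[64];
    if (model_peersec(&e, NULL, buf, sizeof buf) == 0)
        printf("default display: %s\n", buf);
    if (model_peersec(&e, "apparmor", buf, sizeof buf) == 0)
        printf("display=apparmor: %s\n", buf);
    struct net_label p[3] = { { true, 1, 2, 0x5 }, { false, 0, 0, 0 },
                              { true, 1, 2, 0x6 } }, out;
    printf("reconcile: %d\n", reconcile_labels(p, 3, &out));
    return 0;
}
```

The model deliberately treats "not interested" as abstention rather than disagreement, which matches the letter's wording that only interested modules must agree; a module that does not label network traffic at all should not veto the send.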