From patchwork Sun Apr 9 10:42:10 2017 X-Patchwork-Submitter: Djalal Harouni X-Patchwork-Id: 9671509
From: Djalal Harouni To: Linux Kernel Mailing List , Andy Lutomirski , Kees Cook , Andrew Morton , kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org Cc: Linux API , Dongsu Park , Casey Schaufler , James Morris , , Paul Moore , Tetsuo Handa , Greg Kroah-Hartman , Djalal Harouni Subject: [PATCH RFC v2 3/3] Documentation: add ModAutoRestrict LSM documentation Date: Sun, 9 Apr 2017 12:42:10 +0200 Message-Id: <1491734530-25002-4-git-send-email-tixxdz@gmail.com> X-Mailer: git-send-email 2.5.5 In-Reply-To: <1491734530-25002-1-git-send-email-tixxdz@gmail.com> References: <1491734530-25002-1-git-send-email-tixxdz@gmail.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Cc: Andy Lutomirski Cc: James Morris Cc: Tetsuo Handa Cc: Kees Cook Signed-off-by: Djalal Harouni --- Documentation/security/00-INDEX | 2 + Documentation/security/ModAutoRestrict.txt | 77 ++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 Documentation/security/ModAutoRestrict.txt diff --git a/Documentation/security/00-INDEX b/Documentation/security/00-INDEX index 45c82fd..35dbdf0 100644 --- a/Documentation/security/00-INDEX +++ b/Documentation/security/00-INDEX @@ -24,3 +24,5 @@ tomoyo.txt - documentation on the TOMOYO Linux Security Module. IMA-templates.txt - documentation on the template management mechanism for IMA. +ModAutoRestrict.txt + - documentation on the ModAutoRestrict Linux Security Module. diff --git a/Documentation/security/ModAutoRestrict.txt b/Documentation/security/ModAutoRestrict.txt new file mode 100644 index 0000000..47acae8 --- /dev/null +++ b/Documentation/security/ModAutoRestrict.txt 
@@ -0,0 +1,77 @@ +ModAutoRestrict is a Linux Security Module that applies restrictions on +automatic module loading operations. This is selectable at build-time +with CONFIG_SECURITY_MODAUTORESTRICT, and can be controlled at run-time +through sysctls in /proc/sys/kernel/modautorestrict/autoload or as a +per-process setting via a prctl() interface. + +=========================================== + +A userspace request to use a kernel feature that is implemented by modules +that are not loaded may trigger the module auto-load feature to load +these modules in order to satisfy userspace. However as today's Linux use +cases cover embedded systems to containers where applications are running +in their own separate environments, reducing or preventing operations +that may affect external environments is an important constraint. +Therefore, we need a way to control if automatic module loading is +allowed or which applications are allowed to trigger the module +auto-load feature. + +The ModAutoRestrict LSM allows system administrators or sandbox +mechanisms to control the module auto-load feature and prevent loading +unneeded modules or abuse the interface. + +The settings can be applied globally using a sysctl interface which +completes the core kernel interface "modules_disable". + +The feature is also available as a prctl() interface. This allows to +apply restrictions when sandboxing processes. On embedded Linux systems, +or containers where only some containers/processes should have the +right privileges to load modules, this allows to restrict those +processes from inserting modules. Only privileged processes can be +allowed to perform so. A more restrictive access can be applied where +the module autoload feature is completely disabled. +In this schema the access rules are per-process and inherited by +children created by fork(2) and clone(2), and preserved across execve(2). 
+ +Interface: + +*) The per-process prctl() settings are: + + prctl(PR_MOD_AUTO_RESTRICT_OPTS, PR_SET_MOD_AUTO_RESTRICT, value, 0, 0) + + Where value means: + + 0 - Classic module auto-load permissions, nothing changes. + + 1 - The current process must have CAP_SYS_MODULE to be able to + auto-load modules. CAP_NET_ADMIN should allow to auto-load + modules with a 'netdev-%s' alias. + + 2 - Current process can not auto-load modules. Once set, this prctl + value can not be changed. + + The per-process value may only be increased, never decreased, thus ensuring + that once applied, processes can never relaxe their setting. + +*) The global sysctl setting can be set by writting an integer value to + '/proc/sys/kernel/modautorestrict/autoload' + + The valid values are: + + 0 - Classic module auto-load permissions, nothing changes. + + 1 - Processes must have CAP_SYS_MODULE to be able to auto-load modules. + CAP_NET_ADMIN should allow to auto-load modules with a 'netdev-%s' + alias. + + 2 - Processes can not auto-load modules. Once set, this sysctl value + can not be changed. + +*) Access rules: + First the prctl() settings are checked, if the access is not denied + then the global sysctl settings are checked. + + +The original idea and inspiration is from grsecurity 'GRKERNSEC_MODHARDEN'. + +==========================================================================
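Review bot: the value-1 descriptions in the ModAutoRestrict.txt hunk (both the prctl() and the sysctl list) say CAP_NET_ADMIN "should allow" auto-loading of modules with a 'netdev-%s' alias, which leaves the reader unsure whether the LSM implements that exception or whether it is only intended; state the actual behaviour definitively, and say what a denied auto-load request returns to userspace, since the "Access rules" paragraph only describes which setting is consulted first. The sysctl section also only says value 2 is sticky; add whether value 1 can be lowered back to 0 at run time, so the sysctl semantics are as explicit as the per-process "may only be increased, never decreased" rule. While here, fix the spelling in the hunk: 'relaxe' -> 'relax', 'writting' -> 'writing', 'prevent loading unneeded modules or abuse the interface' -> '... or abusing the interface', and 'can not' -> 'cannot' throughout.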