
LSM stacking (again)

Posted Jun 24, 2010 14:57 UTC (Thu) by raven667 (subscriber, #5198)
In reply to: LSM stacking (again) by Cyberax
Parent article: LSM stacking (again)

The difference in complexity is massive though. To be able to effectively stack LSM modules you'd need the equivalent of a PAM config for each hook point. You can't guarantee that a coarser grained policy is going to make sense.



LSM stacking (again)

Posted Jun 24, 2010 15:05 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Why?

I see that we can broadly divide LSM hooks into: filesystem, network, CPU resources, misc.

So we can specify: "First use AppArmor to check filesystem access, but use SELinux to check security labels on network packets".

LSM stacking (again)

Posted Jun 24, 2010 16:26 UTC (Thu) by bronson (subscriber, #4806) [Link]

So AppArmor and SELinux and Smack and Tomoyo would need to be written with all possible permutations in mind? That sounds absolutely hellish to analyze and test. Remember, we're talking about security here -- failure is far worse than a kernel panic.

Maybe it would be possible if all projects split their code into completely isolated modules: AppArmor-Network, AppArmor-Filesystem, etc. No interaction allowed between the Network and Filesystem modules. But I don't think that would meet SELinux's needs.

LSM stacking (again)

Posted Jun 24, 2010 16:54 UTC (Thu) by farnz (subscriber, #17727) [Link]

A safer variation on the same theme would be to write the stacking such that each LSM only gets to check accesses that other loaded LSMs have permitted; for example "check everything with AppArmor. If AppArmor permits it, fall through to SELinux. If SELinux permits it, fall through to Yama."

If you then want to have AppArmor handle all the filesystem stuff, while SELinux only deals with networking, you have to design your AppArmor and SELinux policies to do this, and you've hopefully thought about the failure modes of doing so. If Clueless CrazyAdmin uses off-the-shelf SELinux and AppArmor policies, they get only the accesses that both LSMs believe are safe.

In practice, such a stacking method makes stacking full-fledged security modules like SELinux and Smack together rather pointless; where you benefit is with "boutique" LSMs like Yama, which aim to prevent a limited set of security flaws - you can stack Yama and SELinux, and get Yama covering everything, while SELinux only protects that part of the system that you've written policy for.

LSM stacking (again)

Posted Jun 24, 2010 17:41 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

"So AppArmor and SELinux and Smack and Tomoyo would need to be written with all possible permutations in mind?"

Why would AppArmor need to know anything about SELinux?

A special stacking-driver should think like: "Oh, we have a file request. Let's see: - we need to pass it to AppArmor first. Done, result is OK. Then we need to pass it to Yama, result is OK. So we can perform the action".

At no point does AppArmor need to know that after it returns 'OK' further checks will be carried out.

"That sounds absolutely hellish to analyze and test. Remember, we're talking about security here -- failure is far worse than a kernel panic."

Those who need NSA certification can go and make love with SELinux.
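
The ordered fall-through that farnz and Cyberax describe in this thread, as an added user-space sketch (not part of any comment here and not kernel code): a stacking driver asks each module in turn and stops at the first denial, so no module needs to know what runs after it. The hook names, module names and toy policies are all constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical user-space model of a stacking driver; not the kernel LSM API. */
enum hook { HOOK_FILE_OPEN, HOOK_SOCKET_SEND, HOOK_PTRACE, HOOK_COUNT };

struct module {
    const char *name;
    /* NULL entry: the module has no check for that hook and is skipped. */
    int (*check[HOOK_COUNT])(const char *subject, const char *object);
    int calls; /* times the driver consulted this module */
};

/* Constructed toy policies standing in for a path-based, a label-based
 * and a single-purpose ("boutique") module. */
static int path_open(const char *s, const char *o)
{ (void)s; return strncmp(o, "/etc/", 5) == 0 ? -EACCES : 0; }
static int label_open(const char *s, const char *o)
{ (void)o; return strcmp(s, "httpd") == 0 ? 0 : -EACCES; }
static int label_send(const char *s, const char *o)
{ (void)o; return strcmp(s, "httpd") == 0 ? 0 : -EACCES; }
static int ptrace_self_only(const char *s, const char *o)
{ return strcmp(s, o) == 0 ? 0 : -EPERM; }

static struct module stack[] = {
    { "path-based",  { [HOOK_FILE_OPEN] = path_open }, 0 },
    { "label-based", { [HOOK_FILE_OPEN] = label_open,
                       [HOOK_SOCKET_SEND] = label_send }, 0 },
    { "boutique",    { [HOOK_PTRACE] = ptrace_self_only }, 0 },
};
#define NMODS (sizeof(stack) / sizeof(stack[0]))

/* Ask each module in order; the first denial is final, so a later module
 * only ever sees requests that every earlier module allowed. */
int stack_check(enum hook h, const char *subject, const char *object)
{
    for (size_t i = 0; i < NMODS; i++) {
        if (!stack[i].check[h])
            continue;
        stack[i].calls++;
        int rc = stack[i].check[h](subject, object);
        if (rc != 0)
            return rc;
    }
    return 0; /* allowed only if no consulted module objected */
}

int main(void) { return stack_check(HOOK_FILE_OPEN, "httpd", "/var/www/index.html"); }
```

The `calls` counters make the short-circuit visible: a request the first module denies never reaches the second, and the single-purpose module is consulted only for the one hook it implements.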


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds