LSM: Multiple concurrent LSMs

From:  Casey Schaufler <casey@schaufler-ca.com>
To:  LSM <linux-security-module@vger.kernel.org>, James Morris <jmorris@namei.org>
Subject:  [PATCH 0/5] LSM: Multiple concurrent LSMs
Date:  Tue, 04 Sep 2012 19:08:56 -0700
Message-ID:  <5046B438.1070208@schaufler-ca.com>
Cc:  Casey Schaufler <casey@schaufler-ca.com>

Subject: [PATCH 0/5] LSM: Multiple concurrent LSMs

Provide a backward compatible mechanism for using
multiple LSMs on the same running kernel. If an LSM is
not modified to use the interfaces provided in the new
include/linux/lsm.h header, lsm_get and lsm_set, that
LSM may not participate in stacking, although it will
work just fine in the traditional one-at-a-time way.

As David Howells suggested some time back, making Smack and
SELinux available at the same time has proven quite a
challenge. That work has been deferred and that particular
configuration disallowed.

Performance measurement is in the early stages. The Smack
tests run within the noise with AppArmor, TOMOYO and Yama
enabled in addition to Smack.

This patch set is divided into 5 parts. The first is the
infrastructure and the last 4 make the various LSMs able
to work in the composed environment. Yama, which does not
use LSM security blobs, required no change and gets in free.

The Smack LSM behavior has been tested. AppArmor, TOMOYO,
Yama and SELinux have been shown to boot, but have not been
functionally tested beyond the lack of obvious error messages
and complaints from kernel debugging facilities. The kernels
have been tested with Ubuntu 12.04 and Fedora 17.


 include/linux/lsm.h                 |  261 +++++++++
 include/linux/security.h            |   16 +
 security/Kconfig                    |   57 +-
 security/apparmor/context.c         |   10 +-
 security/apparmor/domain.c          |    8 +-
 security/apparmor/include/context.h |   15 +-
 security/apparmor/lsm.c             |   35 +-
 security/capability.c               |  210 ++++++++
 security/inode.c                    |   51 +-
 security/security.c                 | 1004 ++++++++++++++++++++++++++++-------
 security/selinux/hooks.c            |  264 +++++----
 security/selinux/include/objsec.h   |    2 +
 security/selinux/include/xfrm.h     |    2 +-
 security/selinux/selinuxfs.c        |    6 +-
 security/selinux/xfrm.c             |    9 +-
 security/smack/smack.h              |   14 +-
 security/smack/smack_access.c       |    2 +-
 security/smack/smack_lsm.c          |  265 ++++-----
 security/smack/smackfs.c            |   92 +++-
 security/tomoyo/common.h            |    6 +-
 security/tomoyo/domain.c            |    2 +-
 security/tomoyo/securityfs_if.c     |    9 +-
 security/tomoyo/tomoyo.c            |   29 +-
 23 files changed, 1848 insertions(+), 521 deletions(-)

---
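The cover letter says that an LSM takes part in stacking only if it reaches its security blob through the new lsm_get/lsm_set accessors instead of assuming it owns the whole blob. The user-space model below is an added illustration and not code from this patch set: it registers several toy modules, gives each its own region of one shared blob (the offsets, the slot ids and the `lsm_register`/`lsm_reset`/`security_hook` names are all assumptions made for the example), and composes a hook so that every stacked module is consulted and the first denial wins.

```c
/* Constructed model of stacked LSM security blobs; not the kernel's code. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define LSM_MAX 4

/* One registered module: where its private data lives inside the shared blob
   and the check it contributes to a composed hook. */
struct lsm_slot {
    const char *name;
    size_t offset;
    size_t size;
    int (*check)(const void *priv, int op);
};

static struct lsm_slot slots[LSM_MAX];
static int nslots;
static size_t blob_total;

/* Forget all registrations so a scenario can be replayed from scratch. */
void lsm_reset(void)
{
    memset(slots, 0, sizeof slots);
    nslots = 0;
    blob_total = 0;
}

/* Register a module and carve out its region; returns a slot id or -1 if full. */
int lsm_register(const char *name, size_t size, int (*check)(const void *, int))
{
    if (nslots >= LSM_MAX)
        return -1;
    slots[nslots].name = name;
    slots[nslots].offset = blob_total;
    slots[nslots].size = size;
    slots[nslots].check = check;
    blob_total += size;
    return nslots++;
}

size_t lsm_blob_size(void) { return blob_total; }

/* One allocation per kernel object holds every module's data. */
void *blob_alloc(void) { return calloc(1, blob_total ? blob_total : 1); }

/* Accessors standing in for lsm_get/lsm_set (hypothetical signatures): a module
   never touches the blob directly, it asks for its own region by slot id. */
void *lsm_get(void *blob, int slot) { return (char *)blob + slots[slot].offset; }
void lsm_set(void *blob, int slot, const void *data)
{
    memcpy(lsm_get(blob, slot), data, slots[slot].size);
}

/* Composed hook: every stacked module is consulted in registration order and
   the first non-zero (denying) result is returned. */
int security_hook(void *blob, int op)
{
    for (int i = 0; i < nslots; i++) {
        int rc = slots[i].check(lsm_get(blob, i), op);
        if (rc)
            return rc;
    }
    return 0;
}

/* Two toy modules with unrelated blob layouts. */
struct a_priv { int label; };        /* label 0 may not perform op 1 */
struct b_priv { unsigned allowed; }; /* bitmask of permitted ops */

int a_check(const void *p, int op)
{
    const struct a_priv *a = p;
    return (a->label == 0 && op == 1) ? -13 : 0; /* -EACCES */
}

int b_check(const void *p, int op)
{
    const struct b_priv *b = p;
    return (b->allowed & (1u << op)) ? 0 : -1;   /* -EPERM */
}

int main(void)
{
    lsm_reset();
    int a = lsm_register("modA", sizeof(struct a_priv), a_check);
    int b = lsm_register("modB", sizeof(struct b_priv), b_check);
    void *blob = blob_alloc();
    struct a_priv av = { 7 };
    struct b_priv bv = { 1u << 1 };   /* B permits only op 1 */
    lsm_set(blob, a, &av);
    lsm_set(blob, b, &bv);
    printf("op1: %d  op2: %d\n", security_hook(blob, 1), security_hook(blob, 2));
    free(blob);
    return 0;
}
```

A module written against the old single-LSM assumption would read the blob from offset zero, which in this model is only correct for the first registered module; that is exactly why the cover letter says an unconverted LSM can still run alone but cannot be stacked.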
