| From: |
| Casey Schaufler <casey@schaufler-ca.com> |
| To: |
| LSM <linux-security-module@vger.kernel.org>, James Morris <jmorris@namei.org> |
| Subject: |
| [PATCH RFC 00/10] LSM: Stacking for most major security modules |
| Date: |
| Mon, 11 Jul 2016 12:22:36 -0700 |
| Message-ID: |
| <a3dd7388-8864-01f7-f026-567b6628cecf@schaufler-ca.com> |
| Cc: |
| John Johansen <john.johansen@canonical.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, Casey Schaufler <casey@schaufler-ca.com> |
Subject: [PATCH RFC 00/10] LSM: Stacking for most major security modules
This patchset implements stacking for "major" security modules
that use cred and file blobs. As TOMOYO uses only cred blobs and
AppArmor cred and file blobs, this covers every existing permutation
except for SELinux and Smack. Sharing of inode, sock and various
lesser blobs are future work that will be handled similarly.
Management of these security blobs is moved from the security
modules and into the LSM infrastructure. This has been proposed
in the past by Serge Hallyn and David Howells. This implementation
owes much to their work.
The bulk of the change is in abstracting use of cred->security and
file->f_security within the security modules. This allows the
modules to share a single blob and hides the details from the code.
Modules are required to declare the amount of space they require
for each blob they use. Because modules deal with blobs during their
initialization the blob sizes must be declared prior to module
initialization. The module initialization becomes a two step process.
Security module stacking is optional. If stacking is not configured,
the CONFIG_DEFAULT_SECURITY value is used, just as before. If stacking
is configured using CONFIG_SECURITY_STACKING the modules desired for
the stack are selected individually. AppArmor would be selected by
specifying CONFIG_SECURITY_APPARMOR_STACKED. The CONFIG_DEFAULT_SECURITY
is ignored. The security= boot option is still respected and has the
same behavior as before, allowing a single module to be used instead of
the specified stack.
This is requires my earlier "LSM: security module information improvements"
patch set.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/security/LSM.txt | 10 ++-
include/linux/lsm_hooks.h | 26 +++++-
security/Kconfig | 33 +++++++
security/apparmor/Kconfig | 13 +++
security/apparmor/context.c | 2 -
security/apparmor/include/context.h | 26 +++++-
security/apparmor/lsm.c | 83 +++++++----------
security/security.c | 141 ++++++++++++++++++++++++++++-
security/selinux/Kconfig | 13 +++
security/selinux/hooks.c | 160 ++++++++++++---------------------
security/selinux/include/objsec.h | 22 +++++
security/selinux/selinuxfs.c | 3 +-
security/selinux/xfrm.c | 4 +-
security/smack/Kconfig | 13 +++
security/smack/smack.h | 29 +++++-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 175 +++++++++++++++---------------------
security/smack/smackfs.c | 18 ++--
security/tomoyo/Kconfig | 13 +++
security/tomoyo/common.h | 25 +++++-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 13 ++-
security/tomoyo/tomoyo.c | 57 +++++++++---
23 files changed, 588 insertions(+), 297 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
