| From: |
| jobol-AT-nonadev.net |
| To: |
| linux-security-module-AT-vger.kernel.org |
| Subject: |
| [RFC PATCH v1 0/1] LSM ptags: Secure tagging of processes |
| Date: |
| Thu, 29 Sep 2016 12:40:48 +0200 |
| Message-ID: |
| <1475145649-24293-1-git-send-email-jobol@nonadev.net> |
| Cc: |
| =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol-AT-nonadev.net> |
From: José Bollo <jobol@nonadev.net>
WHAT IS THE LSM PTAGS?
======================
The Linux Security Module ptags manages for each process a list of tags
that can be empty. Values can be attached to tags.
This tag list is accessed through the new files /proc/PID/attr/ptags
and /proc/PID/tasks/TID/attr/ptags below named "ptags file".
Except for few special tags, the meaning of the tag is free.
Tags are structured in fields separated by : (colon) with
available semantic of prefixing field(s).
The list of tags is copied (this is not shared) during 'clone'.
The list of tags is filtered during 'execve' to keep only expected tags.
Tagging is compatible with the use of other LSM like Smack,
AppAmor, SELinux, ...
Tagging is compatible with user namespaces and pid namespaces.
WHY IS IT USEFUL?
=================
Tagging processes serves multiple purposes that can be mixed
due the the prefix policy of tags:
- provide basis for managing in userland permissions, privileges
or capabilities (3 words for same concept) of processes
- provide ability to attach cookies to processes
The primary goal is to implement a user-land permission
mechanism. With that intention, the tagging feature is used to record
the list of the permissions granted to a process. Any
service that requires that their client must have a
permission can check the list to accept or refuse to serve.
WHY IS IT SECURE?
=================
By default:
- processes can NOT remove any of its tags
- processes can NOT add any tag to itself
- processes can NOT set value to any of its tag
- processes can NOT alter (add, remove or set) tags of other processes
- processes lose tags during 'execve'
- processes can read tags of other processes when DAC/MAC allows it
But some rules allow authorized processes:
- to remove some of its tags
- to add some tag to itself
- to set a value to some of its tag
- to alter (add, remove, set) some tags of other processes
- to change how tags are kept or not during 'execve'
These rules are allowing the management of the tags either using
daemons/services or using fork/exec or using both methods mixed.
HOW DOES IT DIFFER FROM PREVIOUS PROPOSAL?
==========================================
This proposal adds features and cleans the previous design.
Added features:
- structuration of tags in fields separated by : (colon)
- semantic of field-prefix for tags
- ability to grant access for specific prefix
- ability to attach value to tags
Clean up:
- clean flag setting if a tag is to keep or not across 'execve'
- clean special rights
LINKS
=====
user library: https://gitlab.com/jobol/ptags
yocto layer: https://gitlab.com/jobol/meta-ptags
José Bollo
http://IoT.BzH
José Bollo (1):
LSM ptags: Add tagging of processes
Documentation/security/ptags.txt | 428 +++++++++++
fs/proc/base.c | 3 +
include/linux/cred.h | 3 +
security/Kconfig | 1 +
security/Makefile | 2 +
security/apparmor/lsm.c | 14 +-
security/ptags/Kconfig | 8 +
security/ptags/Makefile | 6 +
security/ptags/lsm-ptags.c | 204 ++++++
security/ptags/ptags.c | 1448 ++++++++++++++++++++++++++++++++++++++
security/selinux/hooks.c | 8 +
security/smack/smack_lsm.c | 14 +-
12 files changed, 2135 insertions(+), 4 deletions(-)
create mode 100644 Documentation/security/ptags.txt
create mode 100644 security/ptags/Kconfig
create mode 100644 security/ptags/Makefile
create mode 100644 security/ptags/lsm-ptags.c
create mode 100644 security/ptags/ptags.c
--
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
