Received-SPF: pass (google.com: domain of linux-kernel+bounces-1737-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com,
	paul@paul-moore.com,
	linux-security-module@vger.kernel.org
Cc: jmorris@namei.org,
	serge@hallyn.com,
	keescook@chromium.org,
	john.johansen@canonical.com,
	penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com,
	linux-kernel@vger.kernel.org,
	mic@digikod.net
Subject: [PATCH v39 00/42] LSM: General module stacking
Date: Fri, 15 Dec 2023 14:15:54 -0800
Message-ID: <20231215221636.105680-1-casey@schaufler-ca.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
References: <20231215221636.105680-1-casey.ref@schaufler-ca.com>

This patchset provides the changes required to allow arbitrary
combination of all the existing Linux Security Modules (LSM).
It does not provide for all possible configurations of all of
co-existing modules. It does not ensure that the enforcement
of policy provided by one module does not interfere with the
behavior of another module.

The bulk of the code change is in support of the audit system.
Because subjects and objects may have multiple LSM specific
attributes that are used to make access control decisions it
was necessary to enhance the audit system to report these
security attributes. Separate audit records have been added
to include the additional information for each of the audit
event subject and object. Providing the required security
information using 32-bit secids was no longer sufficient. A
new structure, lsmblob, has been introduced to include the
data for all relevant modules.

The lsmblob structure has an entry for each of the modules
that has used secids. Each module provides a structure of
its own which contains the information it uses. For SELinux
this is a u32 secid. Smack provides a pointer into the label
list. Modules that are not configured use conditional compilation 
to have empty structures.

Because audit records may need to include the text representation
of more than one module's security attributes (commonly referred
to as the "security context") the interfaces that convert the
lsmblob into a text representation need to identify which module
provided the text. An structure lsmcontext has been added that
contains the text, its length and the identifier of the module
than created it.

Security attributes for network facilities have provided certain
challenges. The security information allowed in socket buffers
and secmarks is limited to a single u32 secid, and there is no
indication that this will ever be allowed to change. The netlabel
subsystem, which provides CIPSO and CALIPSO labeling on internet
packets, supports only one IP packet option at a time. Labeled
NFS3 also supports only one security module. The existing modules
have been updated to accept that they may not have access to
these networking security attributes. The first module to
register that uses them is given exclusive access.

The issue of multiple modules using the /proc/.../attr interfaces
has been largely addressed for some time by the inclusion of module
specific sub-directories. Applications should be using these except
for the case of SELinux.

Patch 0001 removes an interface dependency on audit from IMA.
Patch 0002 moves management of socket security blobs out of the
	modules and into the LSM infrastructure.
Patch 0003 introduces the lsmblob structure.
Patch 0004 introduces mechanism for the IMA mechanisms to handle
	the possibility of multiple modules that use attributes.
Patches 0005-0015 add new interfaces and change existing interfaces
	to use the lsmblob to represent security data.
Patches 0016-0021 replace a the use of string and length pairs to
	use a "security context" with an lsmcontext structure.
Patches 0022-0026 implement audit records describing the multiple
	security attributes on subjects and objects.
Patch 0027 removes scaffolding code used in support on lsmcontext.
Patches 0028-0030 optimize LSM hooks for the networking single
	module user case.
Patch 0031 implements mechanism to reserve use of network secmarks.
Patch 0032 limits security_secctx_to_secid() to a single module.
Patch 0033 removes the exclusive tag from AppArmor.
Patches 0034-0035 adds mount operation security blobs.
Patch 0036 moves management of key security blobs out of the
	modules and into the LSM infrastructure.
Patch 0037 enables management of mount operation security blobs
	in the modules.
Patches 0038-0039 remove scaffolding for lsmblobs.
Patch 0040 implements mechanism to reserve use of netlabel.
Patch 0041 restricts a hook used only by binder to a single module.
Patch 0042 removes the exclusive tag from Smack.

https://github.com:cschaufler/lsm-stacking.git#stack-6.7-rc1-pcmoore-dev-v39-b

Casey Schaufler (42):
  integrity: disassociate ima_filter_rule from security_audit_rule
  SM: Infrastructure management of the sock security
  LSM: Add the lsmblob data structure.
  IMA: avoid label collisions with stacked LSMs
  LSM: Use lsmblob in security_audit_rule_match
  LSM: Add lsmblob_to_secctx hook
  Audit: maintain an lsmblob in audit_context
  LSM: Use lsmblob in security_ipc_getsecid
  Audit: Update shutdown LSM data
  LSM: Use lsmblob in security_current_getsecid
  LSM: Use lsmblob in security_inode_getsecid
  Audit: use an lsmblob in audit_names
  LSM: Create new security_cred_getlsmblob LSM hook
  Audit: Change context data from secid to lsmblob
  Netlabel: Use lsmblob for audit data
  LSM: Ensure the correct LSM context releaser
  LSM: Use lsmcontext in security_secid_to_secctx
  LSM: Use lsmcontext in security_lsmblob_to_secctx
  LSM: Use lsmcontext in security_inode_getsecctx
  LSM: Use lsmcontext in security_dentry_init_security
  LSM: security_lsmblob_to_secctx module selection
  Audit: Create audit_stamp structure
  Audit: Allow multiple records in an audit_buffer
  Audit: Add record for multiple task security contexts
  audit: multiple subject lsm values for netlabel
  Audit: Add record for multiple object contexts
  LSM: Remove unused lsmcontext_init()
  LSM: Improve logic in security_getprocattr
  LSM: secctx provider check on release
  LSM: Single calls in socket_getpeersec hooks
  LSM: Exclusive secmark usage
  LSM: Identify which LSM handles the context string
  AppArmor: Remove the exclusive flag
  LSM: Add mount opts blob size tracking
  LSM: allocate mnt_opts blobs instead of module specific data
  LSM: Infrastructure management of the key security blob
  LSM: Infrastructure management of the mnt_opts security blob
  LSM: Correct handling of ENOSYS in inode_setxattr
  LSM: Remove lsmblob scaffolding
  LSM: Allow reservation of netlabel
  LSM: restrict security_cred_getsecid() to a single LSM
  Smack: Remove LSM_FLAG_EXCLUSIVE

 Documentation/ABI/testing/ima_policy    |   8 +-
 drivers/android/binder.c                |  25 +-
 fs/ceph/super.h                         |   3 +-
 fs/ceph/xattr.c                         |  15 +-
 fs/fuse/dir.c                           |  35 +-
 fs/nfs/dir.c                            |   2 +-
 fs/nfs/inode.c                          |  17 +-
 fs/nfs/internal.h                       |   8 +-
 fs/nfs/nfs4proc.c                       |  16 +-
 fs/nfs/nfs4xdr.c                        |  22 +-
 fs/nfsd/nfs4xdr.c                       |  21 +-
 include/linux/audit.h                   |  13 +
 include/linux/lsm/apparmor.h            |  17 +
 include/linux/lsm/bpf.h                 |  16 +
 include/linux/lsm/selinux.h             |  16 +
 include/linux/lsm/smack.h               |  17 +
 include/linux/lsm_hook_defs.h           |  35 +-
 include/linux/lsm_hooks.h               |   8 +
 include/linux/nfs4.h                    |   8 +-
 include/linux/nfs_fs.h                  |   2 +-
 include/linux/security.h                | 158 +++++++--
 include/net/netlabel.h                  |   2 +-
 include/net/scm.h                       |  12 +-
 include/uapi/linux/audit.h              |   2 +
 kernel/audit.c                          | 269 +++++++++++----
 kernel/audit.h                          |  20 +-
 kernel/auditfilter.c                    |   9 +-
 kernel/auditsc.c                        | 142 +++-----
 net/ipv4/ip_sockglue.c                  |  12 +-
 net/netfilter/nf_conntrack_netlink.c    |  16 +-
 net/netfilter/nf_conntrack_standalone.c |  11 +-
 net/netfilter/nfnetlink_queue.c         |  22 +-
 net/netlabel/netlabel_unlabeled.c       |  46 ++-
 net/netlabel/netlabel_user.c            |  10 +-
 net/netlabel/netlabel_user.h            |   2 +-
 security/apparmor/audit.c               |  19 +-
 security/apparmor/include/audit.h       |   8 +-
 security/apparmor/include/net.h         |   8 +-
 security/apparmor/include/secid.h       |   5 +-
 security/apparmor/lsm.c                 |  65 +---
 security/apparmor/net.c                 |   2 +-
 security/apparmor/secid.c               |  52 ++-
 security/bpf/hooks.c                    |   1 +
 security/integrity/ima/ima.h            |  32 +-
 security/integrity/ima/ima_api.c        |   6 +-
 security/integrity/ima/ima_appraise.c   |   6 +-
 security/integrity/ima/ima_main.c       |  60 ++--
 security/integrity/ima/ima_policy.c     |  91 +++++-
 security/security.c                     | 415 ++++++++++++++++++------
 security/selinux/hooks.c                | 285 +++++++++-------
 security/selinux/include/audit.h        |  13 +-
 security/selinux/include/netlabel.h     |   5 +
 security/selinux/include/objsec.h       |  12 +
 security/selinux/netlabel.c             |  27 +-
 security/selinux/ss/services.c          |  20 +-
 security/smack/smack.h                  |  22 ++
 security/smack/smack_lsm.c              | 347 ++++++++++++--------
 security/smack/smack_netfilter.c        |  12 +-
 security/smack/smackfs.c                |  24 +-
 59 files changed, 1691 insertions(+), 883 deletions(-)
 create mode 100644 include/linux/lsm/apparmor.h
 create mode 100644 include/linux/lsm/bpf.h
 create mode 100644 include/linux/lsm/selinux.h
 create mode 100644 include/linux/lsm/smack.h

-- 
2.41.0