Received: by 10.223.164.202 with SMTP id h10csp857817wrb;
        Sun, 26 Nov 2017 14:17:54 -0800 (PST)
X-Google-Smtp-Source: AGs4zMbv1NEjKSFNWQWp4OxKU4/C6kiZbCICQdcvpSzOLd7UNXtCMUNeMkCZ84fJBfhbF2zm+kxR
X-Received: by 10.159.242.4 with SMTP id t4mr35699805plr.411.1511734674282;
        Sun, 26 Nov 2017 14:17:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511734674; cv=none;
        d=google.com; s=arc-20160816;
        b=vK8jS8nnV5dRTtO3i+kINJcZNaAOYHcwf2HyuHTKxTsL0MsEwAuvXDoSD/tui9pmhJ
         1oc/Snpr3yHo1loIh0X3V7jUqZWXmhMyameBQTOTR6w8tnubTKj+M75IRZAv0+OFMj7T
         9EexUYWZ1b5xWR7gtrO92GbhzFZhCaqCG86EDmEIbQUMj1Co1dual/IqmF1FfqXWMCJY
         wRmtwmfZTKLANn2OeHS5LnppBpx/g2AeDy27Ryz7JMshNyO5EUOYWwIFqgwk6/wNZGlE
         WxL7e++61ZbiFH5ZtVkLnzGRrVGCtf1ldcmmwCILi85WeR38tZiZWJgxc5texpTWcuhh
         whEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:content-disposition
         :mime-version:message-id:subject:cc:to:date:from:dkim-signature
         :arc-authentication-results;
        bh=UDU0SUlD83Ag/hN7iJNGN3JY/3zPQiiUkZZNlrs51Kc=;
        b=tmzZi0tAOd925M/K4cO2qRAbK+QuOeojjLLymCB84XYzBRKJJqagwZ3w4y0AVikDIw
         W2NIYYOjzx2eWaKPLqqa4789TGL+h7ISOkyt2+QWVq6iNmDwsIxJXRWZspCA3OPCE7/E
         7Bxk2IP7kUIUWwCUEBFhXYRhbWZNumckgFvmCBjK/U/79uVWYTFx33fVmcqdcrhHLoE+
         m0OowL0W/vHwETeyWLvIfmqona6EiVpYELEobpyfQBnNaqOHRq+vWQA4JPPwsKP6Zqvw
         ODX8LDbwWZe/y0QHYT0978cYUiBtbMIMkc+UfTR2dM/z0tLtClLMJdfdCIhjDQlwP1OV
         ycew==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b=Q5pFCcRi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d7si6807254pgv.92.2017.11.26.14.17.42;
        Sun, 26 Nov 2017 14:17:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b=Q5pFCcRi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752110AbdKZWPv (ORCPT <rfc822;xqjcool@gmail.com> + 78 others);
        Sun, 26 Nov 2017 17:15:51 -0500
Received: from mail-it0-f66.google.com ([209.85.214.66]:32880 "EHLO
        mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751816AbdKZWPu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 26 Nov 2017 17:15:50 -0500
Received: by mail-it0-f66.google.com with SMTP id o130so18863848itg.0
        for <linux-kernel@vger.kernel.org>; Sun, 26 Nov 2017 14:15:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sargun.me; s=google;
        h=from:date:to:cc:subject:message-id:mime-version:content-disposition
         :user-agent;
        bh=UDU0SUlD83Ag/hN7iJNGN3JY/3zPQiiUkZZNlrs51Kc=;
        b=Q5pFCcRiPSYKSuTwSrObaPz7mCPSyUsumC6ZHUfd0QUmG6od/+W20XS4/r2Udthh6W
         5dAd94yo1NeXbJ8ehlaj9XDqolaBSPDsheTtltkHQ2Io57+OGfe6xnEsaPV8XRTL/lB4
         Y0UTxr2tqVMESfiM7N3NhMYVQfjaSV9i9GaCU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:date:to:cc:subject:message-id:mime-version
         :content-disposition:user-agent;
        bh=UDU0SUlD83Ag/hN7iJNGN3JY/3zPQiiUkZZNlrs51Kc=;
        b=IFAERtj5XEn5Ubzs2FcVWJcgM4wWoq+TsTqJFHZhwaVmUc62ldC80wy6joQ7vRhlPJ
         m4on5zeCydicGKZhQGS+suaS3cKHi6VtG13dWb4JRuHu2i7DyKYmKYnpZB/GQCAsfX4w
         HMmvJyXonTJ8Z/2vyH/l7quxItdZ9Nl1BNSSNY2TO27FrW2yU3aOSASVncK+pSQ1nXJs
         aqbmHVkJWOITcQfqorSGt1nZ1y2bwg8jud84fCo5u8zZQ9MJflWmS0p+bm68X7JQJkLm
         h2BcOjeeIHkDLVe1twyRBhlEmKtb4kuT69gDVJKm3B3p/rbSKqziysrnxvPA+5CCA2Bs
         5i3g==
X-Gm-Message-State: AJaThX4fkRXDa9RliiJJ3Qt5dg3EQ9VXmvuCRdcrmTE7jEuMrWxQ4XJ2
        Ni+iD9xGtCUigsu3p5PxntTokw==
X-Received: by 10.36.121.150 with SMTP id z144mr1997330itc.140.1511734549426;
        Sun, 26 Nov 2017 14:15:49 -0800 (PST)
Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80])
        by smtp.gmail.com with ESMTPSA id m21sm25637itb.43.2017.11.26.14.15.48
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 26 Nov 2017 14:15:48 -0800 (PST)
From:   Sargun Dhillon <sargun@sargun.me>
X-Google-Original-From: Sargun Dhillon <sargun@netflix.com>
Date:   Sun, 26 Nov 2017 22:15:47 +0000
To:     linux-security-module@vger.kernel.org
Cc:     keescook@chromium.org, igor.stoppa@huawei.com,
        casey@schaufler-ca.com, linux-kernel@vger.kernel.org
Subject: [RFC 0/3] Safe, dynamically (un)loadable LSMs
Message-ID: <20171126221545.GA13751@ircssh-2.c.rugged-nimbus-611.internal>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patchset introduces safe dynamic LSM support. It does this via
SRCU-protected security hooks. It also EXPORT_SYMBOL_GPLs the symbols
required to perform runtime loading, and unloading. The patchset is
meant to introduce as little overhead as possible when not used.
Additionally, the functionality is disabled by default.

The SRCU was made safe to call from an interrupt context in the patch
"srcu: Allow use of Classic SRCU from both process and interrupt context"
(1123a6041654e8f889014659593bad4168e542c2) by Paolo Bonzini. Therefore
this mechanism is safe to use for traversal of the callback list,
even when a hook is called from the interrupt context.

Currently, this maintains an entirely seperate mechanism to attach hooks
because the hooks are behind managed static_keys to prevent overhead.
This is also done so sealable memory support could be added at a later
point. The callbacks currently include a percpu_counter, but that could
sit outside of the struct itself. This may also have a benefit that these
counters, could have __cacheline_aligned_in_smp. Although, in my testing
I was unable to find much performance delta with percpu_counters that
were not aligned.

It includes an example LSM that prevents specific time travel.

Sargun Dhillon (3):
  security: Add safe, dynamic (runtime-loadable) hook support
  LSM: Add statistics about the invocation of dynamic hooks
  LSM: Add an example sample dynamic LSM

 include/linux/lsm_hooks.h | 254 +++++++++++++++++++++++++++++++++++++
 samples/Kconfig           |   6 +
 samples/Makefile          |   2 +-
 samples/lsm/Makefile      |   4 +
 samples/lsm/lsm_example.c |  46 +++++++
 security/Kconfig          |  16 +++
 security/Makefile         |   2 +
 security/dynamic.c        | 316 ++++++++++++++++++++++++++++++++++++++++++++++
 security/dynamic.h        |  33 +++++
 security/dynamicfs.c      | 118 +++++++++++++++++
 security/inode.c          |   2 +
 security/security.c       |  66 +++++++++-
 12 files changed, 863 insertions(+), 2 deletions(-)
 create mode 100644 samples/lsm/Makefile
 create mode 100644 samples/lsm/lsm_example.c
 create mode 100644 security/dynamic.c
 create mode 100644 security/dynamic.h
 create mode 100644 security/dynamicfs.c

-- 
2.9.3


From 1586148078760855892@xxx Thu Dec 07 17:44:44 +0000 2017
X-GM-THRID: 1586148078760855892
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread