[RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Stephen Smalley <sds@tycho.nsa.gov>
Subject: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality
Date: Wed, 30 Oct 2019 09:16:33 -0400	[thread overview]
Message-ID: <20191030131633.9356-1-sds@tycho.nsa.gov> (raw)

Add SELinux access control hooks for lockdown integrity and
confidentiality. This effectively mimics the current implementation of
lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
then the lockdown access control will take precedence over the SELinux
lockdown implementation.

Note that this SELinux implementation allows the integrity and
confidentiality reasons to be controlled independently from one another.
Thus, in an SELinux policy, one could allow integrity operations while
blocking confidentiality operations.

(original patch authored by an intern who wishes to remain anonymous;
I am signing off on his behalf)

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c            | 22 ++++++++++++++++++++++
 security/selinux/include/classmap.h |  2 ++
 2 files changed, 24 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 36e531b91df2..6722c6b4ae74 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
 #include <uapi/linux/mount.h>
 #include <linux/fsnotify.h>
 #include <linux/fanotify.h>
+#include <linux/security.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -6799,6 +6800,25 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
 }
 #endif
 
+static int selinux_lockdown(enum lockdown_reason what)
+{
+	u32 sid = current_sid();
+
+	if (what <= LOCKDOWN_INTEGRITY_MAX)
+		return avc_has_perm(&selinux_state,
+				sid, sid,
+				SECCLASS_LOCKDOWN, LOCKDOWN__INTEGRITY, NULL);
+	else if (what <= LOCKDOWN_CONFIDENTIALITY_MAX)
+		return avc_has_perm(&selinux_state,
+				sid, sid,
+				SECCLASS_LOCKDOWN, LOCKDOWN__CONFIDENTIALITY,
+				NULL);
+
+	/* invalid reason */
+	pr_warn("SELinux: invalid lockdown reason\n");
+	return -EPERM;
+}
+
 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
 	.lbs_cred = sizeof(struct task_security_struct),
 	.lbs_file = sizeof(struct file_security_struct),
@@ -7042,6 +7062,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
 #endif
+
+	LSM_HOOK_INIT(locked_down, selinux_lockdown),
 };
 
 static __init int selinux_init(void)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 32e9b03be3dd..594c32febcd8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -244,6 +244,8 @@ struct security_class_mapping secclass_map[] = {
 	  {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
 	{ "xdp_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "lockdown",
+	  { "integrity", "confidentiality", NULL } },
 	{ NULL }
   };
 
-- 
2.23.0

