From: Kees Cook <keescook@chromium.org> To: James Morris <jmorris@namei.org> Cc: Kees Cook <keescook@chromium.org>, Casey Schaufler <casey@schaufler-ca.com>, John Johansen <john.johansen@canonical.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, "Schaufler, Casey" <casey.schaufler@intel.com>, LSM <linux-security-module@vger.kernel.org>, Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 00/29] LSM: Explict LSM ordering Date: Mon, 24 Sep 2018 17:18:03 -0700 [thread overview] Message-ID: <20180925001832.18322-1-keescook@chromium.org> (raw) v3: - add CONFIG_LSM_ENABLE and refactor resulting logic v2: - add "lsm.order=" and CONFIG_LSM_ORDER instead of overloading "security=" - reorganize introduction of ordering logic code Overview: This refactors the LSM registration and initialization infrastructure to more centrally support different LSM types for more cleanly supporting the future expansion of LSM stacking via the "blob-sharing" patch series. What was considered a "major" LSM is kept for legacy use of the "security=" boot parameter, and now overlaps with the new class of "exclusive" LSMs for the future blob sharing. The "minor" LSMs become more well defined as a result of the refactoring. Approach: To better show LSMs activation some debug reporting was added (enabled with the "lsm.debug" boot commandline option). I added a WARN() around LSM initialization failures, which appear to have always been silently ignored. (Realistically any LSM init failures would have only been due to catastrophic kernel issues that would render a system unworkable anyway, but it'd be better to expose the problem as early as possible.) Instead of continuing to (somewhat improperly) overload the kernel's initcall system, this changes the LSM infrastructure to store a registration structure (struct lsm_info) table instead, where metadata about each LSM can be recorded (name, flags, order, enable flag, init function). This can be extended in the future to include things like required blob size for the coming "blob sharing" LSMs. The "major" LSMs had to individually negotiate which of them should be enabled. This didn't provide a way to negotiate combinations of other LSMs (as will be needed for "blob sharing" LSMs). This is solved by providing the LSM infrastructure with all the details needed to make the choice (exposing the per-LSM "enabled" flag, if used, the LSM characteristics, and ordering expectations). As a result of the refactoring, the "minor" LSMs are able to remove the open-coded security_add_hooks() calls for "capability", "yama", and "loadpin", and to redefine "integrity" properly as a general LSM. (Note that "integrity" actually defined _no_ hooks, but needs the early initialization). With all LSMs being proessed centrally, it was possible to implement a new boot parameter "lsm.order=" to provide explicit ordering, which is helpful for the future "blob sharing" LSMs. Matching this is the new CONFIG_LSM_ORDER, which replaces CONFIG_DEFAULT_SECURITY, as it provides a higher granularity of control. Breakdown of patches: Infrastructure improvements (no logical changes): LSM: Correctly announce start of LSM initialization vmlinux.lds.h: Avoid copy/paste of security_init section LSM: Rename .security_initcall section to .lsm_info LSM: Remove initcall tracing LSM: Convert from initcall to struct lsm_info vmlinux.lds.h: Move LSM_TABLE into INIT_DATA LSM: Convert security_initcall() into DEFINE_LSM() LSM: Record LSM name in struct lsm_info LSM: Provide init debugging infrastructure LSM: Don't ignore initialization failures Split "integrity" out into "ordered initialization" (no logical changes): LSM: Introduce LSM_FLAG_LEGACY_MAJOR LSM: Provide separate ordered initialization Provide centralized LSM enable/disable infrastructure: LoadPin: Rename "enable" to "enforce" LSM: Plumb visibility into optional "enabled" state LSM: Lift LSM selection out of individual LSMs LSM: Prepare for arbitrary LSM enabling LSM: Introduce CONFIG_LSM_ENABLE LSM: Introduce lsm.enable= and lsm.disable= LSM: Prepare for reorganizing "security=" logic LSM: Refactor "security=" in terms of enable/disable Provide centralized LSM ordering infrastructure: LSM: Build ordered list of ordered LSMs for init LSM: Introduce CONFIG_LSM_ORDER LSM: Introduce "lsm.order=" for boottime ordering Move minor LSMs into ordered LSM initialization: LoadPin: Initialize as ordered LSM Yama: Initialize as ordered LSM LSM: Introduce enum lsm_order capability: Initialize as LSM_ORDER_FIRST Move major LSMs into ordered LSM initialization: LSM: Separate idea of "major" LSM from "exclusive" LSM LSM: Add all exclusive LSMs to ordered initialization -Kees .../admin-guide/kernel-parameters.txt | 20 + arch/arc/kernel/vmlinux.lds.S | 1 - arch/arm/kernel/vmlinux-xip.lds.S | 1 - arch/arm64/kernel/vmlinux.lds.S | 1 - arch/h8300/kernel/vmlinux.lds.S | 1 - arch/microblaze/kernel/vmlinux.lds.S | 2 - arch/powerpc/kernel/vmlinux.lds.S | 2 - arch/um/include/asm/common.lds.S | 2 - arch/xtensa/kernel/vmlinux.lds.S | 1 - include/asm-generic/vmlinux.lds.h | 25 +- include/linux/init.h | 2 - include/linux/lsm_hooks.h | 43 ++- include/linux/module.h | 1 - security/Kconfig | 61 ++- security/apparmor/lsm.c | 16 +- security/commoncap.c | 8 +- security/integrity/iint.c | 5 +- security/loadpin/Kconfig | 4 +- security/loadpin/loadpin.c | 28 +- security/security.c | 351 +++++++++++++++--- security/selinux/hooks.c | 16 +- security/smack/smack_lsm.c | 8 +- security/tomoyo/tomoyo.c | 7 +- security/yama/yama_lsm.c | 7 +- 24 files changed, 438 insertions(+), 175 deletions(-) -- 2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook) To: linux-security-module@vger.kernel.org Subject: [PATCH security-next v3 00/29] LSM: Explict LSM ordering Date: Mon, 24 Sep 2018 17:18:03 -0700 [thread overview] Message-ID: <20180925001832.18322-1-keescook@chromium.org> (raw) v3: - add CONFIG_LSM_ENABLE and refactor resulting logic v2: - add "lsm.order=" and CONFIG_LSM_ORDER instead of overloading "security=" - reorganize introduction of ordering logic code Overview: This refactors the LSM registration and initialization infrastructure to more centrally support different LSM types for more cleanly supporting the future expansion of LSM stacking via the "blob-sharing" patch series. What was considered a "major" LSM is kept for legacy use of the "security=" boot parameter, and now overlaps with the new class of "exclusive" LSMs for the future blob sharing. The "minor" LSMs become more well defined as a result of the refactoring. Approach: To better show LSMs activation some debug reporting was added (enabled with the "lsm.debug" boot commandline option). I added a WARN() around LSM initialization failures, which appear to have always been silently ignored. (Realistically any LSM init failures would have only been due to catastrophic kernel issues that would render a system unworkable anyway, but it'd be better to expose the problem as early as possible.) Instead of continuing to (somewhat improperly) overload the kernel's initcall system, this changes the LSM infrastructure to store a registration structure (struct lsm_info) table instead, where metadata about each LSM can be recorded (name, flags, order, enable flag, init function). This can be extended in the future to include things like required blob size for the coming "blob sharing" LSMs. The "major" LSMs had to individually negotiate which of them should be enabled. This didn't provide a way to negotiate combinations of other LSMs (as will be needed for "blob sharing" LSMs). This is solved by providing the LSM infrastructure with all the details needed to make the choice (exposing the per-LSM "enabled" flag, if used, the LSM characteristics, and ordering expectations). As a result of the refactoring, the "minor" LSMs are able to remove the open-coded security_add_hooks() calls for "capability", "yama", and "loadpin", and to redefine "integrity" properly as a general LSM. (Note that "integrity" actually defined _no_ hooks, but needs the early initialization). With all LSMs being proessed centrally, it was possible to implement a new boot parameter "lsm.order=" to provide explicit ordering, which is helpful for the future "blob sharing" LSMs. Matching this is the new CONFIG_LSM_ORDER, which replaces CONFIG_DEFAULT_SECURITY, as it provides a higher granularity of control. Breakdown of patches: Infrastructure improvements (no logical changes): LSM: Correctly announce start of LSM initialization vmlinux.lds.h: Avoid copy/paste of security_init section LSM: Rename .security_initcall section to .lsm_info LSM: Remove initcall tracing LSM: Convert from initcall to struct lsm_info vmlinux.lds.h: Move LSM_TABLE into INIT_DATA LSM: Convert security_initcall() into DEFINE_LSM() LSM: Record LSM name in struct lsm_info LSM: Provide init debugging infrastructure LSM: Don't ignore initialization failures Split "integrity" out into "ordered initialization" (no logical changes): LSM: Introduce LSM_FLAG_LEGACY_MAJOR LSM: Provide separate ordered initialization Provide centralized LSM enable/disable infrastructure: LoadPin: Rename "enable" to "enforce" LSM: Plumb visibility into optional "enabled" state LSM: Lift LSM selection out of individual LSMs LSM: Prepare for arbitrary LSM enabling LSM: Introduce CONFIG_LSM_ENABLE LSM: Introduce lsm.enable= and lsm.disable= LSM: Prepare for reorganizing "security=" logic LSM: Refactor "security=" in terms of enable/disable Provide centralized LSM ordering infrastructure: LSM: Build ordered list of ordered LSMs for init LSM: Introduce CONFIG_LSM_ORDER LSM: Introduce "lsm.order=" for boottime ordering Move minor LSMs into ordered LSM initialization: LoadPin: Initialize as ordered LSM Yama: Initialize as ordered LSM LSM: Introduce enum lsm_order capability: Initialize as LSM_ORDER_FIRST Move major LSMs into ordered LSM initialization: LSM: Separate idea of "major" LSM from "exclusive" LSM LSM: Add all exclusive LSMs to ordered initialization -Kees .../admin-guide/kernel-parameters.txt | 20 + arch/arc/kernel/vmlinux.lds.S | 1 - arch/arm/kernel/vmlinux-xip.lds.S | 1 - arch/arm64/kernel/vmlinux.lds.S | 1 - arch/h8300/kernel/vmlinux.lds.S | 1 - arch/microblaze/kernel/vmlinux.lds.S | 2 - arch/powerpc/kernel/vmlinux.lds.S | 2 - arch/um/include/asm/common.lds.S | 2 - arch/xtensa/kernel/vmlinux.lds.S | 1 - include/asm-generic/vmlinux.lds.h | 25 +- include/linux/init.h | 2 - include/linux/lsm_hooks.h | 43 ++- include/linux/module.h | 1 - security/Kconfig | 61 ++- security/apparmor/lsm.c | 16 +- security/commoncap.c | 8 +- security/integrity/iint.c | 5 +- security/loadpin/Kconfig | 4 +- security/loadpin/loadpin.c | 28 +- security/security.c | 351 +++++++++++++++--- security/selinux/hooks.c | 16 +- security/smack/smack_lsm.c | 8 +- security/tomoyo/tomoyo.c | 7 +- security/yama/yama_lsm.c | 7 +- 24 files changed, 438 insertions(+), 175 deletions(-) -- 2.17.1
next reply other threads:[~2018-09-25 0:20 UTC|newest] Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-09-25 0:18 Kees Cook [this message] 2018-09-25 0:18 ` [PATCH security-next v3 00/29] LSM: Explict LSM ordering Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 01/29] LSM: Correctly announce start of LSM initialization Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 19:53 ` James Morris 2018-10-01 21:05 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 02/29] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 19:56 ` James Morris 2018-10-01 21:05 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 03/29] LSM: Rename .security_initcall section to .lsm_info Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 19:57 ` James Morris 2018-10-01 21:06 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 04/29] LSM: Remove initcall tracing Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-26 16:35 ` Steven Rostedt 2018-09-26 16:35 ` Steven Rostedt 2018-09-26 18:35 ` Kees Cook 2018-09-26 18:35 ` Kees Cook 2018-09-30 23:25 ` Steven Rostedt 2018-09-30 23:25 ` Steven Rostedt 2018-10-01 1:01 ` Kees Cook 2018-10-01 1:01 ` Kees Cook 2018-10-01 21:07 ` John Johansen 2018-10-01 21:23 ` Steven Rostedt 2018-10-01 22:38 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 05/29] LSM: Convert from initcall to struct lsm_info Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 19:59 ` James Morris 2018-10-01 21:08 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 06/29] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:10 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 07/29] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:12 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 08/29] LSM: Record LSM name in struct lsm_info Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:13 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 09/29] LSM: Provide init debugging infrastructure Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:14 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 10/29] LSM: Don't ignore initialization failures Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:14 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 11/29] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:15 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 12/29] LSM: Provide separate ordered initialization Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:17 ` John Johansen 2018-10-01 22:03 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 13/29] LoadPin: Rename "enable" to "enforce" Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:17 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 14/29] LSM: Plumb visibility into optional "enabled" state Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:18 ` John Johansen 2018-10-01 21:47 ` James Morris 2018-10-01 21:56 ` Kees Cook 2018-10-01 22:20 ` John Johansen 2018-10-01 22:29 ` Kees Cook 2018-10-01 22:53 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 15/29] LSM: Lift LSM selection out of individual LSMs Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:18 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 16/29] LSM: Prepare for arbitrary LSM enabling Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:22 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 17/29] LSM: Introduce CONFIG_LSM_ENABLE Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:34 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 18/29] LSM: Introduce lsm.enable= and lsm.disable= Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:46 ` John Johansen 2018-10-01 22:27 ` Kees Cook 2018-10-01 22:48 ` John Johansen 2018-10-01 23:30 ` Kees Cook 2018-10-01 23:38 ` Kees Cook 2018-10-01 23:57 ` John Johansen 2018-10-01 23:44 ` John Johansen 2018-10-01 23:49 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 19/29] LSM: Prepare for reorganizing "security=" logic Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-10-01 21:47 ` John Johansen 2018-09-25 0:18 ` [PATCH security-next v3 20/29] LSM: Refactor "security=" in terms of enable/disable Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 21/29] LSM: Build ordered list of ordered LSMs for init Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 22/29] LSM: Introduce CONFIG_LSM_ORDER Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 23/29] LSM: Introduce "lsm.order=" for boottime ordering Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 24/29] LoadPin: Initialize as ordered LSM Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 25/29] Yama: " Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 26/29] LSM: Introduce enum lsm_order Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 27/29] capability: Initialize as LSM_ORDER_FIRST Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 28/29] LSM: Separate idea of "major" LSM from "exclusive" LSM Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-25 0:18 ` [PATCH security-next v3 29/29] LSM: Add all exclusive LSMs to ordered initialization Kees Cook 2018-09-25 0:18 ` Kees Cook 2018-09-28 15:55 ` [PATCH security-next v3 00/29] LSM: Explict LSM ordering Casey Schaufler 2018-09-28 15:55 ` Casey Schaufler 2018-09-28 20:01 ` Kees Cook 2018-09-28 20:01 ` Kees Cook 2018-09-28 20:25 ` Stephen Smalley 2018-09-28 20:25 ` Stephen Smalley 2018-09-28 20:33 ` Stephen Smalley 2018-09-28 20:33 ` Stephen Smalley 2018-09-28 20:54 ` Kees Cook 2018-09-28 20:54 ` Kees Cook 2018-09-29 10:48 ` Tetsuo Handa 2018-09-29 10:48 ` Tetsuo Handa 2018-09-29 18:18 ` Kees Cook 2018-09-29 18:18 ` Kees Cook 2018-09-30 2:36 ` Tetsuo Handa 2018-09-30 2:36 ` Tetsuo Handa 2018-09-30 16:57 ` Kees Cook 2018-09-30 16:57 ` Kees Cook 2018-09-29 18:19 ` John Johansen 2018-09-29 18:19 ` John Johansen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180925001832.18322-1-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=casey.schaufler@intel.com \ --cc=casey@schaufler-ca.com \ --cc=corbet@lwn.net \ --cc=jmorris@namei.org \ --cc=john.johansen@canonical.com \ --cc=linux-arch@vger.kernel.org \ --cc=linux-doc@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=paul@paul-moore.com \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sds@tycho.nsa.gov \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.