From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH 00/58] LSM: Module stacking for AppArmor
Date: Fri, 31 May 2019 16:30:51 -0700 [thread overview]
Message-ID: <20190531233149.715-1-casey@schaufler-ca.com> (raw)
This patchset provides the changes required for
the AppArmor security module to stack safely with any other.
A new process attribute identifies which security module
information should be reported by SO_PEERSEC and the
/proc/.../attr/current interface. This is provided by
/proc/.../attr/display. Writing the name of the security
module desired to this interface will set which LSM hooks
will be called for this information. The first security
module providing the hooks will be used by default.
The use of integer based security tokens (secids) is
generally (but not completely) replaced by a structure
lsm_export. The lsm_export structure can contain information
for each of the security modules that export information
outside the LSM layer.
The LSM interfaces that provide "secctx" text strings
have been changed to use a structure "lsm_context"
instead of a pointer/length pair. In some cases the
interfaces used a "char *" pointer and in others a
"void *". This was necessary to ensure that the correct
release mechanism for the text is used. It also makes
many of the interfaces cleaner.
https://github.com/cschaufler/lsm-stacking.git#stack-5.2-v1-apparmor
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
drivers/android/binder.c | 25 ++-
fs/kernfs/dir.c | 6 +-
fs/kernfs/inode.c | 31 ++-
fs/kernfs/kernfs-internal.h | 3 +-
fs/nfs/inode.c | 13 +-
fs/nfs/internal.h | 8 +-
fs/nfs/nfs4proc.c | 17 +-
fs/nfs/nfs4xdr.c | 16 +-
fs/nfsd/nfs4proc.c | 8 +-
fs/nfsd/nfs4xdr.c | 14 +-
fs/nfsd/vfs.c | 7 +-
fs/proc/base.c | 1 +
include/linux/cred.h | 3 +-
include/linux/lsm_hooks.h | 91 +++++----
include/linux/nfs4.h | 8 +-
include/linux/security.h | 133 +++++++++----
include/net/af_unix.h | 2 +-
include/net/netlabel.h | 10 +-
include/net/scm.h | 14 +-
kernel/audit.c | 43 ++--
kernel/audit.h | 9 +-
kernel/auditfilter.c | 6 +-
kernel/auditsc.c | 77 ++++----
kernel/cred.c | 15 +-
net/ipv4/cipso_ipv4.c | 13 +-
net/ipv4/ip_sockglue.c | 12 +-
net/netfilter/nf_conntrack_netlink.c | 29 ++-
net/netfilter/nf_conntrack_standalone.c | 16 +-
net/netfilter/nfnetlink_queue.c | 38 ++--
net/netfilter/nft_meta.c | 13 +-
net/netfilter/xt_SECMARK.c | 14 +-
net/netlabel/netlabel_kapi.c | 5 +-
net/netlabel/netlabel_unlabeled.c | 101 +++++-----
net/netlabel/netlabel_unlabeled.h | 2 +-
net/netlabel/netlabel_user.c | 13 +-
net/netlabel/netlabel_user.h | 2 +-
net/unix/af_unix.c | 6 +-
security/apparmor/audit.c | 4 +-
security/apparmor/include/audit.h | 2 +-
security/apparmor/include/net.h | 6 +-
security/apparmor/include/secid.h | 9 +-
security/apparmor/lsm.c | 64 +++---
security/apparmor/secid.c | 42 ++--
security/integrity/ima/ima.h | 14 +-
security/integrity/ima/ima_api.c | 9 +-
security/integrity/ima/ima_appraise.c | 6 +-
security/integrity/ima/ima_main.c | 34 ++--
security/integrity/ima/ima_policy.c | 19 +-
security/security.c | 338 +++++++++++++++++++++++++++-----
security/selinux/hooks.c | 259 ++++++++++++------------
security/selinux/include/audit.h | 5 +-
security/selinux/include/objsec.h | 42 +++-
security/selinux/netlabel.c | 25 +--
security/selinux/ss/services.c | 18 +-
security/smack/smack.h | 18 ++
security/smack/smack_lsm.c | 238 +++++++++++-----------
security/smack/smack_netfilter.c | 8 +-
security/smack/smackfs.c | 12 +-
58 files changed, 1217 insertions(+), 779 deletions(-)
next reply other threads:[~2019-05-31 23:32 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-31 23:30 Casey Schaufler [this message]
2019-05-31 23:30 ` [PATCH 01/58] LSM: Infrastructure management of the superblock Casey Schaufler
2019-05-31 23:30 ` [PATCH 02/58] LSM: Infrastructure management of the sock security Casey Schaufler
2019-05-31 23:30 ` [PATCH 03/58] LSM: Infrastructure management of the key security blob Casey Schaufler
2019-05-31 23:30 ` [PATCH 04/58] LSM: Create an lsm_export data structure Casey Schaufler
2019-05-31 23:30 ` [PATCH 05/58] LSM: Use lsm_export in the inode_getsecid hooks Casey Schaufler
2019-05-31 23:30 ` [PATCH 06/58] LSM: Use lsm_export in the cred_getsecid hooks Casey Schaufler
2019-05-31 23:30 ` [PATCH 07/58] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks Casey Schaufler
2019-05-31 23:30 ` [PATCH 08/58] LSM: Use lsm_export in the kernel_ask_as hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 09/58] LSM: Use lsm_export in the getpeersec_dgram hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 10/58] LSM: Use lsm_export in the audit_rule_match hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 11/58] LSM: Use lsm_export in the secid_to_secctx hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 12/58] LSM: Use lsm_export in the secctx_to_secid hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 13/58] LSM: Use lsm_export in security_audit_rule_match Casey Schaufler
2019-05-31 23:31 ` [PATCH 14/58] LSM: Use lsm_export in security_kernel_act_as Casey Schaufler
2019-05-31 23:31 ` [PATCH 15/58] LSM: Use lsm_export in security_socket_getpeersec_dgram Casey Schaufler
2019-05-31 23:31 ` [PATCH 16/58] LSM: Use lsm_export in security_secctx_to_secid Casey Schaufler
2019-05-31 23:31 ` [PATCH 17/58] LSM: Use lsm_export in security_secid_to_secctx Casey Schaufler
-- strict thread matches above, loose matches on Subject: below --
2019-06-02 16:50 [PATCH 00/58] LSM: Module stacking for AppArmor Casey Schaufler
2019-06-04 12:29 ` Stephen Smalley
2019-06-04 16:14 ` Casey Schaufler
2019-06-04 17:11 ` Stephen Smalley
2019-06-04 19:58 ` Casey Schaufler
2019-06-04 20:34 ` Stephen Smalley
2019-06-04 20:42 ` James Morris
2019-06-04 21:19 ` Casey Schaufler
2019-06-07 13:03 ` José Bollo
2019-06-05 1:50 ` John Johansen
2019-06-05 3:08 ` James Morris
2019-06-05 5:03 ` John Johansen
2019-06-05 20:53 ` James Morris
2019-06-05 21:43 ` John Johansen
2019-06-05 22:28 ` James Morris
2019-05-31 23:09 Casey Schaufler
2019-06-01 15:13 ` Kees Cook
2019-06-02 2:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190531233149.715-1-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.