From: "José Bollo" <jobol@nonadev.net>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: Re: [PATCH 00/58] LSM: Module stacking for AppArmor
Date: Fri, 7 Jun 2019 15:03:45 +0200 [thread overview]
Message-ID: <20190607150345.295c87c8@d-jobol.iot.bzh> (raw)
In-Reply-To: <66a87b0b-b6f4-74ff-2e51-afc8e2d30de1@schaufler-ca.com>
On Tue, 4 Jun 2019 09:14:42 -0700
Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 6/4/2019 5:29 AM, Stephen Smalley wrote:
> > On 6/2/19 12:50 PM, Casey Schaufler wrote:
> >> This patchset provides the changes required for
> >> the AppArmor security module to stack safely with any other.
> >
> > Please explain the motivation
>
> I'll add some explanation for the next revision.
> It won't be anything that I haven't posted many times
> before, but you're right that it belongs in the log.
>
> > - why do we want to allow AppArmor to stack with other modules,
>
> First, is there a reason not to? Sure, you can confuse
> administrators by implementing complex security policies,
> but there are lots of ways to do that already.
>
> AppArmor provides a different security model than SELinux,
> TOMOYO or Smack. Smack is better at system component
> separation, while AppArmor is better at application isolation.
> It's a win to use each to its strength rather than trying to
> stretch either to the edge of what it can do.
>
> > who would use it,
Hi all,
I would like to expose a potential use of interest for me: being able
to have containers running Smack on Ubuntu or Fedora platforms.
But it could also be interesting for running a container having fedora
on ubuntu or suse or the opposite.
How it will work? Will it work? Ask Casey.
just my 2 pennies
José Bollo
> Can't name names, but there have been multiple requests.
>
> > how would it be used,
>
> As mentioned above, Smack for system separation, AppArmor for
> application isolation.
>
> > what does it provide that isn't already possible in the absence of
> > it.
>
> It's not necessary that something be impossible to do any
> other way. The question should be whether this provides for
> a better way to achieve the goals, and this does that.
> If I tried the come up with something that's impossible I
> would expect the usual "you can do that with SELinux policy"
> argument. We know we can do things. We want to have the tools
> to do them better.
>
> > Also, Ubuntu fully upstreamed all of their changes to AppArmor,
> > would this still suffice to enable stacking of AppArmor or do they
> > rely on hooks that are not handled here?
>
> Some amount of merging will likely be required. But that's
> always going to be true with parallel development tracks.
> That's why we have git!
>
> > Please explain the cost of the change - what do we pay in terms of
> > memory, runtime, or other overheads in order to support this
> > change?
>
> Do you have particular benchmarks you want to see?
> When I've supplied numbers in the past they have not
> been remarked on.
>
> >
> >>
> >> A new process attribute identifies which security module
> >> information should be reported by SO_PEERSEC and the
> >> /proc/.../attr/current interface. This is provided by
> >> /proc/.../attr/display. Writing the name of the security
> >> module desired to this interface will set which LSM hooks
> >> will be called for this information. The first security
> >> module providing the hooks will be used by default.
> >
> > Doesn't this effectively undo making the hooks read-only after
> > init, at least for the subset involved? What are the security
> > implications thereof?
>
> Any mechanism, be it a separate set of hooks, a name used to
> do list look ups, or an sophisticated hash scheme will have that
> impact for the processes that use it. This scheme has the best
> performance profile of the mechanisms I experimented with and
> avoids all sorts of special cases.
>
> >
> >> The use of integer based security tokens (secids) is
> >> generally (but not completely) replaced by a structure
> >> lsm_export. The lsm_export structure can contain information
> >> for each of the security modules that export information
> >> outside the LSM layer.
> >>
> >> The LSM interfaces that provide "secctx" text strings
> >> have been changed to use a structure "lsm_context"
> >> instead of a pointer/length pair. In some cases the
> >> interfaces used a "char *" pointer and in others a
> >> "void *". This was necessary to ensure that the correct
> >> release mechanism for the text is used. It also makes
> >> many of the interfaces cleaner.
> >>
> >> https://github.com/cschaufler/lsm-stacking.git#stack-5.2-v1-apparmor
> >>
> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >> ---
> >> drivers/android/binder.c | 25 ++-
> >> fs/kernfs/dir.c | 6 +-
> >> fs/kernfs/inode.c | 31 ++-
> >> fs/kernfs/kernfs-internal.h | 3 +-
> >> fs/nfs/inode.c | 13 +-
> >> fs/nfs/internal.h | 8 +-
> >> fs/nfs/nfs4proc.c | 17 +-
> >> fs/nfs/nfs4xdr.c | 16 +-
> >> fs/nfsd/nfs4proc.c | 8 +-
> >> fs/nfsd/nfs4xdr.c | 14 +-
> >> fs/nfsd/vfs.c | 7 +-
> >> fs/proc/base.c | 1 +
> >> include/linux/cred.h | 3 +-
> >> include/linux/lsm_hooks.h | 91 +++++----
> >> include/linux/nfs4.h | 8 +-
> >> include/linux/security.h | 133 +++++++++----
> >> include/net/af_unix.h | 2 +-
> >> include/net/netlabel.h | 10 +-
> >> include/net/scm.h | 14 +-
> >> kernel/audit.c | 43 ++--
> >> kernel/audit.h | 9 +-
> >> kernel/auditfilter.c | 6 +-
> >> kernel/auditsc.c | 77 ++++----
> >> kernel/cred.c | 15 +-
> >> net/ipv4/cipso_ipv4.c | 13 +-
> >> net/ipv4/ip_sockglue.c | 12 +-
> >> net/netfilter/nf_conntrack_netlink.c | 29 ++-
> >> net/netfilter/nf_conntrack_standalone.c | 16 +-
> >> net/netfilter/nfnetlink_queue.c | 38 ++--
> >> net/netfilter/nft_meta.c | 13 +-
> >> net/netfilter/xt_SECMARK.c | 14 +-
> >> net/netlabel/netlabel_kapi.c | 5 +-
> >> net/netlabel/netlabel_unlabeled.c | 101 +++++-----
> >> net/netlabel/netlabel_unlabeled.h | 2 +-
> >> net/netlabel/netlabel_user.c | 13 +-
> >> net/netlabel/netlabel_user.h | 2 +-
> >> net/unix/af_unix.c | 6 +-
> >> security/apparmor/audit.c | 4 +-
> >> security/apparmor/include/audit.h | 2 +-
> >> security/apparmor/include/net.h | 6 +-
> >> security/apparmor/include/secid.h | 9 +-
> >> security/apparmor/lsm.c | 64 +++---
> >> security/apparmor/secid.c | 42 ++--
> >> security/integrity/ima/ima.h | 14 +-
> >> security/integrity/ima/ima_api.c | 9 +-
> >> security/integrity/ima/ima_appraise.c | 6 +-
> >> security/integrity/ima/ima_main.c | 34 ++--
> >> security/integrity/ima/ima_policy.c | 19 +-
> >> security/security.c | 338
> >> +++++++++++++++++++++++++++-----
> >> security/selinux/hooks.c | 259
> >> ++++++++++++------------ security/selinux/include/audit.h
> >> | 5 +- security/selinux/include/objsec.h | 42 +++-
> >> security/selinux/netlabel.c | 25 +--
> >> security/selinux/ss/services.c | 18 +-
> >> security/smack/smack.h | 18 ++
> >> security/smack/smack_lsm.c | 238
> >> +++++++++++----------- security/smack/smack_netfilter.c |
> >> 8 +- security/smack/smackfs.c | 12 +- 58 files
> >> changed, 1217 insertions(+), 779 deletions(-)
> >
next prev parent reply other threads:[~2019-06-07 13:09 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-02 16:50 [PATCH 00/58] LSM: Module stacking for AppArmor Casey Schaufler
2019-06-02 16:50 ` [PATCH 01/58] LSM: Infrastructure management of the superblock Casey Schaufler
2019-06-02 16:50 ` [PATCH 02/58] LSM: Infrastructure management of the sock security Casey Schaufler
2019-06-02 16:50 ` [PATCH 03/58] LSM: Infrastructure management of the key security blob Casey Schaufler
2019-06-02 16:50 ` [PATCH 04/58] LSM: Create an lsm_export data structure Casey Schaufler
2019-06-02 16:50 ` [PATCH 05/58] LSM: Use lsm_export in the inode_getsecid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 06/58] LSM: Use lsm_export in the cred_getsecid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 07/58] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 08/58] LSM: Use lsm_export in the kernel_ask_as hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 09/58] LSM: Use lsm_export in the getpeersec_dgram hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 10/58] LSM: Use lsm_export in the audit_rule_match hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 11/58] LSM: Use lsm_export in the secid_to_secctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 12/58] LSM: Use lsm_export in the secctx_to_secid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 13/58] LSM: Use lsm_export in security_audit_rule_match Casey Schaufler
2019-06-02 16:50 ` [PATCH 14/58] LSM: Use lsm_export in security_kernel_act_as Casey Schaufler
2019-06-02 16:50 ` [PATCH 15/58] LSM: Use lsm_export in security_socket_getpeersec_dgram Casey Schaufler
2019-06-02 16:50 ` [PATCH 16/58] LSM: Use lsm_export in security_secctx_to_secid Casey Schaufler
2019-06-02 16:50 ` [PATCH 17/58] LSM: Use lsm_export in security_secid_to_secctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 18/58] LSM: Use lsm_export in security_ipc_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 19/58] LSM: Use lsm_export in security_task_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 20/58] LSM: Use lsm_export in security_inode_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 21/58] LSM: Use lsm_export in security_cred_getsecid Casey Schaufler
2019-06-02 16:50 ` [PATCH 22/58] Audit: Change audit_sig_sid to audit_sig_lsm Casey Schaufler
2019-06-02 16:50 ` [PATCH 23/58] Audit: Convert target_sid to an lsm_export structure Casey Schaufler
2019-06-02 16:50 ` [PATCH 24/58] Audit: Convert osid " Casey Schaufler
2019-06-02 16:50 ` [PATCH 25/58] IMA: Clean out lsm_export scaffolding Casey Schaufler
2019-06-02 16:50 ` [PATCH 26/58] NET: Change the UNIXCB from a secid to an lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 27/58] NET: Remove scaffolding on secmarks Casey Schaufler
2019-06-02 16:50 ` [PATCH 28/58] NET: Remove scaffolding on new secmarks Casey Schaufler
2019-06-02 16:50 ` [PATCH 29/58] NET: Remove netfilter scaffolding for lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 30/58] Netlabel: Replace secids with lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 31/58] LSM: Remove lsm_export scaffolding functions Casey Schaufler
2019-06-02 16:50 ` [PATCH 32/58] IMA: FIXUP prototype using lsm_export Casey Schaufler
2019-06-02 16:50 ` [PATCH 33/58] Smack: Restore the release_secctx hook Casey Schaufler
2019-06-02 16:50 ` [PATCH 34/58] AppArmor: Remove unnecessary hook stub Casey Schaufler
2019-06-02 16:50 ` [PATCH 35/58] LSM: Limit calls to certain module hooks Casey Schaufler
2019-06-10 10:20 ` Ondrej Mosnacek
2019-06-02 16:50 ` [PATCH 36/58] LSM: Create a data structure for a security context Casey Schaufler
2019-06-02 16:50 ` [PATCH 37/58] LSM: Use lsm_context in secid_to_secctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 38/58] LSM: Use lsm_context in secctx_to_secid hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 39/58] LSM: Use lsm_context in inode_getsecctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 40/58] LSM: Use lsm_context in inode_notifysecctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 41/58] LSM: Use lsm_context in dentry_init_security hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 42/58] LSM: Use lsm_context in security_dentry_init_security Casey Schaufler
2019-06-02 16:50 ` [PATCH 43/58] LSM: Use lsm_context in security_inode_notifysecctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 44/58] LSM: Use lsm_context in security_inode_getsecctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 45/58] LSM: Use lsm_context in security_secctx_to_secid Casey Schaufler
2019-06-02 16:50 ` [PATCH 46/58] LSM: Use lsm_context in release_secctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 47/58] LSM: Use lsm_context in security_release_secctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 48/58] LSM: Use lsm_context in security_secid_to_secctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 49/58] fs: remove lsm_context scaffolding Casey Schaufler
2019-06-02 16:50 ` [PATCH 50/58] LSM: Add the release function to the lsm_context Casey Schaufler
2019-06-02 16:50 ` [PATCH 51/58] LSM: Use lsm_context in inode_setsecctx hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 52/58] LSM: Use lsm_context in security_inode_setsecctx Casey Schaufler
2019-06-02 16:50 ` [PATCH 53/58] kernfs: remove lsm_context scaffolding Casey Schaufler
2019-06-02 16:50 ` [PATCH 54/58] LSM: Remove unused macro Casey Schaufler
2019-06-02 16:50 ` [PATCH 55/58] LSM: Special handling for secctx lsm hooks Casey Schaufler
2019-06-02 16:50 ` [PATCH 56/58] SELinux: Use blob offset in current_sid Casey Schaufler
2019-06-02 16:51 ` [PATCH 57/58] LSM: Specify which LSM to display Casey Schaufler
2019-06-02 16:51 ` [PATCH 58/58] AppArmor: Remove the exclusive flag Casey Schaufler
2019-06-04 12:29 ` [PATCH 00/58] LSM: Module stacking for AppArmor Stephen Smalley
2019-06-04 16:14 ` Casey Schaufler
2019-06-04 17:11 ` Stephen Smalley
2019-06-04 19:58 ` Casey Schaufler
2019-06-04 20:34 ` Stephen Smalley
2019-06-04 20:42 ` James Morris
2019-06-04 21:19 ` Casey Schaufler
2019-06-07 13:03 ` José Bollo [this message]
2019-06-05 1:50 ` John Johansen
2019-06-05 3:08 ` James Morris
2019-06-05 5:03 ` John Johansen
2019-06-05 20:53 ` James Morris
2019-06-05 21:43 ` John Johansen
2019-06-05 22:28 ` James Morris
-- strict thread matches above, loose matches on Subject: below --
2019-05-31 23:30 Casey Schaufler
2019-05-31 23:09 Casey Schaufler
2019-06-01 15:13 ` Kees Cook
2019-06-02 2:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190607150345.295c87c8@d-jobol.iot.bzh \
--to=jobol@nonadev.net \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.