[PATCH v7 00/16] LSM: Full module stacking

[Casey Schaufler <casey@schaufler-ca.com>]

Provide mechanisms for security modules that use network interfaces
to operate on the same system safely. Provide mechanisms for kerfs
to maintain information about all the security modules active on
a system. With these mechanisms in place, any combination of
existing security modules can be used. 

It is not clear that all issues with the integrity calls have
been addressed. Any review there would be much appreciated.
There should be a mechanism in netfilter to identify which
security module a given rule is associated with, but none is
proposed here. Instead, the module first registered is given
the secmark. Labeled NFS is an incomplete implementation,
missing the "LFS" data needed to identify the format of the
labels passed. The first registered assumption is made here
as well. The Netlabel restriction that all sent attributes must
be agreeable to all modules is reasonable. The implementation
is awkward, and insights into improvement would be most welcome.

It is important to be aware that while the mechanisms have
been made cohabitational, there is no guarantee that the policies
imposed by the security modules will be compatible. The handling
of unlabeled IP packets using Netlabel is very different in
SELinux and Smack. The use of capabilities is also very different
in those modules.

This has been tested on Fedora29 and Ubuntu19.04 using
unmodified policies. The SELinux test suite demonstrates
policy conflict issues when used with Smack.

Patches 0001-0002 change the secmark_refcount LSM interfaces
to call only the first registered security module's hooks.
Smack is modified to use these interfaces to determine if the
Internet Protocol secmark is meaningful to Smack.

Patches 0003 and 0009 refactor security_inode_init_security() to
accomodate integrity checking on multiple active security
attributes.

Patch 0004 updates security_inode_listsecurity() to provide
multiple security attributes instead of just one.

Patches 0005-0007 address NFS and kernfs. Labeled nfs has no
mechanism to identify what kind of label (e.g. CIPSO or Flask)
that is being sent across the wire, so an arbitrary choice must
be made on how NFS labels are handled. The module in lsmslot 0
is always used. Kernfs uses context strings to store security
attributes, so those are now saved in the "compound" format.

Patch 0008 provides infrastructure management of mount
option data.

Patch 0010 addresses the case where one security module may fail
to provide a valid secid on datagrams where another succeeds.

Patches 0011-0015 allow the LSM infrastructure to check whether
the security modules agree on network security attributes when
netlabel is being used.

Patch 0016 removes the exclusive flag from Smack.

A note on the "v7" designation: This depends on the stack-5.2-v7-apparmor
patches provided earlier. Since that is "v7" I've used the same number
here in the hopes that it will reduce confusion.

https://github.com/cschaufler/lsm-stacking.git#stack-5.2-v7-full

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 fs/kernfs/inode.c                   |   3 +-
 fs/nfs/inode.c                      |   9 +-
 fs/nfsd/nfs4proc.c                  |   6 +-
 fs/nfsd/vfs.c                       |   5 +-
 include/linux/lsm_hooks.h           |  23 +-
 include/linux/security.h            |  30 ++-
 include/net/netlabel.h              |   8 +
 net/ipv4/ip_sockglue.c              |   4 +-
 net/netlabel/netlabel_kapi.c        | 120 ++++++++---
 security/security.c                 | 419 +++++++++++++++++++++++++++---------
 security/selinux/hooks.c            |  54 +++--
 security/selinux/include/netlabel.h |   7 +
 security/selinux/include/objsec.h   |   1 +
 security/selinux/netlabel.c         |  46 ++--
 security/smack/smack.h              |  17 ++
 security/smack/smack_lsm.c          | 128 +++++++----
 security/smack/smack_netfilter.c    |  45 +++-
 17 files changed, 689 insertions(+), 236 deletions(-)