Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>, <zohar@linux.ibm.com>,
	<dmitry.kasatkin@huawei.com>, <silviu.vlasceanu@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [WIP][RFC][PATCH 0/3] Introduce Infoflow LSM
Date: Mon, 19 Aug 2019 01:57:42 +0200
Message-ID: <20190818235745.1417-1-roberto.sassu@huawei.com> (raw)

This patch set introduces a new security module called Infoflow LSM. Its
main purpose is to enforce the Clark-Wilson integrity policy, in order
to protect mutable files against modifications from processes outside the
Trusted Computing Base (TCB). With this protection, mutable files inside
the TCB can be safely excluded from measurement by Integrity Measurement
Architecture (IMA), and their unknown digest won't cause a failure during
the remote attestation process.

Infoflow LSM takes advantage of the LSM stacking capability and enforces
security decisions on top of other label-based LSMs such as SELinux and
SMACK. The main benefit of this design choice is that it is not necessary
to modify the policy of the existing LSMs.

Infoflow LSM has three main modes of operation:
- discover: discovers process operations based on which the information
            flow analysis can be performed and the TCB can be determined;
- enforce: enforce the Clark-Wilson policy, depending on the TCB previously
           determined
- permissive: allow operations that would be denied, but show them in a
              file in securityfs

Discovered operations can be obtained from
/sys/kernel/security/infoflow/rules and are in the format:

allow subj obj:class { permissions };

The TCB can be determined from discovered operations with the RA Verifier
tool available at:

https://github.com/euleros/ra-verifier

The tool takes as input the application that must be protected or the
initial TCB. It will then tells which subjects violate the Clark-Wilson
policy. Possible resolution strategies are to add a subject to the TCB or
to add a filtering interface to the TCB subject that reads a low integrity
object.

RA Verifier produces a policy for Infoflow LSM, with the list of TCB
subjects, objects and filtering interfaces.

This patch set can be retrieved at:

https://github.com/euleros/linux

Roberto


Roberto Sassu (3):
  security: introduce call_int_hook_and() macro
  lsm notifier: distinguish between state change and policy change
  security: add infoflow LSM

 .../admin-guide/kernel-parameters.txt         |  23 +
 drivers/infiniband/core/device.c              |   2 +-
 include/linux/lsm_audit.h                     |   3 +
 include/linux/security.h                      |   1 +
 include/uapi/linux/xattr.h                    |   2 +
 security/Kconfig                              |   1 +
 security/Makefile                             |   2 +
 security/infoflow/Kconfig                     |   6 +
 security/infoflow/Makefile                    |   7 +
 security/infoflow/infoflow.h                  | 173 ++++
 security/infoflow/infoflow_access.c           | 182 ++++
 security/infoflow/infoflow_ctx.c              | 342 ++++++++
 security/infoflow/infoflow_fs.c               | 479 +++++++++++
 security/infoflow/infoflow_lsm.c              | 778 ++++++++++++++++++
 security/integrity/evm/evm_main.c             |   1 +
 security/security.c                           |  19 +-
 security/selinux/avc.c                        |   2 +-
 security/selinux/selinuxfs.c                  |   2 +-
 18 files changed, 2020 insertions(+), 5 deletions(-)
 create mode 100644 security/infoflow/Kconfig
 create mode 100644 security/infoflow/Makefile
 create mode 100644 security/infoflow/infoflow.h
 create mode 100644 security/infoflow/infoflow_access.c
 create mode 100644 security/infoflow/infoflow_ctx.c
 create mode 100644 security/infoflow/infoflow_fs.c
 create mode 100644 security/infoflow/infoflow_lsm.c

-- 
2.17.1


             reply index

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-18 23:57 Roberto Sassu [this message]
2019-08-18 23:57 ` [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro Roberto Sassu
2019-08-19 14:52   ` Casey Schaufler
2019-08-29 14:29     ` Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 2/3] lsm notifier: distinguish between state change and policy change Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 3/3] security: add infoflow LSM Roberto Sassu

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190818235745.1417-1-roberto.sassu@huawei.com \
    --to=roberto.sassu@huawei.com \
    --cc=dmitry.kasatkin@huawei.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=silviu.vlasceanu@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox