Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [WIP][RFC][PATCH 0/3] Introduce Infoflow LSM
@ 2019-08-18 23:57 Roberto Sassu
  2019-08-18 23:57 ` [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro Roberto Sassu
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Roberto Sassu @ 2019-08-18 23:57 UTC (permalink / raw)
  To: linux-integrity
  Cc: linux-security-module, zohar, dmitry.kasatkin, silviu.vlasceanu,
	Roberto Sassu

This patch set introduces a new security module called Infoflow LSM. Its
main purpose is to enforce the Clark-Wilson integrity policy, in order
to protect mutable files against modifications from processes outside the
Trusted Computing Base (TCB). With this protection, mutable files inside
the TCB can be safely excluded from measurement by Integrity Measurement
Architecture (IMA), and their unknown digest won't cause a failure during
the remote attestation process.

Infoflow LSM takes advantage of the LSM stacking capability and enforces
security decisions on top of other label-based LSMs such as SELinux and
SMACK. The main benefit of this design choice is that it is not necessary
to modify the policy of the existing LSMs.

Infoflow LSM has three main modes of operation:
- discover: discovers process operations based on which the information
            flow analysis can be performed and the TCB can be determined;
- enforce: enforce the Clark-Wilson policy, depending on the TCB previously
           determined
- permissive: allow operations that would be denied, but show them in a
              file in securityfs

Discovered operations can be obtained from
/sys/kernel/security/infoflow/rules and are in the format:

allow subj obj:class { permissions };

The TCB can be determined from discovered operations with the RA Verifier
tool available at:

https://github.com/euleros/ra-verifier

The tool takes as input the application that must be protected or the
initial TCB. It will then tells which subjects violate the Clark-Wilson
policy. Possible resolution strategies are to add a subject to the TCB or
to add a filtering interface to the TCB subject that reads a low integrity
object.

RA Verifier produces a policy for Infoflow LSM, with the list of TCB
subjects, objects and filtering interfaces.

This patch set can be retrieved at:

https://github.com/euleros/linux

Roberto


Roberto Sassu (3):
  security: introduce call_int_hook_and() macro
  lsm notifier: distinguish between state change and policy change
  security: add infoflow LSM

 .../admin-guide/kernel-parameters.txt         |  23 +
 drivers/infiniband/core/device.c              |   2 +-
 include/linux/lsm_audit.h                     |   3 +
 include/linux/security.h                      |   1 +
 include/uapi/linux/xattr.h                    |   2 +
 security/Kconfig                              |   1 +
 security/Makefile                             |   2 +
 security/infoflow/Kconfig                     |   6 +
 security/infoflow/Makefile                    |   7 +
 security/infoflow/infoflow.h                  | 173 ++++
 security/infoflow/infoflow_access.c           | 182 ++++
 security/infoflow/infoflow_ctx.c              | 342 ++++++++
 security/infoflow/infoflow_fs.c               | 479 +++++++++++
 security/infoflow/infoflow_lsm.c              | 778 ++++++++++++++++++
 security/integrity/evm/evm_main.c             |   1 +
 security/security.c                           |  19 +-
 security/selinux/avc.c                        |   2 +-
 security/selinux/selinuxfs.c                  |   2 +-
 18 files changed, 2020 insertions(+), 5 deletions(-)
 create mode 100644 security/infoflow/Kconfig
 create mode 100644 security/infoflow/Makefile
 create mode 100644 security/infoflow/infoflow.h
 create mode 100644 security/infoflow/infoflow_access.c
 create mode 100644 security/infoflow/infoflow_ctx.c
 create mode 100644 security/infoflow/infoflow_fs.c
 create mode 100644 security/infoflow/infoflow_lsm.c

-- 
2.17.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-18 23:57 [WIP][RFC][PATCH 0/3] Introduce Infoflow LSM Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro Roberto Sassu
2019-08-19 14:52   ` Casey Schaufler
2019-08-29 14:29     ` Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 2/3] lsm notifier: distinguish between state change and policy change Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 3/3] security: add infoflow LSM Roberto Sassu

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox