From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>, <zohar@linux.ibm.com>,
<dmitry.kasatkin@huawei.com>, <silviu.vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [WIP][RFC][PATCH 0/3] Introduce Infoflow LSM
Date: Mon, 19 Aug 2019 01:57:42 +0200 [thread overview]
Message-ID: <20190818235745.1417-1-roberto.sassu@huawei.com> (raw)
This patch set introduces a new security module called Infoflow LSM. Its
main purpose is to enforce the Clark-Wilson integrity policy, in order
to protect mutable files against modifications from processes outside the
Trusted Computing Base (TCB). With this protection, mutable files inside
the TCB can be safely excluded from measurement by Integrity Measurement
Architecture (IMA), and their unknown digest won't cause a failure during
the remote attestation process.
Infoflow LSM takes advantage of the LSM stacking capability and enforces
security decisions on top of other label-based LSMs such as SELinux and
SMACK. The main benefit of this design choice is that it is not necessary
to modify the policy of the existing LSMs.
Infoflow LSM has three main modes of operation:
- discover: discovers process operations based on which the information
flow analysis can be performed and the TCB can be determined;
- enforce: enforce the Clark-Wilson policy, depending on the TCB previously
determined
- permissive: allow operations that would be denied, but show them in a
file in securityfs
Discovered operations can be obtained from
/sys/kernel/security/infoflow/rules and are in the format:
allow subj obj:class { permissions };
The TCB can be determined from discovered operations with the RA Verifier
tool available at:
https://github.com/euleros/ra-verifier
The tool takes as input the application that must be protected or the
initial TCB. It will then tells which subjects violate the Clark-Wilson
policy. Possible resolution strategies are to add a subject to the TCB or
to add a filtering interface to the TCB subject that reads a low integrity
object.
RA Verifier produces a policy for Infoflow LSM, with the list of TCB
subjects, objects and filtering interfaces.
This patch set can be retrieved at:
https://github.com/euleros/linux
Roberto
Roberto Sassu (3):
security: introduce call_int_hook_and() macro
lsm notifier: distinguish between state change and policy change
security: add infoflow LSM
.../admin-guide/kernel-parameters.txt | 23 +
drivers/infiniband/core/device.c | 2 +-
include/linux/lsm_audit.h | 3 +
include/linux/security.h | 1 +
include/uapi/linux/xattr.h | 2 +
security/Kconfig | 1 +
security/Makefile | 2 +
security/infoflow/Kconfig | 6 +
security/infoflow/Makefile | 7 +
security/infoflow/infoflow.h | 173 ++++
security/infoflow/infoflow_access.c | 182 ++++
security/infoflow/infoflow_ctx.c | 342 ++++++++
security/infoflow/infoflow_fs.c | 479 +++++++++++
security/infoflow/infoflow_lsm.c | 778 ++++++++++++++++++
security/integrity/evm/evm_main.c | 1 +
security/security.c | 19 +-
security/selinux/avc.c | 2 +-
security/selinux/selinuxfs.c | 2 +-
18 files changed, 2020 insertions(+), 5 deletions(-)
create mode 100644 security/infoflow/Kconfig
create mode 100644 security/infoflow/Makefile
create mode 100644 security/infoflow/infoflow.h
create mode 100644 security/infoflow/infoflow_access.c
create mode 100644 security/infoflow/infoflow_ctx.c
create mode 100644 security/infoflow/infoflow_fs.c
create mode 100644 security/infoflow/infoflow_lsm.c
--
2.17.1
next reply other threads:[~2019-08-18 23:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-18 23:57 Roberto Sassu [this message]
2019-08-18 23:57 ` [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro Roberto Sassu
2019-08-19 14:52 ` Casey Schaufler
2019-08-29 14:29 ` Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 2/3] lsm notifier: distinguish between state change and policy change Roberto Sassu
2019-08-18 23:57 ` [WIP][RFC][PATCH 3/3] security: add infoflow LSM Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190818235745.1417-1-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=dmitry.kasatkin@huawei.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=silviu.vlasceanu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.