From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>, <zohar@linux.ibm.com>,
	<dmitry.kasatkin@huawei.com>, <silviu.vlasceanu@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [WIP][RFC][PATCH 0/3] Introduce Infoflow LSM
Date: Mon, 19 Aug 2019 01:57:42 +0200	[thread overview]
Message-ID: <20190818235745.1417-1-roberto.sassu@huawei.com> (raw)

This patch set introduces a new security module called Infoflow LSM. Its
main purpose is to enforce the Clark-Wilson integrity policy, in order
to protect mutable files against modifications from processes outside the
Trusted Computing Base (TCB). With this protection, mutable files inside
the TCB can be safely excluded from measurement by Integrity Measurement
Architecture (IMA), and their unknown digest won't cause a failure during
the remote attestation process.

Infoflow LSM takes advantage of the LSM stacking capability and enforces
security decisions on top of other label-based LSMs such as SELinux and
SMACK. The main benefit of this design choice is that it is not necessary
to modify the policy of the existing LSMs.

Infoflow LSM has three main modes of operation:
- discover: discovers process operations based on which the information
            flow analysis can be performed and the TCB can be determined;
- enforce: enforce the Clark-Wilson policy, depending on the TCB previously
           determined
- permissive: allow operations that would be denied, but show them in a
              file in securityfs

Discovered operations can be obtained from
/sys/kernel/security/infoflow/rules and are in the format:

allow subj obj:class { permissions };

The TCB can be determined from discovered operations with the RA Verifier
tool available at:

https://github.com/euleros/ra-verifier

The tool takes as input the application that must be protected or the
initial TCB. It will then tell which subjects violate the Clark-Wilson
policy. Possible resolution strategies are to add a subject to the TCB or
to add a filtering interface to the TCB subject that reads a low integrity
object.

RA Verifier produces a policy for Infoflow LSM, with the list of TCB
subjects, objects and filtering interfaces.

This patch set can be retrieved at:

https://github.com/euleros/linux

Roberto


Roberto Sassu (3):
  security: introduce call_int_hook_and() macro
  lsm notifier: distinguish between state change and policy change
  security: add infoflow LSM

 .../admin-guide/kernel-parameters.txt         |  23 +
 drivers/infiniband/core/device.c              |   2 +-
 include/linux/lsm_audit.h                     |   3 +
 include/linux/security.h                      |   1 +
 include/uapi/linux/xattr.h                    |   2 +
 security/Kconfig                              |   1 +
 security/Makefile                             |   2 +
 security/infoflow/Kconfig                     |   6 +
 security/infoflow/Makefile                    |   7 +
 security/infoflow/infoflow.h                  | 173 ++++
 security/infoflow/infoflow_access.c           | 182 ++++
 security/infoflow/infoflow_ctx.c              | 342 ++++++++
 security/infoflow/infoflow_fs.c               | 479 +++++++++++
 security/infoflow/infoflow_lsm.c              | 778 ++++++++++++++++++
 security/integrity/evm/evm_main.c             |   1 +
 security/security.c                           |  19 +-
 security/selinux/avc.c                        |   2 +-
 security/selinux/selinuxfs.c                  |   2 +-
 18 files changed, 2020 insertions(+), 5 deletions(-)
 create mode 100644 security/infoflow/Kconfig
 create mode 100644 security/infoflow/Makefile
 create mode 100644 security/infoflow/infoflow.h
 create mode 100644 security/infoflow/infoflow_access.c
 create mode 100644 security/infoflow/infoflow_ctx.c
 create mode 100644 security/infoflow/infoflow_fs.c
 create mode 100644 security/infoflow/infoflow_lsm.c

-- 
2.17.1
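To make the TCB analysis described in the cover letter concrete, here is an added illustration (not the RA Verifier tool and not code from this patch set) that parses rules in the `allow subj obj:class { permissions };` format of /sys/kernel/security/infoflow/rules, reports Clark-Wilson violations (a TCB subject reading an object that a non-TCB subject can modify), and applies the two resolutions the text names: a filtering interface, or pulling the writer into the TCB. The rule text, the split of permissions into read-like and write-like sets, and the (subject, object) representation of a filtering interface are assumptions made for the example.

```python
import re

# Rule syntax of the Infoflow LSM 'discover' output: allow subj obj:class { perms };
RULE_RE = re.compile(r"allow\s+(\S+)\s+([^\s:]+):(\S+)\s*\{([^}]*)\}\s*;")

# Constructed sample rules (not captured from a real system).
SAMPLE_RULES = """
allow init_t etc_t:file { read open };
allow init_t etc_t:file { write };
allow sshd_t etc_t:file { read };
allow sshd_t sshd_key_t:file { read };
allow user_t tmp_t:file { write };
allow sshd_t tmp_t:file { read };
allow user_t user_home_t:file { write };
allow user_t etc_t:file { read };
"""

# Assumed classification of permissions into "modifies object" / "reads object".
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}
READ_PERMS = {"read", "execute"}


def parse_rules(text):
    """Return a list of (subject, object, class, set(perms)) tuples."""
    return [(s, o, c, set(p.split())) for s, o, c, p in RULE_RE.findall(text)]


def low_integrity_objects(rules, tcb):
    """Objects that some subject outside the TCB is allowed to modify."""
    return {o for s, o, _c, p in rules if s not in tcb and p & WRITE_PERMS}


def violations(rules, tcb, filters=frozenset()):
    """TCB subjects reading a low-integrity object without a filtering interface.

    A filtering interface is modelled as a (subject, object) pair that the
    subject is trusted to sanitise; such reads are not violations."""
    low = low_integrity_objects(rules, tcb)
    return sorted({(s, o) for s, o, _c, p in rules
                   if s in tcb and o in low and p & READ_PERMS
                   and (s, o) not in filters})


def expand_tcb(rules, tcb):
    """Resolution 'add a subject to the TCB': pull in every writer of an
    object that a TCB subject reads, repeating until no violation remains.
    Each round adds at least one new subject, so it terminates."""
    tcb = set(tcb)
    while True:
        bad = violations(rules, tcb)
        if not bad:
            return tcb
        read_objs = {o for _s, o in bad}
        tcb |= {s for s, o, _c, p in rules if o in read_objs and p & WRITE_PERMS}
```

With the sample above and an initial TCB of {init_t, sshd_t}, the only violation is sshd_t reading tmp_t (writable by user_t); declaring a filtering interface for that pair clears it, while expanding the TCB instead adds user_t.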

