selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <pmoore@redhat.com>
To: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov
Cc: Andy King <acking@vmware.com>, Gerd Hoffmann <kraxel@redhat.com>,
	Eric Paris <eparis@redhat.com>
Subject: AF_VSOCK and the LSMs
Date: Fri, 22 Feb 2013 17:33:18 -0500	[thread overview]
Message-ID: <1803195.0cVPJuGAEx@sifl> (raw)

With AF_VSOCK now in the next tree I've started looking at what we would need 
to do to add the appropriate LSM hooks so that AF_VSOCK traffic can be 
controlled just as we do with other protocols.  The reasons why are pretty 
simple, those users who rely on LSMs to help enforce separation between VMs 
want to be able to ensure that the separation extends down to this new method 
of communication, especially considering it provides a mechanism for 
communication between VMs.

Looking at AF_VSOCK, and the underlying VMCI transport (currently the only 
transport option), it looks fairly similar to AF_INET, at least it is much 
similar to AF_INET than it is to AF_UNIX.  With that in mind, taking an 
approach similar to what we currently do for AF_INET should make the necessary 
LSM kernel changes smaller and the related, LSM-specific security policy more 
approachable to those already familiar with the LSM's network access controls.

Perhaps the biggest different between the current AF_VSOCK/VMCI combination 
and AF_INET is the lack of labeling support at the transport layer.  Basically 
the labeling in AF_INET, via protocols that leverage IP, allow the sender to 
tag traffic with a security label that can be used to perform access control 
on receipt of the traffic.  Since AF_VSOCK traffic sent over the VMCI 
transport does not carry any LSM related information about the sender we are 
not able to do the same level of access control.  However, if we were to 
augment the current VMCI tranport to tag traffic with the security label of 
the sender we could start doing proper LSM based access control with AF_VSOCK 
traffic.

I'm currently working on a set of patches to do just that, but before I get 
too far down this path, I thought I would toss this out to the various lists 
to see if anyone had any strong feelings on this approach (either good or 
bad).  Here is what I am proposing, and currently working on ...

* Add a LSM secid/blob to the vmci_datagram struct

First some background on LSM stacking: there is a lot of work going on to look 
at stacking different LSMs (currently it is a one-at-a-time system) but 
unfortunately due to a lack of a proper security blob (e.g. we would need a 
security void pointer in the sk_buff) it is unlikely that we will be able to 
stack LSMs which use network labels anytime soon.  With that in mind, while 
some on the LSM list would likely argue for a security blob being added to 
struct vmci_datagram I think the easiest solution for the time being is to 
just add a secid field (a single u32 scalar); true it is probably not ideal 
but it simplifies the management of the field considerably and is no worse 
than what we currently have for AF_INET[6].  In the future we could always add 
a proper LSM blob if needed as this is internal and private to the kernel.

With the background out of the way, adding a LSM secid/blob to struct 
vmci_datagram would allow us to convey the sending socket's LSM label with the 
rest of the VMCI datagram/packet to the receiving socket where we could 
perform a LSM access check using the sender and receiver's LSM labels.  Once 
again, this is very similar to what we currently do with AF_INET[6].

In order to do this we would need to make some changes to a few functions, 
mostly just to ensure we have access to the necessary socket labels when 
needed:

  - vmci_transport_send_control_pkt()
  - vmci_transport_reply_control_pkt_fast() / vmci_transport_reply_reset()
  - vmci_transport_send_control_pkt_bh() / *notify_pkt() handler
  - vmci_tansport_send_control_pkt()

This may not be a complete list, and I'm being vague on the actual changes as 
this is currently a work in progress ...

* Add LSM hooks to vmci_transport_recv_{dgram,stream}_cb()

In both cases we would probably want the LSM access control hook/check to 
occur just after the call to vmci_transport_allow_dgram().  While I haven't 
gotten to this part of the patchset yet, I expect the LSM hook to look very 
similar to the existing security_sock_rcv_skb() hook; in fact, I hope to just 
reuse the existing hook but we will have to see how things develop.

* Add LSM hooks to vmci_transport_recv_connecting_{client,server}()

This isn't so much an access control point, that is handled above, but rather 
a notification for the LSM that the negotiation has finished and the sockets 
are connected.  This notification allows the LSM to update any internal state, 
e.g. the socket's peer labels.

* Update the SELinux and Smack LSMs to support the AF_VSOCK address family

Essentially this means just making sure that the socket level access controls, 
and perhaps some of the packet level controls if reused, understand the 
AF_VSOCK family and do the right thing.  For Smack this should be rather 
trivial, for SELinux it will be slightly more involved but still rather simple 
and straightforward (perhaps add a new "virt_socket" object class).

The other LSMs, TOMOYO and AppArmor, handle their network access controls 
differently and as a result, I believe there is no work needed for these LSMs 
but I would encourage the TOMOYO and AppArmor devs to correct me if I missed 
anything.

-- 
paul moore
security and virtualization @ redhat


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

             reply	other threads:[~2013-02-22 22:33 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-22 22:33 Paul Moore [this message]
2013-02-22 23:00 ` Casey Schaufler
2013-02-23  0:45   ` Paul Moore
2013-02-23 23:43     ` Casey Schaufler
2013-02-25 16:55       ` Paul Moore
2013-02-25 18:02         ` Casey Schaufler
2013-02-25 21:05           ` Paul Moore
2013-02-25 23:06             ` Casey Schaufler
2013-02-26 21:21               ` LSM stacking and the network access controls (was: AF_VSOCK and the LSMs) Paul Moore
2013-02-26 23:12                 ` LSM stacking and the network access controls Casey Schaufler
2013-02-27 16:43                   ` Paul Moore
2013-02-27 16:51                     ` Casey Schaufler
2013-02-27 17:31                       ` Paul Moore
2013-02-27 17:40                         ` Casey Schaufler
     [not found] ` <888679886.3769933.1361573683299.JavaMail.root@vmware.com>
2013-02-23  0:27   ` AF_VSOCK and the LSMs Paul Moore
     [not found]     ` <512B12EA.1000003@redhat.com>
2013-02-25 15:06       ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1803195.0cVPJuGAEx@sifl \
    --to=pmoore@redhat.com \
    --cc=acking@vmware.com \
    --cc=eparis@redhat.com \
    --cc=kraxel@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=selinux@tycho.nsa.gov \
    --subject='Re: AF_VSOCK and the LSMs' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).