SELinux Archive on
From: Casey Schaufler <>
Subject: [PATCH v7 00/16] LSM: Full module stacking
Date: Wed,  7 Aug 2019 15:42:29 -0700
Message-ID: <>
In-Reply-To: <>

Provide mechanisms for security modules that use network interfaces
to operate on the same system safely. Provide mechanisms for kernfs
to maintain information about all the security modules active on
a system. With these mechanisms in place, any combination of
existing security modules can be used.

It is not clear that all issues with the integrity calls have
been addressed. Any review there would be much appreciated.
There should be a mechanism in netfilter to identify which
security module a given rule is associated with, but none is
proposed here. Instead, the module first registered is given
the secmark. Labeled NFS is an incomplete implementation,
missing the "LFS" data needed to identify the format of the
labels passed. The first registered assumption is made here
as well. The Netlabel restriction that all sent attributes must
be agreeable to all modules is reasonable. The implementation
is awkward, and insights into improvement would be most welcome.

It is important to be aware that while the mechanisms have
been made cohabitational, there is no guarantee that the policies
imposed by the security modules will be compatible. The handling
of unlabeled IP packets using Netlabel is very different in
SELinux and Smack. The use of capabilities is also very different
in those modules.

This has been tested on Fedora29 and Ubuntu19.04 using
unmodified policies. The SELinux test suite demonstrates
policy conflict issues when used with Smack.

Patches 0001-0002 change the secmark_refcount LSM interfaces
to call only the first registered security module's hooks.
Smack is modified to use these interfaces to determine if the
Internet Protocol secmark is meaningful to Smack.

Patches 0003 and 0009 refactor security_inode_init_security() to
accommodate integrity checking on multiple active security

Patch 0004 updates security_inode_listsecurity() to provide
multiple security attributes instead of just one.

Patches 0005-0007 address NFS and kernfs. Labeled nfs has no
mechanism to identify what kind of label (e.g. CIPSO or Flask)
that is being sent across the wire, so an arbitrary choice must
be made on how NFS labels are handled. The module in lsmslot 0
is always used. Kernfs uses context strings to store security
attributes, so those are now saved in the "compound" format.

Patch 0008 provides infrastructure management of mount
option data.

Patch 0010 addresses the case where one security module may fail
to provide a valid secid on datagrams where another succeeds.

Patches 0011-0015 allow the LSM infrastructure to check whether
the security modules agree on network security attributes when
netlabel is being used.

Patch 0016 removes the exclusive flag from Smack.

A note on the "v7" designation: This depends on the stack-5.2-v7-apparmor
patches provided earlier. Since that is "v7" I've used the same number
here in the hopes that it will reduce confusion.

Signed-off-by: Casey Schaufler <>
 fs/kernfs/inode.c                   |   3 +-
 fs/nfs/inode.c                      |   9 +-
 fs/nfsd/nfs4proc.c                  |   6 +-
 fs/nfsd/vfs.c                       |   5 +-
 include/linux/lsm_hooks.h           |  23 +-
 include/linux/security.h            |  30 ++-
 include/net/netlabel.h              |   8 +
 net/ipv4/ip_sockglue.c              |   4 +-
 net/netlabel/netlabel_kapi.c        | 120 ++++++++---
 security/security.c                 | 419 +++++++++++++++++++++++++++---------
 security/selinux/hooks.c            |  54 +++--
 security/selinux/include/netlabel.h |   7 +
 security/selinux/include/objsec.h   |   1 +
 security/selinux/netlabel.c         |  46 ++--
 security/smack/smack.h              |  17 ++
 security/smack/smack_lsm.c          | 128 +++++++----
 security/smack/smack_netfilter.c    |  45 +++-
 17 files changed, 689 insertions(+), 236 deletions(-)

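The cover letter describes two coexistence rules: secmark refcounting hooks go only to the first registered module (the module in lsmslot 0), and Netlabel attributes are sent only when every active module agrees on them. The following userspace model, added here as an illustration and not taken from the patch series or the kernel, shows how those two rules behave with two registered modules. Every identifier in it (lsm_register, secmark_refcount_inc, netlabel_reconcile, the secattr layout, the nltype values) is hypothetical and chosen for the example; the real LSM and Netlabel interfaces differ.

```c
/*
 * Added example: a userspace model of two stacked-LSM rules from the
 * cover letter. Hypothetical names and layouts; not kernel code.
 *   1. secmark refcounting calls only the first registered module's hook.
 *   2. A Netlabel attribute is sent only if every active module agrees.
 */
#include <stdio.h>
#include <string.h>

#define LSM_MAX 4

/* Model of a Netlabel security attribute: labeling protocol plus label. */
enum nltype { NL_UNLABELED = 0, NL_CIPSO = 1, NL_CALIPSO = 2 };

struct secattr {
    enum nltype type;
    char label[32];
};

struct lsm {
    const char *name;
    int secmark_refs;        /* how often this module's refcount hook ran */
    struct secattr wants;    /* the attribute this module's hook asks to send */
};

static struct lsm lsms[LSM_MAX];
static int lsm_count;

static void lsm_reset(void) { lsm_count = 0; }

/* Registration order defines the slot; slot 0 is the first registered. */
static int lsm_register(const char *name)
{
    if (lsm_count >= LSM_MAX)
        return -1;
    lsms[lsm_count].name = name;
    lsms[lsm_count].secmark_refs = 0;
    lsms[lsm_count].wants.type = NL_UNLABELED;
    lsms[lsm_count].wants.label[0] = '\0';
    return lsm_count++;
}

/* Rule 1: the secmark belongs to slot 0, so only its hook is called.
 * Returns the slot whose hook ran, or -1 if nothing is registered. */
static int secmark_refcount_inc(void)
{
    if (lsm_count == 0)
        return -1;
    lsms[0].secmark_refs++;
    return 0;
}

/* A module's hook records the attribute it would put on the wire. */
static void lsm_set_wants(int slot, enum nltype type, const char *label)
{
    lsms[slot].wants.type = type;
    snprintf(lsms[slot].wants.label, sizeof lsms[slot].wants.label, "%s", label);
}

static int secattr_equal(const struct secattr *a, const struct secattr *b)
{
    return a->type == b->type && strcmp(a->label, b->label) == 0;
}

/* Rule 2: the sent attribute must be agreeable to every module.
 * On agreement copies it to *out and returns 0; on conflict returns the
 * slot (>= 1) of the first module disagreeing with slot 0; -1 if empty. */
static int netlabel_reconcile(struct secattr *out)
{
    int i;

    if (lsm_count == 0)
        return -1;
    for (i = 1; i < lsm_count; i++)
        if (!secattr_equal(&lsms[0].wants, &lsms[i].wants))
            return i;
    *out = lsms[0].wants;
    return 0;
}

int main(void)
{
    struct secattr sent;
    int s, sel, smk;

    lsm_reset();
    sel = lsm_register("selinux");
    smk = lsm_register("smack");

    secmark_refcount_inc();
    printf("secmark refs: %s=%d %s=%d\n", lsms[sel].name, lsms[sel].secmark_refs,
           lsms[smk].name, lsms[smk].secmark_refs);

    lsm_set_wants(sel, NL_CIPSO, "s0");
    lsm_set_wants(smk, NL_CIPSO, "s0");
    s = netlabel_reconcile(&sent);
    printf("agree: rc=%d type=%d label=%s\n", s, sent.type, sent.label);

    lsm_set_wants(smk, NL_UNLABELED, "");
    s = netlabel_reconcile(&sent);
    printf("conflict: refused by slot %d (%s)\n", s, lsms[s].name);
    return 0;
}
```

The model makes the cover letter's caveat concrete: reconciliation only checks that the modules agree on the attribute, it does not make their policies compatible, so a module whose policy sends unlabeled packets where another expects CIPSO will simply be refused.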

Thread overview: 18+ messages
2019-08-07 22:42 Casey Schaufler
2019-08-07 22:42 ` Casey Schaufler [this message]
2019-08-07 22:42 ` [PATCH v7 01/16] LSM: Single hook called in secmark refcounting Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 02/16] Smack: Detect if secmarks can be safely used Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 03/16] LSM: Support multiple LSMs using inode_init_security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 04/16] LSM: List multiple security attributes in security_inode_listsecurity Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 05/16] LSM: Multiple modules using security_ismaclabel Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 06/16] LSM: Make multiple MAC modules safe in nfs and kernfs Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 07/16] LSM: Correct handling of ENOSYS in inode_setxattr Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 08/16] LSM: Infrastructure security blobs for mount options Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 09/16] LSM: Fix for security_init_inode_security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 10/16] LSM: Change error detection for UDP peer security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 11/16] Netlabel: Add a secattr comparison API function Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 12/16] Netlabel: Provide labeling type to security modules Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 13/16] LSM: Remember the NLTYPE of netlabel sockets Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 14/16] LSM: Hook for netlabel reconciliation Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 15/16] LSM: Avoid network conflicts in SELinux and Smack Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 16/16] Smack: Remove the exclusive flag Casey Schaufler
