selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com
Subject: Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality
Date: Wed, 30 Oct 2019 11:29:33 -0400	[thread overview]
Message-ID: <365ca063-6efd-8051-8d4b-5c8aef0d2e12@tycho.nsa.gov> (raw)
In-Reply-To: <20191030131633.9356-1-sds@tycho.nsa.gov>

On 10/30/19 9:16 AM, Stephen Smalley wrote:
> Add SELinux access control hooks for lockdown integrity and
> confidentiality. This effectively mimics the current implementation of
> lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
> then the lockdown access control will take precedence over the SELinux
> lockdown implementation.
> 
> Note that this SELinux implementation allows the integrity and
> confidentiality reasons to be controlled independently from one another.
> Thus, in an SELinux policy, one could allow integrity operations while
> blocking confidentiality operations.

NB This is intended to be the first of a series that will ultimately 
lead to finer-grained controls than just integrity and confidentiality, 
but wanted to get some feedback on it at this stage.  Also anticipate 
greater controversy over exposing finer granularity since the lockdown 
reasons are free to change at any time, so this would be the baseline 
fallback position if finer grained controls are rejected.

> 
> (original patch authored by an intern who wishes to remain anonymous;
> I am signing off on his behalf)
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>   security/selinux/hooks.c            | 22 ++++++++++++++++++++++
>   security/selinux/include/classmap.h |  2 ++
>   2 files changed, 24 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 36e531b91df2..6722c6b4ae74 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -91,6 +91,7 @@
>   #include <uapi/linux/mount.h>
>   #include <linux/fsnotify.h>
>   #include <linux/fanotify.h>
> +#include <linux/security.h>
>   
>   #include "avc.h"
>   #include "objsec.h"
> @@ -6799,6 +6800,25 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
>   }
>   #endif
>   
> +static int selinux_lockdown(enum lockdown_reason what)
> +{
> +	u32 sid = current_sid();
> +
> +	if (what <= LOCKDOWN_INTEGRITY_MAX)
> +		return avc_has_perm(&selinux_state,
> +				sid, sid,
> +				SECCLASS_LOCKDOWN, LOCKDOWN__INTEGRITY, NULL);
> +	else if (what <= LOCKDOWN_CONFIDENTIALITY_MAX)
> +		return avc_has_perm(&selinux_state,
> +				sid, sid,
> +				SECCLASS_LOCKDOWN, LOCKDOWN__CONFIDENTIALITY,
> +				NULL);
> +
> +	/* invalid reason */
> +	pr_warn("SELinux: invalid lockdown reason\n");
> +	return -EPERM;
> +}
> +
>   struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
>   	.lbs_cred = sizeof(struct task_security_struct),
>   	.lbs_file = sizeof(struct file_security_struct),
> @@ -7042,6 +7062,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
>   	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
>   	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
>   #endif
> +
> +	LSM_HOOK_INIT(locked_down, selinux_lockdown),
>   };
>   
>   static __init int selinux_init(void)
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 32e9b03be3dd..594c32febcd8 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -244,6 +244,8 @@ struct security_class_mapping secclass_map[] = {
>   	  {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
>   	{ "xdp_socket",
>   	  { COMMON_SOCK_PERMS, NULL } },
> +	{ "lockdown",
> +	  { "integrity", "confidentiality", NULL } },
>   	{ NULL }
>     };
>   
> 


  reply	other threads:[~2019-10-30 15:29 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-30 13:16 [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality Stephen Smalley
2019-10-30 15:29 ` Stephen Smalley [this message]
2019-10-31  9:47   ` Paul Moore
2019-10-31  9:59 ` Paul Moore
2019-10-31 14:01   ` Stephen Smalley
2019-11-07 17:48     ` Paul Moore
2019-11-07 18:07       ` Stephen Smalley
2019-11-08 18:38         ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=365ca063-6efd-8051-8d4b-5c8aef0d2e12@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).