[RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Stephen Smalley]

Add SELinux access control hooks for lockdown integrity and
confidentiality. This effectively mimics the current implementation of
lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
then the lockdown access control will take precedence over the SELinux
lockdown implementation.

Note that this SELinux implementation allows the integrity and
confidentiality reasons to be controlled independently from one another.
Thus, in an SELinux policy, one could allow integrity operations while
blocking confidentiality operations.

(original patch authored by an intern who wishes to remain anonymous;
I am signing off on his behalf)

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c            | 22 ++++++++++++++++++++++
 security/selinux/include/classmap.h |  2 ++
 2 files changed, 24 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 36e531b91df2..6722c6b4ae74 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
 #include <uapi/linux/mount.h>
 #include <linux/fsnotify.h>
 #include <linux/fanotify.h>
+#include <linux/security.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -6799,6 +6800,25 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
 }
 #endif
 
+static int selinux_lockdown(enum lockdown_reason what)
+{
+	u32 sid = current_sid();
+
+	if (what <= LOCKDOWN_INTEGRITY_MAX)
+		return avc_has_perm(&selinux_state,
+				sid, sid,
+				SECCLASS_LOCKDOWN, LOCKDOWN__INTEGRITY, NULL);
+	else if (what <= LOCKDOWN_CONFIDENTIALITY_MAX)
+		return avc_has_perm(&selinux_state,
+				sid, sid,
+				SECCLASS_LOCKDOWN, LOCKDOWN__CONFIDENTIALITY,
+				NULL);
+
+	/* invalid reason */
+	pr_warn("SELinux: invalid lockdown reason\n");
+	return -EPERM;
+}
+
 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
 	.lbs_cred = sizeof(struct task_security_struct),
 	.lbs_file = sizeof(struct file_security_struct),
@@ -7042,6 +7062,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
 #endif
+
+	LSM_HOOK_INIT(locked_down, selinux_lockdown),
 };
 
 static __init int selinux_init(void)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 32e9b03be3dd..594c32febcd8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -244,6 +244,8 @@ struct security_class_mapping secclass_map[] = {
 	  {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
 	{ "xdp_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "lockdown",
+	  { "integrity", "confidentiality", NULL } },
 	{ NULL }
   };
 
-- 
2.23.0

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Stephen Smalley]

On 10/30/19 9:16 AM, Stephen Smalley wrote:
> Add SELinux access control hooks for lockdown integrity and
> confidentiality. This effectively mimics the current implementation of
> lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
> then the lockdown access control will take precedence over the SELinux
> lockdown implementation.
> 
> Note that this SELinux implementation allows the integrity and
> confidentiality reasons to be controlled independently from one another.
> Thus, in an SELinux policy, one could allow integrity operations while
> blocking confidentiality operations.

NB This is intended to be the first of a series that will ultimately 
lead to finer-grained controls than just integrity and confidentiality, 
but wanted to get some feedback on it at this stage.  Also anticipate 
greater controversy over exposing finer granularity since the lockdown 
reasons are free to change at any time, so this would be the baseline 
fallback position if finer grained controls are rejected.

> 
> (original patch authored by an intern who wishes to remain anonymous;
> I am signing off on his behalf)
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>   security/selinux/hooks.c            | 22 ++++++++++++++++++++++
>   security/selinux/include/classmap.h |  2 ++
>   2 files changed, 24 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 36e531b91df2..6722c6b4ae74 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -91,6 +91,7 @@
>   #include <uapi/linux/mount.h>
>   #include <linux/fsnotify.h>
>   #include <linux/fanotify.h>
> +#include <linux/security.h>
>   
>   #include "avc.h"
>   #include "objsec.h"
> @@ -6799,6 +6800,25 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
>   }
>   #endif
>   
> +static int selinux_lockdown(enum lockdown_reason what)
> +{
> +	u32 sid = current_sid();
> +
> +	if (what <= LOCKDOWN_INTEGRITY_MAX)
> +		return avc_has_perm(&selinux_state,
> +				sid, sid,
> +				SECCLASS_LOCKDOWN, LOCKDOWN__INTEGRITY, NULL);
> +	else if (what <= LOCKDOWN_CONFIDENTIALITY_MAX)
> +		return avc_has_perm(&selinux_state,
> +				sid, sid,
> +				SECCLASS_LOCKDOWN, LOCKDOWN__CONFIDENTIALITY,
> +				NULL);
> +
> +	/* invalid reason */
> +	pr_warn("SELinux: invalid lockdown reason\n");
> +	return -EPERM;
> +}
> +
>   struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
>   	.lbs_cred = sizeof(struct task_security_struct),
>   	.lbs_file = sizeof(struct file_security_struct),
> @@ -7042,6 +7062,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
>   	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
>   	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
>   #endif
> +
> +	LSM_HOOK_INIT(locked_down, selinux_lockdown),
>   };
>   
>   static __init int selinux_init(void)
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 32e9b03be3dd..594c32febcd8 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -244,6 +244,8 @@ struct security_class_mapping secclass_map[] = {
>   	  {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
>   	{ "xdp_socket",
>   	  { COMMON_SOCK_PERMS, NULL } },
> +	{ "lockdown",
> +	  { "integrity", "confidentiality", NULL } },
>   	{ NULL }
>     };
>   
> 

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Paul Moore]

On Wed, Oct 30, 2019 at 11:29 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/30/19 9:16 AM, Stephen Smalley wrote:
> > Add SELinux access control hooks for lockdown integrity and
> > confidentiality. This effectively mimics the current implementation of
> > lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
> > then the lockdown access control will take precedence over the SELinux
> > lockdown implementation.
> >
> > Note that this SELinux implementation allows the integrity and
> > confidentiality reasons to be controlled independently from one another.
> > Thus, in an SELinux policy, one could allow integrity operations while
> > blocking confidentiality operations.
>
> NB This is intended to be the first of a series that will ultimately
> lead to finer-grained controls than just integrity and confidentiality,
> but wanted to get some feedback on it at this stage.  Also anticipate
> greater controversy over exposing finer granularity since the lockdown
> reasons are free to change at any time, so this would be the baseline
> fallback position if finer grained controls are rejected.
>
> > (original patch authored by an intern who wishes to remain anonymous;
> > I am signing off on his behalf)

I'm not going to comment on this on-list because IANAL, but it might
be best to leave the comment above off of future postings as I think
it somewhat confuses the principle behind the sign-off line.  I
understand you want to give credit where it is due, but without an
explicit author's name/email I believe it is safer for you to assume
that role.

Put another way, the comment above makes me nervous about adding my
own sign-off and merging it into the SELinux tree.

> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> >   security/selinux/hooks.c            | 22 ++++++++++++++++++++++
> >   security/selinux/include/classmap.h |  2 ++
> >   2 files changed, 24 insertions(+)

-- 
paul moore
www.paul-moore.com

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Paul Moore]

On Wed, Oct 30, 2019 at 9:16 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Add SELinux access control hooks for lockdown integrity and
> confidentiality. This effectively mimics the current implementation of
> lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
> then the lockdown access control will take precedence over the SELinux
> lockdown implementation.
>
> Note that this SELinux implementation allows the integrity and
> confidentiality reasons to be controlled independently from one another.
> Thus, in an SELinux policy, one could allow integrity operations while
> blocking confidentiality operations.
>
> (original patch authored by an intern who wishes to remain anonymous;
> I am signing off on his behalf)
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/hooks.c            | 22 ++++++++++++++++++++++
>  security/selinux/include/classmap.h |  2 ++
>  2 files changed, 24 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 36e531b91df2..6722c6b4ae74 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -91,6 +91,7 @@
>  #include <uapi/linux/mount.h>
>  #include <linux/fsnotify.h>
>  #include <linux/fanotify.h>
> +#include <linux/security.h>
>
>  #include "avc.h"
>  #include "objsec.h"
> @@ -6799,6 +6800,25 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
>  }
>  #endif
>
> +static int selinux_lockdown(enum lockdown_reason what)
> +{
> +       u32 sid = current_sid();
> +
> +       if (what <= LOCKDOWN_INTEGRITY_MAX)
> +               return avc_has_perm(&selinux_state,
> +                               sid, sid,
> +                               SECCLASS_LOCKDOWN, LOCKDOWN__INTEGRITY, NULL);
> +       else if (what <= LOCKDOWN_CONFIDENTIALITY_MAX)
> +               return avc_has_perm(&selinux_state,
> +                               sid, sid,
> +                               SECCLASS_LOCKDOWN, LOCKDOWN__CONFIDENTIALITY,
> +                               NULL);
> +
> +       /* invalid reason */
> +       pr_warn("SELinux: invalid lockdown reason\n");
> +       return -EPERM;
> +}

I don't have any objections to adding a hook to control access to the
lockdown functionality (I think it's a good idea), but I am a little
nervous about the granularity of the control.  Sticking with just an
integrity and a confidentiality permission seems okay, but I worry
about adding additional permissions until we have a better idea of how
the lockdown functionality is adopted by developers and we see how the
lockdown_reason evolves.

-- 
paul moore
www.paul-moore.com

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Stephen Smalley]

On 10/31/19 5:59 AM, Paul Moore wrote:
> On Wed, Oct 30, 2019 at 9:16 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Add SELinux access control hooks for lockdown integrity and
>> confidentiality. This effectively mimics the current implementation of
>> lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
>> then the lockdown access control will take precedence over the SELinux
>> lockdown implementation.
>>
>> Note that this SELinux implementation allows the integrity and
>> confidentiality reasons to be controlled independently from one another.
>> Thus, in an SELinux policy, one could allow integrity operations while
>> blocking confidentiality operations.
>>
>> (original patch authored by an intern who wishes to remain anonymous;
>> I am signing off on his behalf)
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>   security/selinux/hooks.c            | 22 ++++++++++++++++++++++
>>   security/selinux/include/classmap.h |  2 ++
>>   2 files changed, 24 insertions(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 36e531b91df2..6722c6b4ae74 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -91,6 +91,7 @@
>>   #include <uapi/linux/mount.h>
>>   #include <linux/fsnotify.h>
>>   #include <linux/fanotify.h>
>> +#include <linux/security.h>
>>
>>   #include "avc.h"
>>   #include "objsec.h"
>> @@ -6799,6 +6800,25 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
>>   }
>>   #endif
>>
>> +static int selinux_lockdown(enum lockdown_reason what)
>> +{
>> +       u32 sid = current_sid();
>> +
>> +       if (what <= LOCKDOWN_INTEGRITY_MAX)
>> +               return avc_has_perm(&selinux_state,
>> +                               sid, sid,
>> +                               SECCLASS_LOCKDOWN, LOCKDOWN__INTEGRITY, NULL);
>> +       else if (what <= LOCKDOWN_CONFIDENTIALITY_MAX)
>> +               return avc_has_perm(&selinux_state,
>> +                               sid, sid,
>> +                               SECCLASS_LOCKDOWN, LOCKDOWN__CONFIDENTIALITY,
>> +                               NULL);
>> +
>> +       /* invalid reason */
>> +       pr_warn("SELinux: invalid lockdown reason\n");
>> +       return -EPERM;
>> +}
> 
> I don't have any objections to adding a hook to control access to the
> lockdown functionality (I think it's a good idea), but I am a little
> nervous about the granularity of the control.  Sticking with just an
> integrity and a confidentiality permission seems okay, but I worry
> about adding additional permissions until we have a better idea of how
> the lockdown functionality is adopted by developers and we see how the
> lockdown_reason evolves.

Ok, so let's discuss what if anything else is needed for a final non-RFC 
version of this patch.

One thing that I wondered about was whether we ought to include the 
reason information in the audit record as supplemental data via a new 
LSM_AUDIT_DATA_* type for help in policy debugging / development. 
However, the lockdown_reasons[] string array is presently private to the 
lockdown module so we would have to export that or replicate it for 
creating a string representation of the reason if we were to do so. 
That would expose the reasons in terms of audit data but not as a basis 
for the permission check. Note that the lockdown module logs these 
reason strings via pr_notice() when it denies access, so it appears that 
exposing the strings as part of audit data would not introduce any extra 
kernel stable ABI guarantees?

I also wasn't sure about the pr_warn() above.  If we reach it, it is 
effectively a kernel bug. We could mirror what the lockdown module does 
in lockdown_is_locked_down(), i.e. use WARN() instead.  Of course, the 
SELinux hook won't even be reached in this case if the lockdown module 
is enabled, but the lockdown module could be disabled so I guess we need 
to check it too.

If we take the lockdown class with just integrity and confidentiality 
permissions now and later introduce finer granularity, we'll presumably 
need a policy capability to select whether the coarse-grained or 
fine-grained permissions are used.

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Paul Moore]

On Thu, Oct 31, 2019 at 10:01 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/31/19 5:59 AM, Paul Moore wrote:
> > On Wed, Oct 30, 2019 at 9:16 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> Add SELinux access control hooks for lockdown integrity and
> >> confidentiality. This effectively mimics the current implementation of
> >> lockdown (caveat noted below). If lockdown is enabled alongside SELinux,
> >> then the lockdown access control will take precedence over the SELinux
> >> lockdown implementation.
> >>
> >> Note that this SELinux implementation allows the integrity and
> >> confidentiality reasons to be controlled independently from one another.
> >> Thus, in an SELinux policy, one could allow integrity operations while
> >> blocking confidentiality operations.

...

> > I don't have any objections to adding a hook to control access to the
> > lockdown functionality (I think it's a good idea), but I am a little
> > nervous about the granularity of the control.  Sticking with just an
> > integrity and a confidentiality permission seems okay, but I worry
> > about adding additional permissions until we have a better idea of how
> > the lockdown functionality is adopted by developers and we see how the
> > lockdown_reason evolves.
>
> Ok, so let's discuss what if anything else is needed for a final non-RFC
> version of this patch.
>
> One thing that I wondered about was whether we ought to include the
> reason information in the audit record as supplemental data via a new
> LSM_AUDIT_DATA_* type for help in policy debugging / development.
> However, the lockdown_reasons[] string array is presently private to the
> lockdown module so we would have to export that or replicate it for
> creating a string representation of the reason if we were to do so.
> That would expose the reasons in terms of audit data but not as a basis
> for the permission check. Note that the lockdown module logs these
> reason strings via pr_notice() when it denies access, so it appears that
> exposing the strings as part of audit data would not introduce any extra
> kernel stable ABI guarantees?

That is an interesting question: do we consider dmesg output to be
part of the stable kernel API?  My hunch would be "no", as I've seen
things change quite a bit there over the years, but IANL (I Am Not
Linus).  However, that said, logging a reason string via audit seems
like a good idea (especially since there is presently a many-to-one
mapping between reasons and the SELinux permission).  Further, while
the audit field name is part of the kernel API, the value is much more
open.

> I also wasn't sure about the pr_warn() above.  If we reach it, it is
> effectively a kernel bug. We could mirror what the lockdown module does
> in lockdown_is_locked_down(), i.e. use WARN() instead.  Of course, the
> SELinux hook won't even be reached in this case if the lockdown module
> is enabled, but the lockdown module could be disabled so I guess we need
> to check it too.

Since this seems security relevant, I wonder if we should be using SELINUX_ERR?

> If we take the lockdown class with just integrity and confidentiality
> permissions now and later introduce finer granularity, we'll presumably
> need a policy capability to select whether the coarse-grained or
> fine-grained permissions are used.

True, although I'm not overly worried about the need to use policy
capabilities; I'm more worried about jumping into too fine a
granularity before we see how this will be used.

-- 
paul moore
www.paul-moore.com

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Stephen Smalley]

On 11/7/19 12:48 PM, Paul Moore wrote:
 > On Thu, Oct 31, 2019 at 10:01 AM Stephen Smalley <sds@tycho.nsa.gov> 
wrote:
> That is an interesting question: do we consider dmesg output to be
> part of the stable kernel API?  My hunch would be "no", as I've seen
> things change quite a bit there over the years, but IANL (I Am Not
> Linus).  However, that said, logging a reason string via audit seems
> like a good idea (especially since there is presently a many-to-one
> mapping between reasons and the SELinux permission).  Further, while
> the audit field name is part of the kernel API, the value is much more
> open.

Ok, any preferences on the audit field name or should we just create one 
and cc linux-audit on the next RFC?  lockdown_reason=?

>> I also wasn't sure about the pr_warn() above.  If we reach it, it is
>> effectively a kernel bug. We could mirror what the lockdown module does
>> in lockdown_is_locked_down(), i.e. use WARN() instead.  Of course, the
>> SELinux hook won't even be reached in this case if the lockdown module
>> is enabled, but the lockdown module could be disabled so I guess we need
>> to check it too.
> 
> Since this seems security relevant, I wonder if we should be using SELINUX_ERR?

The benefit of a WARN() is that it will give us a stack trace showing 
the offending caller in the kernel, which would be useful since it would 
be a buggy caller passing an invalid lockdown reason (LOCKDOWN_NONE or 
 >= LOCKDOWN_CONFIDENTIALITY_MAX).  pr_warn() or audit_log() won't give 
us that info.  We could do both of course.

Re: [RFC PATCH] selinux: add SELinux hooks for lockdown integrity and confidentiality

[Paul Moore]

On Thu, Nov 7, 2019 at 1:07 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 11/7/19 12:48 PM, Paul Moore wrote:
>  > On Thu, Oct 31, 2019 at 10:01 AM Stephen Smalley <sds@tycho.nsa.gov>
> wrote:
> > That is an interesting question: do we consider dmesg output to be
> > part of the stable kernel API?  My hunch would be "no", as I've seen
> > things change quite a bit there over the years, but IANL (I Am Not
> > Linus).  However, that said, logging a reason string via audit seems
> > like a good idea (especially since there is presently a many-to-one
> > mapping between reasons and the SELinux permission).  Further, while
> > the audit field name is part of the kernel API, the value is much more
> > open.
>
> Ok, any preferences on the audit field name or should we just create one
> and cc linux-audit on the next RFC?  lockdown_reason=?

Definitely CC linux-audit as I expect Steve will want to have his say.
FWIW, "lockdown_reason" seems reasonable to me.

> >> I also wasn't sure about the pr_warn() above.  If we reach it, it is
> >> effectively a kernel bug. We could mirror what the lockdown module does
> >> in lockdown_is_locked_down(), i.e. use WARN() instead.  Of course, the
> >> SELinux hook won't even be reached in this case if the lockdown module
> >> is enabled, but the lockdown module could be disabled so I guess we need
> >> to check it too.
> >
> > Since this seems security relevant, I wonder if we should be using SELINUX_ERR?
>
> The benefit of a WARN() is that it will give us a stack trace showing
> the offending caller in the kernel, which would be useful since it would
> be a buggy caller passing an invalid lockdown reason (LOCKDOWN_NONE or
>  >= LOCKDOWN_CONFIDENTIALITY_MAX).  pr_warn() or audit_log() won't give
> us that info.  We could do both of course.

It's a balance between development needs and freaking out
administrators (although perhaps rightly so).  I also worry a bit that
WARN can be disabled at build time so having something like
SELINUX_ERR could be a good fallback, assuming we did both.

-- 
paul moore
www.paul-moore.com