[RFC 0/1] LSM ptags: Secure tagging of processes

From: jobol
Date: Wed Nov 23 2016 - 04:40:45 EST


From: Josà Bollo <jobol@xxxxxxxxxxx>

RELEASE NOTE
============
New version rebased on 4.9-rc6

Q: is there an interest in protection of values with "ptags:..:get" ?

WHAT IS THE LSM PTAGS?
======================
The Linux Security Module ptags manages for each process a list of tags
that can be empty. Values can be attached to tags.

This tag list is accessed through the new files /proc/PID/attr/ptags
and /proc/PID/tasks/TID/attr/ptags below named "ptags file".

Except for few special tags, the meaning of the tag is free.
Tags are structured in fields separated by : (colon) with
available semantic of prefixing field(s).

The list of tags is copied (this is not shared) during 'clone'.
The list of tags is filtered during 'execve' to keep only expected tags.

Tagging is compatible with the use of other LSM like Smack,
AppAmor, SELinux, ...

Tagging is compatible with user namespaces and pid namespaces.

WHY IS IT USEFUL?
=================
Tagging processes serves multiple purposes that can be mixed
due the the prefix policy of tags:
- provide basis for managing in userland permissions, privileges
or capabilities (3 words for same concept) of processes
- provide ability to attach cookies to processes

The primary goal is to implement a user-land permission
mechanism. With that intention, the tagging feature is used to record
the list of the permissions granted to a process. Any
service that requires that their client must have a
permission can check the list to accept or refuse to serve.

WHY IS IT SECURE?
=================
By default:
- processes can NOT remove any of its tags
- processes can NOT add any tag to itself
- processes can NOT set value to any of its tag
- processes can NOT alter (add, remove or set) tags of other processes
- processes lose tags during 'execve'
- processes can read tags of other processes when DAC/MAC allows it

But some rules allow authorized processes:
- to remove some of its tags
- to add some tag to itself
- to set a value to some of its tag
- to alter (add, remove, set) some tags of other processes
- to change how tags are kept or not during 'execve'

These rules are allowing the management of the tags either using
daemons/services or using fork/exec or using both methods mixed.

LINKS
=====

user library: https://gitlab.com/jobol/ptags
yocto layer: https://gitlab.com/jobol/meta-ptags

Josà Bollo
http://IoT.BzH


Josà Bollo (1):
LSM ptags: Add tagging of processes

Documentation/security/ptags.txt | 428 +++++++
fs/proc/base.c | 3 +
include/linux/cred.h | 3 +
include/linux/user_namespace.h | 23 +
kernel/cred.c | 6 +
kernel/user_namespace.c | 3 +
security/Kconfig | 1 +
security/Makefile | 2 +
security/apparmor/lsm.c | 14 +-
security/ptags/Kconfig | 16 +
security/ptags/Makefile | 6 +
security/ptags/ptags-lsm.c | 213 ++++
security/ptags/ptags.c | 2377 ++++++++++++++++++++++++++++++++++++++
security/selinux/hooks.c | 8 +
security/smack/smack_lsm.c | 14 +-
15 files changed, 3113 insertions(+), 4 deletions(-)
create mode 100644 Documentation/security/ptags.txt
create mode 100644 security/ptags/Kconfig
create mode 100644 security/ptags/Makefile
create mode 100644 security/ptags/ptags-lsm.c
create mode 100644 security/ptags/ptags.c
--
2.7.4