[GIT PULL] lsm/lsm-pr-20240911
From: Paul Moore
Date: Thu Sep 12 2024 - 21:30:10 EST
Linus,
We've got a reasonably large pull request for the LSM framework this
time (at least it's large for us), here are the highlights:
* Move the LSM framework to static calls
Based on some of our exchanges over the summer, it sounds like you
are already familiar with the effort to convert the LSM callbacks
from function pointers to static calls. This pull request includes
that work and transitions the vast majority of the LSM callbacks into
static calls. Those callbacks which haven't been converted were
left as-is due to the general ugliness of the changes required to
support the static call conversion; we can revisit those callbacks
at a future date.
It is worth mentioning that Tetsuo Handa is opposed to the static call
patches, some even carry his NACK, as they make it more difficult to
dynamically load out-of-tree LSMs, or unsupported LSMs on distro kernels.
Many of us have tried to explain that out-of-tree LSMs are not a
concern for the upstream LSM framework, or the Linux kernel in general,
and that decisions around what LSMs are enabled in distro kernels are
a distro issue, not an upstream issue, but unfortunately Tetsuo
continues to disregard these arguments.
* Add the Integrity Policy Enforcement (IPE) LSM
This pull request adds a new LSM, Integrity Policy Enforcement (IPE).
There is plenty of documentation about IPE in these patches, so I'll
refrain from going into too much detail here, but the basic motivation
behind IPE is to provide a mechanism such that administrators can
restrict execution to only those binaries which come from integrity
protected storage, e.g. a dm-verity protected filesystem. You will
notice that IPE requires additional LSM hooks in the initramfs,
dm-verity, and fs-verity code, with the associated patches carrying
ACK/review tags from the associated maintainers. We couldn't find an
obvious maintainer for the initramfs code, but the IPE patchset has
been widely posted over several years.
Both Deven Bowers and Fan Wu have contributed to IPE's development
over the past several years, with Fan Wu agreeing to serve as the IPE
maintainer moving forward. Once IPE is accepted into your tree, I'll
start working with Fan to ensure he has the necessary accounts, keys,
etc. so that he can start submitting IPE pull requests to you directly
during the next merge window.
* Move the lifecycle management of the LSM blobs to the LSM framework
Management of the LSM blobs (the LSM state buffers attached to various
kernel structs, typically via a void pointer named "security" or similar)
has been mixed, some blobs were allocated/managed by individual LSMs,
others were managed by the LSM framework itself. Starting with this
pull request we move management of all the LSM blobs, minus the XFRM
blob, into the framework itself, improving consistency across LSMs, and
reducing the amount of duplicated code across LSMs. Due to some
additional work required to migrate the XFRM blob, it has been left as
a todo item for a later date; from a practical standpoint this omission
should have little impact as only SELinux provides an XFRM LSM
implementation.
* Fix problems with the LSM's handling of F_SETOWN
The LSM hook for the fcntl(F_SETOWN) operation had a couple of problems:
it was racy with itself, and it was disconnected from the associated DAC
related logic in such a way that the LSM state could be updated in cases
where the DAC state would not. We fix both of these problems by moving
the security_file_set_fowner() hook into the same section of code where
the DAC attributes are updated. Not only does this resolve the DAC/LSM
synchronization issue, but as that code block is protected by a lock, it
also resolves the race condition.
* Fix potential problems with the security_inode_free() LSM hook
Due to use of RCU to protect inodes and the placement of the LSM hook
associated with freeing the inode, there is a bit of a challenge when
it comes to managing any LSM state associated with an inode. The VFS
folks are not open to relocating the LSM hook so we have to get creative
when it comes to releasing an inode's LSM state. Traditionally we have
used a single LSM callback within the hook that is triggered when the
inode is "marked for death", but not actually released due to RCU.
Unfortunately, this causes problems for LSMs which want to take an
action when the inode's associated LSM state is actually released; this
pull request adds an additional LSM callback, inode_free_security_rcu(),
that is called when the inode's LSM state is released in the RCU free
callback.
* Refactor two LSM hooks to better fit the LSM return value patterns
The vast majority of the LSM hooks follow the "return 0 on success,
negative values on failure" pattern, however, there are a small handful
that have unique return value behaviors which have caused confusion in the
past and makes it difficult for the BPF verifier to properly vet BPF LSM
programs. This pull request includes patches to convert two of these
"special" LSM hooks to the common 0/-ERRNO pattern.
* Various cleanups and improvements
A handful of patches to remove redundant code, better leverage the
IS_ERR_OR_NULL() helper, add missing "static" markings, and do some minor
style fixups.
-Paul
--
The following changes since commit 8400291e289ee6b2bf9779ff1c83a291501f017b:
Linux 6.11-rc1 (2024-07-28 14:19:55 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
tags/lsm-pr-20240911
for you to fetch changes up to 19c9d55d72a9040cf9dc8de62633e6217381106b:
security: Update file_set_fowner documentation
(2024-09-09 12:30:51 -0400)
----------------------------------------------------------------
lsm/stable-6.12 PR 20240911
----------------------------------------------------------------
Casey Schaufler (6):
lsm: infrastructure management of the sock security
lsm: infrastructure management of the key security blob
lsm: add helper for blob allocations
lsm: infrastructure management of the dev_tun blob
lsm: infrastructure management of the infiniband blob
lsm: infrastructure management of the perf_event security blob
Deven Bowers (13):
lsm: add IPE lsm
ipe: add policy parser
ipe: add evaluation loop
ipe: add LSM hooks on execution and kernel read
ipe: add userspace interface
audit,ipe: add IPE auditing support
ipe: add permissive toggle
block,lsm: add LSM blob and new LSM hooks for block devices
dm-verity: expose root hash digest and signature data to LSMs
ipe: add support for dm-verity as a trust provider
scripts: add boot policy generation program
ipe: kunit test for parser
documentation: add IPE documentation
Fan Wu (7):
initramfs,lsm: add a security hook to do_populate_rootfs()
ipe: introduce 'boot_verified' as a trust provider
lsm: add new securityfs delete function
lsm: add security_inode_setintegrity() hook
fsverity: expose verified fsverity built-in signatures to LSMs
ipe: enable support for fs-verity as a trust provider
MAINTAINERS: add IPE entry with Fan Wu as maintainer
Hongbo Li (1):
lsm: Use IS_ERR_OR_NULL() helper function
KP Singh (4):
init/main.c: Initialize early LSMs after arch code, static keys and calls.
kernel: Add helper macros for loop unrolling
lsm: count the LSMs enabled at compile time
lsm: replace indirect LSM hook calls with static calls
Mickaël Salaün (2):
fs: Fix file_set_fowner LSM hook inconsistencies
security: Update file_set_fowner documentation
Paul Moore (2):
lsm: cleanup lsm_hooks.h
lsm: add the inode_free_security_rcu() LSM implementation hook
Tetsuo Handa (1):
lsm: remove LSM_COUNT and LSM_CONFIG_COUNT
Xu Kuohai (2):
lsm: Refactor return value of LSM hook vm_enough_memory
lsm: Refactor return value of LSM hook inode_copy_up_xattr
Yang Li (1):
ipe: Remove duplicated include in ipe.c
Yue Haibing (1):
lockdown: Make lockdown_lsmid static
Documentation/admin-guide/LSM/index.rst | 1
Documentation/admin-guide/LSM/ipe.rst | 790 ++++++++++++
Documentation/admin-guide/kernel-parameters.txt | 12
Documentation/filesystems/fsverity.rst | 27
Documentation/security/index.rst | 1
Documentation/security/ipe.rst | 446 ++++++
MAINTAINERS | 10
block/bdev.c | 7
drivers/md/dm-verity-target.c | 118 +
drivers/md/dm-verity.h | 4
fs/fcntl.c | 14
fs/overlayfs/copy_up.c | 6
fs/verity/signature.c | 18
include/linux/args.h | 6
include/linux/blk_types.h | 3
include/linux/lsm_count.h | 135 ++
include/linux/lsm_hook_defs.h | 20
include/linux/lsm_hooks.h | 129 +
include/linux/security.h | 55
include/linux/unroll.h | 36
include/uapi/linux/audit.h | 3
include/uapi/linux/lsm.h | 1
init/initramfs.c | 3
init/main.c | 6
scripts/Makefile | 1
scripts/ipe/Makefile | 2
scripts/ipe/polgen/.gitignore | 2
scripts/ipe/polgen/Makefile | 5
scripts/ipe/polgen/polgen.c | 145 ++
security/Kconfig | 11
security/Makefile | 1
security/apparmor/include/net.h | 3
security/apparmor/lsm.c | 17
security/apparmor/net.c | 2
security/commoncap.c | 11
security/inode.c | 27
security/integrity/evm/evm_main.c | 2
security/integrity/ima/ima.h | 2
security/integrity/ima/ima_iint.c | 20
security/integrity/ima/ima_main.c | 2
security/ipe/.gitignore | 2
security/ipe/Kconfig | 97 +
security/ipe/Makefile | 31
security/ipe/audit.c | 292 ++++
security/ipe/audit.h | 19
security/ipe/digest.c | 118 +
security/ipe/digest.h | 26
security/ipe/eval.c | 393 +++++
security/ipe/eval.h | 70 +
security/ipe/fs.c | 247 +++
security/ipe/fs.h | 16
security/ipe/hooks.c | 314 ++++
security/ipe/hooks.h | 52
security/ipe/ipe.c | 98 +
security/ipe/ipe.h | 26
security/ipe/policy.c | 227 +++
security/ipe/policy.h | 98 +
security/ipe/policy_fs.c | 472 +++++++
security/ipe/policy_parser.c | 559 ++++++++
security/ipe/policy_parser.h | 11
security/ipe/policy_tests.c | 296 ++++
security/landlock/fs.c | 9
security/lockdown/lockdown.c | 2
security/security.c | 615 ++++++---
security/selinux/hooks.c | 176 --
security/selinux/include/objsec.h | 28
security/selinux/netlabel.c | 23
security/smack/smack.h | 12
security/smack/smack_lsm.c | 107 -
security/smack/smack_netfilter.c | 4
tools/testing/selftests/lsm/lsm_list_modules_test.c | 3
71 files changed, 6063 insertions(+), 484 deletions(-)
--
paul-moore.com