LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* Re: [Patch 7/7] IBAC Patch
  2007-03-25 16:31   ` Serge E. Hallyn
@ 2007-03-22 23:10     ` Pavel Machek
  0 siblings, 0 replies; 4+ messages in thread
From: Pavel Machek @ 2007-03-22 23:10 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: Mimi Zohar, linux-kernel, safford, serue, kjhall, zohar, akpm

Hi!

> > > This is a new Integrity Based Access Control(IBAC) LSM module which 
> > > bases access control decisions on the new integrity framework services. 
> > > IBAC is a sample LSM module to help clarify the interaction between 
> > > LSM and Linux Integrity Modules(LIM).
> > > 
> > >    - Updated Kconfig SECURITY_IBAC description
> > >      and SECURITY_IBAC_BOOTPARAM default value
> > >    - Prefixed all log messages with "ibac:"
> > >    - Redefined a couple of 'int' variables as 'static int'
> > > 
> > > signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> > > ---
> > > Index: linux-2.6.21-rc4-mm1/security/ibac/Kconfig
> > > ===================================================================
> > > --- /dev/null
> > > +++ linux-2.6.21-rc4-mm1/security/ibac/Kconfig
> > > @@ -0,0 +1,41 @@
> > > +config SECURITY_IBAC
> > > +	boolean "IBAC support"
> > > +	depends on SECURITY && SECURITY_NETWORK && INTEGRITY
> > > +	help
> > > +	  Integrity Based Access Control(IBAC) uses the Linux
> > > +	  Integrity Module(LIM) API calls to verify an executable's
> > > +	  metadata and data's integrity.  Based on the results,
> > > +	  execution permission is permitted/denied.  Integrity
> > > +	  providers may implement the LIM hooks differently.  For
> > > +	  more information on integrity verification refer to the
> > > +	  specific integrity provider documentation.
> > 
> > ...sounds like pseudosecurity piece of **** whose only purpose is to
> > prevent computer's owner to hack his own system?
> > 
> > Why do we want it?
> 
> I assume, as it says not too far above, we want it as
> 
> 	"a sample LSM module to help clarify the interaction between LSM
> 	and Linux Integrity Modules(LIM)"
> 
> Since the LIM stuff is infrastructure code, a simple user is nice of her
> to provide, like the root_plug LSM.
> 
> Perhaps the comments should warn that using this for real by itself
> would be trivial to work around?

Certainly. And I'm not sure if we are not carying enough example code
already :-).
							Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Patch 7/7] IBAC Patch
@ 2007-03-23 16:10 Mimi Zohar
  2007-03-25 12:38 ` Pavel Machek
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2007-03-23 16:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: safford, serue, kjhall, zohar, akpm

This is a new Integrity Based Access Control(IBAC) LSM module which 
bases access control decisions on the new integrity framework services. 
IBAC is a sample LSM module to help clarify the interaction between 
LSM and Linux Integrity Modules(LIM).

   - Updated Kconfig SECURITY_IBAC description
     and SECURITY_IBAC_BOOTPARAM default value
   - Prefixed all log messages with "ibac:"
   - Redefined a couple of 'int' variables as 'static int'

signed-off-by: Mimi Zohar <zohar@us.ibm.com>
---
Index: linux-2.6.21-rc4-mm1/security/ibac/Kconfig
===================================================================
--- /dev/null
+++ linux-2.6.21-rc4-mm1/security/ibac/Kconfig
@@ -0,0 +1,41 @@
+config SECURITY_IBAC
+	boolean "IBAC support"
+	depends on SECURITY && SECURITY_NETWORK && INTEGRITY
+	help
+	  Integrity Based Access Control(IBAC) uses the Linux
+	  Integrity Module(LIM) API calls to verify an executable's
+	  metadata and data's integrity.  Based on the results,
+	  execution permission is permitted/denied.  Integrity
+	  providers may implement the LIM hooks differently.  For
+	  more information on integrity verification refer to the
+	  specific integrity provider documentation.
+
+config SECURITY_IBAC_BOOTPARAM
+	bool "IBAC boot parameter"
+	depends on SECURITY_IBAC
+	default n
+	help
+	  This option adds a kernel parameter 'ibac', which allows IBAC
+	  to be disabled at boot.  If this option is selected, IBAC
+	  functionality can be disabled with ibac=0 on the kernel
+	  command line.  The purpose of this option is to allow a
+	  single kernel image to be distributed with IBAC built in,
+	  but not necessarily enabled.
+
+	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_IBAC_BOOTPARAM_VALUE
+	int "IBAC boot parameter default value"
+	depends on SECURITY_IBAC_BOOTPARAM
+	range 0 1
+	default 0
+	help
+	  This option sets the default value for the kernel parameter
+	  'ibac', which allows IBAC to be disabled at boot.  If this
+	  option is set to 0 (zero), the IBAC kernel parameter will
+	  default to 0, disabling IBAC at bootup.  If this option is
+	  set to 1 (one), the IBAC kernel parameter will default to 1,
+	  enabling IBAC at bootup.
+
+	  If you are unsure how to answer this question, answer 0.
+
Index: linux-2.6.21-rc4-mm1/security/ibac/Makefile
===================================================================
--- /dev/null
+++ linux-2.6.21-rc4-mm1/security/ibac/Makefile
@@ -0,0 +1,6 @@
+#
+# Makefile for building IBAC
+#
+
+obj-$(CONFIG_SECURITY_IBAC) += ibac.o
+ibac-y 	:= ibac_main.o
Index: linux-2.6.21-rc4-mm1/security/ibac/ibac_main.c
===================================================================
--- /dev/null
+++ linux-2.6.21-rc4-mm1/security/ibac/ibac_main.c
@@ -0,0 +1,123 @@
+/*
+ * Integrity Based Access Control(IBAC) sample LSM module calling LIM hooks
+ *
+ * Copyright (C) 2007 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ *      This program is free software; you can redistribute it and/or modify
+ *      it under the terms of the GNU General Public License as published by
+ *      the Free Software Foundation, version 2 of the License.
+ */
+
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/kernel.h>
+#include <linux/security.h>
+#include <linux/integrity.h>
+
+#ifdef CONFIG_SECURITY_IBAC_BOOTPARAM
+static int ibac_enabled = CONFIG_SECURITY_IBAC_BOOTPARAM_VALUE;
+
+static int __init ibac_enabled_setup(char *str)
+{
+	ibac_enabled = simple_strtol(str, NULL, 0);
+	return 1;
+}
+
+__setup("ibac=", ibac_enabled_setup);
+#else
+static int ibac_enabled = 1;
+#endif
+
+static unsigned int integrity_enforce;
+static int __init integrity_enforce_setup(char *str)
+{
+	integrity_enforce = simple_strtol(str, NULL, 0);
+	return 1;
+}
+
+__setup("ibac_enforce=", integrity_enforce_setup);
+
+static inline int is_kernel_thread(struct task_struct *tsk)
+{
+	return (!tsk->mm) ? 1 : 0;
+}
+
+static int ibac_bprm_check_security(struct linux_binprm *bprm)
+{
+	struct dentry *dentry = bprm->file->f_dentry;
+	char *xattr_value = NULL;
+	int rc, status;
+
+	rc = integrity_verify_metadata(dentry, NULL, NULL, NULL, &status);
+	if (rc == -EOPNOTSUPP) {
+		kfree(xattr_value);
+		return 0;
+	}
+
+	if (rc < 0) {
+		printk(KERN_INFO "ibac: verify_metadata %s failed "
+		       "(rc: %d - status: %d)\n", bprm->filename, rc, status);
+		if (!integrity_enforce)
+			rc = 0;
+		goto out;
+	}
+	if (status != INTEGRITY_PASS) {	/* FAIL | NO_LABEL */
+		if (!is_kernel_thread(current)) {
+			printk(KERN_INFO "ibac: verify_metadata %s "
+			       "(Integrity status: %s)\n", bprm->filename,
+				status == INTEGRITY_FAIL ? "FAIL" : "NOLABEL");
+			if (integrity_enforce) {
+				rc = -EACCES;
+				goto out;
+			}
+		}
+	}
+
+	rc = integrity_verify_data(dentry, &status);
+	if (rc < 0) {
+		printk(KERN_INFO "ibac: %s verify_data failed "
+		       "(rc: %d - status: %d)\n", bprm->filename, rc, status);
+		if (!integrity_enforce)
+			rc = 0;
+		goto out;
+	}
+	if (status != INTEGRITY_PASS) {
+		if (!is_kernel_thread(current)) {
+			printk(KERN_INFO "ibac: verify_data %s "
+			       "(Integrity status: FAIL)\n", bprm->filename);
+			if (integrity_enforce) {
+				rc = -EACCES;
+				goto out;
+			}
+		}
+	}
+
+	kfree(xattr_value);
+
+	/* measure all executables */
+	integrity_measure(dentry, bprm->filename, MAY_EXEC);
+	return 0;
+out:
+	kfree(xattr_value);
+	return rc;
+}
+
+static struct security_operations ibac_security_ops = {
+	.bprm_check_security = ibac_bprm_check_security
+};
+
+static int __init init_ibac(void)
+{
+	int rc;
+
+	if (!ibac_enabled)
+		return 0;
+
+	rc = register_security(&ibac_security_ops);
+	if (rc != 0)
+		panic("ibac: unable to register with kernel\n");
+	return rc;
+}
+
+security_initcall(init_ibac);
Index: linux-2.6.21-rc4-mm1/security/Kconfig
===================================================================
--- linux-2.6.21-rc4-mm1.orig/security/Kconfig
+++ linux-2.6.21-rc4-mm1/security/Kconfig
@@ -125,5 +125,6 @@ config SECURITY_ROOTPLUG
 source security/selinux/Kconfig
 
 source security/slim/Kconfig
+source security/ibac/Kconfig
 endmenu
 
Index: linux-2.6.21-rc4-mm1/security/Makefile
===================================================================
--- linux-2.6.21-rc4-mm1.orig/security/Makefile
+++ linux-2.6.21-rc4-mm1/security/Makefile
@@ -14,6 +14,7 @@ endif
 obj-$(CONFIG_SECURITY)			+= security.o dummy.o inode.o
 obj-$(CONFIG_INTEGRITY)		+= integrity.o integrity_dummy.o
 obj-$(CONFIG_INTEGRITY_EVM)		+= evm/
+obj-$(CONFIG_SECURITY_IBAC)		+= ibac/
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SLIM)		+= slim/
 obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/built-in.o



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Patch 7/7] IBAC Patch
  2007-03-23 16:10 [Patch 7/7] IBAC Patch Mimi Zohar
@ 2007-03-25 12:38 ` Pavel Machek
  2007-03-25 16:31   ` Serge E. Hallyn
  0 siblings, 1 reply; 4+ messages in thread
From: Pavel Machek @ 2007-03-25 12:38 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-kernel, safford, serue, kjhall, zohar, akpm

Hi!

> This is a new Integrity Based Access Control(IBAC) LSM module which 
> bases access control decisions on the new integrity framework services. 
> IBAC is a sample LSM module to help clarify the interaction between 
> LSM and Linux Integrity Modules(LIM).
> 
>    - Updated Kconfig SECURITY_IBAC description
>      and SECURITY_IBAC_BOOTPARAM default value
>    - Prefixed all log messages with "ibac:"
>    - Redefined a couple of 'int' variables as 'static int'
> 
> signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> ---
> Index: linux-2.6.21-rc4-mm1/security/ibac/Kconfig
> ===================================================================
> --- /dev/null
> +++ linux-2.6.21-rc4-mm1/security/ibac/Kconfig
> @@ -0,0 +1,41 @@
> +config SECURITY_IBAC
> +	boolean "IBAC support"
> +	depends on SECURITY && SECURITY_NETWORK && INTEGRITY
> +	help
> +	  Integrity Based Access Control(IBAC) uses the Linux
> +	  Integrity Module(LIM) API calls to verify an executable's
> +	  metadata and data's integrity.  Based on the results,
> +	  execution permission is permitted/denied.  Integrity
> +	  providers may implement the LIM hooks differently.  For
> +	  more information on integrity verification refer to the
> +	  specific integrity provider documentation.

...sounds like pseudosecurity piece of **** whose only purpose is to
prevent computer's owner to hack his own system?

Why do we want it?
						Pavel


> + * Integrity Based Access Control(IBAC) sample LSM module calling LIM hooks

sample?

> +static inline int is_kernel_thread(struct task_struct *tsk)
> +{
> +	return (!tsk->mm) ? 1 : 0;
> +}

Obfuscated C code contest?

						Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Patch 7/7] IBAC Patch
  2007-03-25 12:38 ` Pavel Machek
@ 2007-03-25 16:31   ` Serge E. Hallyn
  2007-03-22 23:10     ` Pavel Machek
  0 siblings, 1 reply; 4+ messages in thread
From: Serge E. Hallyn @ 2007-03-25 16:31 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Mimi Zohar, linux-kernel, safford, serue, kjhall, zohar, akpm

Quoting Pavel Machek (pavel@ucw.cz):
> Hi!
> 
> > This is a new Integrity Based Access Control(IBAC) LSM module which 
> > bases access control decisions on the new integrity framework services. 
> > IBAC is a sample LSM module to help clarify the interaction between 
> > LSM and Linux Integrity Modules(LIM).
> > 
> >    - Updated Kconfig SECURITY_IBAC description
> >      and SECURITY_IBAC_BOOTPARAM default value
> >    - Prefixed all log messages with "ibac:"
> >    - Redefined a couple of 'int' variables as 'static int'
> > 
> > signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> > ---
> > Index: linux-2.6.21-rc4-mm1/security/ibac/Kconfig
> > ===================================================================
> > --- /dev/null
> > +++ linux-2.6.21-rc4-mm1/security/ibac/Kconfig
> > @@ -0,0 +1,41 @@
> > +config SECURITY_IBAC
> > +	boolean "IBAC support"
> > +	depends on SECURITY && SECURITY_NETWORK && INTEGRITY
> > +	help
> > +	  Integrity Based Access Control(IBAC) uses the Linux
> > +	  Integrity Module(LIM) API calls to verify an executable's
> > +	  metadata and data's integrity.  Based on the results,
> > +	  execution permission is permitted/denied.  Integrity
> > +	  providers may implement the LIM hooks differently.  For
> > +	  more information on integrity verification refer to the
> > +	  specific integrity provider documentation.
> 
> ...sounds like pseudosecurity piece of **** whose only purpose is to
> prevent computer's owner to hack his own system?
> 
> Why do we want it?

I assume, as it says not too far above, we want it as

	"a sample LSM module to help clarify the interaction between LSM
	and Linux Integrity Modules(LIM)"

Since the LIM stuff is infrastructure code, a simple user is nice of her
to provide, like the root_plug LSM.

Perhaps the comments should warn that using this for real by itself
would be trivial to work around?

-serge

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2007-03-27 16:14 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-03-23 16:10 [Patch 7/7] IBAC Patch Mimi Zohar
2007-03-25 12:38 ` Pavel Machek
2007-03-25 16:31   ` Serge E. Hallyn
2007-03-22 23:10     ` Pavel Machek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).