LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Ahmed S. Darwish" <darwish.07@gmail.com>,
	Chris Wright <chrisw@sous-sol.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Alexey Dobriyan <adobriyan@sw.ru>
Cc: LKML <linux-kernel@vger.kernel.org>,
	LSM-ML <linux-security-module@vger.kernel.org>
Subject: Re: [RFC PATCH -mm] LSM: Add lsm= boot parameter
Date: Sat, 1 Mar 2008 12:28:43 -0800 (PST)
Message-ID: <804479.65789.qm@web36610.mail.mud.yahoo.com> (raw)
In-Reply-To: <20080301190718.GA16307@ubuntu>


--- "Ahmed S. Darwish" <darwish.07@gmail.com> wrote:

> Hi everybody,
> 
> This is a first try of adding lsm= boot parameter. 
> 
> Current situation is:
> 1- Ignore wrong input, with a small warning to users.
> 2- If user didn't specify a specific module, none will be loaded

I'm not fond of this behavior for the case where only one LSM
has been built in. Fedora, for example, ought to boot SELinux
without specifing lsm=SELinux, and all the rest should boot
whatever they are built with. In the case where a kernel is
built with conflicting LSMs (today SELinux and Smack) I see
this as a useful way to decide which to use until you get
your kernel rebuilt sanely, so it appears to be worth having.

> 
> Basically, the patch adds a @name attribute to each LSM. It
> also adds a security_module_chosen(op) method where each
> LSM _must_ pass before calling register_security().
> 
> Thanks,
> 
>  Documentation/kernel-parameters.txt |    4 ++++
>  include/linux/security.h            |   10 ++++++++++
>  security/dummy.c                    |    3 ++-
>  security/security.c                 |   35
> +++++++++++++++++++++++++++++++++++
>  security/selinux/hooks.c            |    5 ++++-
>  security/smack/smack_lsm.c          |    7 +++++++
>  6 files changed, 62 insertions(+), 2 deletions(-)
> 
> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
> ---
> diff --git a/Documentation/kernel-parameters.txt
> b/Documentation/kernel-parameters.txt
> index c64dfd7..dde04c8 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -374,6 +374,10 @@ and is between 256 and 4096 characters. It is defined in
> the file
>  			possible to determine what the correct size should be.
>  			This option provides an override for these situations.
>  
> +	lsm=		[SECURITY] Choose an LSM to enable at boot. If this boot
> +			parameter is not specified, no security module will be 
> +			loaded.
> +
>  	capability.disable=
>  			[SECURITY] Disable capabilities.  This would normally
>  			be used only if an alternative security model is to be
> diff --git a/include/linux/security.h b/include/linux/security.h
> index eb663e5..4f695c0 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -42,6 +42,9 @@
>  
>  extern unsigned securebits;
>  
> +/* Maximum number of letters for an LSM name string */
> +#define SECURITY_NAME_MAX	10
> +
>  struct ctl_table;
>  struct audit_krule;
>  
> @@ -118,6 +121,10 @@ struct request_sock;
>  /**
>   * struct security_operations - main security structure
>   *
> + * Security module identifier.
> + *
> + * @name: LSM name
> + *
>   * Security hooks for program execution operations.
>   *
>   * @bprm_alloc_security:
> @@ -1262,6 +1269,8 @@ struct request_sock;
>   * This is the main security structure.
>   */
>  struct security_operations {
> +	char name[SECURITY_NAME_MAX + 1];
> +
>  	int (*ptrace) (struct task_struct * parent, struct task_struct * child);
>  	int (*capget) (struct task_struct * target,
>  		       kernel_cap_t * effective,
> @@ -1530,6 +1539,7 @@ struct security_operations {
>  
>  /* prototypes */
>  extern int security_init	(void);
> +extern int security_module_chosen(struct security_operations *ops);
>  extern int register_security	(struct security_operations *ops);
>  extern int mod_reg_security	(const char *name, struct security_operations
> *ops);
>  extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
> diff --git a/security/dummy.c b/security/dummy.c
> index 241ab20..ed11f97 100644
> --- a/security/dummy.c
> +++ b/security/dummy.c
> @@ -1022,7 +1022,7 @@ static inline void dummy_audit_rule_free(void *lsmrule)
>  
>  #endif /* CONFIG_AUDIT */
>  
> -struct security_operations dummy_security_ops;
> +struct security_operations dummy_security_ops = { "dummy" };
>  
>  #define set_to_dummy_if_null(ops, function)				\
>  	do {								\
> @@ -1035,6 +1035,7 @@ struct security_operations dummy_security_ops;
>  
>  void security_fixup_ops (struct security_operations *ops)
>  {
> +	BUG_ON(!ops->name);
>  	set_to_dummy_if_null(ops, ptrace);
>  	set_to_dummy_if_null(ops, capget);
>  	set_to_dummy_if_null(ops, capset_check);
> diff --git a/security/security.c b/security/security.c
> index 1bf2ee4..7a84b4e 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -17,6 +17,8 @@
>  #include <linux/kernel.h>
>  #include <linux/security.h>
>  
> +/* Boot time LSM user choice */
> +char chosen_lsm[SECURITY_NAME_MAX + 1];
>  
>  /* things that live in dummy.c */
>  extern struct security_operations dummy_security_ops;
> @@ -67,6 +69,39 @@ int __init security_init(void)
>  	return 0;
>  }
>  
> +/* Save user chosen LSM */
> +static int __init choose_lsm(char *str)
> +{
> +	if (strlen(str) > SECURITY_NAME_MAX) {
> +		printk(KERN_INFO "Security: LSM name length extends possible "
> +		       "limit.\n");
> +		printk(KERN_INFO "Security: Ignoring passed lsm= parameter.\n");
> +		return 0;
> +	}
> +
> +	strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
> +	return 1;
> +}
> +__setup("lsm=", choose_lsm);
> +
> +/**
> + * security_module_chosen - Load given security module on boot ?
> + * @ops: a pointer to the struct security_operations that is to be checked.
> + *
> + * Return true if the passed LSM is the one chosen by user at
> + * boot time, otherwise return false.
> + */
> +int security_module_chosen(struct security_operations *ops)
> +{
> +	if (!ops || !ops->name)
> +		return 0;
> +
> +	if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX))
> +		return 0;
> +	
> +	return 1;
> +}
> +
>  /**
>   * register_security - registers a security framework with the kernel
>   * @ops: a pointer to the struct security_options that is to be registered
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index bef1834..d4926b0 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5247,6 +5247,8 @@ static int selinux_key_getsecurity(struct key *key,
> char **_buffer)
>  #endif
>  
>  static struct security_operations selinux_ops = {
> +	.name =				"selinux",
> +
>  	.ptrace =			selinux_ptrace,
>  	.capget =			selinux_capget,
>  	.capset_check =			selinux_capset_check,
> @@ -5443,7 +5445,8 @@ static __init int selinux_init(void)
>  {
>  	struct task_security_struct *tsec;
>  
> -	if (!selinux_enabled) {
> +	if (!selinux_enabled || !security_module_chosen(&selinux_ops)) {
> +		selinux_enabled = 0;
>  		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
>  		return 0;
>  	}
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 2b5d6f7..4348257 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -2358,6 +2358,8 @@ static void smack_release_secctx(char *secdata, u32
> seclen)
>  }
>  
>  static struct security_operations smack_ops = {
> +	.name =				"smack",
> +
>  	.ptrace = 			smack_ptrace,
>  	.capget = 			cap_capget,
>  	.capset_check = 		cap_capset_check,
> @@ -2485,6 +2487,11 @@ static struct security_operations smack_ops = {
>   */
>  static __init int smack_init(void)
>  {
> +	if (!security_module_chosen(&smack_ops)) {
> +		printk(KERN_INFO "Smack: Disabled at boot.\n");
> +		return 0;
> +	}
> +
>  	printk(KERN_INFO "Smack:  Initializing.\n");
>  
>  	/*
> 
> -- 
> 
> "Better to light a candle, than curse the darkness"
> 
> Ahmed S. Darwish
> Homepage: http://darwish.07.googlepages.com
> Blog: http://darwish-07.blogspot.com
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

  reply index

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-01 19:07 Ahmed S. Darwish
2008-03-01 20:28 ` Casey Schaufler [this message]
2008-03-01 21:11   ` Adrian Bunk
2008-03-01 21:29     ` Casey Schaufler
2008-03-01 23:27       ` [PATCH -v2 -mm] LSM: Add security= " Ahmed S. Darwish
2008-03-02  3:41         ` Casey Schaufler
2008-03-02  7:55           ` Ahmed S. Darwish
2008-03-02  7:49         ` Ahmed S. Darwish
2008-03-02 10:59           ` [PATCH -v3 " Ahmed S. Darwish
2008-03-02 18:37             ` Casey Schaufler
2008-03-03  8:29             ` James Morris
2008-03-03 15:35               ` Ahmed S. Darwish
2008-03-03 15:54                 ` Stephen Smalley
2008-03-03 21:24                   ` [PATCH -v4 " Ahmed S. Darwish
2008-03-03 22:16                     ` James Morris
2008-03-04  3:04                       ` [PATCH -v5 " Ahmed S. Darwish
2008-03-04  4:07                         ` James Morris
2008-03-05 22:29                         ` Andrew Morton
2008-03-05 22:56                           ` Ahmed S. Darwish
2008-03-05 23:06                             ` Ahmed S. Darwish
2008-03-05 22:56                           ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=804479.65789.qm@web36610.mail.mud.yahoo.com \
    --to=casey@schaufler-ca.com \
    --cc=adobriyan@sw.ru \
    --cc=chrisw@sous-sol.org \
    --cc=darwish.07@gmail.com \
    --cc=eparis@parisplace.org \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lkml.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lkml.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lkml.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lkml.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lkml.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lkml.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lkml.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lkml.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lkml.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lkml.kernel.org/lkml/9 lkml/git/9.git
	git clone --mirror https://lkml.kernel.org/lkml/10 lkml/git/10.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lkml.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git