On Wed, Nov 27, 2019 at 12:04 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> Implement a SELinux hook for lockdown. If the lockdown module is also
> enabled, then a denial by the lockdown module will take precedence over
> SELinux, so SELinux can only further restrict lockdown decisions.
> The SELinux hook only distinguishes at the granularity of integrity
> versus confidentiality similar to the lockdown module, but includes the
> full lockdown reason as part of the audit record as a hint in diagnosing
> what triggered the denial. To support this auditing, move the
> lockdown_reasons[] string array from being private to the lockdown
> module to the security framework so that it can be used by the lsm audit
> code and so that it is always available even when the lockdown module
> is disabled.
>
> Note that the SELinux implementation allows the integrity and
> confidentiality reasons to be controlled independently from one another.
> Thus, in an SELinux policy, one could allow operations that specify
> an integrity reason while blocking operations that specify a
> confidentiality reason. The SELinux hook implementation is
> stricter than the lockdown module in validating the provided reason value.
>
> Sample AVC audit output from denials:
> avc: denied { integrity } for pid=3402 comm="fwupd"
> lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
> tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
>
> avc: denied { confidentiality } for pid=4628 comm="cp"
> lockdown_reason="/proc/kcore access"
> scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
> tclass=lockdown permissive=0
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
>  include/linux/lsm_audit.h           |  2 ++
>  include/linux/security.h            |  2 ++
>  security/lockdown/lockdown.c        | 24 ----------------------
>  security/lsm_audit.c                |  5 +++++
>  security/security.c                 | 30 +++++++++++++++++++++++++++++
>  security/selinux/hooks.c            | 30 +++++++++++++++++++++++++++++
>  security/selinux/include/classmap.h |  2 ++
>  7 files changed, 71 insertions(+), 24 deletions(-)

While I remain concerned about the granularity, I think this is about as
good as we can get right now without potentially messing things up in the
future.

Applied to selinux/next, thanks Stephen.

--
paul moore
www.paul-moore.com
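As an added example (my own code, not part of Stephen's patch or this thread), a small Python parser for the AVC records quoted above: it copes with the double-quoted lockdown_reason value that contains a space ("/proc/kcore access"), filters to the lockdown class, and produces the audit2allow-style rule a policy author would weigh against the reported reason before granting it. The two sample records are the ones from the message, re-joined onto single lines; the regular expressions and function names are assumptions of this example.

```python
import re
# Constructed sample input: the two denials quoted in the patch description,
# each re-joined onto one line (the kernel logs an AVC record as a single line).
SAMPLE_AVC = (
    'avc: denied { integrity } for pid=3402 comm="fwupd" '
    'lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0 '
    'tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0\n'
    'avc: denied { confidentiality } for pid=4628 comm="cp" '
    'lockdown_reason="/proc/kcore access" '
    'scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023 '
    'tclass=lockdown permissive=0\n'
)

# Record shape: avc: denied { perm ... } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# A value is either double-quoted (and may then contain spaces, as in
# lockdown_reason="/proc/kcore access") or a bare token such as a security context.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one AVC record into result, permission list and key/value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("rest")):
        key, quoted, bare = fm.groups()          # exactly one of quoted/bare matched
        fields[key] = quoted if quoted is not None else bare
    return {"result": m.group("result"), "perms": m.group("perms").split(), "fields": fields}

def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def lockdown_denials(log_text):
    """(comm, permission, lockdown_reason, source type) for each lockdown-class denial."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["fields"].get("tclass") == "lockdown":
            f = rec["fields"]
            for perm in rec["perms"]:          # integrity and/or confidentiality
                found.append((f.get("comm"), perm, f.get("lockdown_reason"), context_type(f["scontext"])))
    return found

def suggest_rule(rec):
    """audit2allow-style TE rule that would resolve the denial; read lockdown_reason before adding it."""
    f = rec["fields"]
    return "allow %s %s:%s { %s };" % (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"], " ".join(rec["perms"]))
```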