Many of the Linux Security Module (LSM) interfaces use u32 security ID values (secids) to identify module specific security attributes. This is an artifact of the SELinux security server architecture and compromises made to allow security attributes to be associated with networking mechanisms. There are significant performance implications to using this approach, as access control decisions must map the secids to the real data to be used. There is also impact on the audit system, which must provide textual values for security attributes.

The secid based interfaces are also constrained to supporting a single security module. There are clever mechanisms for representing multiple 32 bit values in a single 32 bit value, but they add overhead and complexity. While the issue of multiple concurrent security modules is not explicitly addressed here, the move away from secids is required to make that possible.

Most uses of secids can be replaced by a security module specific value. In SELinux this remains a u32 secid. In Smack the value is a pointer into the system label list. In AppArmor a pointer to a security context can be used. Because the active security module can be specified at boot time using the "security=" or "lsm=" flags, the system must be able to use any of the possible values. A struct lsmblob is introduced to contain the attribute values. This struct includes a member for each of the security modules that are built into the kernel. Where possible, uses of secids are replaced with an lsmblob.

LSM interfaces have been modified to use lsmblob pointers instead of secids in most cases. Some new interfaces have been introduced where it is not practical to replace an existing secid interface. This occurs in several networking code paths.
https://github.com/cschaufler/lsm-stacking.git#lsmblob-6.11-rc3#lsmblob-6.11-rc3-v2

Revisions:
v2: Feedback on v1
    - Share common code in apparmor_*_to_secctx()
    - Remove stale review tags
    - Fix mistakes in comments

Casey Schaufler (13):
  LSM: Add the lsmblob data structure.
  LSM: Use lsmblob in security_audit_rule_match
  LSM: Add lsmblob_to_secctx hook
  Audit: maintain an lsmblob in audit_context
  LSM: Use lsmblob in security_ipc_getsecid
  Audit: Update shutdown LSM data
  LSM: Use lsmblob in security_current_getsecid
  LSM: Use lsmblob in security_inode_getsecid
  Audit: use an lsmblob in audit_names
  LSM: Create new security_cred_getlsmblob LSM hook
  Audit: Change context data from secid to lsmblob
  Netlabel: Use lsmblob for audit data
  LSM: Remove lsmblob scaffolding

 include/linux/lsm/apparmor.h          |  17 +++++
 include/linux/lsm/bpf.h               |  16 ++++
 include/linux/lsm/selinux.h           |  16 ++++
 include/linux/lsm/smack.h             |  17 +++++
 include/linux/lsm_hook_defs.h         |  20 +++--
 include/linux/security.h              |  90 ++++++++++++++++++----
 include/net/netlabel.h                |   2 +-
 kernel/audit.c                        |  21 +++---
 kernel/audit.h                        |   7 +-
 kernel/auditfilter.c                  |   9 ++-
 kernel/auditsc.c                      |  61 ++++++++-------
 net/netlabel/netlabel_unlabeled.c     |   2 +-
 net/netlabel/netlabel_user.c          |   7 +-
 net/netlabel/netlabel_user.h          |   2 +-
 security/apparmor/audit.c             |   4 +-
 security/apparmor/include/audit.h     |   2 +-
 security/apparmor/include/secid.h     |   2 +
 security/apparmor/lsm.c               |  17 +++--
 security/apparmor/secid.c             |  21 +++++-
 security/integrity/ima/ima.h          |   6 +-
 security/integrity/ima/ima_api.c      |   6 +-
 security/integrity/ima/ima_appraise.c |   6 +-
 security/integrity/ima/ima_main.c     |  60 +++++++--------
 security/integrity/ima/ima_policy.c   |  20 ++---
 security/security.c                   | 105 ++++++++++++++++++--------
 security/selinux/hooks.c              |  49 +++++++-----
 security/selinux/include/audit.h      |   5 +-
 security/selinux/ss/services.c        |   7 +-
 security/smack/smack_lsm.c            |  97 +++++++++++++++--------
 security/smack/smackfs.c              |   4 +-
 30 files changed, 471 insertions(+), 227 deletions(-)
 create mode 100644 include/linux/lsm/apparmor.h
 create mode 100644 include/linux/lsm/bpf.h
 create mode 100644 include/linux/lsm/selinux.h
 create mode 100644 include/linux/lsm/smack.h

-- 
2.46.0
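As an added illustration, not code from this series or from the kernel: a user-space C model of the lsmblob approach the cover letter describes. The member names, the active-module enum, the constructed SELinux sidtab, Smack label list and AppArmor labels, and the helper functions are all assumptions chosen to mirror the description rather than the kernel's real definitions. The model shows why an SELinux secid needs a table lookup (with a bounds check for an unset or invalid value) before audit can emit text, while the Smack and AppArmor members carry a pointer to the data directly, and how a single struct with one member per built-in module serves whichever module was selected at boot.

```c
/* User-space model of the lsmblob idea described in the cover letter.
 * Added illustration only: NOT the kernel's struct lsmblob and NOT code
 * from the lsm-stacking series. Names, tables and helpers are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Smack keeps its labels in a system list; a value is a pointer into it. */
struct smack_known {
    const char *label;
};

/* AppArmor uses a pointer to a security context (a label here). */
struct aa_label {
    const char *hname;
};

/* One member per built-in module, as the cover letter describes.
 * Member names are assumptions for this model. */
struct lsmblob {
    u32 selinux_secid;            /* SELinux keeps a u32 secid */
    struct smack_known *smack;    /* Smack: pointer into the label list */
    struct aa_label *apparmor;    /* AppArmor: pointer to a context */
};

/* Stands in for whatever "security=" / "lsm=" selected at boot. */
enum active_lsm { LSM_NONE, LSM_SELINUX, LSM_SMACK, LSM_APPARMOR };

/* Constructed SELinux "sidtab": secid -> context string. Index 0 is
 * unused so that a zeroed blob carries no valid secid. The lookup is the
 * mapping cost the cover letter refers to. */
static const char *const selinux_sidtab[] = {
    NULL,
    "system_u:system_r:kernel_t:s0",
    "unconfined_u:unconfined_r:unconfined_t:s0",
};
#define SELINUX_SIDTAB_LEN (sizeof(selinux_sidtab) / sizeof(selinux_sidtab[0]))

/* Constructed Smack label list and AppArmor labels. */
static struct smack_known smack_labels[] = { { "_" }, { "System" }, { "Hat" } };
static struct aa_label aa_labels[] = { { "unconfined" }, { "/usr/bin/curl" } };

/* A zeroed blob means "no attribute" for every module. */
static void lsmblob_init(struct lsmblob *blob)
{
    memset(blob, 0, sizeof(*blob));
}

/* Model of an lsmblob-to-secctx hook: only the active module's member is
 * consulted, so one struct works whichever module was booted. Returns
 * NULL when the active module has no usable value in the blob. */
static const char *lsmblob_to_secctx(enum active_lsm lsm, const struct lsmblob *blob)
{
    switch (lsm) {
    case LSM_SELINUX:
        /* An unset (0) or out-of-range secid must not index the table. */
        if (blob->selinux_secid == 0 || blob->selinux_secid >= SELINUX_SIDTAB_LEN)
            return NULL;
        return selinux_sidtab[blob->selinux_secid];
    case LSM_SMACK:
        return blob->smack ? blob->smack->label : NULL;
    case LSM_APPARMOR:
        return blob->apparmor ? blob->apparmor->hname : NULL;
    default:
        return NULL;
    }
}

/* Model of an audit rule match: compare the blob a subject carries with
 * the blob compiled from the rule, again by the active module's member.
 * Smack and AppArmor compare by pointer identity; no text is needed. */
static int lsmblob_equal(enum active_lsm lsm, const struct lsmblob *a, const struct lsmblob *b)
{
    switch (lsm) {
    case LSM_SELINUX:  return a->selinux_secid == b->selinux_secid;
    case LSM_SMACK:    return a->smack == b->smack;
    case LSM_APPARMOR: return a->apparmor == b->apparmor;
    default:           return 0;
    }
}

int main(void)
{
    struct lsmblob blob;

    lsmblob_init(&blob);
    blob.selinux_secid = 2;
    blob.smack = &smack_labels[1];
    blob.apparmor = &aa_labels[1];

    printf("selinux : %s\n", lsmblob_to_secctx(LSM_SELINUX, &blob));
    printf("smack   : %s\n", lsmblob_to_secctx(LSM_SMACK, &blob));
    printf("apparmor: %s\n", lsmblob_to_secctx(LSM_APPARMOR, &blob));
    return 0;
}
```

The point of the model is the shape, not the tables: with a secid, every consumer that needs text or a comparison must go back through the module's table, whereas a pointer-valued member already is the attribute. A real consumer such as audit must still handle the NULL case, which is why the lookup refuses a zero or out-of-range secid rather than indexing blindly.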