RE: [RFC v2 1/2] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

On Saturday, March 03, 2018 5:22 PM, Tetsuo Handa wrote:
> Masanobu Koike wrote:
> > On Friday, March 02, 2018 12:43 AM, Casey Schaufler wrote:
> > > On 2/28/2018 11:38 PM, Masanobu Koike wrote:
> > > > @@ -264,6 +266,9 @@ choice
> > > > config DEFAULT_SECURITY_APPARMOR
> > > > bool "AppArmor" if SECURITY_APPARMOR=y
> > > >
> > > > +   config DEFAULT_SECURITY_WHITEEGRET
> > > > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > > > +
> > >
> > > I don't see this module using any security blobs. Is there
> > > a reason you're not making this a minor (like yama) module
> > > instead of a major (like AppArmor) module?
> >
> > Thank you for your suggestion.
> > We are now developing WhiteEgret on the environment
> > it works certainly.
> >
> 
> ??? What Casey suggested is effectively
> 
> --
> --- a/security/whiteegret/init.c
> +++ b/security/whiteegret/init.c
> @@ -48,9 +48,6 @@ static int __init we_init(void)
>  {
>   int rc;
> 
> - if (!security_module_enable("whiteegret"))
> - return 0;
> -
>   security_add_hooks(we_hooks, ARRAY_SIZE(we_hooks),
> "whiteegret");
> 
>   rc = we_specific_init();
> --
> 
> , isn't it? Unlike Yama, adding whiteegret_add_hooks() to security_init()
> is not useful, for security_init() is called too early to create securityfs
> entries for WhiteEgret.
> 
> Current version uses security= parameter as a switch for enabling/disabling
> WhiteEgret, doesn't it? If WhiteEgret does not use security= as a switch,
> is some other switch (e.g. __setup()) expected?

Sorry for the delay.
Thank you for your comment and suggestion.
I'll make this module a minor one in the
next version.

Masanobu Koike

RE: [RFC v2 1/2] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

On Saturday, March 03, 2018 5:22 PM, Tetsuo Handa wrote:
> Masanobu Koike wrote:
> > On Friday, March 02, 2018 12:43 AM, Casey Schaufler wrote:
> > > On 2/28/2018 11:38 PM, Masanobu Koike wrote:
> > > > @@ -264,6 +266,9 @@ choice
> > > > config DEFAULT_SECURITY_APPARMOR
> > > > bool "AppArmor" if SECURITY_APPARMOR=y
> > > >
> > > > +   config DEFAULT_SECURITY_WHITEEGRET
> > > > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > > > +
> > >
> > > I don't see this module using any security blobs. Is there
> > > a reason you're not making this a minor (like yama) module
> > > instead of a major (like AppArmor) module?
> >
> > Thank you for your suggestion.
> > We are now developing WhiteEgret on the environment
> > it works certainly.
> >
> 
> ??? What Casey suggested is effectively
> 
> --
> --- a/security/whiteegret/init.c
> +++ b/security/whiteegret/init.c
> @@ -48,9 +48,6 @@ static int __init we_init(void)
>  {
>   int rc;
> 
> - if (!security_module_enable("whiteegret"))
> - return 0;
> -
>   security_add_hooks(we_hooks, ARRAY_SIZE(we_hooks),
> "whiteegret");
> 
>   rc = we_specific_init();
> --
> 
> , isn't it? Unlike Yama, adding whiteegret_add_hooks() to security_init()
> is not useful, for security_init() is called too early to create securityfs
> entries for WhiteEgret.
> 
> Current version uses security= parameter as a switch for enabling/disabling
> WhiteEgret, doesn't it? If WhiteEgret does not use security= as a switch,
> is some other switch (e.g. __setup()) expected?

Sorry for the delay.
Thank you for your comment and suggestion.
I'll make this module a minor one in the
next version.

Masanobu Koike

RE: [RFC v2 1/2] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

On Friday, March 02, 2018 12:43 AM, Casey Schaufler wrote:
> On 2/28/2018 11:38 PM, Masanobu Koike wrote:
> > This RFC provides implementation of WhiteEgret.
> >
> > Signed-off-by: Masanobu Koike 
> > ---
> >  security/Kconfig   |   6 +
> >  security/Makefile  |   2 +
> >  security/whiteegret/Kconfig|  11 ++
> >  security/whiteegret/Makefile   |   2 +
> >  security/whiteegret/init.c |  75 ++
> >  security/whiteegret/main.c | 251
> +
> >  security/whiteegret/request.c  | 151 
> >  security/whiteegret/request.h  |  52 +++
> >  security/whiteegret/we.h   |  66 +
> >  security/whiteegret/we_fs.c| 280
> +
> >  security/whiteegret/we_fs.h|  23 +++
> >  security/whiteegret/we_fs_common.h |  36 +
> >  12 files changed, 955 insertions(+)
> >  create mode 100644 security/whiteegret/Kconfig
> >  create mode 100644 security/whiteegret/Makefile
> >  create mode 100644 security/whiteegret/init.c
> >  create mode 100644 security/whiteegret/main.c
> >  create mode 100644 security/whiteegret/request.c
> >  create mode 100644 security/whiteegret/request.h
> >  create mode 100644 security/whiteegret/we.h
> >  create mode 100644 security/whiteegret/we_fs.c
> >  create mode 100644 security/whiteegret/we_fs.h
> >  create mode 100644 security/whiteegret/we_fs_common.h
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index c4302067a3ad..f17fefecaf84 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -237,6 +237,7 @@ source security/tomoyo/Kconfig
> >  source security/apparmor/Kconfig
> >  source security/loadpin/Kconfig
> >  source security/yama/Kconfig
> > +source security/whiteegret/Kconfig
> >
> >  source security/integrity/Kconfig
> >
> > @@ -246,6 +247,7 @@ choice
> > default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> > default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> > default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> > +   default DEFAULT_SECURITY_WHITEEGRET if SECURITY_WHITEEGRET
> > default DEFAULT_SECURITY_DAC
> >
> > help
> > @@ -264,6 +266,9 @@ choice
> > config DEFAULT_SECURITY_APPARMOR
> > bool "AppArmor" if SECURITY_APPARMOR=y
> >
> > +   config DEFAULT_SECURITY_WHITEEGRET
> > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > +
> 
> I don't see this module using any security blobs. Is there
> a reason you're not making this a minor (like yama) module
> instead of a major (like AppArmor) module?

Thank you for your suggestion.
We are now developing WhiteEgret on the environment
it works certainly.

Masanobu Koike

> 
> > config DEFAULT_SECURITY_DAC
> > bool "Unix Discretionary Access Controls"
> >
> > @@ -275,6 +280,7 @@ config DEFAULT_SECURITY
> > default "smack" if DEFAULT_SECURITY_SMACK
> > default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> > default "apparmor" if DEFAULT_SECURITY_APPARMOR
> > +   default "whiteegret" if DEFAULT_SECURITY_WHITEEGRET
> > default "" if DEFAULT_SECURITY_DAC
> >
> >  endmenu
> > diff --git a/security/Makefile b/security/Makefile
> > index 4d2d3782ddef..3a8249c77288 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -10,6 +10,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)+= tomoyo
> >  subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
> >  subdir-$(CONFIG_SECURITY_YAMA) += yama
> >  subdir-$(CONFIG_SECURITY_LOADPIN)  += loadpin
> > +subdir-$(CONFIG_SECURITY_WHITEEGRET)   += whiteegret
> >
> >  # always enable default capabilities
> >  obj-y  += commoncap.o
> > @@ -25,6 +26,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) +=
> tomoyo/
> >  obj-$(CONFIG_SECURITY_APPARMOR)+= apparmor/
> >  obj-$(CONFIG_SECURITY_YAMA)+= yama/
> >  obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > +obj-$(CONFIG_SECURITY_WHITEEGRET)  += whiteegret/
> >  obj-$(CONFIG_CGROUP_DEVICE)+= device_cgroup.o
> >
> >  # Object integrity file lists
> > diff --git a/security/whiteegret/Kconfig b/security/whiteegret/Kconfig
> > new file mode 100644
> > index ..32845977745f
> > --- /dev/null
> > +++ b/security/whiteegret/Kconfig
> > @@ -0,0 +1,11 @@
> > +config SECURITY_WHITEEGRET
> > +bool "WhiteEgret support"
> > +depends on SECURITY
> > +default n
> > +help
> > + This enables the WhiteEgret security module.
> > + WhiteEgret provides a whitelisting execution control
> capability,
> > + which helps stop the execution of unauthorized software
> > + such as malware.
> > + You will also need a user application and an execution whitelist.
> > +  If you are unsure how to answer this question, answer N.
> > diff --git a/security/whiteegret/Makefile
> b/security/whiteegret/Makefile
> > new file mode 

RE: [RFC v2 1/2] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

On Friday, March 02, 2018 12:43 AM, Casey Schaufler wrote:
> On 2/28/2018 11:38 PM, Masanobu Koike wrote:
> > This RFC provides implementation of WhiteEgret.
> >
> > Signed-off-by: Masanobu Koike 
> > ---
> >  security/Kconfig   |   6 +
> >  security/Makefile  |   2 +
> >  security/whiteegret/Kconfig|  11 ++
> >  security/whiteegret/Makefile   |   2 +
> >  security/whiteegret/init.c |  75 ++
> >  security/whiteegret/main.c | 251
> +
> >  security/whiteegret/request.c  | 151 
> >  security/whiteegret/request.h  |  52 +++
> >  security/whiteegret/we.h   |  66 +
> >  security/whiteegret/we_fs.c| 280
> +
> >  security/whiteegret/we_fs.h|  23 +++
> >  security/whiteegret/we_fs_common.h |  36 +
> >  12 files changed, 955 insertions(+)
> >  create mode 100644 security/whiteegret/Kconfig
> >  create mode 100644 security/whiteegret/Makefile
> >  create mode 100644 security/whiteegret/init.c
> >  create mode 100644 security/whiteegret/main.c
> >  create mode 100644 security/whiteegret/request.c
> >  create mode 100644 security/whiteegret/request.h
> >  create mode 100644 security/whiteegret/we.h
> >  create mode 100644 security/whiteegret/we_fs.c
> >  create mode 100644 security/whiteegret/we_fs.h
> >  create mode 100644 security/whiteegret/we_fs_common.h
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index c4302067a3ad..f17fefecaf84 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -237,6 +237,7 @@ source security/tomoyo/Kconfig
> >  source security/apparmor/Kconfig
> >  source security/loadpin/Kconfig
> >  source security/yama/Kconfig
> > +source security/whiteegret/Kconfig
> >
> >  source security/integrity/Kconfig
> >
> > @@ -246,6 +247,7 @@ choice
> > default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> > default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> > default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> > +   default DEFAULT_SECURITY_WHITEEGRET if SECURITY_WHITEEGRET
> > default DEFAULT_SECURITY_DAC
> >
> > help
> > @@ -264,6 +266,9 @@ choice
> > config DEFAULT_SECURITY_APPARMOR
> > bool "AppArmor" if SECURITY_APPARMOR=y
> >
> > +   config DEFAULT_SECURITY_WHITEEGRET
> > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > +
> 
> I don't see this module using any security blobs. Is there
> a reason you're not making this a minor (like yama) module
> instead of a major (like AppArmor) module?

Thank you for your suggestion.
We are now developing WhiteEgret on the environment
it works certainly.

Masanobu Koike

> 
> > config DEFAULT_SECURITY_DAC
> > bool "Unix Discretionary Access Controls"
> >
> > @@ -275,6 +280,7 @@ config DEFAULT_SECURITY
> > default "smack" if DEFAULT_SECURITY_SMACK
> > default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> > default "apparmor" if DEFAULT_SECURITY_APPARMOR
> > +   default "whiteegret" if DEFAULT_SECURITY_WHITEEGRET
> > default "" if DEFAULT_SECURITY_DAC
> >
> >  endmenu
> > diff --git a/security/Makefile b/security/Makefile
> > index 4d2d3782ddef..3a8249c77288 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -10,6 +10,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)+= tomoyo
> >  subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
> >  subdir-$(CONFIG_SECURITY_YAMA) += yama
> >  subdir-$(CONFIG_SECURITY_LOADPIN)  += loadpin
> > +subdir-$(CONFIG_SECURITY_WHITEEGRET)   += whiteegret
> >
> >  # always enable default capabilities
> >  obj-y  += commoncap.o
> > @@ -25,6 +26,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) +=
> tomoyo/
> >  obj-$(CONFIG_SECURITY_APPARMOR)+= apparmor/
> >  obj-$(CONFIG_SECURITY_YAMA)+= yama/
> >  obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > +obj-$(CONFIG_SECURITY_WHITEEGRET)  += whiteegret/
> >  obj-$(CONFIG_CGROUP_DEVICE)+= device_cgroup.o
> >
> >  # Object integrity file lists
> > diff --git a/security/whiteegret/Kconfig b/security/whiteegret/Kconfig
> > new file mode 100644
> > index ..32845977745f
> > --- /dev/null
> > +++ b/security/whiteegret/Kconfig
> > @@ -0,0 +1,11 @@
> > +config SECURITY_WHITEEGRET
> > +bool "WhiteEgret support"
> > +depends on SECURITY
> > +default n
> > +help
> > + This enables the WhiteEgret security module.
> > + WhiteEgret provides a whitelisting execution control
> capability,
> > + which helps stop the execution of unauthorized software
> > + such as malware.
> > + You will also need a user application and an execution whitelist.
> > +  If you are unsure how to answer this question, answer N.
> > diff --git a/security/whiteegret/Makefile
> b/security/whiteegret/Makefile
> > new file mode 100644
> > index 

RE: [RFC 0/3] WhiteEgret LSM module

[masanobu2.koike]

Hi Mehmet,

Thank you for your suggestion to use IMA appraisal.
I'm sorry for the delay in replying to you. I'm studying IMA appraisal.

There is something I don't understand yet. Could you please teach me
the following items?
We assume that "fixing" has already finished and that IMA appraisal
is running in "enforce" mode.

- I have a question for a procedure of labeling and appraising a new
or updated executable file.
Suppose that we want to create a new executable file (included in policy)
and make it be measured and appraised.
Then what kind of procedure should I do?
Similarly, how do I update appraised file to be continuously permitted
to execute?

- When we copy (cp command with -a option) or move an appraised executable
file to somewhere, is the copied or moved executable file permitted to
execute as well?

- (related to the above question) What kind of data is hashed to security.ima?

Thanks in advance,

Masanobu Koike

> -Original Message-
> 
> > On May 31, 2017, at 6:59 AM, Peter Dolding  wrote:
> >
> > Number 1 we need to split the idea of signed and whitelisted.   IMA is
> > signed should not be confused with white-listed.You will find
> > policies stating whitelist and signed as two different things.
> 
> IMA-appraisal can do both. If the securtiy.ima extended attribute
> of the file is a hash and not a signature, then it is whitelisting.
> 
> > Like you see here in Australian government policy there is another
> > thing called whitelisted.
> >
> https://www.asd.gov.au/publications/protect/top_4_mitigations_linux.ht
> m
> > Matthew Garrett you might want to call IMA whitelisting Australian
> > government for one does not agree.  IMA is signed.   The difference
> > between signed and white-listed is you might have signed a lot more
> > than what a particular system is white-listed to allowed used.
> 
> I doubt the Australian government is an authority on Linux features.
> IMA-appraisal can be set to "fix" mode with a boot parameter. If the
> policy covers what you want to whitelist (e.g. files opened by user x),
> and then when those files are accessed, the kernel writes out the hash.
> Then, you can switch to "enforce" mode to allow only files with hashes.
> 
> Also, you can achieve the same thing by signing all whitelisted
> files and add the certificate to .ima keyring and throwing away the
> signing key.
> 
> > The feature need to include in it name whitelisting or just like the
> > Australian Department of Defence other parties will mark Linux has not
> > having this feature.
> 
> I guess we need to advertise IMA-appraisal better.
> 
> > Whitelist is program name/path and checksum/s.   If the file any more
> > than that is now not a Whitelist but a Security Policy Enforcement or
> > signing.   Whitelist and blacklists are meant to be simple things.
> > This is also why IMA fails and is signed to too complete to be a basic
> > Whitelist.
> 
> When you work out all the little details, you arrive at IMA-appraisal.
> You have to consider how the scheme is bootstrapped and how it
> is protected against the root. IMA-appraisal either relies on a boot
> parameter and write-once policy, or the trusted keyrings.
> 
> > Peter Dolding.
> 
> Mehmet
> 

RE: [RFC 0/3] WhiteEgret LSM module

[masanobu2.koike]

Hi Mehmet,

Thank you for your suggestion to use IMA appraisal.
I'm sorry for the delay in replying to you. I'm studying IMA appraisal.

There is something I don't understand yet. Could you please teach me
the following items?
We assume that "fixing" has already finished and that IMA appraisal
is running in "enforce" mode.

- I have a question for a procedure of labeling and appraising a new
or updated executable file.
Suppose that we want to create a new executable file (included in policy)
and make it be measured and appraised.
Then what kind of procedure should I do?
Similarly, how do I update appraised file to be continuously permitted
to execute?

- When we copy (cp command with -a option) or move an appraised executable
file to somewhere, is the copied or moved executable file permitted to
execute as well?

- (related to the above question) What kind of data is hashed to security.ima?

Thanks in advance,

Masanobu Koike

> -Original Message-
> 
> > On May 31, 2017, at 6:59 AM, Peter Dolding  wrote:
> >
> > Number 1 we need to split the idea of signed and whitelisted.   IMA is
> > signed should not be confused with white-listed.You will find
> > policies stating whitelist and signed as two different things.
> 
> IMA-appraisal can do both. If the securtiy.ima extended attribute
> of the file is a hash and not a signature, then it is whitelisting.
> 
> > Like you see here in Australian government policy there is another
> > thing called whitelisted.
> >
> https://www.asd.gov.au/publications/protect/top_4_mitigations_linux.ht
> m
> > Matthew Garrett you might want to call IMA whitelisting Australian
> > government for one does not agree.  IMA is signed.   The difference
> > between signed and white-listed is you might have signed a lot more
> > than what a particular system is white-listed to allowed used.
> 
> I doubt the Australian government is an authority on Linux features.
> IMA-appraisal can be set to "fix" mode with a boot parameter. If the
> policy covers what you want to whitelist (e.g. files opened by user x),
> and then when those files are accessed, the kernel writes out the hash.
> Then, you can switch to "enforce" mode to allow only files with hashes.
> 
> Also, you can achieve the same thing by signing all whitelisted
> files and add the certificate to .ima keyring and throwing away the
> signing key.
> 
> > The feature need to include in it name whitelisting or just like the
> > Australian Department of Defence other parties will mark Linux has not
> > having this feature.
> 
> I guess we need to advertise IMA-appraisal better.
> 
> > Whitelist is program name/path and checksum/s.   If the file any more
> > than that is now not a Whitelist but a Security Policy Enforcement or
> > signing.   Whitelist and blacklists are meant to be simple things.
> > This is also why IMA fails and is signed to too complete to be a basic
> > Whitelist.
> 
> When you work out all the little details, you arrive at IMA-appraisal.
> You have to consider how the scheme is bootstrapped and how it
> is protected against the root. IMA-appraisal either relies on a boot
> parameter and write-once policy, or the trusted keyrings.
> 
> > Peter Dolding.
> 
> Mehmet
> 

RE: [RFC 0/3] WhiteEgret LSM module

[masanobu2.koike]

Casey Schaufler wrote:
> On 5/30/2017 4:11 AM, Masanobu Koike wrote:
> > WhiteEgret is an LSM to simply provide a whitelisting-type
> > execution control.
> >
> > An execution-whitelist, simply called whitelist, is a list
> > of executable components (e.g., applications, libraries)
> > that are approved to run on a host. The whitelist is used
> > to decide whether executable components are permitted to
> > execute or not. This mechanism can stop an execution of
> > unknown software, so it helps to stop the execution of
> > malicious code and other unauthorized software.
> > The whitelisting-type execution control works best in the
> > execution environments that are not changed for a long time,
> > for example, servers and control devices in industrial
> > control systems. This RFC provides a whitelisting-type
> > execution control implementation WhiteEgret.
> 
> Why is this better than setting the ownership and mode bits
> appropriately on your programs and libraries?
> 
> Beyond that, I'm pretty sure you could do this with AppArmor.
> If you're only doing the set-up once I think you can do this
> with SELinux (the proponents of SELinux can tell you how).
> I know you can do it with Smack. Why is this scheme better?

Thank you for your feedback.

We assume a system whose execution environment cannot be
changed for a long time. It includes industrial control
systems, and control devices are main target.
Although operators for such systems are experts for the
industrial controllers, they are often not familiar with
information systems or OSes. So it's worth providing
a mechanism they can manage.

Writing down whitelisting like access control is as follows.
  subjects - all
  objects - each permitted executable component
  permission - yes
So operators have to know only name of permitted executable
components to make a whitelist or change it. Reducing the
number of items to be set helps operators manage the systems.

However, we assume the following for the above systems:
(1) Root is not compromised.
(2) The host does not have malicious code in initial state.
(3) Using a whitelist and a WEUA requires root privilege.
Relaxing these assumptions are welcome.

> 
> >
> > Features of WhiteEgret
> >
> > - Easier initial setup
> > All you have to do is to make a whitelist.
> 
> In practice whitelists are built by starting with everything
> and deleting items until things stop working, then putting
> them back. Whitelists are theoretically great, but very difficult
> to build and maintain in the real world.

It is true that managing whitelist for information systems
is a hard task because their execution environments are
changed frequently.
On the other hand, for such devices that continue to do the same
tasks for many years, we can use the same whitelist for a long
time once the whitelist is established. When the host does not
have malicious code in initial state, we can just register all
executable components in the host to the whitelist.

> 
> >  The whitelist
> > shall contain all components that should be permitted
> > execution in the host. When we assume that the host does
> > not have malicious code in initial state, we just register
> > all executable components in the host to the whitelist.
> > The whitelist of WhiteEgret is assumed to contain at least
> > an absolute path and a hash value of the permitted
> > executable components.
> > WhiteEgret does not require policy generation which,
> > in general, is difficult and takes time for users.
> 
> Creating a proper whitelist is every bit as difficult as
> some aspects of policy generation. Granted, it's easier
> than generating SELinux policy or a proper Smack configuration,
> but the protection is a subset of what those systems provide.
> 
> > - Shorten downtime in system updating
> > According to system update, we should update the whitelist.
> > It will take a short time. Consequently, system downtime
> > due to security configuration update can be reduced.
> >
> > - Less restriction on operational environment
> > WhiteEgret does not depend on a file system, or on TPM.
> > Thus WhiteEgret has less restriction on operating environment.
> >
> > Mechanism of WhiteEgret
> >
> > WhiteEgret requires a user application called WhiteEgret User
> > Application (WEUA, for short). WhiteEgret utilizes the
> > bprm_check_security hook and the mmap_file hook.
> > WhiteEgret asks WEUA whether an executable component hooked
> > by the above hooks is permitted to execute or not.
> 
> Really, really bad idea. One visit from the OOM killer and
> your system is dead. One user space exploit and your system
> is compromised. Performance will be dreadful. Deadlocks, races
> and stalls, oh my!

Thank you for the pointing out. We also recognized similar kind
of problems. It is true that some mechanisms are necessary to
save systems from WEUA failures.
But there are some ways in user space to deal with problems
caused by user space application. For example, cgroups prevents
OOM 

RE: [RFC 0/3] WhiteEgret LSM module

[masanobu2.koike]

Casey Schaufler wrote:
> On 5/30/2017 4:11 AM, Masanobu Koike wrote:
> > WhiteEgret is an LSM to simply provide a whitelisting-type
> > execution control.
> >
> > An execution-whitelist, simply called whitelist, is a list
> > of executable components (e.g., applications, libraries)
> > that are approved to run on a host. The whitelist is used
> > to decide whether executable components are permitted to
> > execute or not. This mechanism can stop an execution of
> > unknown software, so it helps to stop the execution of
> > malicious code and other unauthorized software.
> > The whitelisting-type execution control works best in the
> > execution environments that are not changed for a long time,
> > for example, servers and control devices in industrial
> > control systems. This RFC provides a whitelisting-type
> > execution control implementation WhiteEgret.
> 
> Why is this better than setting the ownership and mode bits
> appropriately on your programs and libraries?
> 
> Beyond that, I'm pretty sure you could do this with AppArmor.
> If you're only doing the set-up once I think you can do this
> with SELinux (the proponents of SELinux can tell you how).
> I know you can do it with Smack. Why is this scheme better?

Thank you for your feedback.

We assume a system whose execution environment cannot be
changed for a long time. It includes industrial control
systems, and control devices are main target.
Although operators for such systems are experts for the
industrial controllers, they are often not familiar with
information systems or OSes. So it's worth providing
a mechanism they can manage.

Writing down whitelisting like access control is as follows.
  subjects - all
  objects - each permitted executable component
  permission - yes
So operators have to know only name of permitted executable
components to make a whitelist or change it. Reducing the
number of items to be set helps operators manage the systems.

However, we assume the following for the above systems:
(1) Root is not compromised.
(2) The host does not have malicious code in initial state.
(3) Using a whitelist and a WEUA requires root privilege.
Relaxing these assumptions are welcome.

> 
> >
> > Features of WhiteEgret
> >
> > - Easier initial setup
> > All you have to do is to make a whitelist.
> 
> In practice whitelists are built by starting with everything
> and deleting items until things stop working, then putting
> them back. Whitelists are theoretically great, but very difficult
> to build and maintain in the real world.

It is true that managing whitelist for information systems
is a hard task because their execution environments are
changed frequently.
On the other hand, for such devices that continue to do the same
tasks for many years, we can use the same whitelist for a long
time once the whitelist is established. When the host does not
have malicious code in initial state, we can just register all
executable components in the host to the whitelist.

> 
> >  The whitelist
> > shall contain all components that should be permitted
> > execution in the host. When we assume that the host does
> > not have malicious code in initial state, we just register
> > all executable components in the host to the whitelist.
> > The whitelist of WhiteEgret is assumed to contain at least
> > an absolute path and a hash value of the permitted
> > executable components.
> > WhiteEgret does not require policy generation which,
> > in general, is difficult and takes time for users.
> 
> Creating a proper whitelist is every bit as difficult as
> some aspects of policy generation. Granted, it's easier
> than generating SELinux policy or a proper Smack configuration,
> but the protection is a subset of what those systems provide.
> 
> > - Shorten downtime in system updating
> > According to system update, we should update the whitelist.
> > It will take a short time. Consequently, system downtime
> > due to security configuration update can be reduced.
> >
> > - Less restriction on operational environment
> > WhiteEgret does not depend on a file system, or on TPM.
> > Thus WhiteEgret has less restriction on operating environment.
> >
> > Mechanism of WhiteEgret
> >
> > WhiteEgret requires a user application called WhiteEgret User
> > Application (WEUA, for short). WhiteEgret utilizes the
> > bprm_check_security hook and the mmap_file hook.
> > WhiteEgret asks WEUA whether an executable component hooked
> > by the above hooks is permitted to execute or not.
> 
> Really, really bad idea. One visit from the OOM killer and
> your system is dead. One user space exploit and your system
> is compromised. Performance will be dreadful. Deadlocks, races
> and stalls, oh my!

Thank you for the pointing out. We also recognized similar kind
of problems. It is true that some mechanisms are necessary to
save systems from WEUA failures.
But there are some ways in user space to deal with problems
caused by user space application. For example, cgroups prevents
OOM 

RE: [RFC 1/3] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

Casey Schaufler wrote:
> On 5/30/2017 4:13 AM, Masanobu Koike wrote:
> > This RFC provides implementation of WhiteEgret.
> >
> > Signed-off-by: Masanobu Koike 
> > ---
> >  security/Kconfig   |   7 +-
> >  security/Makefile  |   2 +
> >  security/whiteegret/Kconfig|  21 ++
> >  security/whiteegret/Makefile   |   7 +
> >  security/whiteegret/auth.c |  19 ++
> >  security/whiteegret/auth.h |  12 ++
> >  security/whiteegret/dd_com.c   |  79 
> >  security/whiteegret/dd_com.h   |  19 ++
> >  security/whiteegret/gennl.c| 382
> +
> >  security/whiteegret/gennl.h|  32 
> >  security/whiteegret/gennl_common.h |  43 +
> >  security/whiteegret/init.c |  69 +++
> >  security/whiteegret/main.c | 340
> +
> >  security/whiteegret/print_msg.h|  19 ++
> >  security/whiteegret/request.c  | 248 
> >  security/whiteegret/request.h  |  79 
> >  security/whiteegret/returntoexec.h |  14 ++
> >  security/whiteegret/we.h   |  72 +++
> >  security/whiteegret/we_common.h|  19 ++
> >  19 files changed, 1482 insertions(+), 1 deletion(-)
> >  create mode 100644 security/whiteegret/Kconfig
> >  create mode 100644 security/whiteegret/Makefile
> >  create mode 100644 security/whiteegret/auth.c
> >  create mode 100644 security/whiteegret/auth.h
> >  create mode 100644 security/whiteegret/dd_com.c
> >  create mode 100644 security/whiteegret/dd_com.h
> >  create mode 100644 security/whiteegret/gennl.c
> >  create mode 100644 security/whiteegret/gennl.h
> >  create mode 100644 security/whiteegret/gennl_common.h
> >  create mode 100644 security/whiteegret/init.c
> >  create mode 100644 security/whiteegret/main.c
> >  create mode 100644 security/whiteegret/print_msg.h
> >  create mode 100644 security/whiteegret/request.c
> >  create mode 100644 security/whiteegret/request.h
> >  create mode 100644 security/whiteegret/returntoexec.h
> >  create mode 100644 security/whiteegret/we.h
> >  create mode 100644 security/whiteegret/we_common.h
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index 93027fd..acfafb0 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -195,6 +195,7 @@ source security/tomoyo/Kconfig
> >  source security/apparmor/Kconfig
> >  source security/loadpin/Kconfig
> >  source security/yama/Kconfig
> > +source security/whiteegret/Kconfig
> >
> >  source security/integrity/Kconfig
> >
> > @@ -204,6 +205,7 @@ choice
> > default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> > default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> > default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> > +   default DEFAULT_SECURITY_WHITEEGRET if SECURITY_WHITEEGRET
> > default DEFAULT_SECURITY_DAC
> >
> > help
> > @@ -222,6 +224,9 @@ choice
> > config DEFAULT_SECURITY_APPARMOR
> > bool "AppArmor" if SECURITY_APPARMOR=y
> >
> > +   config DEFAULT_SECURITY_WHITEEGRET
> > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > +
> > config DEFAULT_SECURITY_DAC
> > bool "Unix Discretionary Access Controls"
> >
> > @@ -233,7 +238,7 @@ config DEFAULT_SECURITY
> > default "smack" if DEFAULT_SECURITY_SMACK
> > default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> > default "apparmor" if DEFAULT_SECURITY_APPARMOR
> > +   default "whiteegret" if DEFAULT_SECURITY_WHITEEGRET
> > default "" if DEFAULT_SECURITY_DAC
> >
> >  endmenu
> > -
> > diff --git a/security/Makefile b/security/Makefile
> > index f2d71cd..4fd9ff9 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)+= tomoyo
> >  subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
> >  subdir-$(CONFIG_SECURITY_YAMA) += yama
> >  subdir-$(CONFIG_SECURITY_LOADPIN)  += loadpin
> > +subdir-$(CONFIG_SECURITY_WHITEEGRET)   += whiteegret
> >
> >  # always enable default capabilities
> >  obj-y  += commoncap.o
> > @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) +=
> tomoyo/
> >  obj-$(CONFIG_SECURITY_APPARMOR)+= apparmor/
> >  obj-$(CONFIG_SECURITY_YAMA)+= yama/
> >  obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > +obj-$(CONFIG_SECURITY_WHITEEGRET)  += whiteegret/
> >  obj-$(CONFIG_CGROUP_DEVICE)+= device_cgroup.o
> >
> >  # Object integrity file lists
> > diff --git a/security/whiteegret/Kconfig b/security/whiteegret/Kconfig
> > new file mode 100644
> > index 000..923316f
> > --- /dev/null
> > +++ b/security/whiteegret/Kconfig
> > @@ -0,0 +1,21 @@
> > +config SECURITY_WHITEEGRET
> > +bool "WhiteEgret support"
> > +depends on SECURITY
> > +default n
> > +help
> > + This enables the WhiteEgret security module.
> > + WhiteEgret 

RE: [RFC 1/3] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

Casey Schaufler wrote:
> On 5/30/2017 4:13 AM, Masanobu Koike wrote:
> > This RFC provides implementation of WhiteEgret.
> >
> > Signed-off-by: Masanobu Koike 
> > ---
> >  security/Kconfig   |   7 +-
> >  security/Makefile  |   2 +
> >  security/whiteegret/Kconfig|  21 ++
> >  security/whiteegret/Makefile   |   7 +
> >  security/whiteegret/auth.c |  19 ++
> >  security/whiteegret/auth.h |  12 ++
> >  security/whiteegret/dd_com.c   |  79 
> >  security/whiteegret/dd_com.h   |  19 ++
> >  security/whiteegret/gennl.c| 382
> +
> >  security/whiteegret/gennl.h|  32 
> >  security/whiteegret/gennl_common.h |  43 +
> >  security/whiteegret/init.c |  69 +++
> >  security/whiteegret/main.c | 340
> +
> >  security/whiteegret/print_msg.h|  19 ++
> >  security/whiteegret/request.c  | 248 
> >  security/whiteegret/request.h  |  79 
> >  security/whiteegret/returntoexec.h |  14 ++
> >  security/whiteegret/we.h   |  72 +++
> >  security/whiteegret/we_common.h|  19 ++
> >  19 files changed, 1482 insertions(+), 1 deletion(-)
> >  create mode 100644 security/whiteegret/Kconfig
> >  create mode 100644 security/whiteegret/Makefile
> >  create mode 100644 security/whiteegret/auth.c
> >  create mode 100644 security/whiteegret/auth.h
> >  create mode 100644 security/whiteegret/dd_com.c
> >  create mode 100644 security/whiteegret/dd_com.h
> >  create mode 100644 security/whiteegret/gennl.c
> >  create mode 100644 security/whiteegret/gennl.h
> >  create mode 100644 security/whiteegret/gennl_common.h
> >  create mode 100644 security/whiteegret/init.c
> >  create mode 100644 security/whiteegret/main.c
> >  create mode 100644 security/whiteegret/print_msg.h
> >  create mode 100644 security/whiteegret/request.c
> >  create mode 100644 security/whiteegret/request.h
> >  create mode 100644 security/whiteegret/returntoexec.h
> >  create mode 100644 security/whiteegret/we.h
> >  create mode 100644 security/whiteegret/we_common.h
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index 93027fd..acfafb0 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -195,6 +195,7 @@ source security/tomoyo/Kconfig
> >  source security/apparmor/Kconfig
> >  source security/loadpin/Kconfig
> >  source security/yama/Kconfig
> > +source security/whiteegret/Kconfig
> >
> >  source security/integrity/Kconfig
> >
> > @@ -204,6 +205,7 @@ choice
> > default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> > default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> > default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> > +   default DEFAULT_SECURITY_WHITEEGRET if SECURITY_WHITEEGRET
> > default DEFAULT_SECURITY_DAC
> >
> > help
> > @@ -222,6 +224,9 @@ choice
> > config DEFAULT_SECURITY_APPARMOR
> > bool "AppArmor" if SECURITY_APPARMOR=y
> >
> > +   config DEFAULT_SECURITY_WHITEEGRET
> > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > +
> > config DEFAULT_SECURITY_DAC
> > bool "Unix Discretionary Access Controls"
> >
> > @@ -233,7 +238,7 @@ config DEFAULT_SECURITY
> > default "smack" if DEFAULT_SECURITY_SMACK
> > default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> > default "apparmor" if DEFAULT_SECURITY_APPARMOR
> > +   default "whiteegret" if DEFAULT_SECURITY_WHITEEGRET
> > default "" if DEFAULT_SECURITY_DAC
> >
> >  endmenu
> > -
> > diff --git a/security/Makefile b/security/Makefile
> > index f2d71cd..4fd9ff9 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)+= tomoyo
> >  subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
> >  subdir-$(CONFIG_SECURITY_YAMA) += yama
> >  subdir-$(CONFIG_SECURITY_LOADPIN)  += loadpin
> > +subdir-$(CONFIG_SECURITY_WHITEEGRET)   += whiteegret
> >
> >  # always enable default capabilities
> >  obj-y  += commoncap.o
> > @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) +=
> tomoyo/
> >  obj-$(CONFIG_SECURITY_APPARMOR)+= apparmor/
> >  obj-$(CONFIG_SECURITY_YAMA)+= yama/
> >  obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > +obj-$(CONFIG_SECURITY_WHITEEGRET)  += whiteegret/
> >  obj-$(CONFIG_CGROUP_DEVICE)+= device_cgroup.o
> >
> >  # Object integrity file lists
> > diff --git a/security/whiteegret/Kconfig b/security/whiteegret/Kconfig
> > new file mode 100644
> > index 000..923316f
> > --- /dev/null
> > +++ b/security/whiteegret/Kconfig
> > @@ -0,0 +1,21 @@
> > +config SECURITY_WHITEEGRET
> > +bool "WhiteEgret support"
> > +depends on SECURITY
> > +default n
> > +help
> > + This enables the WhiteEgret security module.
> > + WhiteEgret provides a whitelisting execution 

RE: [RFC 1/3] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

Serge E. Hallyn wrote:
> Quoting Masanobu Koike (masanobu2.ko...@toshiba.co.jp):
> > This RFC provides implementation of WhiteEgret.
> >
> > Signed-off-by: Masanobu Koike 
> > ---
> >  security/Kconfig   |   7 +-
> >  security/Makefile  |   2 +
> >  security/whiteegret/Kconfig|  21 ++
> >  security/whiteegret/Makefile   |   7 +
> >  security/whiteegret/auth.c |  19 ++
> >  security/whiteegret/auth.h |  12 ++
> >  security/whiteegret/dd_com.c   |  79 
> >  security/whiteegret/dd_com.h   |  19 ++
> >  security/whiteegret/gennl.c| 382
> +
> >  security/whiteegret/gennl.h|  32 
> >  security/whiteegret/gennl_common.h |  43 +
> >  security/whiteegret/init.c |  69 +++
> >  security/whiteegret/main.c | 340
> +
> >  security/whiteegret/print_msg.h|  19 ++
> >  security/whiteegret/request.c  | 248 
> >  security/whiteegret/request.h  |  79 
> >  security/whiteegret/returntoexec.h |  14 ++
> >  security/whiteegret/we.h   |  72 +++
> >  security/whiteegret/we_common.h|  19 ++
> >  19 files changed, 1482 insertions(+), 1 deletion(-)
> >  create mode 100644 security/whiteegret/Kconfig
> >  create mode 100644 security/whiteegret/Makefile
> >  create mode 100644 security/whiteegret/auth.c
> >  create mode 100644 security/whiteegret/auth.h
> >  create mode 100644 security/whiteegret/dd_com.c
> >  create mode 100644 security/whiteegret/dd_com.h
> >  create mode 100644 security/whiteegret/gennl.c
> >  create mode 100644 security/whiteegret/gennl.h
> >  create mode 100644 security/whiteegret/gennl_common.h
> >  create mode 100644 security/whiteegret/init.c
> >  create mode 100644 security/whiteegret/main.c
> >  create mode 100644 security/whiteegret/print_msg.h
> >  create mode 100644 security/whiteegret/request.c
> >  create mode 100644 security/whiteegret/request.h
> >  create mode 100644 security/whiteegret/returntoexec.h
> >  create mode 100644 security/whiteegret/we.h
> >  create mode 100644 security/whiteegret/we_common.h
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index 93027fd..acfafb0 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -195,6 +195,7 @@ source security/tomoyo/Kconfig
> >  source security/apparmor/Kconfig
> >  source security/loadpin/Kconfig
> >  source security/yama/Kconfig
> > +source security/whiteegret/Kconfig
> >
> >  source security/integrity/Kconfig
> >
> > @@ -204,6 +205,7 @@ choice
> > default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> > default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> > default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> > +   default DEFAULT_SECURITY_WHITEEGRET if SECURITY_WHITEEGRET
> > default DEFAULT_SECURITY_DAC
> >
> > help
> > @@ -222,6 +224,9 @@ choice
> > config DEFAULT_SECURITY_APPARMOR
> > bool "AppArmor" if SECURITY_APPARMOR=y
> >
> > +   config DEFAULT_SECURITY_WHITEEGRET
> > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > +
> > config DEFAULT_SECURITY_DAC
> > bool "Unix Discretionary Access Controls"
> >
> > @@ -233,7 +238,7 @@ config DEFAULT_SECURITY
> > default "smack" if DEFAULT_SECURITY_SMACK
> > default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> > default "apparmor" if DEFAULT_SECURITY_APPARMOR
> > +   default "whiteegret" if DEFAULT_SECURITY_WHITEEGRET
> > default "" if DEFAULT_SECURITY_DAC
> >
> >  endmenu
> > -
> > diff --git a/security/Makefile b/security/Makefile
> > index f2d71cd..4fd9ff9 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)+= tomoyo
> >  subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
> >  subdir-$(CONFIG_SECURITY_YAMA) += yama
> >  subdir-$(CONFIG_SECURITY_LOADPIN)  += loadpin
> > +subdir-$(CONFIG_SECURITY_WHITEEGRET)   += whiteegret
> >
> >  # always enable default capabilities
> >  obj-y  += commoncap.o
> > @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) +=
> tomoyo/
> >  obj-$(CONFIG_SECURITY_APPARMOR)+= apparmor/
> >  obj-$(CONFIG_SECURITY_YAMA)+= yama/
> >  obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > +obj-$(CONFIG_SECURITY_WHITEEGRET)  += whiteegret/
> >  obj-$(CONFIG_CGROUP_DEVICE)+= device_cgroup.o
> >
> >  # Object integrity file lists
> > diff --git a/security/whiteegret/Kconfig b/security/whiteegret/Kconfig
> > new file mode 100644
> > index 000..923316f
> > --- /dev/null
> > +++ b/security/whiteegret/Kconfig
> > @@ -0,0 +1,21 @@
> > +config SECURITY_WHITEEGRET
> > +bool "WhiteEgret support"
> > +depends on SECURITY
> > +default n
> > +help
> > + This enables the WhiteEgret security module.
> > + 

RE: [RFC 1/3] WhiteEgret: Add WhiteEgret core functions.

[masanobu2.koike]

Serge E. Hallyn wrote:
> Quoting Masanobu Koike (masanobu2.ko...@toshiba.co.jp):
> > This RFC provides implementation of WhiteEgret.
> >
> > Signed-off-by: Masanobu Koike 
> > ---
> >  security/Kconfig   |   7 +-
> >  security/Makefile  |   2 +
> >  security/whiteegret/Kconfig|  21 ++
> >  security/whiteegret/Makefile   |   7 +
> >  security/whiteegret/auth.c |  19 ++
> >  security/whiteegret/auth.h |  12 ++
> >  security/whiteegret/dd_com.c   |  79 
> >  security/whiteegret/dd_com.h   |  19 ++
> >  security/whiteegret/gennl.c| 382
> +
> >  security/whiteegret/gennl.h|  32 
> >  security/whiteegret/gennl_common.h |  43 +
> >  security/whiteegret/init.c |  69 +++
> >  security/whiteegret/main.c | 340
> +
> >  security/whiteegret/print_msg.h|  19 ++
> >  security/whiteegret/request.c  | 248 
> >  security/whiteegret/request.h  |  79 
> >  security/whiteegret/returntoexec.h |  14 ++
> >  security/whiteegret/we.h   |  72 +++
> >  security/whiteegret/we_common.h|  19 ++
> >  19 files changed, 1482 insertions(+), 1 deletion(-)
> >  create mode 100644 security/whiteegret/Kconfig
> >  create mode 100644 security/whiteegret/Makefile
> >  create mode 100644 security/whiteegret/auth.c
> >  create mode 100644 security/whiteegret/auth.h
> >  create mode 100644 security/whiteegret/dd_com.c
> >  create mode 100644 security/whiteegret/dd_com.h
> >  create mode 100644 security/whiteegret/gennl.c
> >  create mode 100644 security/whiteegret/gennl.h
> >  create mode 100644 security/whiteegret/gennl_common.h
> >  create mode 100644 security/whiteegret/init.c
> >  create mode 100644 security/whiteegret/main.c
> >  create mode 100644 security/whiteegret/print_msg.h
> >  create mode 100644 security/whiteegret/request.c
> >  create mode 100644 security/whiteegret/request.h
> >  create mode 100644 security/whiteegret/returntoexec.h
> >  create mode 100644 security/whiteegret/we.h
> >  create mode 100644 security/whiteegret/we_common.h
> >
> > diff --git a/security/Kconfig b/security/Kconfig
> > index 93027fd..acfafb0 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -195,6 +195,7 @@ source security/tomoyo/Kconfig
> >  source security/apparmor/Kconfig
> >  source security/loadpin/Kconfig
> >  source security/yama/Kconfig
> > +source security/whiteegret/Kconfig
> >
> >  source security/integrity/Kconfig
> >
> > @@ -204,6 +205,7 @@ choice
> > default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> > default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> > default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> > +   default DEFAULT_SECURITY_WHITEEGRET if SECURITY_WHITEEGRET
> > default DEFAULT_SECURITY_DAC
> >
> > help
> > @@ -222,6 +224,9 @@ choice
> > config DEFAULT_SECURITY_APPARMOR
> > bool "AppArmor" if SECURITY_APPARMOR=y
> >
> > +   config DEFAULT_SECURITY_WHITEEGRET
> > +   bool "WhiteEgret" if SECURITY_WHITEEGRET=y
> > +
> > config DEFAULT_SECURITY_DAC
> > bool "Unix Discretionary Access Controls"
> >
> > @@ -233,7 +238,7 @@ config DEFAULT_SECURITY
> > default "smack" if DEFAULT_SECURITY_SMACK
> > default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> > default "apparmor" if DEFAULT_SECURITY_APPARMOR
> > +   default "whiteegret" if DEFAULT_SECURITY_WHITEEGRET
> > default "" if DEFAULT_SECURITY_DAC
> >
> >  endmenu
> > -
> > diff --git a/security/Makefile b/security/Makefile
> > index f2d71cd..4fd9ff9 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)+= tomoyo
> >  subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
> >  subdir-$(CONFIG_SECURITY_YAMA) += yama
> >  subdir-$(CONFIG_SECURITY_LOADPIN)  += loadpin
> > +subdir-$(CONFIG_SECURITY_WHITEEGRET)   += whiteegret
> >
> >  # always enable default capabilities
> >  obj-y  += commoncap.o
> > @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) +=
> tomoyo/
> >  obj-$(CONFIG_SECURITY_APPARMOR)+= apparmor/
> >  obj-$(CONFIG_SECURITY_YAMA)+= yama/
> >  obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > +obj-$(CONFIG_SECURITY_WHITEEGRET)  += whiteegret/
> >  obj-$(CONFIG_CGROUP_DEVICE)+= device_cgroup.o
> >
> >  # Object integrity file lists
> > diff --git a/security/whiteegret/Kconfig b/security/whiteegret/Kconfig
> > new file mode 100644
> > index 000..923316f
> > --- /dev/null
> > +++ b/security/whiteegret/Kconfig
> > @@ -0,0 +1,21 @@
> > +config SECURITY_WHITEEGRET
> > +bool "WhiteEgret support"
> > +depends on SECURITY
> > +default n
> > +help
> > + This enables the WhiteEgret security module.
> > + WhiteEgret provides a whitelisting 

RE: [RFC 0/3] WhiteEgret LSM module

[masanobu2.koike]

> -Original Message-
> 
> On Tue, May 30, 2017 at 08:11:57PM +0900, Masanobu Koike wrote:
> > An execution-whitelist, simply called whitelist, is a list
> > of executable components (e.g., applications, libraries)
> > that are approved to run on a host. The whitelist is used
> > to decide whether executable components are permitted to
> > execute or not. This mechanism can stop an execution of
> > unknown software, so it helps to stop the execution of
> > malicious code and other unauthorized software.
> > The whitelisting-type execution control works best in the
> > execution environments that are not changed for a long time,
> > for example, servers and control devices in industrial
> > control systems. This RFC provides a whitelisting-type
> > execution control implementation WhiteEgret.
> 
> There's a few assumptions made here:
> 
> 1) The system isn't subject to any form of offline attack. If it is, the
> attacker can simply replace either the whitelist agent or any of the
> executables.
> 2) The system contains no whitelisted executables that will execute
> arbitrary code. This means not shipping perl or python.
> 3) None of the whitelisted applications on the system will misbehave if
> fed invalid input.
> 4) It's impossible for a user to ptrace() any other process after it's
> been executed, and simply inject new code.
> 
> (3) is especially awkward. If you're implementing this as an LSM then
> you're giving up on being able to use any of the other LSMs to protect
> you against this - a vulnerability in a single application bypasses your
> entire security model.
> 
> The kernel already has support for application whitelisting in the form
> of IMA appraisal. All you need to do is sign the apps that you want
> whitelisted and then load a policy at runtime that enforces appraisal.
> Anything that's unsigned will then fail to execute. This deals with (1)
> (assuming that you load the policy from something that's validated
> earlier in the boot process), is no worse with respect to (2), and still
> allows you to use SELinux or Apparmor to mitigate (3) and (4). You also
> gain additional reliability by not having the system fail in the event
> of a bug in the whitelisting agent causing it to crash.
> 
> I think it would be helpful to have more details of exactly what
> circumstances this is intended to be used in and then figure out whether
> there's any way to use existing kernel functionality to provide the same
> benefits.

Thank you for a lot of comments and suggestions.

We assume a system whose execution environment cannot be
changed for a long time. It includes industrial control
systems, and control devices are main target.
Owners of these systems do not want to change their execution
environments, including kernel update, for fear that the
systems might not run correctly.
As time goes on, new security vulnerabilities might be found
and new malwares might be allowed to access such devices.
We want to prohibit unknown executable objects from executing
on the devices.

Moreover, such devices, in general, continue to do the same
tasks for many years. Namely, executable objects for the tasks
are not changed for a long time.
So permitting only pre-determined executable objects to execute,
whitelisting execution control, is suitable for such devices.

I will reply later on technical aspects.

Thanks,

Masanobu Koike

> --
> Matthew Garrett | mj...@srcf.ucam.org

RE: [RFC 0/3] WhiteEgret LSM module

[masanobu2.koike]

> -Original Message-
> 
> On Tue, May 30, 2017 at 08:11:57PM +0900, Masanobu Koike wrote:
> > An execution-whitelist, simply called whitelist, is a list
> > of executable components (e.g., applications, libraries)
> > that are approved to run on a host. The whitelist is used
> > to decide whether executable components are permitted to
> > execute or not. This mechanism can stop an execution of
> > unknown software, so it helps to stop the execution of
> > malicious code and other unauthorized software.
> > The whitelisting-type execution control works best in the
> > execution environments that are not changed for a long time,
> > for example, servers and control devices in industrial
> > control systems. This RFC provides a whitelisting-type
> > execution control implementation WhiteEgret.
> 
> There's a few assumptions made here:
> 
> 1) The system isn't subject to any form of offline attack. If it is, the
> attacker can simply replace either the whitelist agent or any of the
> executables.
> 2) The system contains no whitelisted executables that will execute
> arbitrary code. This means not shipping perl or python.
> 3) None of the whitelisted applications on the system will misbehave if
> fed invalid input.
> 4) It's impossible for a user to ptrace() any other process after it's
> been executed, and simply inject new code.
> 
> (3) is especially awkward. If you're implementing this as an LSM then
> you're giving up on being able to use any of the other LSMs to protect
> you against this - a vulnerability in a single application bypasses your
> entire security model.
> 
> The kernel already has support for application whitelisting in the form
> of IMA appraisal. All you need to do is sign the apps that you want
> whitelisted and then load a policy at runtime that enforces appraisal.
> Anything that's unsigned will then fail to execute. This deals with (1)
> (assuming that you load the policy from something that's validated
> earlier in the boot process), is no worse with respect to (2), and still
> allows you to use SELinux or Apparmor to mitigate (3) and (4). You also
> gain additional reliability by not having the system fail in the event
> of a bug in the whitelisting agent causing it to crash.
> 
> I think it would be helpful to have more details of exactly what
> circumstances this is intended to be used in and then figure out whether
> there's any way to use existing kernel functionality to provide the same
> benefits.

Thank you for a lot of comments and suggestions.

We assume a system whose execution environment cannot be
changed for a long time. It includes industrial control
systems, and control devices are main target.
Owners of these systems do not want to change their execution
environments, including kernel update, for fear that the
systems might not run correctly.
As time goes on, new security vulnerabilities might be found
and new malwares might be allowed to access such devices.
We want to prohibit unknown executable objects from executing
on the devices.

Moreover, such devices, in general, continue to do the same
tasks for many years. Namely, executable objects for the tasks
are not changed for a long time.
So permitting only pre-determined executable objects to execute,
whitelisting execution control, is suitable for such devices.

I will reply later on technical aspects.

Thanks,

Masanobu Koike

> --
> Matthew Garrett | mj...@srcf.ucam.org