Re: [PATCH] prlimit,security,selinux: add a security hook for prlimit

2017-02-16 Thread James Morris
On Thu, 16 Feb 2017, Stephen Smalley wrote:

> When SELinux was first added to the kernel, a process could only get
> and set its own resource limits via getrlimit(2) and setrlimit(2), so no
> MAC checks were required for those operations, and thus no security hooks
> were defined for them. Later, SELinux introduced a hook for setrlimit(2)
> with a check if the hard limit was being changed in order to be able to
> rely on the hard limit value as a safe reset point upon context
> transitions.

[...]


Queued for 4.11 at
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue




-- 
James Morris


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [kernel-hardening] Re: [RFC v2 PATCH 1/2] security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

2017-02-16 Thread Daniel Micay
> >  At least one antivirus software (which allows anonymous download of LKM
> > source code) is using LSM hooks since Linux 2.6.32 instead of rewriting
> > syscall tables. We are already allowing multiple concurrent LSM modules
> > (up to one fully armored module which uses "struct cred"->security field
> > or exclusive hooks like security_xfrm_state_pol_flow_match(), plus
> > unlimited number of lightweight modules which do not use "struct
> > cred"->security nor exclusive hooks) as long as they are built into the
> > kernel. There is no reason to keep LKM based LSM modules from antivirus
> > software or alike away.
> 
> We're not to the point where in-kernel modules are stacking fully.
> Not everyone is on board for that, but hope springs eternal. Part
> of the design criteria I'm working under is that it shouldn't
> preclude loadable modules, and I still think that's doable. The
> patch James proposed is completely compatible with this philosophy.
> You can argue that it requires a loadable module configuration be
> less "hardened", but the opponents of loadable modules say that is
> inherent to loadable modules.

FWIW, the full infrastructure for read-only data from PaX includes a way
to make data temporarily writable for a kernel thread. In PaX,
__ro_after_init was/is called __read_only and pax_open_kernel /
pax_close_kernel make it usable for rarely written data. That could
easily land before loadable LSMs.


[PATCH 1/2] selinux-testsuite: exclude netlink_socket tests from RHEL7

2017-02-16 Thread Stephen Smalley
RHEL7.3 updated its policy to define the new netlink socket classes,
thereby enabling execution of the netlink_socket tests, but its
kernel does not include the corresponding kernel patch implementing
them.  Disable these tests on RHEL7.

Signed-off-by: Stephen Smalley 
---
 tests/Makefile | 4 
 1 file changed, 4 insertions(+)

diff --git a/tests/Makefile b/tests/Makefile
index 1311234..11008a9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -40,6 +40,10 @@ ifeq ($(DISTRO),RHEL6)
 SUBDIRS:=$(filter-out nnp overlay, $(SUBDIRS))
 endif
 
+ifeq ($(DISTRO),RHEL7)
+SUBDIRS:=$(filter-out netlink_socket, $(SUBDIRS))
+endif
+
 .PHONY: all test clean
 
 all:
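Review bot: keying the exclusion on `ifeq ($(DISTRO),RHEL7)` disables the netlink_socket tests on every RHEL7 release, while the commit message describes a mismatch specific to RHEL7.3's policy update outrunning its kernel, so a later RHEL7 kernel that does pick up the netlink socket class patch would go untested. If that trade-off is intended, a one-line comment above the block recording the reason (policy defines the classes, kernel lacks the patch) would tell whoever later revisits it when the exclusion can be dropped; otherwise gate on a kernel feature probe rather than the distribution name.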
-- 
2.7.4



[PATCH] prlimit,security,selinux: add a security hook for prlimit

2017-02-16 Thread Stephen Smalley
When SELinux was first added to the kernel, a process could only get
and set its own resource limits via getrlimit(2) and setrlimit(2), so no
MAC checks were required for those operations, and thus no security hooks
were defined for them. Later, SELinux introduced a hook for setrlimit(2)
with a check if the hard limit was being changed in order to be able to
rely on the hard limit value as a safe reset point upon context
transitions.

Later on, when prlimit(2) was added to the kernel with the ability to get
or set resource limits (hard or soft) of another process, LSM/SELinux was
not updated other than to pass the target process to the setrlimit hook.
This resulted in incomplete control over both getting and setting the
resource limits of another process.

Add a new security_task_prlimit() hook to the check_prlimit_permission()
function to provide complete mediation.  The hook is only called when
acting on another task, and only if the existing DAC/capability checks
would allow access.  Pass flags down to the hook to indicate whether the
prlimit(2) call will read, write, or both read and write the resource
limits of the target process.

The existing security_task_setrlimit() hook is left alone; it continues
to serve a purpose in supporting the ability to make decisions based on
the old and/or new resource limit values when setting limits.  This
is consistent with the DAC/capability logic, where
check_prlimit_permission() performs generic DAC/capability checks for
acting on another task, while do_prlimit() performs a capability check
based on a comparison of the old and new resource limits.  Fix the
inline documentation for the hook to match the code.

Implement the new hook for SELinux.  For setting resource limits, we
reuse the existing setrlimit permission.  Note that this does overload
the setrlimit permission to mean the ability to set the resource limit
(soft or hard) of another process or the ability to change one's own
hard limit.  For getting resource limits, a new getrlimit permission
is defined.  This was not originally defined since getrlimit(2) could
only be used to obtain a process' own limits.

Signed-off-by: Stephen Smalley 
---
 include/linux/lsm_hooks.h   | 18 +++---
 include/linux/security.h|  6 ++
 kernel/sys.c| 30 ++
 security/security.c |  8 
 security/selinux/hooks.c| 14 ++
 security/selinux/include/classmap.h |  2 +-
 6 files changed, 62 insertions(+), 16 deletions(-)
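The read/write/both classification and the two-layer check the commit message describes, as an added example for exercising the new mediation from userspace (not the patch's own code): it forks an idle child so the cross-task path is taken, then calls prlimit(2) against it in each of the three shapes. The PRLIMIT_* names are constructed stand-ins for the kernel's LSM_PRLIMIT_* bits, and the block assumes glibc's prlimit() wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for the kernel's LSM_PRLIMIT_* bits (names and values
 * assumed here; the real ones are in include/linux/security.h). */
#define PRLIMIT_READ  1u
#define PRLIMIT_WRITE 2u

/* A prlimit(2) call reads the target's limits when old_rlim is non-NULL and
 * modifies them when new_rlim is non-NULL: the read/write/both split the patch
 * passes to the hook (SELinux getrlimit, setrlimit, or both permissions). */
unsigned int prlimit_access_flags(const struct rlimit *new_rlim,
                                  const struct rlimit *old_rlim)
{
    unsigned int flags = 0;
    if (old_rlim) flags |= PRLIMIT_READ;
    if (new_rlim) flags |= PRLIMIT_WRITE;
    return flags;
}

/* Fork an idle child (a different task, so the cross-task path is taken) and
 * issue the three call shapes against it.  Returns 0 if the read, the
 * soft-limit lowering and the combined call succeed, else -errno.  The final
 * attempt raises the child's hard limit and reports its errno separately: that
 * is do_prlimit()'s old-vs-new capability check, the second layer the commit
 * message describes, which refuses an unprivileged caller with EPERM. */
int probe_child_prlimit(int *raise_hard_errno)
{
    struct rlimit old, new, cur;
    int rc = 0;
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) { pause(); _exit(0); }
    if (prlimit(pid, RLIMIT_NOFILE, NULL, &old)) { rc = -errno; goto out; } /* READ */
    new = old;
    if (new.rlim_cur > 1) new.rlim_cur--;        /* lowering a soft limit needs no cap */
    if (prlimit(pid, RLIMIT_NOFILE, &new, NULL)) { rc = -errno; goto out; } /* WRITE */
    if (prlimit(pid, RLIMIT_NOFILE, &new, &cur)) { rc = -errno; goto out; } /* READ|WRITE */
    if (cur.rlim_cur != new.rlim_cur) { rc = -EIO; goto out; }
    new.rlim_max = old.rlim_max == RLIM_INFINITY ? old.rlim_max : old.rlim_max + 1;
    *raise_hard_errno = prlimit(pid, RLIMIT_NOFILE, &new, NULL) ? errno : 0;
out:
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}
```

With this patch applied under SELinux, a denial on the first call would show up as a getrlimit permission check against the child's domain and a denial on the writes as a setrlimit check; the hard-limit raise is refused by do_prlimit() independently of the hook.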

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 6fe7a5c..5832f74 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -631,10 +631,19 @@
  * Check permission before getting the ioprio value of @p.
  * @p contains the task_struct of process.
  * Return 0 if permission is granted.
+ * @task_prlimit:
+ * Check permission before getting and/or setting the resource limits of
+ * another task.
+ * @cred points to the cred structure for the current task.
+ * @tcred points to the cred structure for the target task.
+ * @flags contains the LSM_PRLIMIT_* flag bits indicating whether the
+ * resource limits are being read, modified, or both.
+ * Return 0 if permission is granted.
  * @task_setrlimit:
- * Check permission before setting the resource limits of the current
- * process for @resource to @new_rlim.  The old resource limit values can
- * be examined by dereferencing (current->signal->rlim + resource).
+ * Check permission before setting the resource limits of process @p
+ * for @resource to @new_rlim.  The old resource limit values can
+ * be examined by dereferencing (p->signal->rlim + resource).
+ * @p points to the task_struct for the target task's group leader.
  * @resource contains the resource whose limit is being set.
  * @new_rlim contains the new limits for @resource.
  * Return 0 if permission is granted.
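Review bot: the new @task_prlimit text should spell out the hook's calling contract as given in the commit message, namely that it runs only when the target is a different task and only after the DAC/capability checks in check_prlimit_permission() have passed; an LSM author reading this header alone cannot tell whether those checks must be repeated. Adding that @cred and @tcred never belong to the same task when the hook is invoked, and pointing to where the LSM_PRLIMIT_* bits are defined, would complete the entry. The @task_setrlimit rewording to `process @p` and `(p->signal->rlim + resource)` correctly matches the code now that prlimit(2) passes the target.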
@@ -1495,6 +1504,8 @@ union security_list_options {
int (*task_setnice)(struct task_struct *p, int nice);
int (*task_setioprio)(struct task_struct *p, int ioprio);
int (*task_getioprio)(struct task_struct *p);
+   int (*task_prlimit)(const struct cred *cred, const struct cred *tcred,
+   unsigned int flags);
int (*task_setrlimit)(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim);
int (*task_setscheduler)(struct task_struct *p);
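Review bot: task_prlimit is the only hook in this group typed on `const struct cred *` rather than the `struct task_struct *` its neighbours, including task_setrlimit directly below it, take; the cred-based signature is reasonable where check_prlimit_permission() already holds both creds, but that rationale belongs in the commit message or the header comment so the asymmetry does not read as accidental, and the security_task_prlimit() prototype should keep the same (cred, tcred, flags) order.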
@@ -1756,6 +1767,7 @@ struct security_hook_heads {
struct list_head task_setnice;
struct list_head task_setioprio;
struct list_head task_getioprio;
+   struct list_head task_prlimit;
struct list_head task_setrlimit;
struct list_head task_setscheduler;
struct list_head task_getscheduler;
diff --git a/include/linux/security.h