Re: [dm-devel] [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-12 Thread Paul Moore
6 files changed, 149 insertions(+), 11 deletions(-) > create mode 100644 security/selinux/ima.c > create mode 100644 security/selinux/include/ima.h I remain concerned about the possibility of bypassing a measurement by tampering with the time, but I appear to be the only one who is worried a

Re: [dm-devel] [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-14 Thread Paul Moore
serspace applications are dependent > on it. Unless everyone is on board that removing the timestamp > wouldn't be considered a regression, it cannot be upstreamed. I'm not a fan of merging things which are known to be broken only with the promise of fixing it later. That goes double when the proper fix will result in a user visible breaking change. -- paul moore www.paul-moore.com -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel

Re: [dm-devel] [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-13 Thread Paul Moore
On Wed, Jan 13, 2021 at 2:13 PM Mimi Zohar wrote: > On Tue, 2021-01-12 at 11:27 -0500, Paul Moore wrote: > > On Thu, Jan 7, 2021 at 11:07 PM Tushar Sugandhi > > wrote: > > > From: Lakshmi Ramasubramanian > > > > > > SELinux stores the active pol

Re: [dm-devel] [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-13 Thread Paul Moore
On Wed, Jan 13, 2021 at 4:11 PM Mimi Zohar wrote: > On Wed, 2021-01-13 at 14:19 -0500, Paul Moore wrote: > > On Wed, Jan 13, 2021 at 2:13 PM Mimi Zohar wrote: > > > On Tue, 2021-01-12 at 11:27 -0500, Paul Moore wrote: > > > > On Thu, Jan 7, 2021 at 11:07 PM

Re: [dm-devel] [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-13 Thread Paul Moore
On Wed, Jan 13, 2021 at 6:11 PM Mimi Zohar wrote: > On Wed, 2021-01-13 at 17:10 -0500, Paul Moore wrote: > > On Wed, Jan 13, 2021 at 4:11 PM Mimi Zohar wrote: > > > On Wed, 2021-01-13 at 14:19 -0500, Paul Moore wrote: > > > > On Wed, Jan 13, 2021 at 2:13 PM Mimi

Re: [dm-devel] [PATCH v9 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-04 Thread Paul Moore
with policy_mutex held. > + */ > +int security_read_policy_kernel(struct selinux_state *state, > + void **data, size_t *len) Let's call this "security_read_state_kernel()". > +{ > + struct selinux_policy *policy; > + int rc = 0; See below, the rc variable is not needed. > - *len = (unsigned long)fp.data - (unsigned long)*data; > - return 0; > + policy = rcu_dereference_protected( > + state->policy, lockdep_is_held(>policy_mutex)); > + if (!policy) { > + rc = -EINVAL; > + goto out; Jumping to the out label is a little silly since it is just a return; do a "return -EINVAL;" here instead. > + } > + > + *len = policy->policydb.len; > + *data = vmalloc(*len); > + if (!*data) { > + rc = -ENOMEM; > + goto out; Same as above, "return -ENOMEM;" please. > + } > > + rc = security_read_selinux_policy(policy, *data, len); You should be able to do "return security_read_selinux_policy(...);" here. > + > +out: > + return rc; > } -- paul moore www.paul-moore.com -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel

Re: [dm-devel] [PATCH v9 8/8] selinux: include a consumer of the new IMA critical data hook

2021-01-04 Thread Paul Moore
On Mon, Jan 4, 2021 at 6:30 PM Lakshmi Ramasubramanian wrote: > On 12/23/20 1:10 PM, Paul Moore wrote: > Hi Paul, Hello. > >> diff --git a/security/selinux/measure.c b/security/selinux/measure.c > >> new file mode 100644 > >> index ..b7e24358e

Re: [dm-devel] [PATCH v2 1/3] dm: introduce audit event module for device mapper

2021-08-18 Thread Paul Moore
dev=%s op=%s error_msg='%s' res=%d" "... module=%s dev=%s op=%s res=%d" The first thing that jumps out is that some fields, e.g. "sector", are not always present in the record; we typically handle this by using a "?" for the field value in those cases where you

Re: [dm-devel] [PATCH v3 1/3] dm: introduce audit event module for device mapper

2021-09-03 Thread Paul Moore
break; > + } > + audit_log_format(ab, " res=%d", result); > + audit_log_end(ab); > +} > +EXPORT_SYMBOL_GPL(dm_audit_log_ti); Just checking, but are you okay when the inevitable happens and someone passes an @audit_type that is not either AUDIT_C

Re: [dm-devel] [PATCH] audit: correct the AUDIT_DM_CTRL and AUDIT_DM_EVENT numbering

2021-10-19 Thread Paul Moore
On Tue, Oct 19, 2021 at 9:15 PM Paul Moore wrote: > > Due to conflict with the audit and SELinux trees the device mapper > audit record types need to be renumbered before landing in Linus' > tree. > > Link: > https://lore.kernel.org/lkml/cahc9vhtlmzdqpqsj+vybnua1x1

[dm-devel] [PATCH] audit: correct the AUDIT_DM_CTRL and AUDIT_DM_EVENT numbering

2021-10-19 Thread Paul Moore
odule for device mapper") Signed-off-by: Paul Moore --- include/uapi/linux/audit.h |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 6650ab6def2a..809e4c2041b3 100644 --- a/include/uapi/linux/audit.h +++

Re: [dm-devel] audit: correct the AUDIT_DM_CTRL and AUDIT_DM_EVENT numbering

2021-10-27 Thread Paul Moore
On Wed, Oct 27, 2021 at 4:57 PM Mike Snitzer wrote: > > On Tue, Oct 26 2021 at 10:22P -0400, > Paul Moore wrote: > > > On Tue, Oct 19, 2021 at 9:17 PM Paul Moore wrote: > > > On Tue, Oct 19, 2021 at 9:15 PM Paul Moore wrote: > > > > > > > &g

Re: [dm-devel] [PATCH] audit: correct the AUDIT_DM_CTRL and AUDIT_DM_EVENT numbering

2021-10-26 Thread Paul Moore
On Tue, Oct 19, 2021 at 9:17 PM Paul Moore wrote: > On Tue, Oct 19, 2021 at 9:15 PM Paul Moore wrote: > > > > Due to conflict with the audit and SELinux trees the device mapper > > audit record types need to be renumbered before landing in Linus' > > tre

Re: [PATCH RFC v11 2/19] ipe: add policy parser

2023-10-26 Thread Paul Moore
On Wed, Oct 25, 2023 at 6:46 PM Fan Wu wrote: > On 10/23/2023 8:52 PM, Paul Moore wrote: > > On Oct 4, 2023 Fan Wu wrote: > >> > >> IPE's interpretation of the what the user trusts is accomplished through > >> its policy. IPE's design is to not provide supp

Re: [PATCH RFC v11 5/19] ipe: introduce 'boot_verified' as a trust provider

2023-10-26 Thread Paul Moore
On Thu, Oct 26, 2023 at 5:33 PM Fan Wu wrote: > On 10/23/2023 8:52 PM, Paul Moore wrote: > > On Oct 4, 2023 Fan Wu wrote: > >> > >> IPE is designed to provide system level trust guarantees, this usually > >> implies that trust starts from bootup with

Re: [PATCH RFC v11 2/19] ipe: add policy parser

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > IPE's interpretation of the what the user trusts is accomplished through > its policy. IPE's design is to not provide support for a single trust > provider, but to support multiple providers to enable the end-user to > choose the best one to seek their needs. >

Re: [PATCH RFC v11 14/19] ipe: add support for dm-verity as a trust provider

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > Allows author of IPE policy to indicate trust for a singular dm-verity > volume, identified by roothash, through "dmverity_roothash" and all > signed dm-verity volumes, through "dmverity_signature". > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu >

Re: [PATCH RFC v11 17/19] scripts: add boot policy generation program

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > Enables an IPE policy to be enforced from kernel start, enabling access > control based on trust from kernel startup. This is accomplished by > transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a > c-string literal that is parsed at kernel

Re: [PATCH RFC v11 15/19] fsverity: consume builtin signature via LSM hook

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > fsverity represents a mechanism to support both integrity and > authenticity protection of a file, supporting both signed and unsigned > digests. > > An LSM which controls access to a resource based on authenticity and > integrity of said resource, can then use

Re: [PATCH RFC v11 13/19] dm verity: consume root hash digest and signature data via LSM hook

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > dm-verity provides a strong guarantee of a block device's integrity. As > a generic way to check the integrity of a block device, it provides > those integrity guarantees to its higher layers, including the filesystem > level. > > An LSM that control access to

Re: [PATCH RFC v11 3/19] ipe: add evaluation loop

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > IPE must have a centralized function to evaluate incoming callers > against IPE's policy. This iteration of the policy for against the rules > for that specific caller is known as the evaluation loop. > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu >

Re: [PATCH RFC v11 5/19] ipe: introduce 'boot_verified' as a trust provider

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > IPE is designed to provide system level trust guarantees, this usually > implies that trust starts from bootup with a hardware root of trust, > which validates the bootloader. After this, the bootloader verifies the > kernel and the initramfs. > > As there's no

Re: [PATCH RFC v11 8/19] uapi|audit|ipe: add ipe auditing support

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > Users of IPE require a way to identify when and why an operation fails, > allowing them to both respond to violations of policy and be notified > of potentially malicious actions on their systems with respect to IPE > itself. > > This patch introduces 3 new

Re: [PATCH RFC v11 4/19] ipe: add LSM hooks on execution and kernel read

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > IPE's initial goal is to control both execution and the loading of > kernel modules based on the system's definition of trust. It > accomplishes this by plugging into the security hooks for > bprm_check_security, file_mprotect, mmap_file, kernel_load_data, > and

Re: [PATCH RFC v11 12/19] dm: add finalize hook to target_type

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > This patch adds a target finalize hook. > > The hook is triggered just before activating an inactive table of a > mapped device. If it returns an error the __bind get cancelled. > > The dm-verity target will use this hook to attach the dm-verity's > roothash

Re: [PATCH RFC v11 16/19] ipe: enable support for fs-verity as a trust provider

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > Enable IPE policy authors to indicate trust for a singular fsverity > file, identified by the digest information, through "fsverity_digest" > and all files using fsverity's builtin signatures via > "fsverity_signature". > > This enables file-level integrity

Re: [PATCH RFC v11 9/19] ipe: add permissive toggle

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > IPE, like SELinux, supports a permissive mode. This mode allows policy > authors to test and evaluate IPE policy without it effecting their > programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS > be reported. > > This patch adds the following audit

Re: [PATCH RFC v11 11/19] dm verity: set DM_TARGET_SINGLETON feature flag

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > The device-mapper has a flag to mark targets as singleton, which is a > required flag for immutable targets. Without this flag, multiple > dm-verity targets can be added to a mapped device, which has no > practical use cases and will let

Re: [PATCH RFC v11 18/19] ipe: kunit test for parser

2023-10-23 Thread Paul Moore
On Oct 4, 2023 Fan Wu wrote: > > Add various happy/unhappy unit tests for both IPE's parser. I'm going to suggest: "... for IPE's policy parser." Also, aside from the policy parser tests, are there any other IPE functional tests? We do have a testing guideline for new LSM submissions: "New

Re: [dm-devel] [RFC PATCH v8 07/17] ipe: add auditing support

2022-06-15 Thread Paul Moore
On Wed, Jun 8, 2022 at 3:01 PM Deven Bowers wrote: > > Users of IPE require a way to identify when and why an operation fails, > allowing them to both respond to violations of policy and be notified > of potentially malicious actions on their systens with respect to IPE > itself. > > The new 1420

Re: [dm-devel] [RFC PATCH v8 02/17] ipe: add policy parser

2022-06-15 Thread Paul Moore
On Wed, Jun 8, 2022 at 3:03 PM Deven Bowers wrote: > > IPE's interpretation of the what the user trusts is accomplished through > its policy. IPE's design is to not provide support for a single trust > provider, but to support multiple providers to enable the end-user to > choose the best one to

Re: [dm-devel] [RFC PATCH v9 02/16] ipe: add policy parser

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > IPE's interpretation of the what the user trusts is accomplished through > its policy. IPE's design is to not provide support for a single trust > provider, but to support multiple providers to enable the end-user to >

Re: [dm-devel] [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > IPE must have a centralized function to evaluate incoming callers > against IPE's policy. This iteration of the policy against the rules > for that specific caller is known as the evaluation loop. > > In addition, IPE is

Re: [dm-devel] [RFC PATCH v9 09/16] block|security: add LSM blob to block_device

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > block_device structures can have valuable security properties, > based on how they are created, and what subsystem manages them. > > By adding LSM storage to this structure, this data can be accessed > at the LSM layer. > >

Re: [dm-devel] [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > Allows author of IPE policy to indicate trust for a singular dm-verity > volume, identified by roothash, through "dmverity_roothash" and all > signed dm-verity volumes, through "dmverity_signature". > > Signed-off-by: Deven

Re: [dm-devel] [RFC PATCH v9 05/16] ipe: add userspace interface

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > As is typical with LSMs, IPE uses securityfs as its interface with > userspace. for a complete list of the interfaces and the respective > inputs/outputs, please see the documentation under > admin-guide/LSM/ipe.rst > >

Re: [dm-devel] [RFC PATCH v9 01/16] security: add ipe lsm

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > Integrity Policy Enforcement (IPE) is an LSM that provides an > complimentary approach to Mandatory Access Control than existing LSMs > today. > > Existing LSMs have centered around the concept of access to a resource >

Re: [dm-devel] [RFC PATCH v9 08/16] ipe: add permissive toggle

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote: > > From: Deven Bowers > > IPE, like SELinux, supports a permissive mode. This mode allows policy > authors to test and evaluate IPE policy without it effecting their > programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS > be reported. > >

Re: [dm-devel] [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read

2023-03-02 Thread Paul Moore
On Mon, Jan 30, 2023 at 5:59 PM Fan Wu wrote: > > From: Deven Bowers > > IPE's initial goal is to control both execution and the loading of > kernel modules based on the system's definition of trust. It > accomplishes this by plugging into the security hooks for > bprm_check_security,

Re: [dm-devel] [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support

2023-03-02 Thread Paul Moore
On Tue, Jan 31, 2023 at 12:11 PM Steve Grubb wrote: > > Hello, > > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote: > > From: Deven Bowers > > > > Users of IPE require a way to identify when and why an operation fails, > > allowing them to both respond to violations of policy and be

Re: [dm-devel] [PATCH] dm verity: log audit events for dm-verity target

2023-03-01 Thread Paul Moore
t(1677619596.727:1162): module=verity > op=verify-data dev=7:0 sector=1000 res=0 > > type=DM_EVENT msg=audit(1677619596.731:1163): module=verity > op=max-corrupted-errors dev=254:3 sector=? res=0 > > Signed-off-by: Michael Weiß > --- > drivers/md/dm-verity-target.c | 20 +

Re: [dm-devel] [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider

2023-03-01 Thread Paul Moore
On Fri, Feb 10, 2023 at 6:21 PM Fan Wu wrote: > On Tue, Jan 31, 2023 at 04:49:44PM +0100, Roberto Sassu wrote: > > On Mon, 2023-01-30 at 14:57 -0800, Fan Wu wrote: > > > From: Deven Bowers > > > > > > IPE must have a centralized function to evaluate incoming callers > > > against IPE's policy.

Re: [dm-devel] [RFC PATCH v9 05/16] ipe: add userspace interface

2023-04-17 Thread Paul Moore
On Mon, Apr 17, 2023 at 2:06 PM Fan Wu wrote: > On Thu, Apr 13, 2023 at 02:45:07PM -0400, Paul Moore wrote: > > On Wed, Apr 12, 2023 at 7:36???PM Fan Wu wrote: > > > On Tue, Apr 11, 2023 at 05:45:41PM -0400, Paul Moore wrote: > > > > On Mon, Apr 10, 2023 at 3:

Re: [dm-devel] [RFC PATCH v9 05/16] ipe: add userspace interface

2023-04-17 Thread Paul Moore
On Mon, Apr 17, 2023 at 5:18 PM Fan Wu wrote: > On Mon, Apr 17, 2023 at 04:16:29PM -0400, Paul Moore wrote: > > On Mon, Apr 17, 2023 at 2:06???PM Fan Wu wrote: > > > On Thu, Apr 13, 2023 at 02:45:07PM -0400, Paul Moore wrote: > > > > On Wed, Apr 12, 2023 at 7:

Re: [dm-devel] [RFC PATCH v9 02/16] ipe: add policy parser

2023-04-11 Thread Paul Moore
On Thu, Apr 6, 2023 at 4:00 PM Fan Wu wrote: > On Thu, Mar 02, 2023 at 02:02:32PM -0500, Paul Moore wrote: > > On Mon, Jan 30, 2023 at 5:58???PM Fan Wu wrote: > > > > > > From: Deven Bowers > > > > > > IPE's interpretation of the what the user tr

Re: [dm-devel] [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider

2023-04-11 Thread Paul Moore
On Mon, Apr 10, 2023 at 2:53 PM Fan Wu wrote: > On Thu, Mar 02, 2023 at 02:03:11PM -0500, Paul Moore wrote: > > On Mon, Jan 30, 2023 at 5:58???PM Fan Wu wrote: > > > > > > From: Deven Bowers > > > > > > IPE must have a centralized function to evaluat

Re: [dm-devel] [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support

2023-04-11 Thread Paul Moore
On Thu, Mar 2, 2023 at 2:05 PM Paul Moore wrote: > On Tue, Jan 31, 2023 at 12:11 PM Steve Grubb wrote: > > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote: ... > > > audit: MAC_POLICY_LOAD policy_name="dmverity_roothash" > >

Re: [dm-devel] [RFC PATCH v9 05/16] ipe: add userspace interface

2023-04-11 Thread Paul Moore
On Mon, Apr 10, 2023 at 3:10 PM Fan Wu wrote: > On Thu, Mar 02, 2023 at 02:04:42PM -0500, Paul Moore wrote: > > On Mon, Jan 30, 2023 at 5:58???PM Fan Wu wrote: > > > > > > From: Deven Bowers > > > > > > As is typical with LSMs, IPE uses sec

Re: [dm-devel] [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support

2023-04-11 Thread Paul Moore
On Thu, Mar 16, 2023 at 6:53 PM Fan Wu wrote: > On Thu, Mar 02, 2023 at 02:05:33PM -0500, Paul Moore wrote: > > On Tue, Jan 31, 2023 at 12:11???PM Steve Grubb wrote: > > > > > > Hello, > > > > > > On Monday, January 30, 2023 5:57:22 PM

Re: [dm-devel] [RFC PATCH v9 05/16] ipe: add userspace interface

2023-04-13 Thread Paul Moore
On Wed, Apr 12, 2023 at 7:36 PM Fan Wu wrote: > On Tue, Apr 11, 2023 at 05:45:41PM -0400, Paul Moore wrote: > > On Mon, Apr 10, 2023 at 3:10???PM Fan Wu wrote: > > > On Thu, Mar 02, 2023 at 02:04:42PM -0500, Paul Moore wrote: > > > > On Mon, Jan 30, 2023 at 5:

Re: [dm-devel] [PATCH RFC v10 2/17] ipe: add policy parser

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE's interpretation of the what the user trusts is accomplished through > its policy. IPE's design is to not provide support for a single trust > provider, but to support multiple providers to enable the end-user to > choose the best one to seek their needs. >

Re: [dm-devel] [PATCH RFC v10 3/17] ipe: add evaluation loop

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE must have a centralized function to evaluate incoming callers > against IPE's policy. This iteration of the policy for against the rules > for that specific caller is known as the evaluation loop. Can you rewrite that second sentence, it reads a bit awkward

Re: [dm-devel] [PATCH RFC v10 4/17] ipe: add LSM hooks on execution and kernel read

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE's initial goal is to control both execution and the loading of > kernel modules based on the system's definition of trust. It > accomplishes this by plugging into the security hooks for > bprm_check_security, file_mprotect, mmap_file, kernel_load_data, > and

Re: [dm-devel] [PATCH RFC v10 5/17] ipe: introduce 'boot_verified' as a trust provider

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE is designed to provide system level trust guarantees, this usually > implies that trust starts from bootup with a hardware root of trust, > which validates the bootloader. After this, the bootloader verifies the > kernel and the initramfs. > > As there's no

Re: [dm-devel] [PATCH RFC v10 9/17] ipe: add permissive toggle

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE, like SELinux, supports a permissive mode. This mode allows policy > authors to test and evaluate IPE policy without it effecting their > programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS > be reported. > > This patch adds the following audit

Re: [dm-devel] [PATCH RFC v10 8/17] uapi|audit|ipe: add ipe auditing support

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > Users of IPE require a way to identify when and why an operation fails, > allowing them to both respond to violations of policy and be notified > of potentially malicious actions on their systems with respect to IPE > itself. > > This patch introduces 3 new

Re: [dm-devel] [PATCH RFC v10 1/17] security: add ipe lsm

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > Integrity Policy Enforcement (IPE) is an LSM that provides an > complimentary approach to Mandatory Access Control than existing LSMs > today. > > Existing LSMs have centered around the concept of access to a resource > should be controlled by the current

Re: [dm-devel] [PATCH RFC v10 7/17] ipe: add userspace interface

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > As is typical with LSMs, IPE uses securityfs as its interface with > userspace. for a complete list of the interfaces and the respective > inputs/outputs, please see the documentation under > admin-guide/LSM/ipe.rst > > Signed-off-by: Deven Bowers >

Re: [dm-devel] [PATCH RFC v10 6/17] security: add new securityfs delete function

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > When deleting a directory in the security file system, the existing > securityfs_remove requires the directory to be empty, otherwise > it will do nothing. This leads to a potential risk that the security > file system might be in an unclean state when the

Re: [dm-devel] [PATCH RFC v10 12/17] ipe: add support for dm-verity as a trust provider

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > Allows author of IPE policy to indicate trust for a singular dm-verity > volume, identified by roothash, through "dmverity_roothash" and all > signed dm-verity volumes, through "dmverity_signature". > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu >

Re: [dm-devel] [PATCH RFC v10 1/17] security: add ipe lsm

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > Integrity Policy Enforcement (IPE) is an LSM that provides an > complimentary approach to Mandatory Access Control than existing LSMs > today. > > Existing LSMs have centered around the concept of access to a resource > should be controlled by the current

Re: [dm-devel] [PATCH RFC v10 4/17] ipe: add LSM hooks on execution and kernel read

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE's initial goal is to control both execution and the loading of > kernel modules based on the system's definition of trust. It > accomplishes this by plugging into the security hooks for > bprm_check_security, file_mprotect, mmap_file, kernel_load_data, > and

Re: [dm-devel] [PATCH RFC v10 8/17] uapi|audit|ipe: add ipe auditing support

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > Users of IPE require a way to identify when and why an operation fails, > allowing them to both respond to violations of policy and be notified > of potentially malicious actions on their systems with respect to IPE > itself. > > This patch introduces 3 new

Re: [dm-devel] [PATCH RFC v10 9/17] ipe: add permissive toggle

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE, like SELinux, supports a permissive mode. This mode allows policy > authors to test and evaluate IPE policy without it effecting their > programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS > be reported. > > This patch adds the following audit

Re: [dm-devel] [PATCH RFC v10 7/17] ipe: add userspace interface

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > As is typical with LSMs, IPE uses securityfs as its interface with > userspace. for a complete list of the interfaces and the respective > inputs/outputs, please see the documentation under > admin-guide/LSM/ipe.rst > > Signed-off-by: Deven Bowers >

Re: [dm-devel] [PATCH RFC v10 5/17] ipe: introduce 'boot_verified' as a trust provider

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE is designed to provide system level trust guarantees, this usually > implies that trust starts from bootup with a hardware root of trust, > which validates the bootloader. After this, the bootloader verifies the > kernel and the initramfs. > > As there's no

Re: [dm-devel] [PATCH RFC v10 6/17] security: add new securityfs delete function

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > When deleting a directory in the security file system, the existing > securityfs_remove requires the directory to be empty, otherwise > it will do nothing. This leads to a potential risk that the security > file system might be in an unclean state when the

Re: [dm-devel] [PATCH RFC v10 3/17] ipe: add evaluation loop

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE must have a centralized function to evaluate incoming callers > against IPE's policy. This iteration of the policy for against the rules > for that specific caller is known as the evaluation loop. Can you rewrite that second sentence, it reads a bit awkward

Re: [dm-devel] [PATCH RFC v10 12/17] ipe: add support for dm-verity as a trust provider

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > Allows author of IPE policy to indicate trust for a singular dm-verity > volume, identified by roothash, through "dmverity_roothash" and all > signed dm-verity volumes, through "dmverity_signature". > > Signed-off-by: Deven Bowers > Signed-off-by: Fan Wu >

Re: [dm-devel] [PATCH RFC v10 2/17] ipe: add policy parser

2023-07-07 Thread Paul Moore
On Jun 28, 2023 Fan Wu wrote: > > IPE's interpretation of the what the user trusts is accomplished through > its policy. IPE's design is to not provide support for a single trust > provider, but to support multiple providers to enable the end-user to > choose the best one to seek their needs. >

Re: [dm-devel] [PATCH RFC v10 7/17] ipe: add userspace interface

2023-08-01 Thread Paul Moore
On Fri, Jul 14, 2023 at 11:26 PM Fan Wu wrote: > On Sat, Jul 08, 2023 at 12:23:04AM -0400, Paul Moore wrote: > > On Jun 28, 2023 Fan Wu wrote: > > > > > > As is typical with LSMs, IPE uses securityfs as its interface with > > > userspace. for a complete list

Re: [dm-devel] [PATCH RFC v10 8/17] uapi|audit|ipe: add ipe auditing support

2023-08-01 Thread Paul Moore
On Fri, Jul 14, 2023 at 11:57 PM Fan Wu wrote: > On Sat, Jul 08, 2023 at 12:23:05AM -0400, Paul Moore wrote: > > On Jun 28, 2023 Fan Wu wrote: > > > > > > Users of IPE require a way to identify when and why an operation fails, > > > allowing them to

Re: [dm-devel] [RFC PATCH v10 11/17] dm-verity: consume root hash digest and signature data via LSM hook

2023-07-25 Thread Paul Moore
On Tue, Jul 11, 2023 at 11:43 PM Fan Wu wrote: > On Fri, Jul 07, 2023 at 10:53:45AM -0400, Mike Snitzer wrote: ... > > Both of your calls to security_bdev_setsecurity() to set your blobs in > > the bdev are suspect because you're doing so from the verity_ctr(). > > The mapped_device has 2