LSM: Add /sys/kernel/security/lsm
authorCasey Schaufler <casey@schaufler-ca.com>
Thu, 19 Jan 2017 01:09:05 +0000 (17:09 -0800)
committerJames Morris <james.l.morris@oracle.com>
Thu, 19 Jan 2017 02:18:29 +0000 (13:18 +1100)
I am still tired of having to find indirect ways to determine
what security modules are active on a system. I have added
/sys/kernel/security/lsm, which contains a comma separated
list of the active security modules. No more groping around
in /proc/filesystems or other clever hacks.

Unchanged from previous versions except for being updated
to the latest security next branch.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Documentation/security/LSM.txt
include/linux/lsm_hooks.h
security/apparmor/lsm.c
security/commoncap.c
security/inode.c
security/loadpin/loadpin.c
security/security.c
security/selinux/hooks.c
security/smack/smack_lsm.c
security/tomoyo/tomoyo.c
security/yama/yama_lsm.c

index 3db7e671c440050a4046fbd5263e7b1b4959f9b9..c2683f28ed367b51118a81c37be8ab696743dda4 100644 (file)
@@ -22,6 +22,13 @@ system, building their checks on top of the defined capability hooks.
 For more details on capabilities, see capabilities(7) in the Linux
 man-pages project.
 
+A list of the active security modules can be found by reading
+/sys/kernel/security/lsm. This is a comma separated list, and
+will always include the capability module. The list reflects the
+order in which checks are made. The capability module will always
+be first, followed by any "minor" modules (e.g. Yama) and then
+the one "major" module (e.g. SELinux) if there is one configured.
+
 Based on https://lkml.org/lkml/2007/10/26/215,
 a new LSM is accepted into the kernel when its intent (a description of
 what it tries to protect against and in what cases one would expect to
index 9cf50ad2fe205f8e4260921b842ee617e94d3ffb..0f3c309065d7869336b89c38e376d5bf9bd578f5 100644 (file)
@@ -1875,6 +1875,7 @@ struct security_hook_list {
        struct list_head                list;
        struct list_head                *head;
        union security_list_options     hook;
+       char                            *lsm;
 };
 
 /*
@@ -1887,15 +1888,10 @@ struct security_hook_list {
        { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }
 
 extern struct security_hook_heads security_hook_heads;
+extern char *lsm_names;
 
-static inline void security_add_hooks(struct security_hook_list *hooks,
-                                     int count)
-{
-       int i;
-
-       for (i = 0; i < count; i++)
-               list_add_tail_rcu(&hooks[i].list, hooks[i].head);
-}
+extern void security_add_hooks(struct security_hook_list *hooks, int count,
+                               char *lsm);
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 /*
index 5217a0a54047d78941e5ee5571421d7bd83bb376..b63d39ca6278193ce9f27742c82c3d5702e2c92a 100644 (file)
@@ -999,7 +999,8 @@ static int __init apparmor_init(void)
                aa_free_root_ns();
                goto buffers_out;
        }
-       security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks));
+       security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
+                               "apparmor");
 
        /* Report that AppArmor successfully initialized */
        apparmor_initialized = 1;
index 8df676fbd39366274bf7da334ac5f2aca00c36ae..6d4d586b9356240660e75506d3daacb7ebb8a853 100644 (file)
@@ -1093,7 +1093,8 @@ struct security_hook_list capability_hooks[] = {
 
 void __init capability_add_hooks(void)
 {
-       security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
+       security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
+                               "capability");
 }
 
 #endif /* CONFIG_SECURITY */
index c83db05c15aba95801c49418d51728d5774bfdf0..2cb14162ff8d5fa2f2ebfdd58061c07f4569f34c 100644 (file)
@@ -20,6 +20,7 @@
 #include <linux/init.h>
 #include <linux/namei.h>
 #include <linux/security.h>
+#include <linux/lsm_hooks.h>
 #include <linux/magic.h>
 
 static struct vfsmount *mount;
@@ -204,6 +205,21 @@ void securityfs_remove(struct dentry *dentry)
 }
 EXPORT_SYMBOL_GPL(securityfs_remove);
 
+#ifdef CONFIG_SECURITY
+static struct dentry *lsm_dentry;
+static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
+                       loff_t *ppos)
+{
+       return simple_read_from_buffer(buf, count, ppos, lsm_names,
+               strlen(lsm_names));
+}
+
+static const struct file_operations lsm_ops = {
+       .read = lsm_read,
+       .llseek = generic_file_llseek,
+};
+#endif
+
 static int __init securityfs_init(void)
 {
        int retval;
@@ -213,9 +229,15 @@ static int __init securityfs_init(void)
                return retval;
 
        retval = register_filesystem(&fs_type);
-       if (retval)
+       if (retval) {
                sysfs_remove_mount_point(kernel_kobj, "security");
-       return retval;
+               return retval;
+       }
+#ifdef CONFIG_SECURITY
+       lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
+                                               &lsm_ops);
+#endif
+       return 0;
 }
 
 core_initcall(securityfs_init);
index 89a46f10b8a7b27d3adcad7b5df9a63b15fd84ba..1d82eae3a5b834c4beadf9bdf79415ecb9078ffe 100644 (file)
@@ -182,7 +182,7 @@ static struct security_hook_list loadpin_hooks[] = {
 void __init loadpin_add_hooks(void)
 {
        pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
-       security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks));
+       security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
 }
 
 /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
index f825304f04a773763cad9c36ac5bc68f9e7a9aa1..f0a802ee29b645e1bab160b1d165cf601cf7205b 100644 (file)
@@ -32,6 +32,7 @@
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX      10
 
+char *lsm_names;
 /* Boot-time LSM user choice */
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
        CONFIG_DEFAULT_SECURITY;
@@ -78,6 +79,22 @@ static int __init choose_lsm(char *str)
 }
 __setup("security=", choose_lsm);
 
+static int lsm_append(char *new, char **result)
+{
+       char *cp;
+
+       if (*result == NULL) {
+               *result = kstrdup(new, GFP_KERNEL);
+       } else {
+               cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
+               if (cp == NULL)
+                       return -ENOMEM;
+               kfree(*result);
+               *result = cp;
+       }
+       return 0;
+}
+
 /**
  * security_module_enable - Load given security module on boot ?
  * @module: the name of the module
@@ -97,6 +114,27 @@ int __init security_module_enable(const char *module)
        return !strcmp(module, chosen_lsm);
 }
 
+/**
+ * security_add_hooks - Add a modules hooks to the hook lists.
+ * @hooks: the hooks to add
+ * @count: the number of hooks to add
+ * @lsm: the name of the security module
+ *
+ * Each LSM has to register its hooks with the infrastructure.
+ */
+void __init security_add_hooks(struct security_hook_list *hooks, int count,
+                               char *lsm)
+{
+       int i;
+
+       for (i = 0; i < count; i++) {
+               hooks[i].lsm = lsm;
+               list_add_tail_rcu(&hooks[i].list, hooks[i].head);
+       }
+       if (lsm_append(lsm, &lsm_names) < 0)
+               panic("%s - Cannot get early memory.\n", __func__);
+}
+
 /*
  * Hook list operation macros.
  *
index c7c6619431d5fb4922dd729e9e49dd910d7967d2..fdc24ea65fd0615d5961b66d5e87944d8fc93007 100644 (file)
@@ -6349,7 +6349,7 @@ static __init int selinux_init(void)
                                            0, SLAB_PANIC, NULL);
        avc_init();
 
-       security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
+       security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
 
        if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
                panic("SELinux: Unable to register AVC netcache callback\n");
index 94dc9d406ce33060513231c1f93727a51a106e14..839150e40eb1c5a1a212fe198b08857742dc1d81 100644 (file)
@@ -4819,7 +4819,7 @@ static __init int smack_init(void)
        /*
         * Register with LSM
         */
-       security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks));
+       security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
 
        return 0;
 }
index 75c998700190ce260f54926e2d49236c154229e6..edc52d620f29cf7b027dd962ab0976a75eef3ba4 100644 (file)
@@ -542,7 +542,7 @@ static int __init tomoyo_init(void)
        if (!security_module_enable("tomoyo"))
                return 0;
        /* register ourselves with the security framework */
-       security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks));
+       security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
        printk(KERN_INFO "TOMOYO Linux initialized\n");
        cred->security = &tomoyo_kernel_domain;
        tomoyo_mm_init();
index 968e5e0a3f81c611a953875ce1e2b8f14ec2e1fe..88271a3bf37f8378fbc6be1d63dd6b4d2de8054c 100644 (file)
@@ -485,6 +485,6 @@ static inline void yama_init_sysctl(void) { }
 void __init yama_add_hooks(void)
 {
        pr_info("Yama: becoming mindful.\n");
-       security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks));
+       security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
        yama_init_sysctl();
 }