[PATCH 0/3][E] LSM changes for Eoan


Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1845383
BugLink: https://launchpad.net/bugs/1845391

I set out to enable building the SafeSetID LSM in our Eoan kernel and
came across a needed bug fix and a small cleanup for the CONFIG_LSM
value that we have in our kernel configs.

None of these changes are urgent and could be deferred to E+1, if
needed.

The functional result of the patch set is that the SafeSetID LSM will be
built but not enabled by default. A system administrator can then make
use of SafeSetID, if desired, using the "lsm" kernel command-line
parameter.

Tyler

Micah Morton (1):
  LSM: SafeSetID: Stop releasing uninitialized ruleset

Tyler Hicks (2):
  UBUNTU: [Config] loadpin shouldn't be in CONFIG_LSM
  UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default

 debian.master/config/annotations          | 6 +++---
 debian.master/config/config.common.ubuntu | 4 ++--
 security/safesetid/securityfs.c           | 3 ++-
 3 files changed, 7 insertions(+), 6 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
[PATCH 1/3] UBUNTU: [Config] loadpin shouldn't be in CONFIG_LSM

Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1845383

CONFIG_SECURITY_LOADPIN is disabled so it doesn't make sense to include
"loadpin" in CONFIG_LSM.

Signed-off-by: Tyler Hicks <[hidden email]>
---
 debian.master/config/annotations          | 2 +-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 3951b0e900d1..ff5c7c95f3dc 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12625,7 +12625,7 @@ CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': '
 CONFIG_LOCK_DOWN_KERNEL_FORCE                   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 's390x': 'n'}>
 CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             policy<{'amd64': 'y', 'i386': 'y'}>
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
-CONFIG_LSM                                      policy<{'amd64': '"yama,loadpin,integrity,apparmor"', 'arm64': '"yama,loadpin,integrity,apparmor"', 'armhf': '"yama,loadpin,integrity,apparmor"', 'i386': '"yama,loadpin,integrity,apparmor"', 'ppc64el': '"yama,loadpin,integrity,apparmor"', 's390x': '"yama,loadpin,integrity,apparmor"'}>
+CONFIG_LSM                                      policy<{'amd64': '"yama,integrity,apparmor"', 'arm64': '"yama,integrity,apparmor"', 'armhf': '"yama,integrity,apparmor"', 'i386': '"yama,integrity,apparmor"', 'ppc64el': '"yama,integrity,apparmor"', 's390x': '"yama,integrity,apparmor"'}>
 #
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             mark<ENFORCED>
 CONFIG_LOCK_DOWN_KERNEL                         mark<ENFORCED> flag<REVIEW>
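Review bot: the changed CONFIG_LSM policy line records no reason for dropping "loadpin"; the lines shown carry no note<> for CONFIG_LSM, while the commit message ties the change to LP #1845383. Consider adding a note<LP:#1845383> entry for CONFIG_LSM next to the mark lines, in the same form patch 3 uses for CONFIG_SECURITY_SAFESETID, so the annotations file itself explains why the list no longer names loadpin.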
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index a8d8746194fe..3fe1950d0fff 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -5201,7 +5201,7 @@ CONFIG_LPARCFG=y
 # CONFIG_LP_CONSOLE is not set
 CONFIG_LRU_CACHE=m
 CONFIG_LSI_ET1011C_PHY=m
-CONFIG_LSM="yama,loadpin,integrity,apparmor"
+CONFIG_LSM="yama,integrity,apparmor"
 CONFIG_LSM_MMAP_MIN_ADDR=0
 CONFIG_LS_SCFG_MSI=y
 CONFIG_LTC1660=m
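Review bot: neither this hunk nor the commit message says whether removing "loadpin" from the CONFIG_LSM string changes anything on a kernel built with CONFIG_SECURITY_LOADPIN disabled. If the entry had no effect, say so in the commit message so the change reads as a pure cleanup; if it had one, describe it. It is also worth stating that the relative order of the remaining entries, "yama,integrity,apparmor", is unchanged.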
--
2.17.1



[PATCH 2/3] LSM: SafeSetID: Stop releasing uninitialized ruleset

Tyler Hicks-2
In reply to this post by Tyler Hicks-2
From: Micah Morton <[hidden email]>

BugLink: https://launchpad.net/bugs/1845391

The first time a rule set is configured for SafeSetID, we shouldn't be
trying to release the previously configured ruleset, since there isn't
one. Currently, the pointer that would point to a previously configured
ruleset is uninitialized on first rule set configuration, leading to a
crash when we try to call release_ruleset with that pointer.

Acked-by: Jann Horn <[hidden email]>
Signed-off-by: Micah Morton <[hidden email]>

(cherry picked from commit 21ab8580b383f27b7f59b84ac1699cb26d6c3d69)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 security/safesetid/securityfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
index d568e17dd773..74a13d432ed8 100644
--- a/security/safesetid/securityfs.c
+++ b/security/safesetid/securityfs.c
@@ -187,7 +187,8 @@ static ssize_t handle_policy_update(struct file *file,
 out_free_buf:
  kfree(buf);
 out_free_pol:
- release_ruleset(pol);
+ if (pol)
+                release_ruleset(pol);
  return err;
 }
 
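Review bot: the new if (pol) test at out_free_pol only helps when pol is NULL on the first policy write, yet the commit message calls the pointer "uninitialized"; a pointer holding an arbitrary value would pass this test and still reach release_ruleset(). The hunk does not show where pol is assigned, so please confirm that every path reaching out_free_pol leaves pol either NULL or pointing at a valid ruleset, and consider saying NULL in the message. Minor style point: the release_ruleset(pol); line appears to be indented with spaces where the neighbouring lines use a tab; for a cherry-pick, staying identical to the upstream commit is a reasonable choice.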
--
2.17.1



[PATCH 3/3] UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default

Tyler Hicks-2
In reply to this post by Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1845391

We can safely build the SafeSetID LSM while leaving it turned off by
default. It will be off by default due to CONFIG_LSM not containing
"safesetid" in our kernel configs. A security-minded system integrator
may want to make use of SafeSetID and can do so by enabling it with the
"lsm" kernel command-line parameter.

Signed-off-by: Tyler Hicks <[hidden email]>
---
 debian.master/config/annotations          | 4 ++--
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index ff5c7c95f3dc..093107b7ea40 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT           policy<{'amd64': 'y', 'arm64': '
 CONFIG_SECURITY_APPARMOR_DEBUG                  policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITY_LOADPIN                         policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITY_YAMA                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SECURITY_SAFESETID                       policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_SECURITY_SAFESETID                       policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
 CONFIG_SECURITY                                 mark<ENFORCED>
 CONFIG_LSM_MMAP_MIN_ADDR                        mark<ENFORCED> flag<REVIEW>
 CONFIG_SECURITY_YAMA                            mark<ENFORCED>
-CONFIG_SECURITY_SAFESETID                       flag<REVIEW>
+CONFIG_SECURITY_SAFESETID                       mark<ENFORCED> note<LP:#1845391>
 
 # Menu: Security options >> Enable different security models >> Integrity subsystem
 CONFIG_INTEGRITY                                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
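Review bot: mark<ENFORCED> on CONFIG_SECURITY_SAFESETID pins only the build setting; the "off by default" half of the commit message depends on CONFIG_LSM, which this hunk does not touch and which note<LP:#1845391> does not mention. Consider recording next to this entry that "safesetid" is meant to stay out of CONFIG_LSM, so that a later edit of the LSM list does not enable it unnoticed. The same line drops flag<REVIEW>; the commit message could say that the review is considered complete.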
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 3fe1950d0fff..9baba5706552 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -8404,7 +8404,7 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
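Review bot: with CONFIG_SECURITY_SAFESETID=y the only remaining switch is the "lsm" parameter, and the commit message gives neither the value an integrator should pass nor whether the default entries "yama,integrity,apparmor" have to be repeated in it. A one-line example in the commit message or in the bug would remove the guesswork.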
--
2.17.1
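
The build-versus-enable distinction described in the cover letter and in patch 3, as an added example that is not part of the thread or of the Ubuntu kernel tree: a shell check that reports whether an LSM is built and whether it would be enabled at boot. The function names, the sample config text and the sample command lines are constructed; the model relies on the kernel's documented behaviour that "lsm=" overrides CONFIG_LSM, and it ignores per-LSM boot switches and the legacy "security=" parameter.

```shell
#!/bin/sh
# Added example (not from the thread): is an LSM built, and would it be
# enabled at boot? Function names and sample data are constructed.

# Print a config symbol's value (quotes stripped), or "n" if it is not set.
config_value() {  # $1 = kernel config text, $2 = symbol, e.g. CONFIG_LSM
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1 | tr -d '"')
    printf '%s\n' "${val:-n}"
}

# Print the value of the last lsm= parameter on a command line, if any.
cmdline_lsm() {  # $1 = kernel command line
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lsm=//p' | tail -n 1
}

# Print not-built, built-disabled or enabled for one LSM.
lsm_state() {  # $1 = config text, $2 = cmdline, $3 = LSM name, $4 = symbol
    [ "$(config_value "$1" "$4")" = y ] || { echo not-built; return 0; }
    order=$(cmdline_lsm "$2")
    # lsm= overrides CONFIG_LSM; it is not appended to it.
    [ -n "$order" ] || order=$(config_value "$1" CONFIG_LSM)
    case ",$order," in
        *",$3,"*) echo enabled ;;
        *)        echo built-disabled ;;
    esac
}

# Constructed config excerpts: before and after patch 3 (patch 1 applied).
CONFIG_BEFORE='CONFIG_LSM="yama,integrity,apparmor"
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_SECURITY_APPARMOR=y
# CONFIG_SECURITY_SAFESETID is not set'
CONFIG_AFTER='CONFIG_LSM="yama,integrity,apparmor"
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_SAFESETID=y'

S=CONFIG_SECURITY_SAFESETID
lsm_state "$CONFIG_BEFORE" 'ro quiet' safesetid "$S"
lsm_state "$CONFIG_AFTER" 'ro quiet' safesetid "$S"
lsm_state "$CONFIG_AFTER" 'ro lsm=yama,integrity,apparmor,safesetid' safesetid "$S"
# Passing only the new name drops the default entries from the list:
lsm_state "$CONFIG_AFTER" 'ro lsm=safesetid' apparmor CONFIG_SECURITY_APPARMOR
```

On a running system, feed the functions the contents of the installed kernel config and of /proc/cmdline, then compare the answer with /sys/kernel/security/lsm, which lists the LSMs that are actually active.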



Re: [PATCH 1/3] UBUNTU: [Config] loadpin shouldn't be in CONFIG_LSM

John Johansen-2
In reply to this post by Tyler Hicks-2
On 9/25/19 2:43 PM, Tyler Hicks wrote:
> BugLink: https://launchpad.net/bugs/1845383
>
> CONFIG_SECURITY_LOADPIN is disabled so it doesn't make sense to include
> "loadpin" in CONFIG_LSM.
>
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: John Johansen <[hidden email]>

> ---
>  debian.master/config/annotations          | 2 +-
>  debian.master/config/config.common.ubuntu | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index 3951b0e900d1..ff5c7c95f3dc 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -12625,7 +12625,7 @@ CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': '
>  CONFIG_LOCK_DOWN_KERNEL_FORCE                   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 's390x': 'n'}>
>  CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             policy<{'amd64': 'y', 'i386': 'y'}>
>  CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
> -CONFIG_LSM                                      policy<{'amd64': '"yama,loadpin,integrity,apparmor"', 'arm64': '"yama,loadpin,integrity,apparmor"', 'armhf': '"yama,loadpin,integrity,apparmor"', 'i386': '"yama,loadpin,integrity,apparmor"', 'ppc64el': '"yama,loadpin,integrity,apparmor"', 's390x': '"yama,loadpin,integrity,apparmor"'}>
> +CONFIG_LSM                                      policy<{'amd64': '"yama,integrity,apparmor"', 'arm64': '"yama,integrity,apparmor"', 'armhf': '"yama,integrity,apparmor"', 'i386': '"yama,integrity,apparmor"', 'ppc64el': '"yama,integrity,apparmor"', 's390x': '"yama,integrity,apparmor"'}>
>  #
>  CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             mark<ENFORCED>
>  CONFIG_LOCK_DOWN_KERNEL                         mark<ENFORCED> flag<REVIEW>
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index a8d8746194fe..3fe1950d0fff 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -5201,7 +5201,7 @@ CONFIG_LPARCFG=y
>  # CONFIG_LP_CONSOLE is not set
>  CONFIG_LRU_CACHE=m
>  CONFIG_LSI_ET1011C_PHY=m
> -CONFIG_LSM="yama,loadpin,integrity,apparmor"
> +CONFIG_LSM="yama,integrity,apparmor"
>  CONFIG_LSM_MMAP_MIN_ADDR=0
>  CONFIG_LS_SCFG_MSI=y
>  CONFIG_LTC1660=m
>



Re: [PATCH 2/3] LSM: SafeSetID: Stop releasing uninitialized ruleset

John Johansen-2
In reply to this post by Tyler Hicks-2
On 9/25/19 2:43 PM, Tyler Hicks wrote:

> From: Micah Morton <[hidden email]>
>
> BugLink: https://launchpad.net/bugs/1845391
>
> The first time a rule set is configured for SafeSetID, we shouldn't be
> trying to release the previously configured ruleset, since there isn't
> one. Currently, the pointer that would point to a previously configured
> ruleset is uninitialized on first rule set configuration, leading to a
> crash when we try to call release_ruleset with that pointer.
>
> Acked-by: Jann Horn <[hidden email]>
> Signed-off-by: Micah Morton <[hidden email]>
>
> (cherry picked from commit 21ab8580b383f27b7f59b84ac1699cb26d6c3d69)
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: John Johansen <[hidden email]>

> ---
>  security/safesetid/securityfs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
> index d568e17dd773..74a13d432ed8 100644
> --- a/security/safesetid/securityfs.c
> +++ b/security/safesetid/securityfs.c
> @@ -187,7 +187,8 @@ static ssize_t handle_policy_update(struct file *file,
>  out_free_buf:
>   kfree(buf);
>  out_free_pol:
> - release_ruleset(pol);
> + if (pol)
> +                release_ruleset(pol);
>   return err;
>  }
>  
>



Re: [PATCH 3/3] UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default

John Johansen-2
In reply to this post by Tyler Hicks-2
On 9/25/19 2:43 PM, Tyler Hicks wrote:
> BugLink: https://launchpad.net/bugs/1845391
>
> We can safely build the SafeSetID LSM while leaving it turned off by
> default. It will be off by default due to CONFIG_LSM not containing
> "safesetid" in our kernel configs. A security-minded system integrator
> may want to make use of SafeSetID and can do so by enabling it with the
> "lsm" kernel command-line parameter.
>
> Signed-off-by: Tyler Hicks <[hidden email]>

Acked-by: John Johansen <[hidden email]>

> ---
>  debian.master/config/annotations          | 4 ++--
>  debian.master/config/config.common.ubuntu | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index ff5c7c95f3dc..093107b7ea40 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT           policy<{'amd64': 'y', 'arm64': '
>  CONFIG_SECURITY_APPARMOR_DEBUG                  policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>  CONFIG_SECURITY_LOADPIN                         policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>  CONFIG_SECURITY_YAMA                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> -CONFIG_SECURITY_SAFESETID                       policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> +CONFIG_SECURITY_SAFESETID                       policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  #
>  CONFIG_SECURITY                                 mark<ENFORCED>
>  CONFIG_LSM_MMAP_MIN_ADDR                        mark<ENFORCED> flag<REVIEW>
>  CONFIG_SECURITY_YAMA                            mark<ENFORCED>
> -CONFIG_SECURITY_SAFESETID                       flag<REVIEW>
> +CONFIG_SECURITY_SAFESETID                       mark<ENFORCED> note<LP:#1845391>
>  
>  # Menu: Security options >> Enable different security models >> Integrity subsystem
>  CONFIG_INTEGRITY                                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index 3fe1950d0fff..9baba5706552 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -8404,7 +8404,7 @@ CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_NETWORK_XFRM=y
>  CONFIG_SECURITY_PATH=y
>  CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
>  CONFIG_SECURITY_SELINUX=y
>  CONFIG_SECURITY_SELINUX_AVC_STATS=y
>  CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>



ACK: [PATCH 0/3][E] LSM changes for Eoan

Steve Beattie-3
In reply to this post by Tyler Hicks-2
On Wed, Sep 25, 2019 at 09:43:51PM +0000, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1845383
> BugLink: https://launchpad.net/bugs/1845391
>
> I set out to enable building the SafeSetID LSM in our Eoan kernel and
> came across a needed bug fix and a small cleanup for the CONFIG_LSM
> value that we have in our kernel configs.
>
> None of these changes are urgent and could be deferred to E+1, if
> needed.
>
> The functional result of the patch set is that the SafeSetID LSM will be
> built but not enabled by default. A system administrator can then make
> use of SafeSetID, if desired, using the "lsm" kernel command-line
> parameter.
>
> Tyler
>
> Micah Morton (1):
>   LSM: SafeSetID: Stop releasing uninitialized ruleset
>
> Tyler Hicks (2):
>   UBUNTU: [Config] loadpin shouldn't be in CONFIG_LSM
>   UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default
>
>  debian.master/config/annotations          | 6 +++---
>  debian.master/config/config.common.ubuntu | 4 ++--
>  security/safesetid/securityfs.c           | 3 ++-
>  3 files changed, 7 insertions(+), 6 deletions(-)

Acked-by: Steve Beattie <[hidden email]>

--
Steve Beattie
<[hidden email]>
http://NxNW.org/~steve/


APPLIED: [PATCH 0/3][E] LSM changes for Eoan

Seth Forshee
In reply to this post by Tyler Hicks-2
On Wed, Sep 25, 2019 at 09:43:51PM +0000, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1845383
> BugLink: https://launchpad.net/bugs/1845391
>
> I set out to enable building the SafeSetID LSM in our Eoan kernel and
> came across a needed bug fix and a small cleanup for the CONFIG_LSM
> value that we have in our kernel configs.
>
> None of these changes are urgent and could be deferred to E+1, if
> needed.
>
> The functional result of the patch set is that the SafeSetID LSM will be
> built but not enabled by default. A system administrator can then make
> use of SafeSetID, if desired, using the "lsm" kernel command-line
> parameter.
>
> Tyler

Applied to eoan/master-next, thanks!
