Samir Bellabes | 2 Jan 14:04 2010

[RFC 0/9] snet: Security for NETwork syscalls

Hello lsm and netdev people,
I would like to submit as an RFC this Linux security module.

snet provides a mechanism to defer syscall security hooks and decisions (verdicts)
to userspace.

I believe that snet will help to get over the classical configuration
complexity of other security modules, by providing interactivity to users.
I also think that the monolithic strategy is broken with snet, as we can provide
security for other syscall categories:
 - sfs  : security for filesystem,
 - stask: security for task,
 - smem : security for memory,

In this way, and by putting abstraction on how these subsystems can talk to each
other, we may use the security combination we want: choose to run sfs and
stask, but not snet nor smem. Better, developers may investigate how to build
another security subsystem for tasks, and use the other existing ones (smem, snet..)
which they don't want to modify.

I think that interactivity is very useful for users, as they may be notified when
something is wrong and take a decision, and from userspace, the decision may be
deferred to another box. In this way, snet also has an advantage for mobile
devices, as the policy decision will be pushed to a distant server; the mobile device
will then wait for verdicts, and policy strategies are centralized.

snet has some subsystems:
 - core to init and exit the system
 - kernel/user communications (genetlink)
 - hashtable for events and verdicts, and managing functions.

Samir Bellabes | 2 Jan 14:04 2010

[RFC 1/9] lsm: add security_socket_closed()

Allow a module to update security information when a socket is closed.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 include/linux/security.h |   10 ++++++++++
 net/socket.c             |    1 +
 security/capability.c    |    5 +++++
 security/security.c      |    5 +++++
 4 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 466cbad..275dd04 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
 <at>  <at>  -974,6 +974,9  <at>  <at>  static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	 <at> sock contains the socket structure.
  *	 <at> how contains the flag indicating how future sends and receives are handled.
  *	Return 0 if permission is granted.
+ *  <at> socket_close:
+ *	Allow a module to update security informations when a socket is closed
+ *	 <at> sock is closed.
  *  <at> socket_sock_rcv_skb:
  *	Check permissions on incoming network packets.  This hook is distinct
  *	from Netfilter's IP input hooks since it is the first time that the
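Review bot: the new `@socket_close` entry documents its parameter as '@sock is closed.', which describes a state rather than the argument; the neighbouring entries use the form '@sock contains the socket structure.', so use that wording, and since there is no 'Return 0 if permission is granted.' line here, add a sentence saying the hook is void and when it runs relative to the close. Also 'informations' should be 'information' (mass noun), here and in the commit message.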
 <at>  <at>  -1673,6 +1676,7  <at>  <at>  struct security_operations {
 	int (*socket_getsockopt) (struct socket *sock, int level, int optname);
 	int (*socket_setsockopt) (struct socket *sock, int level, int optname);
 	int (*socket_shutdown) (struct socket *sock, int how);
+	void (*socket_close) (struct socket *sock);
 	int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb);
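Review bot: the member is named `socket_close` while the subject line announces `security_socket_closed()`; the LSM convention is `security_<hook>()` wrapping `ops-><hook>`, so either the wrapper should be `security_socket_close()` or the member `socket_closed`, and the doc block in the first hunk must use the same name. The member is `void`, so it cannot veto the close; that is fine for a state-update hook but should be stated in the doc block.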

Samir Bellabes | 2 Jan 14:04 2010

[RFC 2/9] Revert "lsm: Remove the socket_post_accept() hook"

This reverts commit 8651d5c0b1f874c5b8307ae2b858bc40f9f02482.

snet needs to reintroduce this hook, as it was designed to be: a hook for
updating security information on objects.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 include/linux/security.h |   13 +++++++++++++
 net/socket.c             |    2 ++
 security/capability.c    |    5 +++++
 security/security.c      |    5 +++++
 4 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 275dd04..c12a286 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
 <at>  <at>  -931,6 +931,11  <at>  <at>  static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	 <at> sock contains the listening socket structure.
  *	 <at> newsock contains the newly created server socket for connection.
  *	Return 0 if permission is granted.
+ *  <at> socket_post_accept:
+ *	This hook allows a security module to copy security
+ *	information into the newly created socket's inode.
+ *	 <at> sock contains the listening socket structure.
+ *	 <at> newsock contains the newly created server socket for connection.
  *  <at> socket_sendmsg:
  *	Check permission before transmitting a message to another socket.
  *	 <at> sock contains the socket structure.
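Review bot: the restored `@socket_post_accept` block says the hook copies security information into the new socket's inode but, unlike the `@socket_accept` entry just above it, carries no return statement; add a sentence that the hook returns void and cannot reject the connection, so it is not read as a second permission check. The commit message should also say why the rationale of the original removal in 8651d5c0b1f874c5b8307ae2b858bc40f9f02482 no longer applies now that snet consumes the hook.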
 <at>  <at>  -1667,6 +1672,8  <at>  <at>  struct security_operations {

Samir Bellabes | 2 Jan 14:04 2010

[RFC 3/9] snet: introduce security/snet, Makefile and Kconfig changes

This patch creates an entry in folder security/ and adds Kconfig and Makefile.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/Kconfig       |    1 +
 security/Makefile      |    2 ++
 security/snet/Kconfig  |   22 ++++++++++++++++++++++
 security/snet/Makefile |   13 +++++++++++++
 4 files changed, 38 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/Kconfig
 create mode 100644 security/snet/Makefile

diff --git a/security/Kconfig b/security/Kconfig
index 226b955..48e8fee 100644
--- a/security/Kconfig
+++ b/security/Kconfig
 <at>  <at>  -140,6 +140,7  <at>  <at>  config LSM_MMAP_MIN_ADDR
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
+source security/snet/Kconfig

 source security/integrity/ima/Kconfig

diff --git a/security/Makefile b/security/Makefile
index bb44e35..0870dd0 100644
--- a/security/Makefile
+++ b/security/Makefile
 <at>  <at>  -6,6 +6,7  <at>  <at>  obj-$(CONFIG_KEYS)			+= keys/
 subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux

Samir Bellabes | 2 Jan 14:04 2010

[RFC 4/9] snet: introduce snet_core.c and snet.h

This patch introduces snet_core.c, which provides main functions to start and
stop snet's subsystems:
	- snet_hooks	: LSM hooks
	- snet_netlink	: kernel-user communication (genetlink)
	- snet_event	: manages the table of protected syscalls
	- snet_verdict	: provides a wait queue for syscalls and manages verdicts
			  from userspace

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet.h |   29 ++++++++++++++++
 security/snet/snet_core.c    |   77 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet.h
 create mode 100644 security/snet/snet_core.c

diff --git a/security/snet/include/snet.h b/security/snet/include/snet.h
new file mode 100644
index 0000000..b664a47
--- /dev/null
+++ b/security/snet/include/snet.h
 <at>  <at>  -0,0 +1,29  <at>  <at> 
+#ifndef _SNET_H
+#define _SNET_H
+
+#include "snet_hooks.h"
+
+#define SNET_VERSION	0x1
+#define SNET_NAME	"snet"
+

Samir Bellabes | 2 Jan 14:04 2010

[RFC 5/9] snet: introduce snet_event.c and snet_event.h

This patch adds the snet subsystem responsible for managing events.

snet is using the word 'event' for a couple of values [syscall, protocol]. For
example, [listen, tcp] or [sendmsg, dccp] are events.
This patch introduces a hashtable 'event_hash' and operations (add/remove/search..)
in order to manage which events have to be protected.
With the help of the communication subsystem, managing orders come from
userspace.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_event.h |   20 +++
 security/snet/snet_event.c         |  229 ++++++++++++++++++++++++++++++++++++
 2 files changed, 249 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_event.h
 create mode 100644 security/snet/snet_event.c

diff --git a/security/snet/include/snet_event.h b/security/snet/include/snet_event.h
new file mode 100644
index 0000000..2c71ca7
--- /dev/null
+++ b/security/snet/include/snet_event.h
 <at>  <at>  -0,0 +1,20  <at>  <at> 
+#ifndef _SNET_EVENT_H
+#define _SNET_EVENT_H
+#include <linux/skbuff.h>
+
+extern unsigned int event_hash_size;
+
+/* manipulate the events hash table */
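Review bot: `extern unsigned int event_hash_size;` publishes an unprefixed global from a header; in the kernel's flat namespace a name this generic should carry the module prefix (`snet_event_hash_size`), as `snet_verdict_delay` in 8/9 does, and the header should say who sets it (boot parameter or module init) and whether it may change once the table has been allocated.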

Samir Bellabes | 2 Jan 14:04 2010

[RFC 9/9] snet: introduce snet_utils.c and snet_utils.h

This patch provides helper functions for other subsystems.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_utils.h |    9 ++++++++
 security/snet/snet_utils.c         |   40 ++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_utils.h
 create mode 100644 security/snet/snet_utils.c

diff --git a/security/snet/include/snet_utils.h b/security/snet/include/snet_utils.h
new file mode 100644
index 0000000..131222a
--- /dev/null
+++ b/security/snet/include/snet_utils.h
 <at>  <at>  -0,0 +1,9  <at>  <at> 
+#ifndef _SNET_UTILS_H
+#define _SNET_UTILS_H
+
+#include <linux/types.h>
+
+const char *snet_verdict_name(const enum snet_verdict cmd);
+const char *snet_syscall_name(const enum snet_syscall sys);
+
+#endif	/* _SNET_UTILS_H */
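Review bot: the prototypes take `enum snet_verdict` and `enum snet_syscall`, but this header includes only <linux/types.h>, so neither enum is declared here; an enum cannot be forward-declared in C, so a translation unit that includes snet_utils.h before the header defining them gets 'declared inside parameter list' diagnostics. Include the defining header(s), or move both enums into one shared header, so snet_utils.h is self-contained. The `const` on the by-value parameters is noise in a prototype and can be dropped.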
diff --git a/security/snet/snet_utils.c b/security/snet/snet_utils.c
new file mode 100644
index 0000000..6bfdcf6
--- /dev/null
+++ b/security/snet/snet_utils.c

Samir Bellabes | 2 Jan 14:04 2010

[RFC 6/9] snet: introduce snet_hooks.c and snet_hook.h

This patch adds the snet LSM subsystem.

snet_hooks provides the security hook functions and the security_operations
structure. Currently hook functions are only related to the network stack.

For each hook function, there is a generic mechanism:
 0. check if the event [syscall, protocol] is registered
 1. prepare information for userspace
 2. send information to userspace (snet_netlink)
 3. wait for verdict from userspace (snet_verdict)
 4. apply verdict for the syscall

Steps 3 and 4 are only valid for LSM hooks which return a value (a way to
'filter' the syscall). For hooks returning 'void', steps 3 and 4 don't exist,
but snet sends security information to userspace (step 2) to update the global
security policy.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_hooks.h |   28 ++
 security/snet/snet_hooks.c         |  686 ++++++++++++++++++++++++++++++++++++
 2 files changed, 714 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_hooks.h
 create mode 100644 security/snet/snet_hooks.c

diff --git a/security/snet/include/snet_hooks.h b/security/snet/include/snet_hooks.h
new file mode 100644
index 0000000..fbda5ed
--- /dev/null
+++ b/security/snet/include/snet_hooks.h

Samir Bellabes | 2 Jan 14:04 2010

[RFC 8/9] snet: introduce snet_verdict.c and snet_verdict.h

This patch adds the snet subsystem responsible for managing verdicts.

snet is using the word 'verdict' for the return value of LSM hooks.
Different states exist (grant/deny/pending/none).

This patch introduces a hashtable 'verdict_hash' and operations (set/get/search..)
in order to manage verdicts. Syscalls wait, inside a classical waitqueue,
for their verdicts or for a timeout. The timeout value and the default verdict
policy are configurable at boot.
With the help of the communication subsystem, verdicts come from userspace.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_verdict.h |   33 ++++++
 security/snet/snet_verdict.c         |  210 ++++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_verdict.h
 create mode 100644 security/snet/snet_verdict.c

diff --git a/security/snet/include/snet_verdict.h b/security/snet/include/snet_verdict.h
new file mode 100644
index 0000000..fd9a5e5
--- /dev/null
+++ b/security/snet/include/snet_verdict.h
 <at>  <at>  -0,0 +1,33  <at>  <at> 
+#ifndef _SNET_VERDICT_H
+#define _SNET_VERDICT_H
+
+extern unsigned int verdict_hash_size;
+extern unsigned int snet_verdict_delay;
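Review bot: `verdict_hash_size` and `snet_verdict_delay` are declared side by side with different naming conventions; prefix both with `snet_`. Since the commit message says the timeout is boot-configurable, a one-line comment on `snet_verdict_delay` giving its unit (jiffies, milliseconds, seconds) would spare callers of the wait path a trip into snet_verdict.c.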
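The five-step hook mechanism described in RFC 6/9 and the verdict lifecycle of RFC 8/9 (pending state, wait bounded by a timeout, boot-time default policy) can be exercised outside the kernel. The following is an added user-space model written for this page, not code from the snet patches: the enumerator names, the `snet_model` struct, the tick-based polling that stands in for the waitqueue, and the per-syscall slot id are all assumptions of the model. It shows the one decision a defender must make when verdicts come from userspace: what happens when the verdict never arrives (default deny is fail-closed, default grant is fail-open), and why a verdict slot must be cleared after use so a later syscall cannot inherit a stale decision.

```c
/*
 * Added example (not part of the snet patch set): a user-space model of the
 * hook mechanism from RFC 6/9 and the verdict lifecycle from RFC 8/9.
 * An event [syscall, protocol] is intercepted only if registered (step 0);
 * the hook records a PENDING verdict (steps 1-2), waits for userspace
 * (step 3) and applies the verdict, or the boot-time default on timeout
 * (step 4). All names below are assumptions of this model.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum snet_syscall { SNET_SYS_LISTEN, SNET_SYS_SENDMSG, SNET_SYS_MAX };   /* assumed names */
enum snet_proto   { SNET_PROTO_TCP, SNET_PROTO_DCCP, SNET_PROTO_MAX };   /* assumed names */
enum snet_verdict { SNET_VERDICT_NONE, SNET_VERDICT_PENDING,
		    SNET_VERDICT_GRANT, SNET_VERDICT_DENY };             /* states listed in 8/9 */

#define SNET_VERDICT_SLOTS 8

struct snet_model {
	unsigned char registered[SNET_SYS_MAX][SNET_PROTO_MAX]; /* event table (5/9) */
	enum snet_verdict verdict[SNET_VERDICT_SLOTS];          /* verdict table (8/9) */
	enum snet_verdict default_verdict;                      /* boot-time policy */
	unsigned int delay_ticks;                               /* boot-time timeout */
	uint32_t next_id;                                       /* per-syscall slot key (assumption) */
};

/* Stand-in for userspace: polled once per tick while the hook waits.
 * Returns GRANT or DENY once decided, NONE while still undecided. */
typedef enum snet_verdict (*snet_userspace_fn)(uint32_t id, unsigned int tick, void *ctx);

static void snet_model_init(struct snet_model *m, enum snet_verdict default_verdict,
			    unsigned int delay_ticks)
{
	memset(m, 0, sizeof(*m));
	m->default_verdict = default_verdict;
	m->delay_ticks = delay_ticks;
}

/* Order from userspace (5/9): protect the event [syscall, protocol]. */
static void snet_event_register(struct snet_model *m, enum snet_syscall sys, enum snet_proto proto)
{
	m->registered[sys][proto] = 1;
}

/* Generic filtering hook (6/9, steps 0-4). Returns 0 to grant, -EPERM to deny. */
static int snet_hook(struct snet_model *m, enum snet_syscall sys, enum snet_proto proto,
		     snet_userspace_fn userspace, void *ctx)
{
	uint32_t id;
	enum snet_verdict v = SNET_VERDICT_PENDING;
	unsigned int tick;

	if (!m->registered[sys][proto])            /* step 0: unprotected event passes through */
		return 0;

	id = m->next_id++ % SNET_VERDICT_SLOTS;     /* steps 1-2: publish a pending verdict */
	m->verdict[id] = SNET_VERDICT_PENDING;

	for (tick = 0; tick < m->delay_ticks && v == SNET_VERDICT_PENDING; tick++) {
		enum snet_verdict reply = userspace(id, tick, ctx);   /* step 3: wait */
		if (reply == SNET_VERDICT_GRANT || reply == SNET_VERDICT_DENY)
			v = reply;
	}
	if (v == SNET_VERDICT_PENDING)             /* timeout: boot-time default applies */
		v = m->default_verdict;

	m->verdict[id] = SNET_VERDICT_NONE;        /* clear the slot: no stale verdict reuse */
	return v == SNET_VERDICT_GRANT ? 0 : -EPERM;   /* step 4: apply to the syscall */
}

/* Constructed userspace behaviour: answers 'verdict' from tick 'at_tick' onward. */
struct snet_reply { enum snet_verdict verdict; unsigned int at_tick; };

static enum snet_verdict snet_reply_fn(uint32_t id, unsigned int tick, void *ctx)
{
	const struct snet_reply *r = ctx;
	(void)id;
	return tick >= r->at_tick ? r->verdict : SNET_VERDICT_NONE;
}

/* One scenario end to end on [listen, tcp]; returns the hook's return value. */
int snet_scenario(enum snet_verdict default_verdict, unsigned int delay_ticks, int registered,
		  enum snet_verdict reply, unsigned int reply_tick)
{
	struct snet_model m;
	struct snet_reply r = { reply, reply_tick };

	snet_model_init(&m, default_verdict, delay_ticks);
	if (registered)
		snet_event_register(&m, SNET_SYS_LISTEN, SNET_PROTO_TCP);
	return snet_hook(&m, SNET_SYS_LISTEN, SNET_PROTO_TCP, snet_reply_fn, &r);
}

int main(void)
{
	printf("unregistered event     -> %d\n", snet_scenario(SNET_VERDICT_DENY, 5, 0, SNET_VERDICT_DENY, 0));
	printf("grant at tick 2        -> %d\n", snet_scenario(SNET_VERDICT_DENY, 5, 1, SNET_VERDICT_GRANT, 2));
	printf("deny at tick 1         -> %d\n", snet_scenario(SNET_VERDICT_GRANT, 5, 1, SNET_VERDICT_DENY, 1));
	printf("timeout, default deny  -> %d\n", snet_scenario(SNET_VERDICT_DENY, 5, 1, SNET_VERDICT_GRANT, 9));
	printf("timeout, default grant -> %d\n", snet_scenario(SNET_VERDICT_GRANT, 5, 1, SNET_VERDICT_DENY, 9));
	return 0;
}
```

With a delay of five ticks, a reply promised for tick 9 never arrives, so the last two scenarios are decided purely by the default policy; that is the knob the cover letter's "policy decision pushed to a distant server" design turns into a fail-open or fail-closed device when the server is unreachable.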

Samir Bellabes | 2 Jan 14:04 2010

[RFC 7/9] snet: introduce snet_netlink.c and snet_netlink.h

This patch adds the snet communication subsystem.

snet_netlink is using genetlink for sending/receiving messages to/from userspace.
The genetlink operations permit receiving orders to manage the table of events
- events are values [syscall, protocol] - which is used to know which syscalls
and protocols have to be protected. genl operations are also used to manage
communication of events to userspace, and to receive the related verdict.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_netlink.h |  201 +++++++++++++
 security/snet/snet_netlink.c         |  541 ++++++++++++++++++++++++++++++++++
 2 files changed, 742 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_netlink.h
 create mode 100644 security/snet/snet_netlink.c

diff --git a/security/snet/include/snet_netlink.h b/security/snet/include/snet_netlink.h
new file mode 100644
index 0000000..d739f66
--- /dev/null
+++ b/security/snet/include/snet_netlink.h
 <at>  <at>  -0,0 +1,201  <at>  <at> 
+#ifndef _SNET_NETLINK_H
+#define _SNET_NETLINK_H
+
+/*
+ * The following payloads are supported.
+ *
+ * o VERSION:
+ *   Sent by an application to verify the snet version.


Gmane