Eric Lee / smarc-fsl-linux-kernel

08 Sep, 2016

2 commits

  • 80a77045d   Merge tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux ... Browse Code »

    Pull more hardened usercopyfixes from Kees Cook:

    - force check_object_size() to be inline too

    - move page-spanning check behind a CONFIG since it's triggering false
    positives

    [ Changed the page-spanning config option to depend on EXPERT in the
    merge. That way it still gets build testing, and you can enable it if
    you want to, but is never enabled for "normal" configurations ]

    * tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
    usercopy: remove page-spanning test for now
    usercopy: force check_object_size() inline

    Linus Torvalds
     
  • 8e1f74ea0   usercopy: remove page-spanning test for now ... Browse Code »

    A custom allocator without __GFP_COMP that copies to userspace has been
    found in vmw_execbuf_process[1], so this disables the page-span checker
    by placing it behind a CONFIG for future work where such things can be
    tracked down later.

    [1] https://bugzilla.redhat.com/show_bug.cgi?id=1373326

    Reported-by: Vinson Lee
    Fixes: f5509cc18daa ("mm: Hardened usercopy")
    Signed-off-by: Kees Cook

    Kees Cook
     

20 Aug, 2016

1 commit

  • 6040e5765   Make the hardened user-copy code depend on having a hardened allocator ... Browse Code »

    The kernel test robot reported a usercopy failure in the new hardened
    sanity checks, due to a page-crossing copy of the FPU state into the
    task structure.

    This happened because the kernel test robot was testing with SLOB, which
    doesn't actually do the required book-keeping for slab allocations, and
    as a result the hardening code didn't realize that the task struct
    allocation was one single allocation - and the sanity checks fail.

    Since SLOB doesn't even claim to support hardening (and you really
    shouldn't use it), the straightforward solution is to just make the
    usercopy hardening code depend on the allocator supporting it.

    Reported-by: kernel test robot
    Cc: Kees Cook
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

27 Jul, 2016

1 commit

  • f5509cc18   mm: Hardened usercopy ... Browse Code »

    This is the start of porting PAX_USERCOPY into the mainline kernel. This
    is the first set of features, controlled by CONFIG_HARDENED_USERCOPY. The
    work is based on code by PaX Team and Brad Spengler, and an earlier port
    from Casey Schaufler. Additional non-slab page tests are from Rik van Riel.

    This patch contains the logic for validating several conditions when
    performing copy_to_user() and copy_from_user() on the kernel object
    being copied to/from:
    - address range doesn't wrap around
    - address range isn't NULL or zero-allocated (with a non-zero copy size)
    - if on the slab allocator:
    - object size must be less than or equal to copy size (when check is
    implemented in the allocator, which appear in subsequent patches)
    - otherwise, object must not span page allocations (excepting Reserved
    and CMA ranges)
    - if on the stack
    - object must not extend before/after the current process stack
    - object must be contained by a valid stack frame (when there is
    arch/build support for identifying stack frames)
    - object must not overlap with kernel text

    Signed-off-by: Kees Cook
    Tested-by: Valdis Kletnieks
    Tested-by: Michael Ellerman

    Kees Cook
     

21 Apr, 2016

1 commit

  • 9b091556a   LSM: LoadPin for kernel file loading restrictions ... Browse Code »

    This LSM enforces that kernel-loaded files (modules, firmware, etc)
    must all come from the same filesystem, with the expectation that
    such a filesystem is backed by a read-only device such as dm-verity
    or CDROM. This allows systems that have a verified and/or unchangeable
    filesystem to enforce module and firmware loading restrictions without
    needing to sign the files individually.

    Signed-off-by: Kees Cook
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Kees Cook
     

28 Jul, 2015

1 commit

  • 730daa164   Yama: remove needless CONFIG_SECURITY_YAMA_STACKED ... Browse Code »

    Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded
    config for Yama to be made to explicitly stack. Just selecting the main
    Yama CONFIG will allow it to work, regardless of the major LSM. Since
    distros using Yama are already forcing it to stack, this is effectively
    a no-op change.

    Additionally add MAINTAINERS entry.

    Signed-off-by: Kees Cook
    Signed-off-by: James Morris

    Kees Cook
     

16 Apr, 2015

1 commit

  • 2813893f8   kernel: conditionally support non-root users, groups and capabilities ... Browse Code »

    There are a lot of embedded systems that run most or all of their
    functionality in init, running as root:root. For these systems,
    supporting multiple users is not necessary.

    This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for
    non-root users, non-root groups, and capabilities optional. It is enabled
    under CONFIG_EXPERT menu.

    When this symbol is not defined, UID and GID are zero in any possible case
    and processes always have all capabilities.

    The following syscalls are compiled out: setuid, setregid, setgid,
    setreuid, setresuid, getresuid, setresgid, getresgid, setgroups,
    getgroups, setfsuid, setfsgid, capget, capset.

    Also, groups.c is compiled out completely.

    In kernel/capability.c, capable function was moved in order to avoid
    adding two ifdef blocks.

    This change saves about 25 KB on a defconfig build. The most minimal
    kernels have total text sizes in the high hundreds of kB rather than
    low MB. (The 25k goes down a bit with allnoconfig, but not that much.

    The kernel was booted in Qemu. All the common functionalities work.
    Adding users/groups is not possible, failing with -ENOSYS.

    Bloat-o-meter output:
    add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)

    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Iulia Manda
    Reviewed-by: Josh Triplett
    Acked-by: Geert Uytterhoeven
    Tested-by: Paul E. McKenney
    Reviewed-by: Paul E. McKenney
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Iulia Manda
     

05 Feb, 2014

1 commit

11 May, 2012

1 commit

10 Feb, 2012

1 commit

  • 2d514487f   security: Yama LSM ... Browse Code »

    This adds the Yama Linux Security Module to collect DAC security
    improvements (specifically just ptrace restrictions for now) that have
    existed in various forms over the years and have been carried outside the
    mainline kernel by other Linux distributions like Openwall and grsecurity.

    Signed-off-by: Kees Cook
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Kees Cook
     

15 Sep, 2011

1 commit

19 Jul, 2011

1 commit

  • f381c2722   integrity: move ima inode integrity data management ... Browse Code »

    Move the inode integrity data(iint) management up to the integrity directory
    in order to share the iint among the different integrity models.

    Changelog:
    - don't define MAX_DIGEST_SIZE
    - rename several globally visible 'ima_' prefixed functions, structs,
    locks, etc to 'integrity_'
    - replace '20' with SHA1_DIGEST_SIZE
    - reflect location change in appropriate Kconfig and Makefiles
    - remove unnecessary initialization of iint_initialized to 0
    - rebased on current ima_iint.c
    - define integrity_iint_store/lock as static

    There should be no other functional changes.

    Signed-off-by: Mimi Zohar
    Acked-by: Serge Hallyn

    Mimi Zohar
     

22 Mar, 2011

1 commit

  • 580689601   security: select correct default LSM_MMAP_MIN_ADDR on ARM. ... Browse Code »

    The default for this is universally set to 64k, but the help says:

    For most ia64, ppc64 and x86 users with lots of address space
    a value of 65536 is reasonable and should cause no problems.
    On arm and other archs it should not be higher than 32768.

    The text is right, in that we are seeing selinux-enabled ARM targets
    that fail to launch /sbin/init because selinux blocks a memory map.
    So select the right value if we know we are building ARM.

    Signed-off-by: Paul Gortmaker
    Signed-off-by: James Morris

    Paul Gortmaker
     

29 Nov, 2010

2 commits

  • 7e70cb497   keys: add new key-type encrypted ... Browse Code »

    Define a new kernel key-type called 'encrypted'. Encrypted keys are kernel
    generated random numbers, which are encrypted/decrypted with a 'trusted'
    symmetric key. Encrypted keys are created/encrypted/decrypted in the kernel.
    Userspace only ever sees/stores encrypted blobs.

    Changelog:
    - bug fix: replaced master-key rcu based locking with semaphore
    (reported by David Howells)
    - Removed memset of crypto_shash_digest() digest output
    - Replaced verification of 'key-type:key-desc' using strcspn(), with
    one based on string constants.
    - Moved documentation to Documentation/keys-trusted-encrypted.txt
    - Replace hash with shash (based on comments by David Howells)
    - Make lengths/counts size_t where possible (based on comments by David Howells)
    Could not convert most lengths, as crypto expects 'unsigned int'
    (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long)
    - Add 'const' where possible (based on comments by David Howells)
    - allocate derived_buf dynamically to support arbitrary length master key
    (fixed by Roberto Sassu)
    - wait until late_initcall for crypto libraries to be registered
    - cleanup security/Kconfig
    - Add missing 'update' keyword (reported/fixed by Roberto Sassu)
    - Free epayload on failure to create key (reported/fixed by Roberto Sassu)
    - Increase the data size limit (requested by Roberto Sassu)
    - Crypto return codes are always 0 on success and negative on failure,
    remove unnecessary tests.
    - Replaced kzalloc() with kmalloc()

    Signed-off-by: Mimi Zohar
    Signed-off-by: David Safford
    Reviewed-by: Roberto Sassu
    Signed-off-by: James Morris

    Mimi Zohar
     
  • d00a1c72f   keys: add new trusted key-type ... Browse Code »

    Define a new kernel key-type called 'trusted'. Trusted keys are random
    number symmetric keys, generated and RSA-sealed by the TPM. The TPM
    only unseals the keys, if the boot PCRs and other criteria match.
    Userspace can only ever see encrypted blobs.

    Based on suggestions by Jason Gunthorpe, several new options have been
    added to support additional usages.

    The new options are:
    migratable= designates that the key may/may not ever be updated
    (resealed under a new key, new pcrinfo or new auth.)

    pcrlock=n extends the designated PCR 'n' with a random value,
    so that a key sealed to that PCR may not be unsealed
    again until after a reboot.

    keyhandle= specifies the sealing/unsealing key handle.

    keyauth= specifies the sealing/unsealing key auth.

    blobauth= specifies the sealed data auth.

    Implementation of a kernel reserved locality for trusted keys will be
    investigated for a possible future extension.

    Changelog:
    - Updated and added examples to Documentation/keys-trusted-encrypted.txt
    - Moved generic TPM constants to include/linux/tpm_command.h
    (David Howell's suggestion.)
    - trusted_defined.c: replaced kzalloc with kmalloc, added pcrlock failure
    error handling, added const qualifiers where appropriate.
    - moved to late_initcall
    - updated from hash to shash (suggestion by David Howells)
    - reduced worst stack usage (tpm_seal) from 530 to 312 bytes
    - moved documentation to Documentation directory (suggestion by David Howells)
    - all the other code cleanups suggested by David Howells
    - Add pcrlock CAP_SYS_ADMIN dependency (based on comment by Jason Gunthorpe)
    - New options: migratable, pcrlock, keyhandle, keyauth, blobauth (based on
    discussions with Jason Gunthorpe)
    - Free payload on failure to create key(reported/fixed by Roberto Sassu)
    - Updated Kconfig and other descriptions (based on Serge Hallyn's suggestion)
    - Replaced kzalloc() with kmalloc() (reported by Serge Hallyn)

    Signed-off-by: David Safford
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     

12 Nov, 2010

1 commit

  • eaf06b241   Restrict unprivileged access to kernel syslog ... Browse Code »

    The kernel syslog contains debugging information that is often useful
    during exploitation of other vulnerabilities, such as kernel heap
    addresses. Rather than futilely attempt to sanitize hundreds (or
    thousands) of printk statements and simultaneously cripple useful
    debugging functionality, it is far simpler to create an option that
    prevents unprivileged users from reading the syslog.

    This patch, loosely based on grsecurity's GRKERNSEC_DMESG, creates the
    dmesg_restrict sysctl. When set to "0", the default, no restrictions are
    enforced. When set to "1", only users with CAP_SYS_ADMIN can read the
    kernel syslog via dmesg(8) or other mechanisms.

    [akpm@linux-foundation.org: explain the config option in kernel.txt]
    Signed-off-by: Dan Rosenberg
    Acked-by: Ingo Molnar
    Acked-by: Eugene Teo
    Acked-by: Kees Cook
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Dan Rosenberg
     

02 Aug, 2010

1 commit

24 Nov, 2009

1 commit

  • b3a222e52   remove CONFIG_SECURITY_FILE_CAPABILITIES compile option ... Browse Code »

    As far as I know, all distros currently ship kernels with default
    CONFIG_SECURITY_FILE_CAPABILITIES=y. Since having the option on
    leaves a 'no_file_caps' option to boot without file capabilities,
    the main reason to keep the option is that turning it off saves
    you (on my s390x partition) 5k. In particular, vmlinux sizes
    came to:

    without patch fscaps=n: 53598392
    without patch fscaps=y: 53603406
    with this patch applied: 53603342

    with the security-next tree.

    Against this we must weigh the fact that there is no simple way for
    userspace to figure out whether file capabilities are supported,
    while things like per-process securebits, capability bounding
    sets, and adding bits to pI if CAP_SETPCAP is in pE are not supported
    with SECURITY_FILE_CAPABILITIES=n, leaving a bit of a problem for
    applications wanting to know whether they can use them and/or why
    something failed.

    It also adds another subtly different set of semantics which we must
    maintain at the risk of severe security regressions.

    So this patch removes the SECURITY_FILE_CAPABILITIES compile
    option. It drops the kernel size by about 50k over the stock
    SECURITY_FILE_CAPABILITIES=y kernel, by removing the
    cap_limit_ptraced_target() function.

    Changelog:
    Nov 20: remove cap_limit_ptraced_target() as it's logic
    was ifndef'ed.

    Signed-off-by: Serge E. Hallyn
    Acked-by: Andrew G. Morgan"
    Signed-off-by: James Morris

    Serge E. Hallyn
     

09 Nov, 2009

1 commit

  • 6e65f92ff   Config option to set a default LSM ... Browse Code »

    The LSM currently requires setting a kernel parameter at boot to select
    a specific LSM. This adds a config option that allows specifying a default
    LSM that is used unless overridden with the security= kernel parameter.
    If the the config option is not set the current behavior of first LSM
    to register is used.

    Signed-off-by: John Johansen
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    John Johansen
     

20 Oct, 2009

1 commit

  • 3e1c2515a   security: remove root_plug ... Browse Code »

    Remove the root_plug example LSM code. It's unmaintained and
    increasingly broken in various ways.

    Made at the 2009 Kernel Summit in Tokyo!

    Acked-by: Greg Kroah-Hartman
    Signed-off-by: James Morris

    James Morris
     

02 Sep, 2009

2 commits

19 Aug, 2009

2 commits

17 Aug, 2009

1 commit

  • 788084aba   Security/SELinux: seperate lsm specific mmap_min_addr ... Browse Code »

    Currently SELinux enforcement of controls on the ability to map low memory
    is determined by the mmap_min_addr tunable. This patch causes SELinux to
    ignore the tunable and instead use a seperate Kconfig option specific to how
    much space the LSM should protect.

    The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
    permissions will always protect the amount of low memory designated by
    CONFIG_LSM_MMAP_MIN_ADDR.

    This allows users who need to disable the mmap_min_addr controls (usual reason
    being they run WINE as a non-root user) to do so and still have SELinux
    controls preventing confined domains (like a web server) from being able to
    map some area of low memory.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

15 Aug, 2009

1 commit

22 Jul, 2009

1 commit

  • 316253406   x86, intel_txt: Intel TXT boot support ... Browse Code »

    This patch adds kernel configuration and boot support for Intel Trusted
    Execution Technology (Intel TXT).

    Intel's technology for safer computing, Intel Trusted Execution
    Technology (Intel TXT), defines platform-level enhancements that
    provide the building blocks for creating trusted platforms.

    Intel TXT was formerly known by the code name LaGrande Technology (LT).

    Intel TXT in Brief:
    o Provides dynamic root of trust for measurement (DRTM)
    o Data protection in case of improper shutdown
    o Measurement and verification of launched environment

    Intel TXT is part of the vPro(TM) brand and is also available some
    non-vPro systems. It is currently available on desktop systems based on
    the Q35, X38, Q45, and Q43 Express chipsets (e.g. Dell Optiplex 755, HP
    dc7800, etc.) and mobile systems based on the GM45, PM45, and GS45
    Express chipsets.

    For more information, see http://www.intel.com/technology/security/.
    This site also has a link to the Intel TXT MLE Developers Manual, which
    has been updated for the new released platforms.

    A much more complete description of how these patches support TXT, how to
    configure a system for it, etc. is in the Documentation/intel_txt.txt file
    in this patch.

    This patch provides the TXT support routines for complete functionality,
    documentation for TXT support and for the changes to the boot_params structure,
    and boot detection of a TXT launch. Attempts to shutdown (reboot, Sx) the system
    will result in platform resets; subsequent patches will support these shutdown modes
    properly.

    Documentation/intel_txt.txt | 210 +++++++++++++++++++++
    Documentation/x86/zero-page.txt | 1
    arch/x86/include/asm/bootparam.h | 3
    arch/x86/include/asm/fixmap.h | 3
    arch/x86/include/asm/tboot.h | 197 ++++++++++++++++++++
    arch/x86/kernel/Makefile | 1
    arch/x86/kernel/setup.c | 4
    arch/x86/kernel/tboot.c | 379 +++++++++++++++++++++++++++++++++++++++
    security/Kconfig | 30 +++
    9 files changed, 827 insertions(+), 1 deletion(-)

    Signed-off-by: Joseph Cihula
    Signed-off-by: Shane Wang
    Signed-off-by: Gang Wei
    Signed-off-by: H. Peter Anvin

    Joseph Cihula
     

04 Jun, 2009

1 commit

12 Feb, 2009

1 commit

06 Feb, 2009

2 commits

  • cb5629b10   Merge branch 'master' into next ... Browse Code »

    Conflicts:
    fs/namei.c

    Manually merged per:

    diff --cc fs/namei.c
    index 734f2b5,bbc15c2..0000000
    --- a/fs/namei.c
    +++ b/fs/namei.c
    @@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char
    nd->flags |= LOOKUP_CONTINUE;
    err = exec_permission_lite(inode);
    if (err == -EAGAIN)
    - err = vfs_permission(nd, MAY_EXEC);
    + err = inode_permission(nd->path.dentry->d_inode,
    + MAY_EXEC);
    + if (!err)
    + err = ima_path_check(&nd->path, MAY_EXEC);
    if (err)
    break;

    @@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc
    flag &= ~O_TRUNC;
    }

    - error = vfs_permission(nd, acc_mode);
    + error = inode_permission(inode, acc_mode);
    if (error)
    return error;
    +
    - error = ima_path_check(&nd->path,
    ++ error = ima_path_check(path,
    + acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
    + if (error)
    + return error;
    /*
    * An append-only file must be opened in append mode for writing.
    */

    Signed-off-by: James Morris

    James Morris
     
  • 3323eec92   integrity: IMA as an integrity service provider ... Browse Code »

    IMA provides hardware (TPM) based measurement and attestation for
    file measurements. As the Trusted Computing (TPM) model requires,
    IMA measures all files before they are accessed in any way (on the
    integrity_bprm_check, integrity_path_check and integrity_file_mmap
    hooks), and commits the measurements to the TPM. Once added to the
    TPM, measurements can not be removed.

    In addition, IMA maintains a list of these file measurements, which
    can be used to validate the aggregate value stored in the TPM. The
    TPM can sign these measurements, and thus the system can prove, to
    itself and to a third party, the system's integrity in a way that
    cannot be circumvented by malicious or compromised software.

    - alloc ima_template_entry before calling ima_store_template()
    - log ima_add_boot_aggregate() failure
    - removed unused IMA_TEMPLATE_NAME_LEN
    - replaced hard coded string length with #define name

    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     

01 Jan, 2009

1 commit

28 Aug, 2008

1 commit

  • da31894ed   securityfs: do not depend on CONFIG_SECURITY ... Browse Code »

    Add a new Kconfig option SECURITYFS which will build securityfs support
    but does not require CONFIG_SECURITY. The only current user of
    securityfs does not depend on CONFIG_SECURITY and there is no reason the
    full LSM needs to be built to build this fs.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

25 Jul, 2008

1 commit

14 Jul, 2008

2 commits

18 Apr, 2008

1 commit

  • 5f46ce14b   security: enhance DEFAULT_MMAP_MIN_ADDR description ... Browse Code »

    Got burned by setting the proposed default of 65536
    across all Debian archs.

    Thus proposing to be more specific on which archs you may
    set this. Also propose a value for arm and friends that
    doesn't break sshd.

    Reword to mention working archs ia64 and ppc64 too.

    Signed-off-by: maximilian attems
    Cc: Martin Michlmayr
    Cc: Gordon Farquharson
    Acked-by: Eric Paris
    Signed-off-by: James Morris

    maximilian attems
     

06 Feb, 2008

2 commits

  • a5ecbcb8c   security: allow Kconfig to set default mmap_min_addr protection ... Browse Code »

    Since it was decided that low memory protection from userspace couldn't
    be turned on by default add a Kconfig option to allow users/distros to
    set a default at compile time. This value is still tunable after boot
    in /proc/sys/vm/mmap_min_addr

    Discussion:
    http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.html

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • e114e4737   Smack: Simplified Mandatory Access Control Kernel ... Browse Code »

    Smack is the Simplified Mandatory Access Control Kernel.

    Smack implements mandatory access control (MAC) using labels
    attached to tasks and data containers, including files, SVIPC,
    and other tasks. Smack is a kernel based scheme that requires
    an absolute minimum of application support and a very small
    amount of configuration data.

    Smack uses extended attributes and
    provides a set of general mount options, borrowing technics used
    elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides
    a pseudo-filesystem smackfs that is used for manipulation of
    system Smack attributes.

    The patch, patches for ls and sshd, a README, a startup script,
    and x86 binaries for ls and sshd are also available on

    http://www.schaufler-ca.com

    Development has been done using Fedora Core 7 in a virtual machine
    environment and on an old Sony laptop.

    Smack provides mandatory access controls based on the label attached
    to a task and the label attached to the object it is attempting to
    access. Smack labels are deliberately short (1-23 characters) text
    strings. Single character labels using special characters are reserved
    for system use. The only operation applied to Smack labels is equality
    comparison. No wildcards or expressions, regular or otherwise, are
    used. Smack labels are composed of printable characters and may not
    include "/".

    A file always gets the Smack label of the task that created it.

    Smack defines and uses these labels:

    "*" - pronounced "star"
    "_" - pronounced "floor"
    "^" - pronounced "hat"
    "?" - pronounced "huh"

    The access rules enforced by Smack are, in order:

    1. Any access requested by a task labeled "*" is denied.
    2. A read or execute access requested by a task labeled "^"
    is permitted.
    3. A read or execute access requested on an object labeled "_"
    is permitted.
    4. Any access requested on an object labeled "*" is permitted.
    5. Any access requested by a task on an object with the same
    label is permitted.
    6. Any access requested that is explicitly defined in the loaded
    rule set is permitted.
    7. Any other access is denied.

    Rules may be explicitly defined by writing subject,object,access
    triples to /smack/load.

    Smack rule sets can be easily defined that describe Bell&LaPadula
    sensitivity, Biba integrity, and a variety of interesting
    configurations. Smack rule sets can be modified on the fly to
    accommodate changes in the operating environment or even the time
    of day.

    Some practical use cases:

    Hierarchical levels. The less common of the two usual uses
    for MLS systems is to define hierarchical levels, often
    unclassified, confidential, secret, and so on. To set up smack
    to support this, these rules could be defined:

    C Unclass rx
    S C rx
    S Unclass rx
    TS S rx
    TS C rx
    TS Unclass rx

    A TS process can read S, C, and Unclass data, but cannot write it.
    An S process can read C and Unclass. Note that specifying that
    TS can read S and S can read C does not imply TS can read C, it
    has to be explicitly stated.

    Non-hierarchical categories. This is the more common of the
    usual uses for an MLS system. Since the default rule is that a
    subject cannot access an object with a different label no
    access rules are required to implement compartmentalization.

    A case that the Bell & LaPadula policy does not allow is demonstrated
    with this Smack access rule:

    A case that Bell&LaPadula does not allow that Smack does:

    ESPN ABC r
    ABC ESPN r

    On my portable video device I have two applications, one that
    shows ABC programming and the other ESPN programming. ESPN wants
    to show me sport stories that show up as news, and ABC will
    only provide minimal information about a sports story if ESPN
    is covering it. Each side can look at the other's info, neither
    can change the other. Neither can see what FOX is up to, which
    is just as well all things considered.

    Another case that I especially like:

    SatData Guard w
    Guard Publish w

    A program running with the Guard label opens a UDP socket and
    accepts messages sent by a program running with a SatData label.
    The Guard program inspects the message to ensure it is wholesome
    and if it is sends it to a program running with the Publish label.
    This program then puts the information passed in an appropriate
    place. Note that the Guard program cannot write to a Publish
    file system object because file system semanitic require read as
    well as write.

    The four cases (categories, levels, mutual read, guardbox) here
    are all quite real, and problems I've been asked to solve over
    the years. The first two are easy to do with traditonal MLS systems
    while the last two you can't without invoking privilege, at least
    for a while.

    Signed-off-by: Casey Schaufler
    Cc: Joshua Brindle
    Cc: Paul Moore
    Cc: Stephen Smalley
    Cc: Chris Wright
    Cc: James Morris
    Cc: "Ahmed S. Darwish"
    Cc: Andrew G. Morgan
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Casey Schaufler
     

30 Jan, 2008

1 commit