    security,lockdown,selinux: implement SELinux lockdown · 59438b46
    Stephen Smalley authored
    Implement a SELinux hook for lockdown.  If the lockdown module is also
    enabled, then a denial by the lockdown module will take precedence over
    SELinux, so SELinux can only further restrict lockdown decisions.
    The SELinux hook only distinguishes at the granularity of integrity
    versus confidentiality similar to the lockdown module, but includes the
    full lockdown reason as part of the audit record as a hint in diagnosing
    what triggered the denial.  To support this auditing, move the
    lockdown_reasons[] string array from being private to the lockdown
    module to the security framework so that it can be used by the lsm audit
    code and so that it is always available even when the lockdown module
    is disabled.
    
    Note that the SELinux implementation allows the integrity and
    confidentiality reasons to be controlled independently from one another.
    Thus, in an SELinux policy, one could allow operations that specify
    an integrity reason while blocking operations that specify a
    confidentiality reason. The SELinux hook implementation is
    stricter than the lockdown module in validating the provided reason value.
    
    Sample AVC audit output from denials:
    avc:  denied  { integrity } for pid=3402 comm="fwupd"
     lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
     tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
    
    avc:  denied  { confidentiality } for pid=4628 comm="cp"
     lockdown_reason="/proc/kcore access"
     scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
     tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
     tclass=lockdown permissive=0
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Reviewed-by: James Morris <jamorris@linux.microsoft.com>
    [PM: some merge fuzz due to the perf hooks]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
security.h 52 KB
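
A triage sketch for the denial records quoted in the commit message, added here as an example and not part of the commit or the kernel tree: it picks `tclass=lockdown` denials out of audit lines and groups them by source domain, permission (`integrity` or `confidentiality`) and `lockdown_reason`. The function names are hypothetical, and the sample lines are constructed from the two quoted denials joined onto single lines, plus one constructed unrelated file denial.

```python
import re
from collections import Counter

# Constructed sample: the commit's two denials on single lines, plus a
# constructed non-lockdown denial that must be ignored.
SAMPLE = [
    'avc:  denied  { integrity } for pid=3402 comm="fwupd" lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0',
    'avc:  denied  { confidentiality } for pid=4628 comm="cp" lockdown_reason="/proc/kcore access" scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023 tclass=lockdown permissive=0',
    'avc:  denied  { read } for pid=100 comm="cat" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
# Values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

def lockdown_denials(lines):
    """One entry per denied lockdown permission found in the input lines."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec['result'] != 'denied' or rec.get('tclass') != 'lockdown':
            continue
        # The SELinux type (domain) is the third field of user:role:type:level.
        domain = rec['scontext'].split(':')[2]
        for perm in rec['perms']:
            out.append({
                'domain': domain,
                'perm': perm,
                'reason': rec.get('lockdown_reason', 'unknown'),
                'comm': rec.get('comm'),
                'enforced': rec.get('permissive') == '0',
            })
    return out

def summarize(lines):
    """Count denials per (domain, permission, lockdown_reason)."""
    return Counter((d['domain'], d['perm'], d['reason']) for d in lockdown_denials(lines))

if __name__ == '__main__':
    for key, count in summarize(SAMPLE).items():
        print(count, *key, sep='\t')
```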