Whitelist LSM #418

Closed
wants to merge 3 commits into from
Closed
7 changes: 6 additions & 1 deletion include/linux/lsm_hooks.h
Expand Up @@ -1920,5 +1920,10 @@ void __init loadpin_add_hooks(void);
#else
static inline void loadpin_add_hooks(void) { };
#endif

#ifdef CONFIG_SECURITY_WHITELIST
extern void __init whitelist_add_hooks(void);
#else
static inline void __init whitelist_add_hooks(void) { }
#endif
#
#endif /* ! __LINUX_LSM_HOOKS_H */
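Review bot: The lone `#` on the line before the closing `#endif /* ! __LINUX_LSM_HOOKS_H */` is a null directive that appears to have been added by accident; it compiles, but a blank line is what belongs there. The `#else` stub also carries `__init`, which the neighbouring `static inline void loadpin_add_hooks(void) { };` stub does not. An empty inline function needs no section annotation, so `static inline void whitelist_add_hooks(void) { }` would match the rest of the header.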
6 changes: 6 additions & 0 deletions security/Kconfig
Expand Up @@ -199,6 +199,7 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig
source security/whitelist/Kconfig

source security/integrity/Kconfig

Expand All @@ -208,6 +209,7 @@ choice
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST
default DEFAULT_SECURITY_DAC

help
Expand All @@ -226,6 +228,9 @@ choice
config DEFAULT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y

config DEFAULT_SECURITY_WHITELIST
bool "Whitelist" if SECURITY_WHITELIST=y

config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"

Expand All @@ -237,6 +242,7 @@ config DEFAULT_SECURITY
default "smack" if DEFAULT_SECURITY_SMACK
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "whitelist" if DEFAULT_SECURITY_WHITELIST
default "" if DEFAULT_SECURITY_DAC

endmenu
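Review bot: The `DEFAULT_SECURITY_WHITELIST` entries added to the default-module choice and to `DEFAULT_SECURITY` do not match how the module is wired in elsewhere in this pull request. `whitelist_add_hooks()` is called unconditionally from `security_init()` next to `yama_add_hooks()` and `loadpin_add_hooks()`, and nothing visible in `whitelist_lsm.c` consults the selected default. Choosing "Whitelist" here would therefore set `DEFAULT_SECURITY` to `"whitelist"` without changing whether the exec hook runs, and would presumably leave SELinux, Smack, TOMOYO or AppArmor unselected as the default on a kernel that builds them. Keeping only the `source security/whitelist/Kconfig` line and dropping the three choice-related additions would avoid that.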
2 changes: 2 additions & 0 deletions security/Makefile
Expand Up @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_WHITELIST) += whitelist

# always enable default capabilities
obj-y += commoncap.o
Expand All @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_WHITELIST) += whitelist/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o

# Object integrity file lists
1 change: 1 addition & 0 deletions security/security.c
Expand Up @@ -62,6 +62,7 @@ int __init security_init(void)
capability_add_hooks();
yama_add_hooks();
loadpin_add_hooks();
whitelist_add_hooks();

/*
* Load all the remaining security modules.
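--- a/security/whitelist/Kconfig
+++ b/security/whitelist/Kconfig
@@ -0,0 +1,15 @@
+config SECURITY_WHITELIST
+bool "Whitelist Security Module"
+depends on SECURITY
+depends on NET
+select SECURITYFS
+select SECURITY_PATH
+select SECURITY_NETWORK
+select SRCU
+select BUILD_BIN2C
+default n
+help
+This selects an attr-based access control.
+Binaries with a particular xattr setting will be
+permitted to be executed by non-root users.
+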
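Review bot: The help text understates what enabling this option does: the hook is registered at boot and refuses every exec by a non-root user unless the file carries the attribute, so a kernel built with `SECURITY_WHITELIST=y` on an unlabelled filesystem leaves only root able to run programs. The help should name the attribute (`user.whitelisted`), state the deny-by-default behaviour, and say that labels must be in place before such a kernel is booted. `depends on NET` and the `select` lines for `SECURITYFS`, `SECURITY_PATH`, `SECURITY_NETWORK`, `SRCU` and `BUILD_BIN2C` look copied from a larger module; `whitelist_lsm.c` in this pull request registers only `bprm_check_security` and appears to need none of them. `default n` is already the default for a `bool` and can be dropped.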
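--- a/security/whitelist/Makefile
+++ b/security/whitelist/Makefile
@@ -0,0 +1,2 @@
+obj-y = whitelist_lsm.o
+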
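--- a/security/whitelist/whitelist_lsm.c
+++ b/security/whitelist/whitelist_lsm.c
@@ -0,0 +1,64 @@
+
+#include <linux/xattr.h>
+#include <linux/binfmts.h>
+#include <linux/lsm_hooks.h>
+#include <linux/sysctl.h>
+#include <linux/ptrace.h>
+#include <linux/prctl.h>
+#include <linux/ratelimit.h>
+#include <linux/workqueue.h>
+#include <linux/string_helpers.h>
+#include <linux/task_work.h>
+#include <linux/sched.h>
+#include <linux/spinlock.h>
+
+#include <linux/lsm_hooks.h>
+
+
+/*
+* Perform a check of a program execution/map.
+*
+* Return 0 if it should be allowed, -EPERM on block.
+*/
+static int whitelist_bprm_check_security(struct linux_binprm *bprm)
+{
+// The current task & the UID it is running as.
+const struct task_struct *task = current;
+kuid_t uid = task->cred->uid;
+
+// The target we're checking
+struct dentry *dentry = bprm->file->f_path.dentry;
+struct inode *inode = d_backing_inode(dentry);
+int size = 0;
+
+// Root can access everything.
+if ( uid.val == 0 )
+return 0;
+
+size = __vfs_getxattr(dentry, inode, "user.whitelisted", NULL, 0);
+if ( size >= 0 )
+{
+printk(KERN_INFO "whitelist LSM check of %s resulted in %d bytes from 'user.whitelisted' - permitting access for UID %d\n", bprm->filename, size, uid.val );
+return 0;
+}
+
+printk(KERN_INFO "whitelist LSM check of %s denying access for UID %d [ERRO:%d] \n", bprm->filename, uid.val, size );
+return -EPERM;
+}
+
+/*
+* The hooks we wish to be installed.
+*/
+static struct security_hook_list whitelist_hooks[] = {
+LSM_HOOK_INIT(bprm_check_security, whitelist_bprm_check_security),
+};
+
+/*
+* Initialize our module.
+*/
+void __init whitelist_add_hooks(void)
+{
+/* register ourselves with the security framework */
+security_add_hooks(whitelist_hooks, ARRAY_SIZE(whitelist_hooks), "whitelist");
+printk(KERN_INFO "whitelist LSM initialized\n");
+}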
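Review bot: The allow decision in `whitelist_bprm_check_security()` rests on `user.whitelisted`, and attributes in the `user.` namespace can be set by anyone with write access to the file, so an unprivileged user can label their own binaries and the check stops restricting them. The label belongs in a namespace that needs privilege to write, such as `security.`, where the capability hooks require CAP_SYS_ADMIN for attributes they do not own; the sketch below makes that change. The root test reads `task->cred->uid` directly and compares `uid.val` with 0, where `uid_eq()` on `current_uid()` and `GLOBAL_ROOT_UID` is the usual form, and whether the real or the effective UID should decide deserves a comment. Both `printk()` calls run on every exec with a caller-chosen filename and print the unsigned UID with `%d`, so the sketch rate-limits the denial message, uses `%u`, and drops the per-exec allow message. The header comment says "execution/map", but only `bprm_check_security` is registered, so files that are mapped rather than executed are not covered by this hook.

```c
static int whitelist_bprm_check_security(struct linux_binprm *bprm)
{
	/* … unchanged: dentry / inode lookup … */
	int size;

	/* Global root only; current_uid() reads the caller's own credentials. */
	if (uid_eq(current_uid(), GLOBAL_ROOT_UID))
		return 0;

	/* security.* needs privilege to set, unlike user.* which the file's writer controls. */
	size = __vfs_getxattr(dentry, inode, XATTR_SECURITY_PREFIX "whitelisted", NULL, 0);
	if (size >= 0)
		return 0;

	pr_notice_ratelimited("whitelist LSM: denying exec of %s for UID %u (error %d)\n",
			      bprm->filename,
			      from_kuid(&init_user_ns, current_uid()), size);
	return -EPERM;
```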