LSM stacking (again)
Kees Cook is back with another proposal for a kernel change that would, at least in his mind, provide more security, this time by restricting the ptrace() system call. But, like his earlier symbolic link patch, this one is not being particularly well-received on linux-kernel. It has, however, sparked some discussion of a topic that seems to recur with some frequency in that venue: stacking Linux security modules (LSMs).
Cook's patch is fairly straightforward; it creates a sysctl called ptrace_scope that defaults to zero, which chooses the existing behavior. If it is set to one, though, it only allows ptrace() to be called on descendants of the tracing process. The idea is to stop a vulnerability in one program (Pidgin, say) from being used to trace another program (like Firefox or GPG-agent), which would allow extracting credentials or other sensitive information. Like the previous symlink patch, it is based on a patch that has long been in the grsecurity kernel.
As with the previous proposal, Alan Cox was quick to suggest that it be put into an LSM:
But, one problem with that plan is that LSMs do not stack. One can have SELinux, Smack, and TOMOYO enabled in a kernel, but only one—chosen at boot time—can be active. There have been discussions and proposals for LSM stacking (or chaining) along the way, but nothing has ever been merged. So, two "specialized" LSMs cannot do their separate jobs in the kernel and users will have to choose between them.
For "full-featured" solutions, like SELinux, that isn't really a problem,
as users can find or create policies to handle their security
requirements. In addition, James Morris points
out that SELinux has a boolean, allow_ptrace, to do what
Cook is trying to do: "You don't need to write any policy, just set
it [allow_ptrace] to 0
". But, for those that don't want to use
SELinux, that's no solution. As Ted Ts'o puts
it:
Yet I would really like a number of features such as this ptrace scope idea --- which I think is a useful feature, and it may be that stacking is the only way we can resolve this debate. The SELinux people will never believe that their system is too complicated, and I don't like using things that are impossible for me to understand or configure, and that doesn't seem likely to change anytime in the near future.
Others were also favorably disposed toward combining LSMs, though the
consensus seems to be for chaining LSMs in the security core rather than
stacking, as was done with SELinux and Linux capabilities
(i.e. security/commoncap.c). In the stacking model, each LSM
is responsible for calling out to any other secondary LSMs for each
security
operation, whereas chaining is "just a walk over a list of
security_operations
" calling each LSM's version from the core, as
Eric
W. Biederman described. But it's not as easy as it might seem at
first glance, as Serge E. Hallyn, who proposed a stacking mechanism in
2004, points out:
It seems that there may be some discussion of LSM stacking/chaining at the Linux security summit, as part of Cook's presentation on "widely used, but out-of-tree" security solutions, but perhaps also in a "beer BOF" that Hallyn is proposing.
The way forward for both of Cook's recent proposals looks to be as an LSM and, to that end, he has posted the Yama LSM, which incorporates the symlink protections and ptrace() limitations that he previously posted. In addition, it adds the ability to restrict hard links such that they cannot be created for files that are either sensitive (e.g. setuid) or those that are not readable and writable by the link creator. Each of these measures can be enabled separately by sysctls in /proc/sys/kernel/yama/.
While "Yama" might make one start looking for completions of an acronym
("Yet Another ..."), it is actually named for a deity: "Yama is roughly the 'lord of
death/underworld' in Buddhist and Hindu tradition, kind of over-seeing
the rehabilitation of impure entities
", Cook said. Given the number
of NAKs that his recent patch proposals have received,
calling Yama the "NAKed Access Control
system
", shows a bit of a sense of humor about the situation.
DAC, MAC, RBAC, and others would now be joined by NAC if Yama gets merged.
So far, discussion of Yama has been fairly light, and without any major
complaints. While some are rather skeptical of the protections that Cook
has been proposing, they are much less likely to care if they live in an
LSM, rather than "junk randomly spewed [all] over the tree
",
as Cox put it.
Once these simpler security
tasks are encapsulated into an LSM, Morris said,
the kernel hackers "can evaluate the possible need for some form of
stacking or a security library API
" to allow these
measures to coexist with SELinux, AppArmor, and others. Given the fairly
broad support for the LSM approach, it would seem that Yama, or some
descendant, could make it into the mainline. Whether that translates
to some kind of general mechanism for combining LSMs in interesting ways
remains to be seen—it should be worth watching, stay tuned.
| Index entries for this article | |
|---|---|
| Kernel | Security/Security modules |
| Security | Linux Security Modules (LSM) |
Posted Jun 24, 2010 4:46 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (18 responses)
The take-up by individual developers to write policies for their code instead of the distributers and the understanding level of the full policy amongst anyone who isn't responsible for writing policies full time might be low but I don't think that selinux has failed at all in penetrating the marketplace and in being a useful tool that all take advantage of. I think that the set of people that aren't using selinux or another comprehensive LSM module are fairly low. The people who are disabling selinux are just very vocal and uninterested in actually solving their security policy problem, whatever it happens to be.
Posted Jun 24, 2010 7:32 UTC (Thu)
by dlang (guest, #313)
[Link] (3 responses)
ubuntu currently ships with apparmor as it's default LSM
that knocks a huge hole through your assertian
Posted Jun 24, 2010 15:13 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (2 responses)
Posted Jun 27, 2010 15:59 UTC (Sun)
by nix (subscriber, #2304)
[Link] (1 responses)
This is even true in areas such as massive stockbroking servers, where they really do care a good bit about security. Not even there do they care enough to make SELinux work with them: what in a simpler system might be a small possibility that a config fixup might break something, in a system of the complexity of shipped SELinux policies becomes a *large* possibility in these people's eyes. So they always turn SELinux off. And I think they're right.
Probably nowhere outside the military would people care enough to fix such problems. Of course, that's where SELinux emerged from: and it's probably a good fit for there.
If we want a security framework we can configure ourselves without driving ourselves insane -- if we occasionally have demands not met by our distributors -- then something simpler, something *comprehensible* is needed.
Posted Jun 27, 2010 18:00 UTC (Sun)
by raven667 (subscriber, #5198)
[Link]
A few times I needed to make a local policy to allow an app to make syscalls it otherwise wasn't allowed to do, iterations of audit2allow made short work of it. On another instance I needed to grep through the existing security context list to find a suitable policy as one already existed and I was just a chcon away from my app working. I haven't had problems with third party apps because they tend not to come with policies so just pick up the default.
I don't think selinux is bad but there does not seem to be the amount of shared knowledge and lore that would allow people to eaisly solve problems when they come up. You can find some help via google or serverfault but the quality is sometimes poor and the most common recommendation is to turn selinux off rather than use the tools that come with to actually understand and fix the problem.
Posted Jun 24, 2010 8:04 UTC (Thu)
by mjthayer (guest, #39183)
[Link]
On the other hand, SELinux is there now, and has the advantage that it is reasonably transparent to the developer, so they don't really need to understand much about how SELinux policy works when they write their application. At the worst, if it is a third-party product, some poor person working on the installer has to worry about that.
Posted Jun 24, 2010 9:26 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (12 responses)
Posted Jun 24, 2010 14:57 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (4 responses)
Posted Jun 24, 2010 15:05 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
I see that we can broadly divide LSM hooks into: filesystem, network, CPU resources, misc.
So we can specify: "First use AppArmor to check filesystem access, but use SeLinux to check security labels on network packets".
Posted Jun 24, 2010 16:26 UTC (Thu)
by bronson (subscriber, #4806)
[Link] (2 responses)
Maybe it would be possible if all projects split their code into completely isolated modules: AppArmor-Network, AppArmor-Filesystem, etc. No interaction allowed between the Network and Filesystem modules. But I don't think that would meet SELinux's needs.
Posted Jun 24, 2010 16:54 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
A safer variation on the same theme would be to write the stacking such that each LSM only gets to check accesses that other loaded LSMs have permitted; for example "check everything with AppArmor. If AppArmor permits it, fall through to SELinux. If SELinux permits it, fall through to Yama."
If you then want to have AppArmor handle all the filesystem stuff, while SELinux only deals with networking, you have to design your AppArmor and SELinux policies to do this, and you've hopefully thought about the failure modes of doing so. If Clueless CrazyAdmin uses off-the-shelf SELinux and AppArmor policies, they get only the accesses that both LSMs believe are safe.
In practice, such a stacking method makes stacking full-fledged security modules like SELinux and Smack together rather pointless; where you benefit is with "boutique" LSMs like Yama, which aim to prevent a limited set of security flaws - you can stack Yama and SELinux, and get Yama covering everything, while SELinux only protects that part of the system that you've written policy for.
Posted Jun 24, 2010 17:41 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Why would AppArmor need to know anything about SELinux?
A special stacking-driver should think like: "Oh, we have a file request. Let's see: - we need to pass it to AppArmor first. Done, result is OK. Then we need to pass it to Yama, result is OK. So we can perform the action".
At no point AppArmor needs to know that after it returns 'OK' further checks will be carried out.
"That sounds absolutely hellish to analyze and test. Remember, we're talking about security here -- failure is far worse than a kernel panic."
Whose who need NSA certification can go and make love with SELinux.
Posted Jun 25, 2010 14:01 UTC (Fri)
by tialaramex (subscriber, #21167)
[Link] (6 responses)
It is /way/ too easy to screw up PAM configuration and get something that doesn't work, or, worse something which gives every appearance of working but turns out to inadvertently let anyone into service X with root privilges by providing a blank username and password.
If PAM is the standard to which stacked modules will be held, they're never going to get into the Linux kernel.
Posted Jun 25, 2010 14:09 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (5 responses)
Posted Jun 28, 2010 1:54 UTC (Mon)
by raven667 (subscriber, #5198)
[Link] (4 responses)
Posted Jun 28, 2010 2:16 UTC (Mon)
by dlang (guest, #313)
[Link] (2 responses)
If you believe that this is the case you should have no objection to LSM stacking as you will only want to use these major frameworks that have picked things up from the small players anyway.
the rest of us who are interested in multiple small solutions that we can understand will be your beta testers for these small modules before they can get picked up.
if the only way to try something new is to either abandon all protection from anything else, or wait until the idea gets picked up in the big framework (without anyone being able to test it until then) you have very little testing of new things
Posted Jun 28, 2010 4:36 UTC (Mon)
by raven667 (subscriber, #5198)
[Link] (1 responses)
Posted Jun 29, 2010 12:54 UTC (Tue)
by mpr22 (subscriber, #60784)
[Link]
My perspective is that we're in a "pick one" scenario, with the options being roughly:
Posted Jun 28, 2010 5:47 UTC (Mon)
by nix (subscriber, #2304)
[Link]
I think I prefer stacking, at least restrictive stacking.
Posted Jun 24, 2010 8:31 UTC (Thu)
by TRS-80 (guest, #1804)
[Link]
Posted Jun 24, 2010 15:14 UTC (Thu)
by dwheeler (guest, #1216)
[Link] (2 responses)
I think it is a *good* idea to implement what this article calls "LSM chaining" (I called it LSM stacking when I wrote such an implementation for the Linux kernel). The worries about interference are overblown. I would expect that typical use would involve one "big" module (like SELinux) that covers the general case, plus zero or more "small" modules that forbid or restrict certain specific actions. If it's cumulatively restrictive, many of the problems of figuring out what's okay to combine are quite easy.
Sure, a bad configuration/implementation can mess up security... but NOT having this capability makes it impossible to easily implement security configurations that you DO want.
And PAM shows that you CAN reasonably combine modules to produce useful effects.
Posted Jun 24, 2010 23:34 UTC (Thu)
by cesarb (subscriber, #6266)
[Link] (1 responses)
Adding restrictions is not always OK. There is always the risk of creating something like the "sendmail capabilities bug" (http://userweb.kernel.org/~morgan/sendmail-capabilities-w...).
Posted Jun 27, 2010 16:00 UTC (Sun)
by nix (subscriber, #2304)
[Link]
Posted Jun 24, 2010 15:34 UTC (Thu)
by MisterIO (guest, #36192)
[Link]
Posted Jun 25, 2010 11:38 UTC (Fri)
by jengelh (subscriber, #33263)
[Link]
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
LSM stacking (again)
What about allowing multiple LSMs to be loaded, with the limitation that they can't overlap in functionality? This allows multiple specialised LSMs to be loaded, but avoids the complexity of them having to interact with each other.
LSM stacking (again)
LSM chaining ("stacking") is a good idea
LSM chaining ("stacking") is a good idea
LSM chaining ("stacking") is a good idea
LSM stacking (again)
Dear Editor,
Yama could also be just the transcription of 山 【やま】, due to the hurdle it takes to master the topic of LSM security... ;-)
LSM stacking (again)