[tomoyo-users-en 541] AKARI 1.0.30 and CaitSith 0.1.9 are available.
Tetsuo Handa
2013-02-14 14:23:55 UTC
Hello.

Several months have elapsed since the restart of the "Multiple concurrent LSMs"
proposal. While I consider that legally supporting LKM-based LSM modules
( http://lwn.net/Articles/526983/ ) improves the value of this proposal, I
decided to suppress it until this proposal arrives at Linus's tree
( http://marc.info/?l=linux-security-module&m=135903049311553&w=3 ). Instead,
I updated AKARI and CaitSith to follow the version 12 (2013/01/08) patchset.

Also, the new version of AKARI and CaitSith can now work together (other than
on Linux 2.6.29 and 2.6.30 kernels). From now on, you can enforce restriction
on some processes using AKARI while enforcing protection on specific resources
using CaitSith. This is an example usage of "Multiple concurrent LKM-based LSM
modules". ;-)

Regarding code for probing LSM hooks, it was rewritten so that both AKARI and
CaitSith can use the same code. Please test for regression about code for
probing LSM hooks, for I can't test on all possible environments.

Regarding tools packages, all tarballs are updated for rpm/deb package
management reasons (i.e. handle rpm installation error in Fedora 18, handle
missing hardening flags when compiling a deb package).

ccs-patch-1.8.3-20130214.tar.gz MD5: aaaa44ee64f36d04bfd75ebc0bd7874e
akari-1.0.30-20130214.tar.gz MD5: dddd88385c53b99cb3eb635b68753c94
caitsith-patch-0.1-20130214.tar.gz MD5: cccc3448ad2a83d03c6c611b026acd2c
ccs-tools-1.8.3-20130214.tar.gz MD5: ffff5333a3d7c4f61fb6addfbc961c65
tomoyo-tools-2.5.0-20130214.tar.gz MD5: ffff6b531ed9ac32b01722a9cd749a2f
caitsith-tools-0.1-20130214.tar.gz MD5: 3333f80afd48c7c44b56fe8748a2d143
Milton Yates
2013-02-17 19:03:33 UTC
Hi Tetsuo,

Great stuff! I understand you need to have both CaitSith and AKARI as a
module for both to work.
That's actually nice as CaitSith functionality looks great for overall
system hardening, while I have some targeted policies for
Tomoyo/CCS/AKARI that look hard to port to CaitSith and the resulting
policy would be much harder to read/maintain imo.

Is there any way to have both compiled in?

Cheers
Milton
Tetsuo Handa
2013-02-18 12:03:08 UTC
Post by Milton Yates
That's actually nice as CaitSith functionality looks great for overall
system hardening, while I have some targeted policies for
Tomoyo/CCS/AKARI that look hard to port to CaitSith and the resulting
policy would be much harder to read/maintain imo.
Is there any way to have both compiled in?
AKARI and CaitSith (LSM) are both LKM-based LSMs but cannot be built into the kernel.
TOMOYO 1.8 is a superset of AKARI and can be built into the kernel.
TOMOYO 2.x is a subset of AKARI and can be built into the kernel.
CaitSith (non-LSM) is a superset of CaitSith (LSM) and can be built into the kernel.

If you want to build them into the kernel, you need to choose either
"TOMOYO 2.x (LSM) + CaitSith (non-LSM)" or "TOMOYO 1.8 (non-LSM) + CaitSith
(non-LSM)". The former is a lot easier to do.

If you can accept "TOMOYO 2.x (LSM) + CaitSith (non-LSM)", then it is nothing
but following "Configure the kernel" http://caitsith.sourceforge.jp/#2.3 with

[*] TOMOYO Linux Support
(2048) Default maximal count for learning mode
(1024) Default maximal count for audit log
[ ] Activate without calling userspace policy loader.
(/sbin/tomoyo-init) Location of userspace policy loader
(/sbin/init) Trigger for calling userspace policy loader

.

If you need to use "TOMOYO 1.8 (non-LSM) + CaitSith (non-LSM)", then you need
to combine include/linux/ccsecurity.h and include/linux/caitsith.h (e.g. from

static inline int ccs_xxx_permission(xxx)
{
	int (*func) (xxx) = ccsecurity_ops.xxx_permission;
	return func ? func(xxx) : 0;
}

static inline int ccs_xxx_permission(xxx)
{
	int (*func) (xxx) = caitsith_ops.xxx_permission;
	return func ? func(xxx) : 0;
}

to

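static inline int ccs_xxx_permission(xxx)
{
	int ret;
	/* Ask TOMOYO 1.8 first and stop at the first non-zero result. */
	int (*func1) (xxx) = ccsecurity_ops.xxx_permission;
	ret = func1 ? func1(xxx) : 0;
	if (ret)
		return ret;
	/* TOMOYO 1.8 returned 0 (or has no hook registered); ask CaitSith. */
	int (*func2) (xxx) = caitsith_ops.xxx_permission;
	return func2 ? func2(xxx) : 0;
}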

) and add a few lines to some other files (e.g. security/Kconfig) in order to
include both TOMOYO 1.8 and CaitSith, resolve conflicts on symbol name prefix,
and then do menuconfig with both TOMOYO 1.8 and CaitSith enabled.

Regards.
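
The chained-hook pattern from the reply above, as an added user-space example (not code from the post or from the TOMOYO/CaitSith sources). The hook name `open_permission`, the two sample policies and the call counters are assumptions made for illustration; it shows that an unregistered hook allows by default and that the second module never sees a request the first one denied.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* User-space model: each table holds one hook; NULL means "module not loaded". */
struct hook_ops {
	int (*open_permission)(const char *path);
};
static struct hook_ops ccsecurity_ops, caitsith_ops;
static int tomoyo_calls, caitsith_calls;	/* how often each module was consulted */

/* Constructed policy: the first module restricts access below /root/. */
static int tomoyo_open(const char *path)
{
	tomoyo_calls++;
	return strncmp(path, "/root/", 6) == 0 ? -EPERM : 0;
}

/* Constructed policy: the second module protects one specific resource. */
static int caitsith_open(const char *path)
{
	caitsith_calls++;
	return strcmp(path, "/etc/shadow") == 0 ? -EACCES : 0;
}

/* Combined wrapper: first non-zero result wins, absent hooks allow. */
static int ccs_open_permission(const char *path)
{
	int (*func1)(const char *) = ccsecurity_ops.open_permission;
	int (*func2)(const char *) = caitsith_ops.open_permission;
	int ret = func1 ? func1(path) : 0;

	if (ret)
		return ret;	/* second module is never consulted */
	return func2 ? func2(path) : 0;
}

static void load_both(void)
{
	ccsecurity_ops.open_permission = tomoyo_open;
	caitsith_ops.open_permission = caitsith_open;
}

int main(void)
{
	printf("unloaded: %d\n", ccs_open_permission("/etc/shadow"));
	load_both();
	printf("/etc/shadow: %d\n", ccs_open_permission("/etc/shadow"));
	printf("/root/key: %d (caitsith consulted %d times)\n",
	       ccs_open_permission("/root/key"), caitsith_calls);
	return 0;
}
```

Because of the short-circuit, anything the second module would log or learn about a request is lost whenever the first module denies it, which matters when reading audit logs from a stacked setup.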
