Making the LSM available to containers FOSDEM18 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2018

Linux Security Modules (LSM) Provide Security - Often MAC but not necessarily Kernel provides security Hooks Security field in various objects selinux, smack, apparmor, tomoyo, IMA/EVM, loadpin, yama proposed: LSMs: LandLock, CaitSith, Checmate, HardChroot, PTAGS, SimpleFlow, SafeName, WhiteEgret, shebang, S.A.R.A. - what is the LSM - an infrastructure to provide security in linux - lots of none MAC LSMs

The LSM is not namespaced And doesn’t want to be Problem The LSM is not namespaced And doesn’t want to be Container gets system LSM System Container - can’t change LSM - can’t change policy/rules - effectively boot no LSM App Container - can’t carry an LSM policy - eg. snappy fedora/RHEL – selinux ubuntu/suse - apparmor

The LSM is not namespaced and doesn’t want to be Problem The LSM is not namespaced and doesn’t want to be - at least not in the traditional sense - its keeping the system safe by restricting what the container can do to the system - not every LSM has the same reqs system vs. app confinement… - container system must work with it - any “namespacing” must apply system rules

Have multiple LSMs enforcing at the same time LSM Stacking Have multiple LSMs enforcing at the same time So how do we fix - Seems simple enough

Have multiple LSMs enforcing at the same time LSM Stacking Have multiple LSMs enforcing at the same time Minor LSM stacking merge in 4.2 And the kernel already supports stacking! - limitations only 1 major LSM - major = store state in security blob Can have - selinux + yama Or - smack + yama - apparmor + yama But not Selinux and Smack ...

Have multiple LSMs enforcing at the same time LSM Stacking Have multiple LSMs enforcing at the same time Minor LSM stacking merge in 4.2 Major LSM stacking Move security blob management into the infrastructure Casey Schaufler has been working on improving stacking - move security blobs into the infrastructure - get rid of the major/minor distinction

Problem Its not that simple Container gets system LSM System Container - can’t change LSM - can’t change policy/rules - effectively boot no LSM App Container - can’t carry an LSM policy - eg. snappy fedora/RHEL – selinux ubuntu/suse - apparmor

Kernel infrastructure not designed for sharing More Problems Kernel infrastructure not designed for sharing LSM infrastructure isn’t the only problem

Virtualize – per task default LSM More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Fix Virtualize – per task default LSM - each task gets marked with a default LSM, to virtualize legacy interfaces - inherited from parent

Kernel infrastructure not designed for sharing More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Fix Virtualize – per task default LSM Interface to set default LSM - add interface to control default LSM - also

Kernel infrastructure not designed for sharing More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* … - new versions of interfaces - tools and libs need to be updated to use them -libapparmor -libselinux - ps -Z

Kernel infrastructure not designed for sharing More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Networking secids Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* … Dynamically compose & remap - Networking area of active development/refinement - 32 bit number to carry security info – network subsystem – audit subsystem. – global – part of some LSMs policy (# exposed to userspace) – can’t get a pointer LSM infrastructure dynamically - remap and compose - system number → per LSM module number LIFE TIME issue

Kernel infrastructure not designed for sharing More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Networking secids secmark Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* … Dynamically compose & remap Extend to support multiple LSMs - secmarks visible to iptables - secmark can only carry 1 LSM type - need to support stack of types - need to define what rules should be

Kernel infrastructure not designed for sharing More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Networking secids secmark Netlabel cipso/calypso/xfrm Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* … Dynamically compose & remap Extend to support multiple LSMs ? - not designed for this - may have to be limited to one LSM - or only if all LSMs request the same label

LSM stacking is not namespacing But... LSM stacking is not namespacing - LSM stacking designed to support multiple LSMs on host system - not how containers want to use it

Current Situation with Stacking apparmor container selinux smack - all LSMs in use need to be set at boot - containers still don’t get to set their LSM - eg. fedora or policy in the container

Even Worse - LSMs aren’t namespaced yet IMA Discussing namespacing Patch to ns IMA audit Smack patches to label namespaces Per process rules SeLinux Discussing/Designing namespacing Patches to refactor/remove global state Audit wip to support namespaces Layering issues AppArmor Policy namespaces Virtualized interfaces Internal stacking - LSMs aren’t namespaced yet - the exception is apparmor within limits - namespacing issues - LXD can do apparmor system within apparmor system without LSM stacking patches

More Infastructure Problems LSM needs to be update Security blob for namespaces New hooks around interfaces Attributes (ie. xattrs) need to be namespaced Interface to setup an LSM namespace No consensus on what it means to be a container LSM infrastructure isn’t the only problem

Leveraging LSM stacking Remember the Default LSM?

Leveraging LSM stacking Remember the Default LSM? LSM stacking can call a Module multiple times extend to per task LSM namespace is a visible subset of stack module that needs to be setup from boot, can be hidden revealed only when added to stack Needs an interface Container Needs to setup the LSM namespace Additional LSM specific setup labeling mounts that are mapped in - namespacing the LSM can be done as a thin veneer

Casey Schaufler – LSM Stacking Special thanks Casey Schaufler – LSM Stacking AppArmor team IMA team Smack team Selinux team LXD team - this isn’t just the work of one individual - Casey for persistences

Questions please Thank you https://github.com/cschaufler/lsm- stacking https://github.com/jrjohansen/lsm- stacking John Johansen john.johansen@canonical.com www.canonical.com