From 80c520bb46847a5e35487458901c62b1b5a86d8a Mon Sep 17 00:00:00 2001
From: Alberto Faria
Date: Fri, 19 Apr 2024 08:34:48 +0100
Subject: [PATCH 1/4] config: Enable CONFIG_SECURITY_SELINUX

A couple fixes to SELinux code are needed to account for the new TSI address family.

Signed-off-by: Alberto Faria
---
 config-libkrunfw-sev_x86_64 | 4 +-
 config-libkrunfw_aarch64 | 1 +
 config-libkrunfw_x86_64 | 4 +-
 ...-Socket-Impersonation-implementation.patch | 45 +++++++++++++++----
 4 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/config-libkrunfw-sev_x86_64 b/config-libkrunfw-sev_x86_64
index d7c58c5..f13b3f6 100644
--- a/config-libkrunfw-sev_x86_64
+++ b/config-libkrunfw-sev_x86_64
@@ -1806,7 +1806,7 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 # CONFIG_HARDENED_USERCOPY is not set
 CONFIG_FORTIFY_SOURCE=y
 # CONFIG_STATIC_USERMODEHELPER is not set
-# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
@@ -1817,7 +1817,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_LANDLOCK is not set
 # CONFIG_INTEGRITY is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,bpf"
 
 #
 # Kernel hardening options
diff --git a/config-libkrunfw_aarch64 b/config-libkrunfw_aarch64
index 1d5fb2b..96d2005 100644
--- a/config-libkrunfw_aarch64
+++ b/config-libkrunfw_aarch64
@@ -2619,6 +2619,7 @@ CONFIG_KEY_DH_OPERATIONS=y
 # CONFIG_HARDENED_USERCOPY is not set
 # CONFIG_FORTIFY_SOURCE is not set
 # CONFIG_STATIC_USERMODEHELPER is not set
+CONFIG_SECURITY_SELINUX=y
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index 8fb4eb1..8d59f3b 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
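Review bot: Flipping `CONFIG_SECURITY_SELINUX=y` here (and identically in config-libkrunfw_x86_64) leaves SELinux's sub-options unpinned, so `make olddefconfig` will take their Kconfig defaults silently; in recent kernels I believe that means `SECURITY_SELINUX_DEVELOP=y` (runtime permissive switching) and `SECURITY_SELINUX_BOOTPARAM=n`, plus `AVC_STATS`, `SIDTAB_HASH_BITS` and `SID2STR_CACHE_SIZE`. For the SEV config in particular these choices are part of the measured guest kernel, so I would record them explicitly, e.g. `CONFIG_SECURITY_SELINUX_DEVELOP=y` and `# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set`, instead of inheriting whatever the kernel version defaults to. Regenerating the file with `olddefconfig` after the edit would place them correctly and keep the three configs in sync with the tree.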
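Review bot: The aarch64 hunk inserts `CONFIG_SECURITY_SELINUX=y` by hand where no `# CONFIG_SECURITY_SELINUX is not set` line existed, and the neighbouring `SMACK`/`TOMOYO`/`APPARMOR` lines present in the x86 context are missing here as well. Kconfig omits those lines only when a symbol's dependencies are unmet, which suggests `CONFIG_SECURITY` (or `SECURITY_NETWORK`/`AUDIT`/`INET`, which SELinux depends on) is not enabled in config-libkrunfw_aarch64; if so, `olddefconfig` will drop the new line and the aarch64 kernel gains no SELinux, even though `CONFIG_LSM` already listed `selinux`. Please confirm with `grep -E '^CONFIG_(SECURITY|SECURITY_NETWORK|AUDIT)=y' config-libkrunfw_aarch64`, enable what is missing, and regenerate the config so the result matches the commit title.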
@@ -1812,7 +1812,7 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 # CONFIG_HARDENED_USERCOPY is not set
 CONFIG_FORTIFY_SOURCE=y
 # CONFIG_STATIC_USERMODEHELPER is not set
-# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
@@ -1823,7 +1823,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_LANDLOCK is not set
 # CONFIG_INTEGRITY is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,bpf"
 
 #
 # Kernel hardening options
diff --git a/patches/0010-Transparent-Socket-Impersonation-implementation.patch b/patches/0010-Transparent-Socket-Impersonation-implementation.patch
index d1913a1..9a56ad9 100644
--- a/patches/0010-Transparent-Socket-Impersonation-implementation.patch
+++ b/patches/0010-Transparent-Socket-Impersonation-implementation.patch
@@ -22,15 +22,17 @@ TODO - implement remote [get|set]sockopt
 
 Signed-off-by: Sergio Lopez
 ---
- include/linux/socket.h | 4 +-
- net/Kconfig | 1 +
- net/Makefile | 1 +
- net/socket.c | 1 +
- net/tsi/Kconfig | 7 +
- net/tsi/Makefile | 4 +
- net/tsi/af_tsi.c | 1280 ++++++++++++++++++++++++++++++++++++++++
- net/tsi/af_tsi.h | 100 ++++
- 8 files changed, 1397 insertions(+), 1 deletion(-)
+ include/linux/socket.h | 4 +-
+ net/Kconfig | 1 +
+ net/Makefile | 1 +
+ net/socket.c | 1 +
+ net/tsi/Kconfig | 7 +
+ net/tsi/Makefile | 4 +
+ net/tsi/af_tsi.c | 1280 +++++++++++++++++++++++++++
+ net/tsi/af_tsi.h | 100 +++
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/classmap.h | 2 +-
+ 10 files changed, 1399 insertions(+), 3 deletions(-)
 create mode 100644 net/tsi/Kconfig
 create mode 100644 net/tsi/Makefile
 create mode 100644 net/tsi/af_tsi.c
@@ -1507,6 +1509,31 @@ index 000000000000..cf381734bebe
 +} __attribute__((packed));
 +
 +#endif
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 53cfeefb2f19..428801687e5c 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1295,7 +1295,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
+ return SECCLASS_XDP_SOCKET;
+ case PF_MCTP:
+ return SECCLASS_MCTP_SOCKET;
+-#if PF_MAX > 46
++#if PF_MAX > 47
+ #error New address family defined, please update this function.
+ #endif
+ }
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index a3c380775d41..06cb017611f8 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -259,6 +259,6 @@ const struct security_class_mapping secclass_map[] = {
+ { NULL }
+ };
+ 
+-#if PF_MAX > 46
++#if PF_MAX > 47
+ #error New address family defined, please update secclass_map.
+ #endif
-- 
2.43.0

From 6d167507fa360905846aaa4b2869d34991e321cd Mon Sep 17 00:00:00 2001
From: Alberto Faria
Date: Fri, 19 Apr 2024 10:14:52 +0100
Subject: [PATCH 2/4] config: Enable CONFIG_EXT4_FS_SECURITY

Signed-off-by: Alberto Faria
---
 config-libkrunfw-sev_x86_64 | 2 +-
 config-libkrunfw_x86_64 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config-libkrunfw-sev_x86_64 b/config-libkrunfw-sev_x86_64
index f13b3f6..37450d4 100644
--- a/config-libkrunfw-sev_x86_64
+++ b/config-libkrunfw-sev_x86_64
@@ -1652,7 +1652,7 @@ CONFIG_FS_IOMAP=y
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 # CONFIG_EXT4_FS_POSIX_ACL is not set
-# CONFIG_EXT4_FS_SECURITY is not set
+CONFIG_EXT4_FS_SECURITY=y
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index 8d59f3b..7e33fc8 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
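Review bot: Bumping both `#if PF_MAX > 46` guards to `47` silences the check without doing what the `#error` text asks for: no `case` for the new TSI family is added to `socket_type_to_security_class()` and no class is added to `secclass_map`, so TSI sockets will fall through to the function's generic fallback after the switch (the `return SECCLASS_SOCKET`, outside this hunk) and policy cannot tell them apart from any other unclassified socket. If that is the intended trade-off for a minimal guest, say so in a comment next to the guard; otherwise add `case PF_TSI: return SECCLASS_TSI_SOCKET;` (using whatever name the patch gives the family in include/linux/socket.h) before the guard in hooks.c, and `{ "tsi_socket", { COMMON_SOCK_PERMS, NULL } },` before the `{ NULL }` terminator in classmap.h following the existing `xdp_socket`/`mctp_socket` entries, which is what generates `SECCLASS_TSI_SOCKET`. Bear in mind that a policy unaware of the new class falls back to its `handle_unknown` setting, so a deny-unknown policy would refuse TSI sockets until it is rebuilt. The enclosing `socket_type_to_security_class()` starts and ends outside the hunk.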
@@ -1653,7 +1653,7 @@ CONFIG_FS_IOMAP=y
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 # CONFIG_EXT4_FS_POSIX_ACL is not set
-# CONFIG_EXT4_FS_SECURITY is not set
+CONFIG_EXT4_FS_SECURITY=y
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
From f238cf736e7ed227fab00967b041484964a10210 Mon Sep 17 00:00:00 2001
From: Alberto Faria
Date: Fri, 19 Apr 2024 07:47:54 +0100
Subject: [PATCH 3/4] config: Enable CONFIG_XFS_FS

Signed-off-by: Alberto Faria
---
 config-libkrunfw-sev_x86_64 | 2 +-
 config-libkrunfw_aarch64 | 2 +-
 config-libkrunfw_x86_64 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config-libkrunfw-sev_x86_64 b/config-libkrunfw-sev_x86_64
index 37450d4..14ee07f 100644
--- a/config-libkrunfw-sev_x86_64
+++ b/config-libkrunfw-sev_x86_64
@@ -1659,7 +1659,7 @@ CONFIG_JBD2=y
 CONFIG_FS_MBCACHE=y
 # CONFIG_REISERFS_FS is not set
 # CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
+CONFIG_XFS_FS=y
 # CONFIG_GFS2_FS is not set
 # CONFIG_BTRFS_FS is not set
 # CONFIG_NILFS2_FS is not set
diff --git a/config-libkrunfw_aarch64 b/config-libkrunfw_aarch64
index 96d2005..526e3d5 100644
--- a/config-libkrunfw_aarch64
+++ b/config-libkrunfw_aarch64
@@ -2507,7 +2507,7 @@ CONFIG_JBD2=y
 CONFIG_FS_MBCACHE=y
 # CONFIG_REISERFS_FS is not set
 # CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
+CONFIG_XFS_FS=y
 # CONFIG_GFS2_FS is not set
 # CONFIG_OCFS2_FS is not set
 # CONFIG_BTRFS_FS is not set
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index 7e33fc8..2e9358d 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
@@ -1660,7 +1660,7 @@ CONFIG_JBD2=y
 CONFIG_FS_MBCACHE=y
 # CONFIG_REISERFS_FS is not set
 # CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
+CONFIG_XFS_FS=y
 # CONFIG_GFS2_FS is not set
 # CONFIG_BTRFS_FS is not set
 # CONFIG_NILFS2_FS is not set
From 1b1154ac29b05d80e03d23e20c1fe597742bd175 Mon Sep 17 00:00:00 2001
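Review bot: The commit message gives no reason for `CONFIG_EXT4_FS_SECURITY=y`; it is what lets ext4 store `security.*` extended attributes, which SELinux needs to persist file labels (`security.selinux`), so a one-line rationale tying it to the SELinux commit would help future readers. Only the two x86 configs are touched while the previous commit also enables SELinux on aarch64, so please confirm config-libkrunfw_aarch64 already carries `CONFIG_EXT4_FS_SECURITY=y`; without it an ext4 root on aarch64 cannot be labelled and SELinux would be of little use there.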
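Review bot: `CONFIG_XFS_FS=y` is added in all three configs without pinning XFS's sub-options, so `olddefconfig` will take the defaults; in current kernels that includes, as far as I recall, `CONFIG_XFS_SUPPORT_V4=y`, the deprecated non-checksummed (crc=0) on-disk format that the kernel's own Kconfig help steers new deployments away from. If guests may mount images that are not under the host's control, I would add `# CONFIG_XFS_SUPPORT_V4 is not set` explicitly unless V4 images are actually required, and decide `CONFIG_XFS_POSIX_ACL`/`CONFIG_XFS_QUOTA` deliberately rather than by default. The commit message is empty; a sentence on why XFS is needed in the libkrunfw guest kernel would help.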
From: Alberto Faria
Date: Fri, 19 Apr 2024 10:24:50 +0100
Subject: [PATCH 4/4] Enable CONFIG_VFAT_FS and CONFIG_NLS_{CODEPAGE_437,ISO8859_1}

Signed-off-by: Alberto Faria
---
 config-libkrunfw-sev_x86_64 | 6 +++---
 config-libkrunfw_aarch64 | 6 ++++--
 config-libkrunfw_x86_64 | 6 +++---
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/config-libkrunfw-sev_x86_64 b/config-libkrunfw-sev_x86_64
index 14ee07f..0b2786e 100644
--- a/config-libkrunfw-sev_x86_64
+++ b/config-libkrunfw-sev_x86_64
@@ -1698,7 +1698,7 @@ CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
 # DOS/FAT/EXFAT/NT Filesystems
 #
 # CONFIG_MSDOS_FS is not set
-# CONFIG_VFAT_FS is not set
+CONFIG_VFAT_FS=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_NTFS_FS is not set
 # CONFIG_NTFS3_FS is not set
@@ -1733,7 +1733,7 @@ CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_NETWORK_FILESYSTEMS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="utf8"
-# CONFIG_NLS_CODEPAGE_437 is not set
+CONFIG_NLS_CODEPAGE_437=y
 # CONFIG_NLS_CODEPAGE_737 is not set
 # CONFIG_NLS_CODEPAGE_775 is not set
 # CONFIG_NLS_CODEPAGE_850 is not set
@@ -1757,7 +1757,7 @@ CONFIG_NLS_DEFAULT="utf8"
 # CONFIG_NLS_CODEPAGE_1250 is not set
 # CONFIG_NLS_CODEPAGE_1251 is not set
 # CONFIG_NLS_ASCII is not set
-# CONFIG_NLS_ISO8859_1 is not set
+CONFIG_NLS_ISO8859_1=y
 # CONFIG_NLS_ISO8859_2 is not set
 # CONFIG_NLS_ISO8859_3 is not set
 # CONFIG_NLS_ISO8859_4 is not set
diff --git a/config-libkrunfw_aarch64 b/config-libkrunfw_aarch64
index 526e3d5..a2eea6e 100644
--- a/config-libkrunfw_aarch64
+++ b/config-libkrunfw_aarch64
@@ -2564,7 +2564,7 @@ CONFIG_CACHEFILES=y
 # DOS/FAT/EXFAT/NT Filesystems
 #
 # CONFIG_MSDOS_FS is not set
-# CONFIG_VFAT_FS is not set
+CONFIG_VFAT_FS=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_NTFS_FS is not set
 # CONFIG_NTFS3_FS is not set
@@ -2594,7 +2594,9 @@ CONFIG_CONFIGFS_FS=y
 
 # CONFIG_MISC_FILESYSTEMS is not set
 # CONFIG_NETWORK_FILESYSTEMS is not set
-# CONFIG_NLS is not set
+CONFIG_NLS=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
 # CONFIG_DLM is not set
 CONFIG_UNICODE=y
 # CONFIG_UNICODE_NORMALIZATION_SELFTEST is not set
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index 2e9358d..09e9bc7 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
@@ -1704,7 +1704,7 @@ CONFIG_FUSE_DAX=y
 # DOS/FAT/EXFAT/NT Filesystems
 #
 # CONFIG_MSDOS_FS is not set
-# CONFIG_VFAT_FS is not set
+CONFIG_VFAT_FS=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_NTFS_FS is not set
 # CONFIG_NTFS3_FS is not set
@@ -1739,7 +1739,7 @@ CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_NETWORK_FILESYSTEMS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="utf8"
-# CONFIG_NLS_CODEPAGE_437 is not set
+CONFIG_NLS_CODEPAGE_437=y
 # CONFIG_NLS_CODEPAGE_737 is not set
 # CONFIG_NLS_CODEPAGE_775 is not set
 # CONFIG_NLS_CODEPAGE_850 is not set
@@ -1763,7 +1763,7 @@ CONFIG_NLS_DEFAULT="utf8"
 # CONFIG_NLS_CODEPAGE_1250 is not set
 # CONFIG_NLS_CODEPAGE_1251 is not set
 # CONFIG_NLS_ASCII is not set
-# CONFIG_NLS_ISO8859_1 is not set
+CONFIG_NLS_ISO8859_1=y
 # CONFIG_NLS_ISO8859_2 is not set
 # CONFIG_NLS_ISO8859_3 is not set
 # CONFIG_NLS_ISO8859_4 is not set
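Review bot: The aarch64 hunk enables `CONFIG_NLS` without setting `CONFIG_NLS_DEFAULT`, which both x86 configs pin to `"utf8"` (visible in the context of the x86_64 hunks below), so after `olddefconfig` aarch64 will take the kernel default, `"iso8859-1"` if I remember the Kconfig correctly, and the three configs quietly diverge. For VFAT itself this is probably harmless, since FAT selects its tables via `CONFIG_FAT_DEFAULT_CODEPAGE`/`CONFIG_FAT_DEFAULT_IOCHARSET` (whose defaults, 437 and iso8859-1, are exactly the two tables enabled here), but anything that calls `load_nls_default()` would behave differently per architecture. I would add `CONFIG_NLS_DEFAULT="utf8"` here for parity and regenerate the file so the `# CONFIG_NLS_* is not set` lines appear as they do on x86.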