kernel-5.15/0002-Documentation-for-AltHa-LSM.patch

From b7faaef27bb8ede32f5cf2958fa6d84976806f14 Mon Sep 17 00:00:00 2001
From: "Anton V. Boyarshinov" <boyarsh@altlinux.org>
Date: Thu, 17 May 2018 08:30:25 +0000
Subject: [PATCH 2/2] Documentation for AltHa LSM

---
 Documentation/admin-guide/LSM/AltHa.rst | 43 +++++++++++++++++++++++++
 Documentation/admin-guide/LSM/index.rst |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 Documentation/admin-guide/LSM/AltHa.rst

diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst
new file mode 100644
index 000000000000..0b2ad0c8dd17
--- /dev/null
+++ b/Documentation/admin-guide/LSM/AltHa.rst
@@ -0,0 +1,43 @@
+====
+AltHa
+====
+
+AltHa is a Linux Security Module currently has three userspace hardening options:
+    * ignore SUID on binaries (with exceptions possible);
+    * prevent running selected script interprers in interactive move;
+    * disable open file unlinking in selected dirs.
+
+
+It is selectable at build-time with ``CONFIG_SECURITY_ALTHA``, and should be
+enabled in runtime by command line option ``altha=1`` and configuded
+through sysctls in ``/proc/sys/kernel/altha``.
+
+NoSUID
+============
+Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there ara plenty of them: uncounted and sometimes unnessesary. Privileged programms are always a attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enouth granularity in SUID binaries manageent. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitally listed are system-wide ignored.
+
+Sysctl parameters and defaults:
+
+* ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable
+* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv``
+
+RestrScript
+============
+There is a one way to hardening: prevent users from executing ther own arbitrary code. Thraditionally it can be done setting on user-writable filesystems ``noexec`` flag. But modern script languages such as Python also can be used to write exploits or even load arbitary machine code via ``dlopen`` and users can start scripts from ``noexec`` filesystem starting interpreter directly.
+Restrscript LSM submodule provides a way to restrict some programms to be executed directly, but allows to execute them as shebang handler.
+
+Sysctl parameters and defaults:
+
+* ``kernel.altha.rstrscript.enabled = 0``, set to 1 to enable
+* ``kernel.altha.rstrscript.interpreters =``, colon-separated list of restricted interpreters for example: ``/usr/bin/python:/usr/bin/python3:/usr/bin/perl:/usr/bin/tclsh``. Simlinks are suporrted in both ways: you can set symlink to interpreter as exception and interpreter and all symlinks on it will be restricted.
+
+Note: in this configuration all scripts starting with ``#!/usr/bin/env python`` will be blocked.
+
+OLock
+============
+Unlink disabling for open files needed for Russian sertification, but this is a nasty feature leading to DOS.
+
+Sysctl parameters and defaults:
+
+* ``kernel.altha.olock.enabled = 0``, set to 1 to enable
+* ``kernel.altha.olock.dirs =``, colon-separated list of dirs, for example: ``/var/lib/something:/tmp/something``.
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index a6ba95fbaa9f..20b57e7adadd 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -47,3 +47,4 @@ subdirectories.
    tomoyo
    Yama
    SafeSetID
+   AltHa
-- 
2.20.1