From 1335fb742ecf58282a8e1d9f91c7f6e89ba4aee2 Mon Sep 17 00:00:00 2001 From: "Anton V. Boyarshinov" Date: Thu, 17 May 2018 08:30:25 +0000 Subject: [PATCH] altha: Documentation for AltHa LSM Signed-off-by: Anton V. Boyarshinov [ fix typos and misspells in documentation ] Signed-off-by: Oleg Solovyov [ note about blocking ld-linux ] Signed-off-by: Kernel Bot --- Documentation/admin-guide/LSM/AltHa.rst | 45 +++++++++++++++++++++++++ Documentation/admin-guide/LSM/index.rst | 1 + 2 files changed, 46 insertions(+) create mode 100644 Documentation/admin-guide/LSM/AltHa.rst diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst new file mode 100644 index 000000000000..34d010740bda --- /dev/null +++ b/Documentation/admin-guide/LSM/AltHa.rst @@ -0,0 +1,45 @@ +==== +AltHa +==== + +AltHa is a Linux Security Module currently has three userspace hardening options: + * ignore SUID on binaries (with exceptions possible); + * prevent running selected script interpreters in interactive mode; + * disable open file unlinking in selected dirs. + + +It is selectable at build-time with ``CONFIG_SECURITY_ALTHA``, and should be +enabled in runtime by command line option ``altha=1`` and configured +through sysctls in ``/proc/sys/kernel/altha``. + +NoSUID +============ +Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitly listed are system-wide ignored. + +Sysctl parameters and defaults: + +* ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable +* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv`` + +RestrScript +============ +There is a one way to hardening: prevent users from executing ther own arbitrary code. Traditionally it can be done setting on user-writable filesystems ``noexec`` flag. But modern script languages such as Python also can be used to write exploits or even load arbitary machine code via ``dlopen`` and users can start scripts from ``noexec`` filesystem starting interpreter directly. +Restrscript LSM submodule provides a way to restrict some programms to be executed directly, but allows to execute them as shebang handler. + +Sysctl parameters and defaults: + +* ``kernel.altha.rstrscript.enabled = 0``, set to 1 to enable +* ``kernel.altha.rstrscript.interpreters =``, colon-separated list of restricted interpreters for example: ``/lib64/ld-linux-x86-64.so.2:/usr/bin/python:/usr/bin/python3:/usr/bin/perl:/usr/bin/tclsh``. Symlinks are supported in both ways: you can set symlink to interpreter as exception and interpreter and all symlinks on it will be restricted. + +Adding ld-linux into blocking list prevents running interpreters via ``ld-linux interpreter``. + +Note: in this configuration all scripts starting with ``#!/usr/bin/env python`` will be blocked. + +OLock +============ +Unlink disabling for open files needed for Russian certification, but this is a nasty feature leading to DOS. + +Sysctl parameters and defaults: + +* ``kernel.altha.olock.enabled = 0``, set to 1 to enable +* ``kernel.altha.olock.dirs =``, colon-separated list of dirs, for example: ``/var/lib/something:/tmp/something``. diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index a6ba95fbaa9f..20b57e7adadd 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -47,3 +47,4 @@ subdirectories. tomoyo Yama SafeSetID + AltHa -- 2.40.1