From patchwork Wed Jul 3 21:25:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11030379 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7F07314DB for ; Wed, 3 Jul 2019 21:25:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6EDEB285C8 for ; Wed, 3 Jul 2019 21:25:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 630A228814; Wed, 3 Jul 2019 21:25:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 94858285C8 for ; Wed, 3 Jul 2019 21:25:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727286AbfGCVZs (ORCPT ); Wed, 3 Jul 2019 17:25:48 -0400 Received: from sonic316-13.consmr.mail.gq1.yahoo.com ([98.137.69.37]:38554 "EHLO sonic316-13.consmr.mail.gq1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727230AbfGCVZr (ORCPT ); Wed, 3 Jul 2019 17:25:47 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1562189146; bh=uDaZK+tmy6XVn6IfwbbUA4ENbB2YjAReMXHmAiytrSQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=YBh3zFZjlFJKf8nMd9VCC18rJAf8jhDEF+1ayK0dHJX0etf/Ue7e5pRuQrQfw2e1/SGvuNf44rmRiH1E8qdfo9p6D/rZq0bPnXw1OY63C6w5fbQX5BAKIT+XJGAExkLN5/VKStoMRGN3RwlO4d8MgvYKe3Dt6oGoG1zdltf6v+gFZk3OI6djsdQI3A9HT8dMHOHkJ3r29Ji6ytSvjyzI09cqAe6FMSjTKoR0AHodWSQUWDsPh8xcPVg5O8Hl5RHIFhm/d8QMTpd+YA+IHIGT45YsRfwFep2XKt5D/l9QD/C4LWm3okl2GXXKrnyTaXmIRA9K+hiPhbU+Tb7cCNeBxw== X-YMail-OSG: EtEd5gIVM1krIcgpQt7A.qWKyrC2etb1qCrK3DLb__U5lC39Xmst3.Um.U8qNt. Ay8TatSwfBLgCRZNIAIqdj4BLHkXidQBqtpDarjV7UHABB6MWOG9gtCwKeXfWCT7L3SNBuU8tSWh MX0sikCbT0tEFqYHJ.YVTPjTy2f1.6RJuBHXRCQ2ssmzPO5YFdF7gFma45MFIyACtoYV7ruMfIJT YYCB19AJ0npU69tWx1VBjfv2Eyw6agoKbFCS1VtVHkEwH2WqLhc1kj6VgbImn4oNKEwUq7L_vCFh 4uesqcSAxkCZqe6b1ljU7PERUgTEn1.Pw6RiBr9NxfTFX.fjITOl0IHAJ6tSLfe6prMA3vtQEb6_ DQXPcGyOb3MVYmZhA2BA0lfYgOT2r_t.Duezuten6a3NibdlBijMkVu.6G6ZKfOR66JHjB613yw0 B8TR_Zm1hsJWYugW_qZD1ruHs_pfir2FnKGPzf0lkn7awljXu8e0qcLbYb7it5d70TR1sCuPPM_J 6FYpW_NHxVxPvXlNlQJUK2Uv0AIfWtT2t3rXgjL7lmCsUFI_BJgjz4hyPUHZjmKXjetgYmyngaHC mVNST4jHejiOUEAcewvD07AnztfShP0QQ7j7bHogfgFAg.pR4Je4wSAgcMPz6z5iFukeoP7x7rZN 429PiDdsudo4O3Nh66mwy4Q6ZPUnjV4Dvv4duO0Sa57SzUS2ALMfeRSZ1CdK3ZJK1eTaaaczGXmd LuGOxAwh1Orp8J54nMxo0DHCJoJcSL1EEbUKNg8SW17zxlW6CU9Vv7.3MrV6fobodd77yg3U5tPK ZbXr7C4xRSppyn2eJO53vQdFCBTkA_fXOr64ezyzwhoKFR9ZNaTEsj9a6.s0c89XXvk.UIYzSEvo KMjrw5PfSytvJIt1W8BykBZraj1dHIQIdn6laTTBqLF1PUgKvg_sQty88sbLA5GREFtj9DDVW14V .GSU7xClLZfTSgtnllV4v7JYm7cFOuRhObeds4l8Dpw1_vEs8XakoWkbD6bqHwNDAWcu.6PC5rbQ X3sC37d9vxnCH.gBef0mSXFyELsMnOHL8TVqJRpDTE6HV8oqdnJKWZzmv8Qhu31AOOvnw1icaCVQ WfxOlWf3rIM30VozGyD8AxNdn_9Q4ANCVi1pjp.gDx6VY.iKefsIr32oDROXk9o3cYlCH.7xHHZ0 FgaBDumGddK_2FiXGnsLdyCqsecP8upk8_ZaLn1ryCLrCssiFfYk6_oJPQO0fHgQ.bMKGefm8.Y. INDo.M_gM2mNJj_Qb_FhnTjvYucoDSP_EwQfISwtN46sM1v3QktpX Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.gq1.yahoo.com with HTTP; Wed, 3 Jul 2019 21:25:46 +0000 Received: by smtp407.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 65d8826dfc020e8c34ff6376721f657c; Wed, 03 Jul 2019 21:25:42 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH v5 03/23] LSM: Infrastructure management of the key blob Date: Wed, 3 Jul 2019 14:25:18 -0700 Message-Id: <20190703212538.7383-4-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190703212538.7383-1-casey@schaufler-ca.com> References: <20190703212538.7383-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Casey Schaufler Move management of the key->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 40 ++++++++++++++++++++++++++++++- security/selinux/hooks.c | 23 +++++------------- security/selinux/include/objsec.h | 7 ++++++ security/smack/smack.h | 7 ++++++ security/smack/smack_lsm.c | 33 ++++++++++++------------- 6 files changed, 75 insertions(+), 36 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index b353482ea348..3fe39abccc8f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2050,6 +2050,7 @@ struct lsm_blob_sizes { int lbs_sock; int lbs_superblock; int lbs_ipc; + int lbs_key; int lbs_msg_msg; int lbs_task; }; diff --git a/security/security.c b/security/security.c index 2c0834db7976..7cfedb90210a 100644 --- a/security/security.c +++ b/security/security.c @@ -172,6 +172,9 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); +#endif lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); @@ -307,6 +310,9 @@ static void __init ordered_lsm_init(void) init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + init_debug("key blob size = %d\n", blob_sizes.lbs_key); +#endif /* CONFIG_KEYS */ init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); @@ -573,6 +579,29 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip) return 0; } +#ifdef CONFIG_KEYS +/** + * lsm_key_alloc - allocate a composite key blob + * @key: the key that needs a blob + * + * Allocate the key blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_key_alloc(struct key *key) +{ + if (blob_sizes.lbs_key == 0) { + key->security = NULL; + return 0; + } + + key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL); + if (key->security == NULL) + return -ENOMEM; + return 0; +} +#endif /* CONFIG_KEYS */ + /** * lsm_msg_msg_alloc - allocate a composite msg_msg blob * @mp: the msg_msg that needs a blob @@ -2339,12 +2368,21 @@ EXPORT_SYMBOL(security_skb_classify_flow); int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - return call_int_hook(key_alloc, 0, key, cred, flags); + int rc = lsm_key_alloc(key); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(key_alloc, 0, key, cred, flags); + if (unlikely(rc)) + security_key_free(key); + return rc; } void security_key_free(struct key *key) { call_void_hook(key_free, key); + kfree(key->security); + key->security = NULL; } int security_key_permission(key_ref_t key_ref, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5d74ed35b728..c83ec2652eda 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6353,11 +6353,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; + struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); if (tsec->keycreate_sid) @@ -6365,18 +6361,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, else ksec->sid = tsec->sid; - k->security = ksec; return 0; } -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, unsigned perm) @@ -6394,7 +6381,7 @@ static int selinux_key_permission(key_ref_t key_ref, sid = cred_sid(cred); key = key_ref_to_ptr(key_ref); - ksec = key->security; + ksec = selinux_key(key); return avc_has_perm(&selinux_state, sid, ksec->sid, SECCLASS_KEY, perm, NULL); @@ -6402,7 +6389,7 @@ static int selinux_key_permission(key_ref_t key_ref, static int selinux_key_getsecurity(struct key *key, char **_buffer) { - struct key_security_struct *ksec = key->security; + struct key_security_struct *ksec = selinux_key(key); char *context = NULL; unsigned len; int rc; @@ -6627,6 +6614,9 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct key_security_struct), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct msg_security_struct), .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), @@ -6842,7 +6832,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, selinux_key_alloc), - LSM_HOOK_INIT(key_free, selinux_key_free), LSM_HOOK_INIT(key_permission, selinux_key_permission), LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), #endif diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 29f02b8f8f31..3b78aa4ee98f 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -194,6 +194,13 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +#ifdef CONFIG_KEYS +static inline struct key_security_struct *selinux_key(const struct key *key) +{ + return key->security + selinux_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + static inline struct sk_security_struct *selinux_sock(const struct sock *sock) { return sock->sk_security + selinux_blob_sizes.lbs_sock; diff --git a/security/smack/smack.h b/security/smack/smack.h index 4ac4bf3310d7..7cc3a3382fee 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -386,6 +386,13 @@ static inline struct superblock_smack *smack_superblock( return superblock->s_security + smack_blob_sizes.lbs_superblock; } +#ifdef CONFIG_KEYS +static inline struct smack_known **smack_key(const struct key *key) +{ + return key->security + smack_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fd69e1bd841b..e9560b078efe 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4179,23 +4179,13 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { + struct smack_known **blob = smack_key(key); struct smack_known *skp = smk_of_task(smack_cred(cred)); - key->security = skp; + *blob = skp; return 0; } -/** - * smack_key_free - Clear the key security blob - * @key: the object - * - * Clear the blob pointer - */ -static void smack_key_free(struct key *key) -{ - key->security = NULL; -} - /** * smack_key_permission - Smack access on a key * @key_ref: gets to the object @@ -4208,6 +4198,8 @@ static void smack_key_free(struct key *key) static int smack_key_permission(key_ref_t key_ref, const struct cred *cred, unsigned perm) { + struct smack_known **blob; + struct smack_known *skp; struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(smack_cred(cred)); @@ -4227,7 +4219,9 @@ static int smack_key_permission(key_ref_t key_ref, * If the key hasn't been initialized give it access so that * it may do so. */ - if (keyp->security == NULL) + blob = smack_key(keyp); + skp = *blob; + if (skp == NULL) return 0; /* * This should not occur @@ -4247,8 +4241,8 @@ static int smack_key_permission(key_ref_t key_ref, request |= MAY_READ; if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) request |= MAY_WRITE; - rc = smk_access(tkp, keyp->security, request, &ad); - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + rc = smk_access(tkp, skp, request, &ad); + rc = smk_bu_note("key access", tkp, skp, request, rc); return rc; } @@ -4263,11 +4257,12 @@ static int smack_key_permission(key_ref_t key_ref, */ static int smack_key_getsecurity(struct key *key, char **_buffer) { - struct smack_known *skp = key->security; + struct smack_known **blob = smack_key(key); + struct smack_known *skp = *blob; size_t length; char *copy; - if (key->security == NULL) { + if (skp == NULL) { *_buffer = NULL; return 0; } @@ -4550,6 +4545,9 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_file = sizeof(struct smack_known *), .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct smack_known *), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct smack_known *), .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), @@ -4671,7 +4669,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { /* key management security hooks */ #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, smack_key_alloc), - LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), #endif /* CONFIG_KEYS */