[v13,03/25] LSM: Use lsmblob in security_audit_rule_match

Message ID	20191224235939.7483-4-casey@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=ALVC=2P=vger.kernel.org=linux-security-module-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH v13 03/25] LSM: Use lsmblob in security_audit_rule_match Date: Tue, 24 Dec 2019 15:59:17 -0800 Message-Id: <20191224235939.7483-4-casey@schaufler-ca.com> In-Reply-To: <20191224235939.7483-1-casey@schaufler-ca.com> References: <20191224235939.7483-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Module stacking for AppArmor \| expand [v13,00/25] LSM: Module stacking for AppArmor [v13,01/25] LSM: Infrastructure management of the sock security [v13,02/25] LSM: Create and manage the lsmblob data structure. [v13,03/25] LSM: Use lsmblob in security_audit_rule_match [v13,04/25] LSM: Use lsmblob in security_kernel_act_as [v13,05/25] net: Prepare UDS for security module stacking [v13,06/25] Use lsmblob in security_secctx_to_secid [v13,07/25] LSM: Use lsmblob in security_secid_to_secctx [v13,08/25] LSM: Use lsmblob in security_ipc_getsecid [v13,09/25] LSM: Use lsmblob in security_task_getsecid [v13,10/25] LSM: Use lsmblob in security_inode_getsecid [v13,11/25] LSM: Use lsmblob in security_cred_getsecid [v13,12/25] IMA: Change internal interfaces to use lsmblobs [v13,13/25] LSM: Specify which LSM to display [v13,14/25] LSM: Ensure the correct LSM context releaser [v13,15/25] LSM: Use lsmcontext in security_secid_to_secctx [v13,16/25] LSM: Use lsmcontext in security_dentry_init_security [v13,17/25] LSM: Use lsmcontext in security_inode_getsecctx [v13,18/25] LSM: security_secid_to_secctx in netlink netfilter [v13,19/25] NET: Store LSM netlabel data in a lsmblob [v13,20/25] LSM: Verify LSM display sanity in binder [v13,21/25] Audit: Add subj_LSM fields when necessary [v13,22/25] Audit: Include object data for all security modules [v13,23/25] NET: Add SO_PEERCONTEXT for multiple LSMs [24/25] LSM: Add /proc attr entry for full LSM context [v13,25/25] AppArmor: Remove the exclusive flag [v13,26/25] Audit: Multiple LSM support in audit rules

Message ID

20191224235939.7483-4-casey@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
        john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
        paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH v13 03/25] LSM: Use lsmblob in security_audit_rule_match
Date: Tue, 24 Dec 2019 15:59:17 -0800
Message-Id: <20191224235939.7483-4-casey@schaufler-ca.com>
In-Reply-To: <20191224235939.7483-1-casey@schaufler-ca.com>
References: <20191224235939.7483-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

LSM: Module stacking for AppArmor | expand

Commit Message

Casey Schaufler Dec. 24, 2019, 11:59 p.m. UTC

Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.

Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. In some cases this requires a
temporary conversion using lsmblob_init() that will go
away when other interfaces get converted.

Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h            |  7 ++++---
 kernel/auditfilter.c                |  7 +++++--
 kernel/auditsc.c                    | 14 ++++++++++----
 security/integrity/ima/ima.h        |  4 ++--
 security/integrity/ima/ima_policy.c |  7 +++++--
 security/security.c                 | 18 +++++++++++++++---
 6 files changed, 41 insertions(+), 16 deletions(-)

Comments

Mimi Zohar Dec. 31, 2019, 1:13 p.m. UTC | #1

[Cc'ing Janne Karhunen based on his recent work updating IMA policy
rules LSM id's - commit b16942455193 ("ima: use the lsm policy update
notifier")]

On Tue, 2019-12-24 at 15:59 -0800, Casey Schaufler wrote:
> diff --git a/security/security.c b/security/security.c
> index 87fc70f77660..12e1e6223233 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -439,7 +439,7 @@ static int lsm_append(const char *new, char **result)
>  /*
>   * Current index to use while initializing the lsmblob secid list.
>   */
> -static int lsm_slot __initdata;
> +static int lsm_slot __lsm_ro_after_init;
> 
>  /**
>   * security_add_hooks - Add a modules hooks to the hook lists.
> @@ -2412,9 +2412,21 @@ void security_audit_rule_free(void *lsmrule)
>  	call_void_hook(audit_rule_free, lsmrule);
>  }
> 
> -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
> +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
> +			      void *lsmrule)
>  {
> -	return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
> +	struct security_hook_list *hp;
> +	int rc;
> +
> +	hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
> +		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
> +			continue;
> +		rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
> +					       field, op, lsmrule);

IMA's policy rules may be written in terms of LSM labels.  On IMA
policy initialization and, subsequently, when the LSM policy is
updated, IMA correlates LSM labels with LSM ids.  Doesn't
security_audit_rule_init() also need to be updated to walk the LSMs?

The basic assumption with security_audit_rule_match() is that there
isn't any naming overlap.  Is that guaranteed?  With this change, do
the IMA policy rules now need to be LSM qualified?

Mimi

> +		if (rc != 0)
> +			return rc;
> +	}
> +	return 0;
>  }
>  #endif /* CONFIG_AUDIT */

Casey Schaufler Jan. 2, 2020, 11:36 p.m. UTC | #2

On 12/31/2019 5:13 AM, Mimi Zohar wrote:
> [Cc'ing Janne Karhunen based on his recent work updating IMA policy
> rules LSM id's - commit b16942455193 ("ima: use the lsm policy update
> notifier")]
>
> On Tue, 2019-12-24 at 15:59 -0800, Casey Schaufler wrote:
>> diff --git a/security/security.c b/security/security.c
>> index 87fc70f77660..12e1e6223233 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -439,7 +439,7 @@ static int lsm_append(const char *new, char **result)
>>  /*
>>   * Current index to use while initializing the lsmblob secid list.
>>   */
>> -static int lsm_slot __initdata;
>> +static int lsm_slot __lsm_ro_after_init;
>>
>>  /**
>>   * security_add_hooks - Add a modules hooks to the hook lists.
>> @@ -2412,9 +2412,21 @@ void security_audit_rule_free(void *lsmrule)
>>  	call_void_hook(audit_rule_free, lsmrule);
>>  }
>>
>> -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
>> +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
>> +			      void *lsmrule)
>>  {
>> -	return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
>> +	struct security_hook_list *hp;
>> +	int rc;
>> +
>> +	hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
>> +		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
>> +			continue;
>> +		rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
>> +					       field, op, lsmrule);
> IMA's policy rules may be written in terms of LSM labels.  On IMA
> policy initialization and, subsequently, when the LSM policy is
> updated, IMA correlates LSM labels with LSM ids.  Doesn't
> security_audit_rule_init() also need to be updated to walk the LSMs?

Yes. I've got a change in test.

>
> The basic assumption with security_audit_rule_match() is that there
> isn't any naming overlap.  Is that guaranteed?

No. A valid SELinux label is also a valid Smack label. If someone
asks to see subj_user=whatever_t both module will look for it.

>   With this change, do
> the IMA policy rules now need to be LSM qualified?

I have a change for that in test, too.

>
> Mimi
>
>> +		if (rc != 0)
>> +			return rc;
>> +	}
>> +	return 0;
>>  }
>>  #endif /* CONFIG_AUDIT */

diff --git a/include/linux/security.h b/include/linux/security.h
index b74dc70088ca..9c6dbe248eaf 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1837,7 +1837,8 @@  static inline int security_key_getsecurity(struct key *key, char **_buffer)
 #ifdef CONFIG_SECURITY
 int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
 int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+			      void *lsmrule);
 void security_audit_rule_free(void *lsmrule);
 
 #else
@@ -1853,8 +1854,8 @@  static inline int security_audit_rule_known(struct audit_krule *krule)
 	return 0;
 }
 
-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
-					    void *lsmrule)
+static inline int security_audit_rule_match(struct lsmblob *blob, u32 field,
+					    u32 op, void *lsmrule)
 {
 	return 0;
 }
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b0126e9c0743..356db1dd276c 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1325,6 +1325,7 @@  int audit_filter(int msgtype, unsigned int listtype)
 			struct audit_field *f = &e->rule.fields[i];
 			pid_t pid;
 			u32 sid;
+			struct lsmblob blob;
 
 			switch (f->type) {
 			case AUDIT_PID:
@@ -1355,8 +1356,10 @@  int audit_filter(int msgtype, unsigned int listtype)
 			case AUDIT_SUBJ_CLR:
 				if (f->lsm_rule) {
 					security_task_getsecid(current, &sid);
-					result = security_audit_rule_match(sid,
-						   f->type, f->op, f->lsm_rule);
+					lsmblob_init(&blob, sid);
+					result = security_audit_rule_match(
+							&blob, f->type,
+							f->op, f->lsm_rule);
 				}
 				break;
 			case AUDIT_EXE:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4effe01ebbe2..7566e5b1c419 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -445,6 +445,7 @@  static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	struct lsmblob blob;
 	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
@@ -643,7 +644,9 @@  static int audit_filter_rules(struct task_struct *tsk,
 					security_task_getsecid(tsk, &sid);
 					need_sid = 0;
 				}
-				result = security_audit_rule_match(sid, f->type,
+				lsmblob_init(&blob, sid);
+				result = security_audit_rule_match(&blob,
+								   f->type,
 								   f->op,
 								   f->lsm_rule);
 			}
@@ -658,15 +661,17 @@  static int audit_filter_rules(struct task_struct *tsk,
 			if (f->lsm_rule) {
 				/* Find files that match */
 				if (name) {
+					lsmblob_init(&blob, name->osid);
 					result = security_audit_rule_match(
-								name->osid,
+								&blob,
 								f->type,
 								f->op,
 								f->lsm_rule);
 				} else if (ctx) {
 					list_for_each_entry(n, &ctx->names_list, list) {
+						lsmblob_init(&blob, n->osid);
 						if (security_audit_rule_match(
-								n->osid,
+								&blob,
 								f->type,
 								f->op,
 								f->lsm_rule)) {
@@ -678,7 +683,8 @@  static int audit_filter_rules(struct task_struct *tsk,
 				/* Find ipc objects that match */
 				if (!ctx || ctx->type != AUDIT_IPC)
 					break;
-				if (security_audit_rule_match(ctx->ipc.osid,
+				lsmblob_init(&blob, ctx->ipc.osid);
+				if (security_audit_rule_match(&blob,
 							      f->type, f->op,
 							      f->lsm_rule))
 					++result;
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index df4ca482fb53..d95b0ece7434 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -381,8 +381,8 @@  static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
 	return -EINVAL;
 }
 
-static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
-					     void *lsmrule)
+static inline int security_filter_rule_match(struct lsmblob *blob, u32 field,
+					     u32 op, void *lsmrule)
 {
 	return -EINVAL;
 }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ef8dfd47c7e3..68fe533f8a4f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -414,6 +414,7 @@  static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 	for (i = 0; i < MAX_LSM_RULES; i++) {
 		int rc = 0;
 		u32 osid;
+		struct lsmblob blob;
 
 		if (!rule->lsm[i].rule)
 			continue;
@@ -423,7 +424,8 @@  static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 		case LSM_OBJ_ROLE:
 		case LSM_OBJ_TYPE:
 			security_inode_getsecid(inode, &osid);
-			rc = security_filter_rule_match(osid,
+			lsmblob_init(&blob, osid);
+			rc = security_filter_rule_match(&blob,
 							rule->lsm[i].type,
 							Audit_equal,
 							rule->lsm[i].rule);
@@ -431,7 +433,8 @@  static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 		case LSM_SUBJ_USER:
 		case LSM_SUBJ_ROLE:
 		case LSM_SUBJ_TYPE:
-			rc = security_filter_rule_match(secid,
+			lsmblob_init(&blob, secid);
+			rc = security_filter_rule_match(&blob,
 							rule->lsm[i].type,
 							Audit_equal,
 							rule->lsm[i].rule);
diff --git a/security/security.c b/security/security.c
index 87fc70f77660..12e1e6223233 100644
--- a/security/security.c
+++ b/security/security.c
@@ -439,7 +439,7 @@  static int lsm_append(const char *new, char **result)
 /*
  * Current index to use while initializing the lsmblob secid list.
  */
-static int lsm_slot __initdata;
+static int lsm_slot __lsm_ro_after_init;
 
 /**
  * security_add_hooks - Add a modules hooks to the hook lists.
@@ -2412,9 +2412,21 @@  void security_audit_rule_free(void *lsmrule)
 	call_void_hook(audit_rule_free, lsmrule);
 }
 
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+			      void *lsmrule)
 {
-	return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
+	struct security_hook_list *hp;
+	int rc;
+
+	hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
+		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+			continue;
+		rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
+					       field, op, lsmrule);
+		if (rc != 0)
+			return rc;
+	}
+	return 0;
 }
 #endif /* CONFIG_AUDIT */

[v13,03/25] LSM: Use lsmblob in security_audit_rule_match

Commit Message

Comments

Patch