[v19,19/23] LSM: Verify LSM display sanity in binder

Message ID	20200724203226.16374-20-casey@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=RoHj=BD=vger.kernel.org=linux-security-module-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH v19 19/23] LSM: Verify LSM display sanity in binder Date: Fri, 24 Jul 2020 13:32:22 -0700 Message-Id: <20200724203226.16374-20-casey@schaufler-ca.com> In-Reply-To: <20200724203226.16374-1-casey@schaufler-ca.com> References: <20200724203226.16374-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Module stacking for AppArmor \| expand [v19,00/23] LSM: Module stacking for AppArmor [v19,01/23] LSM: Infrastructure management of the sock security [v19,02/23] LSM: Create and manage the lsmblob data structure. [v19,03/23] LSM: Use lsmblob in security_audit_rule_match [v19,04/23] LSM: Use lsmblob in security_kernel_act_as [v19,05/23] net: Prepare UDS for security module stacking [v19,06/23] LSM: Use lsmblob in security_secctx_to_secid [v19,07/23] LSM: Use lsmblob in security_secid_to_secctx [v19,08/23] LSM: Use lsmblob in security_ipc_getsecid [v19,09/23] LSM: Use lsmblob in security_task_getsecid [v19,10/23] LSM: Use lsmblob in security_inode_getsecid [v19,11/23] LSM: Use lsmblob in security_cred_getsecid [v19,12/23] IMA: Change internal interfaces to use lsmblobs [v19,13/23] LSM: Specify which LSM to display [v19,14/23] LSM: Ensure the correct LSM context releaser [v19,15/23] LSM: Use lsmcontext in security_secid_to_secctx [v19,16/23] LSM: Use lsmcontext in security_inode_getsecctx [v19,17/23] LSM: security_secid_to_secctx in netlink netfilter [v19,18/23] NET: Store LSM netlabel data in a lsmblob [v19,19/23] LSM: Verify LSM display sanity in binder [v19,20/23] Audit: Add new record for multiple process LSM attributes [v19,21/23] Audit: Add a new record for multiple object LSM attributes [v19,22/23] LSM: Add /proc attr entry for full LSM context [v19,23/23] AppArmor: Remove the exclusive flag

Message ID

20200724203226.16374-20-casey@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov
Subject: [PATCH v19 19/23] LSM: Verify LSM display sanity in binder
Date: Fri, 24 Jul 2020 13:32:22 -0700
Message-Id: <20200724203226.16374-20-casey@schaufler-ca.com>
In-Reply-To: <20200724203226.16374-1-casey@schaufler-ca.com>
References: <20200724203226.16374-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

LSM: Module stacking for AppArmor | expand

Commit Message

Casey Schaufler July 24, 2020, 8:32 p.m. UTC

Verify that the tasks on the ends of a binder transaction
use the same "display" security module. This prevents confusion
of security "contexts".

Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/security.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

Comments

John Johansen July 30, 2020, 8:40 a.m. UTC | #1

On 7/24/20 1:32 PM, Casey Schaufler wrote:
> Verify that the tasks on the ends of a binder transaction
> use the same "display" security module. This prevents confusion
> of security "contexts".
> 

Reviewed-by: John Johansen <john.johansen@canonical.com>

> Reviewed-by: Kees Cook <keescook@chromium.org>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  security/security.c | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/security/security.c b/security/security.c
> index ddbaf2073b02..95b48721fb17 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -788,9 +788,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
>  	return call_int_hook(binder_set_context_mgr, 0, mgr);
>  }
>  
> +/**
> + * security_binder_transaction - Binder driver transaction check
> + * @from: source of the transaction
> + * @to: destination of the transaction
> + *
> + * Verify that the tasks have the same LSM "display", then
> + * call the security module hooks.
> + *
> + * Returns -EINVAL if the displays don't match, or the
> + * result of the security module checks.
> + */
>  int security_binder_transaction(struct task_struct *from,
>  				struct task_struct *to)
>  {
> +	int from_display = lsm_task_display(from);
> +	int to_display = lsm_task_display(to);
> +
> +	/*
> +	 * If the display is LSMBLOB_INVALID the first module that has
> +	 * an entry is used. This will be in the 0 slot.
> +	 *
> +	 * This is currently only required if the server has requested
> +	 * peer contexts, but it would be unwieldly to have too much of
> +	 * the binder driver detail here.
> +	 */
> +	if (from_display == LSMBLOB_INVALID)
> +		from_display = 0;
> +	if (to_display == LSMBLOB_INVALID)
> +		to_display = 0;
> +	if (from_display != to_display)
> +		return -EINVAL;
> +
>  	return call_int_hook(binder_transaction, 0, from, to);
>  }
>  
>

diff --git a/security/security.c b/security/security.c
index ddbaf2073b02..95b48721fb17 100644
--- a/security/security.c
+++ b/security/security.c
@@ -788,9 +788,38 @@  int security_binder_set_context_mgr(struct task_struct *mgr)
 	return call_int_hook(binder_set_context_mgr, 0, mgr);
 }
 
+/**
+ * security_binder_transaction - Binder driver transaction check
+ * @from: source of the transaction
+ * @to: destination of the transaction
+ *
+ * Verify that the tasks have the same LSM "display", then
+ * call the security module hooks.
+ *
+ * Returns -EINVAL if the displays don't match, or the
+ * result of the security module checks.
+ */
 int security_binder_transaction(struct task_struct *from,
 				struct task_struct *to)
 {
+	int from_display = lsm_task_display(from);
+	int to_display = lsm_task_display(to);
+
+	/*
+	 * If the display is LSMBLOB_INVALID the first module that has
+	 * an entry is used. This will be in the 0 slot.
+	 *
+	 * This is currently only required if the server has requested
+	 * peer contexts, but it would be unwieldly to have too much of
+	 * the binder driver detail here.
+	 */
+	if (from_display == LSMBLOB_INVALID)
+		from_display = 0;
+	if (to_display == LSMBLOB_INVALID)
+		to_display = 0;
+	if (from_display != to_display)
+		return -EINVAL;
+
 	return call_int_hook(binder_transaction, 0, from, to);
 }

[v19,19/23] LSM: Verify LSM display sanity in binder

Commit Message

Comments

Patch