From patchwork Wed Oct 14 12:41:55 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lukasz Pawelczyk X-Patchwork-Id: 7394651 Return-Path: X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id B6B81BEEA4 for ; Wed, 14 Oct 2015 13:00:48 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 8460120562 for ; Wed, 14 Oct 2015 13:00:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 70226206DD for ; Wed, 14 Oct 2015 13:00:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753690AbbJNNAB (ORCPT ); Wed, 14 Oct 2015 09:00:01 -0400 Received: from mailout4.w1.samsung.com ([210.118.77.14]:61626 "EHLO mailout4.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752994AbbJNMm3 (ORCPT ); Wed, 14 Oct 2015 08:42:29 -0400 Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245]) by mailout4.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0NW7004UVNAP1600@mailout4.w1.samsung.com>; Wed, 14 Oct 2015 13:42:26 +0100 (BST) X-AuditID: cbfec7f5-f794b6d000001495-73-561e4db10c48 Received: from eusync2.samsung.com ( [203.254.199.212]) by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id 9C.3E.05269.1BD4E165; Wed, 14 Oct 2015 13:42:25 +0100 (BST) Received: from amdc2143.DIGITAL.local ([106.120.53.33]) by eusync2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0NW700BB0NAK6E50@eusync2.samsung.com>; Wed, 14 Oct 2015 13:42:25 +0100 (BST) From: Lukasz Pawelczyk To: "David S. Miller" , "Eric W. Biederman" , "Serge E. Hallyn" , Al Viro , Alexey Dobriyan , Andrew Morton , Andy Lutomirski , Calvin Owens , Casey Schaufler , David Howells , Eric Dumazet , Eric Paris , Greg Kroah-Hartman , James Morris , Jann Horn , Jiri Slaby , Joe Perches , John Johansen , Jonathan Corbet , Kees Cook , Lukasz Pawelczyk , Mauro Carvalho Chehab , NeilBrown , Paul Moore , Serge Hallyn , Stephen Smalley , Tejun Heo , Tetsuo Handa , containers@lists.linuxfoundation.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Cc: Lukasz Pawelczyk Subject: [PATCH v4 01/11] user_ns: 3 new LSM hooks for user namespace operations Date: Wed, 14 Oct 2015 14:41:55 +0200 Message-id: <1444826525-9758-2-git-send-email-l.pawelczyk@samsung.com> X-Mailer: git-send-email 2.4.3 In-reply-to: <1444826525-9758-1-git-send-email-l.pawelczyk@samsung.com> References: <1444826525-9758-1-git-send-email-l.pawelczyk@samsung.com> X-Brightmail-Tracker: H4sIAAAAAAAAAzWRa0hTYRjHe3fenXMcDU7T6mCmMLEg0kz98BQW0oc6FYFkCfklpx5Uciqb 2p1mm1pqNV2QOs1bdjHnVEScly6LpjJ1hhZ2mXZTicKWFOlM19bo2/95fr+H/4eHJiQ27E+n Z+bwikxZhpQUYevqwERo+5HA+HBXgz/cyj8E1cYWEox1QTDV5STBunqfgs9PihBU2zQY5i8v Y3B1aSiYsXyk4OqHEQLUjUYSXF+3w/VPR2FwdkYI+ulPGAZ/FpBws80hgOESOQyX1wugvvAO hr7+IQzjPdUkOEo/kmDrMQjh4ewZ6K9VYXhbfguDXjMvhGe9jQToPpsxjObPYbCNjVLgvPcc gW1lQBgTzFWprpGcXvUCc50PXgu4MvU8xZmq7BRX15HLveo9wZkMzQKuo/kqyQ1WLGPucU0L xS0v6hDXeF0n5H7MvHFf3nD7I78SYgMSRNEpfEZ6Hq/YsTdRlPbFqiOyp6LPvLeXYhWyRhQj H5plotjJ6UGhN29gx6aMZDES0RKmCbFDjirKO+QLWEttJfJYJBPO/h7rJzzAj9GKWI12gvQA gtnKNunV2JN9mVjW1Foi8GTMhLAGS9+/CjGznx03aChvXSA7avzp9mnahznAdhbs8awlbuWx 1o61SFyH1jSj9XxucrYyKVUeEaaUyZW5malhyVnyDuR9869u1GTZbUYMjaRrxU8Mm+MlQlme 8qzcjFiakPqJ/4QHxkvEKbKz53hF1klFbgavNKNNNJZuFFf2fD8mYVJlOfwpns/mFf+pgPbx V6FdcZdOvg3atyXB93XxgkySF+RoLzuevqp+Fqz+Hi5tXbCUuaqCK6cTL86/fxRaSgSEGOIq dHO1H76Zc15ufue7/mD3pL3TGbN4I/NdZJb8tCOqfLGh7cL44ai7C3NaZxJAXoHy9nl609JS ZNyV34r0daZCke7pwws5RTWilbmvIMXKNNnObYRCKfsLk7tP0OICAAA= Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This commit implements 3 new LSM hooks that provide the means for LSMs to embed their own security context within user namespace, effectively creating some sort of a user_ns related security namespace. The first one to take advantage of this mechanism is Smack. The hooks has been documented in the in the security.h below. Signed-off-by: Lukasz Pawelczyk Reviewed-by: Casey Schaufler Acked-by: Paul Moore Acked-by: Casey Schaufler --- include/linux/lsm_hooks.h | 28 ++++++++++++++++++++++++++++ include/linux/security.h | 23 +++++++++++++++++++++++ include/linux/user_namespace.h | 4 ++++ kernel/user.c | 3 +++ kernel/user_namespace.c | 18 ++++++++++++++++++ security/security.c | 28 ++++++++++++++++++++++++++++ 6 files changed, 104 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index ec3a6ba..18c9160 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1261,6 +1261,23 @@ * audit_rule_init. * @rule contains the allocated rule * + * @userns_create: + * Allocates and fills the security part of a new user namespace. + * @ns points to a newly created user namespace. + * Returns 0 or an error code. + * + * @userns_free: + * Deallocates the security part of a user namespace. + * @ns points to a user namespace about to be destroyed. + * + * @userns_setns: + * Run during a setns syscall to add a process to an already existing + * user namespace. Returning failure here will block the operation + * requested from userspace (setns() with CLONE_NEWUSER). + * @nsproxy contains nsproxy to which the user namespace will be assigned. + * @ns contains user namespace that is to be incorporated to the nsproxy. + * Returns 0 or an error code. + * * @inode_notifysecctx: * Notify the security module of what the security context of an inode * should be. Initializes the incore security context managed by the @@ -1613,6 +1630,12 @@ union security_list_options { struct audit_context *actx); void (*audit_rule_free)(void *lsmrule); #endif /* CONFIG_AUDIT */ + +#ifdef CONFIG_USER_NS + int (*userns_create)(struct user_namespace *ns); + void (*userns_free)(struct user_namespace *ns); + int (*userns_setns)(struct nsproxy *nsproxy, struct user_namespace *ns); +#endif /* CONFIG_USER_NS */ }; struct security_hook_heads { @@ -1824,6 +1847,11 @@ struct security_hook_heads { struct list_head audit_rule_match; struct list_head audit_rule_free; #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_USER_NS + struct list_head userns_create; + struct list_head userns_free; + struct list_head userns_setns; +#endif /* CONFIG_USER_NS */ }; /* diff --git a/include/linux/security.h b/include/linux/security.h index 2f4c1f7..91ffba2 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1584,6 +1584,29 @@ static inline void security_audit_rule_free(void *lsmrule) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_USER_NS +int security_userns_create(struct user_namespace *ns); +void security_userns_free(struct user_namespace *ns); +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns); + +#else + +static inline int security_userns_create(struct user_namespace *ns) +{ + return 0; +} + +static inline void security_userns_free(struct user_namespace *ns) +{ } + +static inline int security_userns_setns(struct nsproxy *nsproxy, + struct user_namespace *ns) +{ + return 0; +} + +#endif /* CONFIG_USER_NS */ + #ifdef CONFIG_SECURITYFS extern struct dentry *securityfs_create_file(const char *name, umode_t mode, diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index 8297e5b..a9400cc 100644 --- a/include/linux/user_namespace.h +++ b/include/linux/user_namespace.h @@ -39,6 +39,10 @@ struct user_namespace { struct key *persistent_keyring_register; struct rw_semaphore persistent_keyring_register_sem; #endif + +#ifdef CONFIG_SECURITY + void *security; +#endif }; extern struct user_namespace init_user_ns; diff --git a/kernel/user.c b/kernel/user.c index b069ccb..ce5419e 100644 --- a/kernel/user.c +++ b/kernel/user.c @@ -59,6 +59,9 @@ struct user_namespace init_user_ns = { .persistent_keyring_register_sem = __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem), #endif +#ifdef CONFIG_SECURITY + .security = NULL, +#endif }; EXPORT_SYMBOL_GPL(init_user_ns); diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 88fefa6..daef188 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -22,6 +22,7 @@ #include #include #include +#include static struct kmem_cache *user_ns_cachep __read_mostly; static DEFINE_MUTEX(userns_state_mutex); @@ -109,6 +110,15 @@ int create_user_ns(struct cred *new) set_cred_user_ns(new, ns); +#ifdef CONFIG_SECURITY + ret = security_userns_create(ns); + if (ret) { + ns_free_inum(&ns->ns); + kmem_cache_free(user_ns_cachep, ns); + return ret; + } +#endif + #ifdef CONFIG_PERSISTENT_KEYRINGS init_rwsem(&ns->persistent_keyring_register_sem); #endif @@ -144,6 +154,9 @@ void free_user_ns(struct user_namespace *ns) #ifdef CONFIG_PERSISTENT_KEYRINGS key_put(ns->persistent_keyring_register); #endif +#ifdef CONFIG_SECURITY + security_userns_free(ns); +#endif ns_free_inum(&ns->ns); kmem_cache_free(user_ns_cachep, ns); ns = parent; @@ -970,6 +983,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns) { struct user_namespace *user_ns = to_user_ns(ns); struct cred *cred; + int err; /* Don't allow gaining capabilities by reentering * the same user namespace. @@ -987,6 +1001,10 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns) if (!ns_capable(user_ns, CAP_SYS_ADMIN)) return -EPERM; + err = security_userns_setns(nsproxy, user_ns); + if (err) + return err; + cred = prepare_creds(); if (!cred) return -ENOMEM; diff --git a/security/security.c b/security/security.c index 46f405c..e571127 100644 --- a/security/security.c +++ b/security/security.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #define MAX_LSM_EVM_XATTR 2 @@ -1538,6 +1539,25 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, } #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_USER_NS + +int security_userns_create(struct user_namespace *ns) +{ + return call_int_hook(userns_create, 0, ns); +} + +void security_userns_free(struct user_namespace *ns) +{ + call_void_hook(userns_free, ns); +} + +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns) +{ + return call_int_hook(userns_setns, 0, nsproxy, ns); +} + +#endif /* CONFIG_USER_NS */ + struct security_hook_heads security_hook_heads = { .binder_set_context_mgr = LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr), @@ -1882,4 +1902,12 @@ struct security_hook_heads security_hook_heads = { .audit_rule_free = LIST_HEAD_INIT(security_hook_heads.audit_rule_free), #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_USER_NS + .userns_create = + LIST_HEAD_INIT(security_hook_heads.userns_create), + .userns_free = + LIST_HEAD_INIT(security_hook_heads.userns_free), + .userns_setns = + LIST_HEAD_INIT(security_hook_heads.userns_setns), +#endif /* CONFIG_USER_NS */ };