From patchwork Tue Aug 29 20:58:41 2017
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9928307
Subject: [PATCH 04/11] LSM: manage task security blobs
To: LSM , James Morris
Cc: John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , Kees Cook , Casey Schaufler
References: 
From: Casey Schaufler Message-ID: <601810ff-d4be-fc64-5514-8dbbdb45e3f5@schaufler-ca.com> Date: Tue, 29 Aug 2017 13:58:41 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH 04/11] LSM: manage task security blobs Move management of task security blobs into the security infrastructure. Modules are required to identify the space they require. At this time there are no modules that use task blobs. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 0603c57726e4..8d6e757e78dc 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1924,6 +1924,7 @@ struct security_hook_list { struct lsm_blob_sizes { int lbs_cred; int lbs_file; + int lbs_task; }; /* diff --git a/security/security.c b/security/security.c index b9346db8a2d4..3ab260b6ae96 100644 --- a/security/security.c +++ b/security/security.c @@ -92,6 +92,7 @@ int __init security_init(void) #ifdef CONFIG_SECURITY_LSM_DEBUG pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); + pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task); #endif return 0; @@ -269,6 +270,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) { lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred); lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file); + lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task); } /** 
@@ -294,6 +296,29 @@ int lsm_file_alloc(struct file *file) return 0; } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ +#ifdef CONFIG_SECURITY_LSM_DEBUG + if (task->security) + pr_info("%s: Inbound task blob is not NULL.\n", __func__); +#endif + if (blob_sizes.lbs_task == 0) + return 0; + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + /* * Hook list operation macros. * @@ -1102,6 +1127,9 @@ int security_task_alloc(struct task_struct *task, unsigned long clone_flags) void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
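Review bot: in the lsm_task_alloc hunk, the early return `if (blob_sizes.lbs_task == 0) return 0;` leaves task->security untouched, so whatever value the field held on entry (the CONFIG_SECURITY_LSM_DEBUG branch just above it explicitly anticipates a non-NULL inbound pointer) survives and is later handed to `kfree(task->security)` in the security_task_free hunk. Clear the field in that path, e.g. `if (blob_sizes.lbs_task == 0) { task->security = NULL; return 0; }`, so the infrastructure never frees a pointer it did not allocate.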
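Review bot: the free side is wired into security_task_free, but no hunk calls lsm_task_alloc; the `int security_task_alloc(struct task_struct *task, unsigned long clone_flags)` context in the last hunk header is unchanged, so task->security is never populated by the infrastructure even when a module reports a non-zero lbs_task. Either call lsm_task_alloc from security_task_alloc before the task_alloc hook (releasing the blob via security_task_free if the hook fails) or say in the commit message that a later patch in the series adds the caller. Since the function is not declared in the include/linux/lsm_hooks.h hunk, also consider making it static if it is only used from security.c.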