| Message ID | 20250319222744.17576-3-casey@schaufler-ca.com |
|---|---|
| State | Under Review |
| Series | Audit: Records for multiple security contexts |
On Wed, Mar 19, 2025 at 7:50 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > > Add a parameter lsmid to security_lsmblob_to_secctx() to identify which > of the security modules that may be active should provide the security > context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing > a hook is used. security_secid_to_secctx() is unchanged, and will > always report the first LSM providing a hook. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> ... > diff --git a/security/security.c b/security/security.c > index 143561ebc3e8..55f9c7ad3f89 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel); > * security_secid_to_secctx() - Convert a secid to a secctx > * @secid: secid > * @cp: the LSM context > + * @lsmid: which security module to report > * > * Convert secid to security context. If @cp is NULL the length of the > * result will be returned, but no data will be returned. This 
> @@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx); > * > * Return: Return length of data on success, error on failure. > */ > -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp) > +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, > + int lsmid) > { > - return call_int_hook(lsmprop_to_secctx, prop, cp); > + struct lsm_static_call *scall; > + > + lsm_for_each_hook(scall, lsmprop_to_secctx) { > + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) It took me some time to figure out why if LSM_ID_UNDEF is passed the first LSM providing a hook is used, might be better to change it to: if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id) Otherwise, it works as described. I'm working on adding a new IPE property based on SELinux file labels, and this just came up as I needed it. Thank you. Tested-by: Fan Wu <wufan@kernel.org> > + continue; > + return scall->hl->hook.lsmprop_to_secctx(prop, cp); > + } > + return LSM_RET_DEFAULT(lsmprop_to_secctx); > } > EXPORT_SYMBOL(security_lsmprop_to_secctx); > > -- > 2.47.0 > >
On 3/25/2025 4:44 PM, Fan Wu wrote: > On Wed, Mar 19, 2025 at 7:50 PM Casey Schaufler <casey@schaufler-ca.com> wrote: >> Add a parameter lsmid to security_lsmblob_to_secctx() to identify which >> of the security modules that may be active should provide the security >> context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing >> a hook is used. security_secid_to_secctx() is unchanged, and will >> always report the first LSM providing a hook. >> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > .. >> diff --git a/security/security.c b/security/security.c >> index 143561ebc3e8..55f9c7ad3f89 100644 >> --- a/security/security.c >> +++ b/security/security.c >> @@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel); >> * security_secid_to_secctx() - Convert a secid to a secctx >> * @secid: secid >> * @cp: the LSM context >> + * @lsmid: which security module to report >> * >> * Convert secid to security context. If @cp is NULL the length of the >> * result will be returned, but no data will be returned. This 
>> @@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx); >> * >> * Return: Return length of data on success, error on failure. >> */ >> -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp) >> +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, >> + int lsmid) >> { >> - return call_int_hook(lsmprop_to_secctx, prop, cp); >> + struct lsm_static_call *scall; >> + >> + lsm_for_each_hook(scall, lsmprop_to_secctx) { >> + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) > It took me some time to figure out why if LSM_ID_UNDEF is passed the > first LSM providing a hook is used, might be better to change it to: > > if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id) Thank you. That change will be in v4. > > Otherwise, it works as described. I'm working on adding a new IPE > property based on SELinux file labels, and this just came up as I > needed it. Thank you. > > Tested-by: Fan Wu <wufan@kernel.org> > >> + continue; >> + return scall->hl->hook.lsmprop_to_secctx(prop, cp); >> + } >> + return LSM_RET_DEFAULT(lsmprop_to_secctx); >> } >> EXPORT_SYMBOL(security_lsmprop_to_secctx); >> >> -- >> 2.47.0 >> >>
diff --git a/include/linux/security.h b/include/linux/security.h index 980b6c207cad..540894695c4b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -566,7 +566,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsm_context *cp); -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp); +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, + int lsmid); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsm_context *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1543,7 +1544,8 @@ static inline int security_secid_to_secctx(u32 secid, struct lsm_context *cp) } static inline int security_lsmprop_to_secctx(struct lsm_prop *prop, - struct lsm_context *cp) + struct lsm_context *cp, + int lsmid) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index 2a567f667528..6bbadb605ca3 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1473,7 +1473,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, case AUDIT_SIGNAL_INFO: if (lsmprop_is_set(&audit_sig_lsm)) { err = security_lsmprop_to_secctx(&audit_sig_lsm, - &lsmctx); + &lsmctx, LSM_ID_UNDEF); if (err < 0) return err; } @@ -2188,7 +2188,7 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmprop_is_set(&prop)) return 0; - error = security_lsmprop_to_secctx(&prop, &ctx); + error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 60f2c927afd7..dc3f7e9666f2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx) < 0) { + if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1395,7 +1395,8 @@ static void show_special(struct audit_context *context, int *call_panic) struct lsm_context lsmctx; if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx) < 0) { + &lsmctx, + LSM_ID_UNDEF) < 0) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", lsmctx.context); @@ -1560,7 +1561,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmprop_is_set(&n->oprop)) { struct lsm_context ctx; - if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) { + if (security_lsmprop_to_secctx(&n->oprop, &ctx, + LSM_ID_UNDEF) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 0d04d23aafe7..6d6545297ee3 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx) > 0) { + security_lsmprop_to_secctx(&audit_info->prop, &ctx, + LSM_ID_UNDEF) > 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/security.c b/security/security.c index 143561ebc3e8..55f9c7ad3f89 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel); * security_secid_to_secctx() - Convert a secid to a secctx * @secid: secid * @cp: the LSM context + * @lsmid: which security module to report * * Convert secid to security context. If @cp is NULL the length of the * result will be returned, but no data will be returned. This @@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx); * * Return: Return length of data on success, error on failure. */ -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp) +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, + int lsmid) { - return call_int_hook(lsmprop_to_secctx, prop, cp); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, lsmprop_to_secctx) { + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) + continue; + return scall->hl->hook.lsmprop_to_secctx(prop, cp); + } + return LSM_RET_DEFAULT(lsmprop_to_secctx); } EXPORT_SYMBOL(security_lsmprop_to_secctx);
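Review bot: the include/linux/security.h hunk changes the prototype of security_lsmprop_to_secctx(), but the commit message describes adding the parameter to security_lsmblob_to_secctx(), a name that does not appear anywhere in the diff; the message should name the function that is actually changed so the patch is findable by its real symbol. The !CONFIG_SECURITY stub in the same hunk gains the lsmid parameter and keeps returning -EOPNOTSUPP, which is consistent with the callers treating any negative value as "no context".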
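Review bot: in the security/security.c hunk at -4312 the new `+ * @lsmid: which security module to report` kerneldoc line lands in the comment block of security_secid_to_secctx(), whose signature is unchanged (the commit message says so explicitly). It belongs in the kerneldoc of security_lsmprop_to_secctx() in the following hunk, which currently documents only the Return value. As written, kernel-doc will warn about an excess parameter description on security_secid_to_secctx() and a missing one on security_lsmprop_to_secctx(). While moving it, the description should also say what LSM_ID_UNDEF selects, since that is the behaviour every caller in this patch relies on.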
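Review bot: in the security/security.c hunk at -4338 the test `if (lsmid != 0 && lsmid != scall->hl->lsmid->id)` compares against a bare 0 while the commit message and all of the callers use LSM_ID_UNDEF; write `if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)` so the "first LSM" case is recognisable at the point of comparison (Fan Wu raised the same point in the thread above and it is slated for v4). Two consequences of the loop shape are worth stating in the kerneldoc as well: with LSM_ID_UNDEF the first registered hook is called and its result, including an error, is returned without falling through to the next LSM; and an lsmid naming an LSM that registers no lsmprop_to_secctx hook skips every entry and returns LSM_RET_DEFAULT(lsmprop_to_secctx). Callers passing a specific id in later patches will depend on both.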
Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used. security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h     |  6 ++++--
 kernel/audit.c               |  4 ++--
 kernel/auditsc.c             |  8 +++++---
 net/netlabel/netlabel_user.c |  3 ++-
 security/security.c          | 13 +++++++++++--
 5 files changed, 24 insertions(+), 10 deletions(-)
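To make the selection rule in the patch concrete, the following is a userspace C model of the new security_lsmprop_to_secctx() dispatch and of one of its audit callers. It is an added example, not code from the patch or the kernel: the struct layouts, the hook table standing in for lsm_for_each_hook(), the ids LSM_ID_ALPHA, LSM_ID_BETA and LSM_ID_GAMMA, and the sample labels are all placeholders. Only LSM_ID_UNDEF == 0 is taken from the uapi header; the no-hook default uses -EOPNOTSUPP because that is what the !CONFIG_SECURITY stub in the security.h hunk returns, which is this model's assumption about LSM_RET_DEFAULT().

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LSM_ID_UNDEF 0		/* from include/uapi/linux/lsm.h */
/* Placeholder ids for stacked LSMs; not the real uapi numbers. */
#define LSM_ID_ALPHA 101
#define LSM_ID_BETA  104
#define LSM_ID_GAMMA 110	/* active, but registers no lsmprop_to_secctx hook */

/* Stand-in for the kernel's struct lsm_context: label, length, owning LSM. */
struct lsm_context {
	const char *context;
	size_t len;
	int id;
};

/* Stand-in for struct lsm_prop: one label slot per stacked LSM. */
struct lsm_prop {
	const char *alpha;
	const char *beta;
};

typedef int (*lsmprop_to_secctx_t)(struct lsm_prop *prop, struct lsm_context *cp);

static int alpha_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
{
	if (!prop->alpha)
		return -EINVAL;	/* no label for this LSM in the prop */
	cp->context = prop->alpha;
	cp->len = strlen(prop->alpha);
	cp->id = LSM_ID_ALPHA;
	return (int)cp->len;
}

static int beta_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
{
	if (!prop->beta)
		return -EINVAL;
	cp->context = prop->beta;
	cp->len = strlen(prop->beta);
	cp->id = LSM_ID_BETA;
	return (int)cp->len;
}

/* Models the lsm_for_each_hook() list: entries in LSM initialisation order. */
struct hook_entry {
	int lsmid;
	lsmprop_to_secctx_t hook;
};

static const struct hook_entry lsmprop_to_secctx_hooks[] = {
	{ LSM_ID_ALPHA, alpha_lsmprop_to_secctx },
	{ LSM_ID_BETA,  beta_lsmprop_to_secctx },
	/* GAMMA provides no hook, so it never appears in this list. */
};

/* Assumed value for LSM_RET_DEFAULT(lsmprop_to_secctx); matches the security.h stub. */
#define LSMPROP_TO_SECCTX_DEFAULT (-EOPNOTSUPP)

/*
 * Same rule as the patched security_lsmprop_to_secctx(): LSM_ID_UNDEF takes
 * the first registered hook and returns whatever it returns, even an error;
 * any other id runs only that LSM's hook; an id with no hook falls through.
 */
int model_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, int lsmid)
{
	size_t i, n = sizeof(lsmprop_to_secctx_hooks) / sizeof(lsmprop_to_secctx_hooks[0]);

	for (i = 0; i < n; i++) {
		if (lsmid != LSM_ID_UNDEF && lsmid != lsmprop_to_secctx_hooks[i].lsmid)
			continue;
		return lsmprop_to_secctx_hooks[i].hook(prop, cp);
	}
	return LSMPROP_TO_SECCTX_DEFAULT;
}

/*
 * Caller modelled on audit_log_pid_context() in the auditsc.c hunk: any
 * negative return logs " obj=(none)" and yields rc = 1, otherwise the label.
 */
int model_log_obj(struct lsm_prop *prop, int lsmid, char *buf, size_t size)
{
	struct lsm_context ctx = { 0 };

	if (model_lsmprop_to_secctx(prop, &ctx, lsmid) < 0) {
		snprintf(buf, size, " obj=(none)");
		return 1;
	}
	snprintf(buf, size, " obj=%s", ctx.context);
	return 0;
}

int main(void)
{
	/* Constructed sample: a task carrying labels from both stacked LSMs. */
	struct lsm_prop prop = { "alpha_u:alpha_r:alpha_t:s0", "beta_profile" };
	int ids[] = { LSM_ID_UNDEF, LSM_ID_ALPHA, LSM_ID_BETA, LSM_ID_GAMMA };
	char line[128];
	size_t i;

	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		int rc = model_log_obj(&prop, ids[i], line, sizeof(line));
		printf("lsmid=%d rc=%d%s\n", ids[i], rc, line);
	}
	return 0;
}
```

The two cases worth noticing when running it: asking for LSM_ID_GAMMA produces " obj=(none)" because no hook matches and the default is returned, and with LSM_ID_UNDEF a prop whose first LSM has no label yields that LSM's -EINVAL rather than the second LSM's label, since the loop returns on the first registered hook instead of trying the next one.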