Message ID | 20200717230941.1190744-6-deven.desai@linux.microsoft.com (mailing list archive) |
---|---|
State | Superseded, archived |
Delegated to: | Mike Snitzer |
Headers | show |
Series | Integrity Policy Enforcement LSM (IPE) | expand |
On 7/17/2020 4:09 PM, Deven Bowers wrote: > Add a security blob and associated allocation, deallocation and set hooks > for a block_device structure. > > Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> > --- > fs/block_dev.c | 8 +++++ > include/linux/fs.h | 1 + > include/linux/lsm_hook_defs.h | 5 +++ > include/linux/lsm_hooks.h | 11 +++++++ > include/linux/security.h | 22 +++++++++++++ > security/security.c | 61 +++++++++++++++++++++++++++++++++++ > 6 files changed, 108 insertions(+) > > diff --git a/fs/block_dev.c b/fs/block_dev.c > index 0ae656e022fd..8602dd62c3e2 100644 > --- a/fs/block_dev.c > +++ b/fs/block_dev.c > @@ -34,6 +34,7 @@ > #include <linux/falloc.h> > #include <linux/uaccess.h> > #include <linux/suspend.h> > +#include <linux/security.h> > #include "internal.h" > > struct bdev_inode { > @@ -768,11 +769,18 @@ static struct inode *bdev_alloc_inode(struct super_block *sb) > struct bdev_inode *ei = kmem_cache_alloc(bdev_cachep, GFP_KERNEL); > if (!ei) > return NULL; > + > + if (unlikely(security_bdev_alloc(&ei->bdev))) { > + kmem_cache_free(bdev_cachep, ei); > + return NULL; > + } > + > return &ei->vfs_inode; > } > > static void bdev_free_inode(struct inode *inode) > { > + security_bdev_free(&BDEV_I(inode)->bdev); > kmem_cache_free(bdev_cachep, BDEV_I(inode)); > } > > diff --git a/include/linux/fs.h b/include/linux/fs.h > index f5abba86107d..42d7e3ce7712 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -509,6 +509,7 @@ struct block_device { > int bd_fsfreeze_count; > /* Mutex for freeze */ > struct mutex bd_fsfreeze_mutex; > + void *security; > } __randomize_layout; > > /* XArray tags, for tagging dirty and writeback pages in the pagecache. */ > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index af998f93d256..f3c0da0db4e8 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -391,3 +391,8 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) > LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) > LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) > #endif /* CONFIG_PERF_EVENTS */ > + > +LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev) > +LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev) > +LSM_HOOK(int, 0, bdev_setsecurity, struct block_device *bdev, const char *name, > + const void *value, size_t size) > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 95b7c1d32062..8a728b7dd32d 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1507,6 +1507,16 @@ > * > * @what: kernel feature being accessed > * > + * @bdev_alloc_security: > + * Initialize the security field inside a block_device structure. > + * > + * @bdev_free_security: > + * Cleanup the security information stored inside a block_device structure. > + * > + * @bdev_setsecurity: > + * Set the security property associated with @name for @bdev with > + * value @value. @size indicates the size of the @value in bytes. > + * > * Security hooks for perf events > * > * @perf_event_open: > @@ -1553,6 +1563,7 @@ struct lsm_blob_sizes { > int lbs_ipc; > int lbs_msg_msg; > int lbs_task; > + int lbs_bdev; > }; > > /* > diff --git a/include/linux/security.h b/include/linux/security.h > index 0a0a03b36a3b..8f83fdc6c65d 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -451,6 +451,11 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); > int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); > int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); > int security_locked_down(enum lockdown_reason what); > +int security_bdev_alloc(struct block_device *bdev); > +void security_bdev_free(struct block_device *bdev); > +int security_bdev_setsecurity(struct block_device *bdev, > + const char *name, const void *value, > + size_t size); > #else /* CONFIG_SECURITY */ > > static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) > @@ -1291,6 +1296,23 @@ static inline int security_locked_down(enum lockdown_reason what) > { > return 0; > } > + > +static inline int security_bdev_alloc(struct block_device *bdev) > +{ > + return 0; > +} > + > +static inline void security_bdev_free(struct block_device *bdev) > +{ > +} > + > +static inline int security_bdev_setsecurity(struct block_device *bdev, > + const char *name, > + const void *value, size_t size) > +{ > + return 0; > +} > + > #endif /* CONFIG_SECURITY */ > > #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) > diff --git a/security/security.c b/security/security.c > index 70a7ad357bc6..8e61b7e6adfc 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -28,6 +28,7 @@ > #include <linux/string.h> > #include <linux/msg.h> > #include <net/flow.h> > +#include <linux/fs.h> > > #define MAX_LSM_EVM_XATTR 2 > > @@ -202,6 +203,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) > lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); > lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); > lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); > + lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev); > } > > /* Prepare LSM for initialization. */ > @@ -337,6 +339,7 @@ static void __init ordered_lsm_init(void) > init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); > init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); > init_debug("task blob size = %d\n", blob_sizes.lbs_task); > + init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); > > /* > * Create any kmem_caches needed for blobs > @@ -654,6 +657,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp) > return 0; > } > > +/** > + * lsm_bdev_alloc - allocate a composite block_device blob > + * @bdev: the block_device that needs a blob > + * > + * Allocate the block_device blob for all the modules > + * > + * Returns 0, or -ENOMEM if memory can't be allocated. > + */ > +static int lsm_bdev_alloc(struct block_device *bdev) > +{ > + if (blob_sizes.lbs_bdev == 0) { > + bdev->security = NULL; > + return 0; > + } > + > + bdev->security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL); > + if (!bdev->security) > + return -ENOMEM; > + > + return 0; > +} > + > /** > * lsm_early_task - during initialization allocate a composite task blob > * @task: the task that needs a blob > @@ -2516,6 +2541,42 @@ int security_locked_down(enum lockdown_reason what) > } > EXPORT_SYMBOL(security_locked_down); > > +int security_bdev_alloc(struct block_device *bdev) > +{ > + int rc = 0; > + > + rc = lsm_bdev_alloc(bdev); > + if (unlikely(rc)) > + return rc; > + > + rc = call_int_hook(bdev_alloc_security, 0, bdev); > + if (unlikely(rc)) > + security_bdev_free(bdev); > + > + return 0; > +} > +EXPORT_SYMBOL(security_bdev_alloc); > + > +void security_bdev_free(struct block_device *bdev) > +{ > + if (!bdev->security) > + return; > + > + call_void_hook(bdev_free_security, bdev); > + > + kfree(bdev->security); > + bdev->security = NULL; > +} > +EXPORT_SYMBOL(security_bdev_free); > + > +int security_bdev_setsecurity(struct block_device *bdev, > + const char *name, const void *value, > + size_t size) > +{ > + return call_int_hook(bdev_setsecurity, 0, bdev, name, value, size); > +} What is your expectation regarding multiple security modules using the same @name? What do you expect a security module to do if it does not support a particular @name? You may have a case where SELinux supports a @name that AppArmor (or KSRI) doesn't. -ENOSYS may be you friend here. > +EXPORT_SYMBOL(security_bdev_setsecurity); > + > #ifdef CONFIG_PERF_EVENTS > int security_perf_event_open(struct perf_event_attr *attr, int type) > { -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
On 7/17/2020 5:14 PM, Casey Schaufler wrote: [...snip] >> +EXPORT_SYMBOL(security_bdev_free); >> + >> +int security_bdev_setsecurity(struct block_device *bdev, >> + const char *name, const void *value, >> + size_t size) >> +{ >> + return call_int_hook(bdev_setsecurity, 0, bdev, name, value, size); >> +} > > What is your expectation regarding multiple security modules using the > same @name? What do you expect a security module to do if it does not > support a particular @name? You may have a case where SELinux supports > a @name that AppArmor (or KSRI) doesn't. -ENOSYS may be you friend here. > I expect that some security modules may want to use the same @name / use the data contained with @name. I cannot speak to the future cases of other LSMs, but I expect if they want the raw @value, they'll copy it into their security blob, or interpret @value to a field defined by their security blob. Originally, I expected a security module that does not implement a particular @name no-op with return 0, not -ENOSYS, but I recognize that error codes are valuable, and it's a trivial change - I'll switch the security hook to call the hooks while allowing -ENOSYS or 0 in the next iteration. >> +EXPORT_SYMBOL(security_bdev_setsecurity); >> + >> #ifdef CONFIG_PERF_EVENTS >> int security_perf_event_open(struct perf_event_attr *attr, int type) >> { -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
diff --git a/fs/block_dev.c b/fs/block_dev.c index 0ae656e022fd..8602dd62c3e2 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -34,6 +34,7 @@ #include <linux/falloc.h> #include <linux/uaccess.h> #include <linux/suspend.h> +#include <linux/security.h> #include "internal.h" struct bdev_inode { @@ -768,11 +769,18 @@ static struct inode *bdev_alloc_inode(struct super_block *sb) struct bdev_inode *ei = kmem_cache_alloc(bdev_cachep, GFP_KERNEL); if (!ei) return NULL; + + if (unlikely(security_bdev_alloc(&ei->bdev))) { + kmem_cache_free(bdev_cachep, ei); + return NULL; + } + return &ei->vfs_inode; } static void bdev_free_inode(struct inode *inode) { + security_bdev_free(&BDEV_I(inode)->bdev); kmem_cache_free(bdev_cachep, BDEV_I(inode)); } diff --git a/include/linux/fs.h b/include/linux/fs.h index f5abba86107d..42d7e3ce7712 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -509,6 +509,7 @@ struct block_device { int bd_fsfreeze_count; /* Mutex for freeze */ struct mutex bd_fsfreeze_mutex; + void *security; } __randomize_layout; /* XArray tags, for tagging dirty and writeback pages in the pagecache. */ diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index af998f93d256..f3c0da0db4e8 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -391,3 +391,8 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) #endif /* CONFIG_PERF_EVENTS */ + +LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev) +LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev) +LSM_HOOK(int, 0, bdev_setsecurity, struct block_device *bdev, const char *name, + const void *value, size_t size) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 95b7c1d32062..8a728b7dd32d 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1507,6 +1507,16 @@ * * @what: kernel feature being accessed * + * @bdev_alloc_security: + * Initialize the security field inside a block_device structure. + * + * @bdev_free_security: + * Cleanup the security information stored inside a block_device structure. + * + * @bdev_setsecurity: + * Set the security property associated with @name for @bdev with + * value @value. @size indicates the size of the @value in bytes. + * * Security hooks for perf events * * @perf_event_open: @@ -1553,6 +1563,7 @@ struct lsm_blob_sizes { int lbs_ipc; int lbs_msg_msg; int lbs_task; + int lbs_bdev; }; /* diff --git a/include/linux/security.h b/include/linux/security.h index 0a0a03b36a3b..8f83fdc6c65d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -451,6 +451,11 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); +int security_bdev_alloc(struct block_device *bdev); +void security_bdev_free(struct block_device *bdev); +int security_bdev_setsecurity(struct block_device *bdev, + const char *name, const void *value, + size_t size); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1291,6 +1296,23 @@ static inline int security_locked_down(enum lockdown_reason what) { return 0; } + +static inline int security_bdev_alloc(struct block_device *bdev) +{ + return 0; +} + +static inline void security_bdev_free(struct block_device *bdev) +{ +} + +static inline int security_bdev_setsecurity(struct block_device *bdev, + const char *name, + const void *value, size_t size) +{ + return 0; +} + #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/security/security.c b/security/security.c index 70a7ad357bc6..8e61b7e6adfc 100644 --- a/security/security.c +++ b/security/security.c @@ -28,6 +28,7 @@ #include <linux/string.h> #include <linux/msg.h> #include <net/flow.h> +#include <linux/fs.h> #define MAX_LSM_EVM_XATTR 2 @@ -202,6 +203,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); + lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev); } /* Prepare LSM for initialization. */ @@ -337,6 +339,7 @@ static void __init ordered_lsm_init(void) init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); /* * Create any kmem_caches needed for blobs @@ -654,6 +657,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp) return 0; } +/** + * lsm_bdev_alloc - allocate a composite block_device blob + * @bdev: the block_device that needs a blob + * + * Allocate the block_device blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_bdev_alloc(struct block_device *bdev) +{ + if (blob_sizes.lbs_bdev == 0) { + bdev->security = NULL; + return 0; + } + + bdev->security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL); + if (!bdev->security) + return -ENOMEM; + + return 0; +} + /** * lsm_early_task - during initialization allocate a composite task blob * @task: the task that needs a blob @@ -2516,6 +2541,42 @@ int security_locked_down(enum lockdown_reason what) } EXPORT_SYMBOL(security_locked_down); +int security_bdev_alloc(struct block_device *bdev) +{ + int rc = 0; + + rc = lsm_bdev_alloc(bdev); + if (unlikely(rc)) + return rc; + + rc = call_int_hook(bdev_alloc_security, 0, bdev); + if (unlikely(rc)) + security_bdev_free(bdev); + + return 0; +} +EXPORT_SYMBOL(security_bdev_alloc); + +void security_bdev_free(struct block_device *bdev) +{ + if (!bdev->security) + return; + + call_void_hook(bdev_free_security, bdev); + + kfree(bdev->security); + bdev->security = NULL; +} +EXPORT_SYMBOL(security_bdev_free); + +int security_bdev_setsecurity(struct block_device *bdev, + const char *name, const void *value, + size_t size) +{ + return call_int_hook(bdev_setsecurity, 0, bdev, name, value, size); +} +EXPORT_SYMBOL(security_bdev_setsecurity); + #ifdef CONFIG_PERF_EVENTS int security_perf_event_open(struct perf_event_attr *attr, int type) {
Add a security blob and associated allocation, deallocation and set hooks for a block_device structure. Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> --- fs/block_dev.c | 8 +++++ include/linux/fs.h | 1 + include/linux/lsm_hook_defs.h | 5 +++ include/linux/lsm_hooks.h | 11 +++++++ include/linux/security.h | 22 +++++++++++++ security/security.c | 61 +++++++++++++++++++++++++++++++++++ 6 files changed, 108 insertions(+)