[v4,12/23] security: Introduce file_post_open hook

Message ID	20231027083558.484911-13-roberto.sassu@huaweicloud.com (mailing list archive)
State	New
Headers	show Return-Path: <keyrings-owner@vger.kernel.org> From: Roberto Sassu <roberto.sassu@huaweicloud.com> To: viro@zeniv.linux.org.uk, brauner@kernel.org, chuck.lever@oracle.com, jlayton@kernel.org, neilb@suse.de, kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, dhowells@redhat.com, jarkko@kernel.org, stephen.smalley.work@gmail.com, eparis@parisplace.org, casey@schaufler-ca.com, mic@digikod.net Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, selinux@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>, Stefan Berger <stefanb@linux.ibm.com> Subject: [PATCH v4 12/23] security: Introduce file_post_open hook Date: Fri, 27 Oct 2023 10:35:47 +0200 Message-Id: <20231027083558.484911-13-roberto.sassu@huaweicloud.com> In-Reply-To: <20231027083558.484911-1-roberto.sassu@huaweicloud.com> References: <20231027083558.484911-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	security: Move IMA and EVM to the LSM infrastructure \| expand [v4,00/23] security: Move IMA and EVM to the LSM infrastructure [v4,01/23] ima: Align ima_inode_post_setattr() definition with LSM infrastructure [v4,02/23] ima: Align ima_file_mprotect() definition with LSM infrastructure [v4,03/23] ima: Align ima_inode_setxattr() definition with LSM infrastructure [v4,04/23] ima: Align ima_inode_removexattr() definition with LSM infrastructure [v4,05/23] ima: Align ima_post_read_file() definition with LSM infrastructure [v4,06/23] evm: Align evm_inode_post_setattr() definition with LSM infrastructure [v4,07/23] evm: Align evm_inode_setxattr() definition with LSM infrastructure [v4,08/23] evm: Align evm_inode_post_setxattr() definition with LSM infrastructure [v4,09/23] security: Align inode_setattr hook definition with EVM [v4,10/23] security: Introduce inode_post_setattr hook [v4,11/23] security: Introduce inode_post_removexattr hook [v4,12/23] security: Introduce file_post_open hook [v4,13/23] security: Introduce file_pre_free_security hook [v4,14/23] security: Introduce path_post_mknod hook [v4,15/23] security: Introduce inode_post_create_tmpfile hook [v4,16/23] security: Introduce inode_post_set_acl hook [v4,17/23] security: Introduce inode_post_remove_acl hook [v4,18/23] security: Introduce key_post_create_or_update hook [v4,19/23] ima: Move to LSM infrastructure [v4,20/23] ima: Move IMA-Appraisal to LSM infrastructure [v4,21/23] evm: Move to LSM infrastructure [v4,22/23] integrity: Move integrity functions to the LSM infrastructure [v4,23/23] integrity: Switch from rbtree to LSM-managed blob for integrity_iint_cache

Message ID

20231027083558.484911-13-roberto.sassu@huaweicloud.com (mailing list archive)

State

New

Headers

From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: viro@zeniv.linux.org.uk, brauner@kernel.org,
        chuck.lever@oracle.com, jlayton@kernel.org, neilb@suse.de,
        kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com,
        paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
        zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
        dhowells@redhat.com, jarkko@kernel.org,
        stephen.smalley.work@gmail.com, eparis@parisplace.org,
        casey@schaufler-ca.com, mic@digikod.net
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org,
        linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
        selinux@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>,
        Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v4 12/23] security: Introduce file_post_open hook
Date: Fri, 27 Oct 2023 10:35:47 +0200
Message-Id: <20231027083558.484911-13-roberto.sassu@huaweicloud.com>
In-Reply-To: <20231027083558.484911-1-roberto.sassu@huaweicloud.com>
References: <20231027083558.484911-1-roberto.sassu@huaweicloud.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

security: Move IMA and EVM to the LSM infrastructure | expand

Commit Message

Roberto Sassu Oct. 27, 2023, 8:35 a.m. UTC

From: Roberto Sassu <roberto.sassu@huawei.com>

In preparation to move IMA and EVM to the LSM infrastructure, introduce the
file_post_open hook. Also, export security_file_post_open() for NFS.

Based on policy, IMA calculates the digest of the file content, and decides
based on that digest whether the file should be made accessible to the
requesting process.

LSMs could similarly take action depending on the file content.

The new hook returns a value and can cause the open to be aborted.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
 fs/namei.c                    |  2 ++
 fs/nfsd/vfs.c                 |  6 ++++++
 include/linux/lsm_hook_defs.h |  1 +
 include/linux/security.h      |  6 ++++++
 security/security.c           | 17 +++++++++++++++++
 5 files changed, 32 insertions(+)

Comments

Mimi Zohar Nov. 6, 2023, 4:40 p.m. UTC | #1

On Fri, 2023-10-27 at 10:35 +0200, Roberto Sassu wrote:
> diff --git a/security/security.c b/security/security.c
> index 2ee958afaf40..d24a8f92d641 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2947,6 +2947,23 @@ int security_file_open(struct file *file)
>         return fsnotify_perm(file, MAY_OPEN);
>  }
>  
> +/**
> + * security_file_post_open() - Recheck access to a file after it has been opened
> + * @file: the file
> + * @mask: access mask
> + *
> + * Recheck access with mask after the file has been opened. The hook is useful
> + * for LSMs that require the file content to be available in order to make
> + * decisions.
> + *

The hook isn't limited to "Recheck access".    It's used for measuring,
appraising, and auditing a file's integrity.   Sorry for suggesting an
incomplete patch description.  Please update the wording here and the
patch description accordingly.

> + * Return: Returns 0 if permission is granted.
> + */
> +int security_file_post_open(struct file *file, int mask)
> +{
> +       return call_int_hook(file_post_open, 0, file, mask);
> +}
> +EXPORT_SYMBOL_GPL(security_file_post_open);
> +
>  /**
>   * security_file_truncate() - Check if truncating a file is allowed
>   * @file: file

diff --git a/fs/namei.c b/fs/namei.c
index 567ee547492b..4b1c86934637 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3637,6 +3637,8 @@  static int do_open(struct nameidata *nd,
 	error = may_open(idmap, &nd->path, acc_mode, open_flag);
 	if (!error && !(file->f_mode & FMODE_OPENED))
 		error = vfs_open(&nd->path, file);
+	if (!error)
+		error = security_file_post_open(file, op->acc_mode);
 	if (!error)
 		error = ima_file_check(file, op->acc_mode);
 	if (!error && do_truncate)
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 48260cf68fde..7f58ba6f884f 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -862,6 +862,12 @@  __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
 		goto out_nfserr;
 	}
 
+	host_err = security_file_post_open(file, may_flags);
+	if (host_err) {
+		fput(file);
+		goto out_nfserr;
+	}
+
 	host_err = ima_file_check(file, may_flags);
 	if (host_err) {
 		fput(file);
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 6b15bb747440..cab9c1265f4e 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -189,6 +189,7 @@  LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
 	 struct fown_struct *fown, int sig)
 LSM_HOOK(int, 0, file_receive, struct file *file)
 LSM_HOOK(int, 0, file_open, struct file *file)
+LSM_HOOK(int, 0, file_post_open, struct file *file, int mask)
 LSM_HOOK(int, 0, file_truncate, struct file *file)
 LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
 	 unsigned long clone_flags)
diff --git a/include/linux/security.h b/include/linux/security.h
index 5c9c426962f0..e0812da7f24d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -409,6 +409,7 @@  int security_file_send_sigiotask(struct task_struct *tsk,
 				 struct fown_struct *fown, int sig);
 int security_file_receive(struct file *file);
 int security_file_open(struct file *file);
+int security_file_post_open(struct file *file, int mask);
 int security_file_truncate(struct file *file);
 int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
 void security_task_free(struct task_struct *task);
@@ -1065,6 +1066,11 @@  static inline int security_file_open(struct file *file)
 	return 0;
 }
 
+static inline int security_file_post_open(struct file *file, int mask)
+{
+	return 0;
+}
+
 static inline int security_file_truncate(struct file *file)
 {
 	return 0;
diff --git a/security/security.c b/security/security.c
index 2ee958afaf40..d24a8f92d641 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2947,6 +2947,23 @@  int security_file_open(struct file *file)
 	return fsnotify_perm(file, MAY_OPEN);
 }
 
+/**
+ * security_file_post_open() - Recheck access to a file after it has been opened
+ * @file: the file
+ * @mask: access mask
+ *
+ * Recheck access with mask after the file has been opened. The hook is useful
+ * for LSMs that require the file content to be available in order to make
+ * decisions.
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_file_post_open(struct file *file, int mask)
+{
+	return call_int_hook(file_post_open, 0, file, mask);
+}
+EXPORT_SYMBOL_GPL(security_file_post_open);
+
 /**
  * security_file_truncate() - Check if truncating a file is allowed
  * @file: file

[v4,12/23] security: Introduce file_post_open hook

Commit Message

Comments

Patch