From patchwork Mon Jun 12 16:56:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Salvatore Mesoraca <s.mesoraca16@gmail.com>
X-Patchwork-Id: 9782297
Return-Path: 
 <kernel-hardening-return-8536-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	08B9D60244 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon, 12 Jun 2017 16:58:21 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB4A3284C7
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon, 12 Jun 2017 16:58:20 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DE1D1284DA; Mon, 12 Jun 2017 16:58:20 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id C0ED4284C7
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon, 12 Jun 2017 16:58:19 +0000 (UTC)
Received: (qmail 5436 invoked by uid 550); 12 Jun 2017 16:58:17 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 3976 invoked from network); 12 Jun 2017 16:58:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=WWmPp4J2Rp51P3oVooKMBJ/3DMzQv8CcZqi9TPgnYc4=;
	b=ZQJZ2DIGdoEAdfJSLzBHWOUVpfaog8nLn47jKcdguSlOYkiFT2uE1ydO1AUB7H4V0E
	4zN4h3FVg6nzljgIYfVXVQEhpp2rhLMYrag6lbqjG67WbwLkp56j3FcwfMPBXBDf+BA2
	r01lYf6LC0KeIa3GbE+RBy8LkupZtnZ+eDT9gjxEOEA1tS+fdJMNmwdQVYqbwTXnjRXc
	NGErG/hbhzOCVBl6oby2h/Aq6KRqBC795wSueO7eGUMQ/I1znPPc+ryDF5TN2clyLJXR
	chaSMXYUkUAM8U4/+YQY1qFBS8ZV77+bqsFEAVLd403+nthhAF0w5gzBtbGUpapDJ1WQ
	owmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=WWmPp4J2Rp51P3oVooKMBJ/3DMzQv8CcZqi9TPgnYc4=;
	b=ICw8lbqn3uMgNAnFdNq55Gkh+hy/pDOJ5QeP7z+MBJZzquHldA+Lqldq8FUvN/bKwQ
	NlE8UtSaPmziQrcYzZ1VigyXdirWpMWqJ6Mi7lPQHqDwoEYhYpFNzs9H/179bAZ6yZwL
	HLfWGOJ8pmPOovwGrbvGetF2pWMCxvtuXpnm08Rb/9e/Z1Qba24j8qwbIsBH+x1lw6iE
	9cC7yvqzkQHhlAM97w0QXx+fwjmbfsWxBsZIkjGuUQxjWOnnpodhWSQhUxcaDJvS1NQ+
	LUExW+sCYDhhPpeBQaXzAvbt6pQgI0k4IjcVUR+MUy2RXQMkjeZHnSXusPC/O4Tk57Vg
	2m2w==
X-Gm-Message-State: AODbwcCEz/UL/c7UMG9OaHrTJ8IwrOl3eM0R3oNDp1x775OD1GJoqE8g
	08bqAblru4lAXA==
X-Received: by 10.223.168.75 with SMTP id l69mr9014719wrc.127.1497286681056;
	Mon, 12 Jun 2017 09:58:01 -0700 (PDT)
From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	kernel-hardening@lists.openwall.com,
	Salvatore Mesoraca <s.mesoraca16@gmail.com>,
	Brad Spengler <spender@grsecurity.net>, PaX Team <pageexec@freemail.hu>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Kees Cook <keescook@chromium.org>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>, linux-usb@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 12 Jun 2017 18:56:52 +0200
Message-Id: <1497286620-15027-4-git-send-email-s.mesoraca16@gmail.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1497286620-15027-1-git-send-email-s.mesoraca16@gmail.com>
References: <1497286620-15027-1-git-send-email-s.mesoraca16@gmail.com>
Subject: [kernel-hardening] [PATCH 03/11] Creation of "usb_device_auth" LSM
	hook
X-Virus-Scanned: ClamAV using ClamSMTP

Creation of a new LSM hook that can be used to authorize or deauthorize
new USB devices via the usb authorization interface.
The same hook can also prevent the authorization of a USB device via
"/sys/bus/usb/devices/DEVICE/authorized".
Using this hook an LSM could provide an higher level of granularity
than the current authorization interface.

Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com>
Cc: linux-usb@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c    | 4 ++++
 drivers/usb/core/sysfs.c  | 6 +++++-
 include/linux/lsm_hooks.h | 6 ++++++
 include/linux/security.h  | 7 +++++++
 security/security.c       | 5 +++++
 5 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index b8bb20d..58be4f0 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -28,6 +28,7 @@
 #include <linux/mutex.h>
 #include <linux/random.h>
 #include <linux/pm_qos.h>
+#include <linux/security.h>
 
 #include <linux/uaccess.h>
 #include <asm/byteorder.h>
@@ -4831,6 +4832,9 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 		if (udev->quirks & USB_QUIRK_DELAY_INIT)
 			msleep(1000);
 
+		if (security_usb_device_auth(udev))
+			usb_deauthorize_device(udev);
+
 		/* consecutive bus-powered hubs aren't reliable; they can
 		 * violate the voltage drop budget.  if the new child has
 		 * a "powered" LED, users should notice we didn't enable it
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
index dfc68ed..fce9d39 100644
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -17,6 +17,7 @@
 #include <linux/usb.h>
 #include <linux/usb/quirks.h>
 #include <linux/of.h>
+#include <linux/security.h>
 #include "usb.h"
 
 /* Active configuration fields */
@@ -742,8 +743,11 @@ static ssize_t authorized_store(struct device *dev,
 		result = -EINVAL;
 	else if (val == 0)
 		result = usb_deauthorize_device(usb_dev);
-	else
+	else {
+		if (security_usb_device_auth(usb_dev))
+			return -EPERM;
 		result = usb_authorize_device(usb_dev);
+	}
 	return result < 0 ? result : size;
 }
 static DEVICE_ATTR_IGNORE_LOCKDEP(authorized, S_IRUGO | S_IWUSR,
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index bd274db..cc0937e 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1189,6 +1189,10 @@
  *	to the @parent process for tracing.
  *	@parent contains the task_struct structure for debugger process.
  *	Return 0 if permission is granted.
+ * @usb_device_auth:
+ *	Check if @udev device should be authorized or not.
+ *	@udev contains the usb_device structure for the USB device.
+ *	Return 0 if the device is allowed.
  * @capget:
  *	Get the @effective, @inheritable, and @permitted capability sets for
  *	the @target process.  The hook may also perform permission checking to
@@ -1352,6 +1356,7 @@
 	int (*ptrace_access_check)(struct task_struct *child,
 					unsigned int mode);
 	int (*ptrace_traceme)(struct task_struct *parent);
+	int (*usb_device_auth)(const struct usb_device *udev);
 	int (*capget)(struct task_struct *target, kernel_cap_t *effective,
 			kernel_cap_t *inheritable, kernel_cap_t *permitted);
 	int (*capset)(struct cred *new, const struct cred *old,
@@ -1670,6 +1675,7 @@ struct security_hook_heads {
 	struct list_head binder_transfer_file;
 	struct list_head ptrace_access_check;
 	struct list_head ptrace_traceme;
+	struct list_head usb_device_auth;
 	struct list_head capget;
 	struct list_head capset;
 	struct list_head capable;
diff --git a/include/linux/security.h b/include/linux/security.h
index af675b5..19bc364 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -30,6 +30,7 @@
 #include <linux/string.h>
 #include <linux/mm.h>
 #include <linux/fs.h>
+#include <linux/usb.h>
 
 struct linux_binprm;
 struct cred;
@@ -196,6 +197,7 @@ int security_binder_transfer_file(struct task_struct *from,
 				  struct task_struct *to, struct file *file);
 int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
 int security_ptrace_traceme(struct task_struct *parent);
+int security_usb_device_auth(const struct usb_device *udev);
 int security_capget(struct task_struct *target,
 		    kernel_cap_t *effective,
 		    kernel_cap_t *inheritable,
@@ -434,6 +436,11 @@ static inline int security_ptrace_traceme(struct task_struct *parent)
 	return cap_ptrace_traceme(parent);
 }
 
+static inline int security_usb_device_auth(const struct usb_device *udev)
+{
+	return 0;
+}
+
 static inline int security_capget(struct task_struct *target,
 				   kernel_cap_t *effective,
 				   kernel_cap_t *inheritable,
diff --git a/security/security.c b/security/security.c
index 42c8028..e390f99 100644
--- a/security/security.c
+++ b/security/security.c
@@ -214,6 +214,11 @@ int security_ptrace_traceme(struct task_struct *parent)
 	return call_int_hook(ptrace_traceme, 0, parent);
 }
 
+int security_usb_device_auth(const struct usb_device *udev)
+{
+	return call_int_hook(usb_device_auth, 0, udev);
+}
+
 int security_capget(struct task_struct *target,
 		     kernel_cap_t *effective,
 		     kernel_cap_t *inheritable,