From patchwork Tue Feb 27 00:41:11 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 10244027 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3F57360384 for ; Tue, 27 Feb 2018 00:43:52 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2D3822A43D for ; Tue, 27 Feb 2018 00:43:52 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2128E2A4FD; Tue, 27 Feb 2018 00:43:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 9934C2A43D for ; Tue, 27 Feb 2018 00:43:50 +0000 (UTC) Received: (qmail 7267 invoked by uid 550); 27 Feb 2018 00:42:34 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 5921 invoked from network); 27 Feb 2018 00:42:28 -0000 From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: linux-kernel@vger.kernel.org Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Alexei Starovoitov , Andy Lutomirski , Arnaldo Carvalho de Melo , Casey Schaufler , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Michael Kerrisk , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Tycho Andersen , Will Drewry , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, Alexander Viro , James Morris , John Johansen , Stephen Smalley , Tetsuo Handa , linux-fsdevel@vger.kernel.org Subject: [PATCH bpf-next v8 01/11] fs, security: Add a security blob to nameidata Date: Tue, 27 Feb 2018 01:41:11 +0100 Message-Id: <20180227004121.3633-2-mic@digikod.net> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180227004121.3633-1-mic@digikod.net> References: <20180227004121.3633-1-mic@digikod.net> MIME-Version: 1.0 X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 X-Virus-Scanned: ClamAV using ClamSMTP The function current_nameidata_security(struct inode *) can be used to retrieve a blob's pointer address tied to the inode being walk through. This enable to follow a path lookup and know where an inode access come from. This is needed for the Landlock LSM to be able to restrict access to file path. The LSM hook nameidata_free_security(struct inode *) is called before freeing the associated nameidata. Signed-off-by: Mickaël Salaün Cc: Alexander Viro Cc: Casey Schaufler Cc: James Morris Cc: John Johansen Cc: Kees Cook Cc: Paul Moore Cc: "Serge E. Hallyn" Cc: Stephen Smalley Cc: Tetsuo Handa Cc: linux-fsdevel@vger.kernel.org --- fs/namei.c | 39 +++++++++++++++++++++++++++++++++++++++ include/linux/lsm_hooks.h | 7 +++++++ include/linux/namei.h | 14 +++++++++++++- include/linux/security.h | 7 +++++++ security/security.c | 7 +++++++ 5 files changed, 73 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 921ae32dbc80..d592b3fb0d1e 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -505,6 +505,9 @@ struct nameidata { struct inode *link_inode; unsigned root_seq; int dfd; +#ifdef CONFIG_SECURITY + struct nameidata_lookup lookup; +#endif } __randomize_layout; static void set_nameidata(struct nameidata *p, int dfd, struct filename *name) @@ -515,6 +518,9 @@ static void set_nameidata(struct nameidata *p, int dfd, struct filename *name) p->name = name; p->total_link_count = old ? old->total_link_count : 0; p->saved = old; +#ifdef CONFIG_SECURITY + p->lookup.security = NULL; +#endif current->nameidata = p; } @@ -522,6 +528,7 @@ static void restore_nameidata(void) { struct nameidata *now = current->nameidata, *old = now->saved; + security_nameidata_put_lookup(&now->lookup, now->inode); current->nameidata = old; if (old) old->total_link_count = now->total_link_count; @@ -549,6 +556,27 @@ static int __nd_alloc_stack(struct nameidata *nd) return 0; } +#ifdef CONFIG_SECURITY +/** + * current_nameidata_lookup - get the state of the current path walk + * + * @inode: inode associated to the path walk + * + * Used by LSM modules for access restriction based on path walk. The LSM is in + * charge of the lookup->security blob allocation and management. The hook + * security_nameidata_put_lookup() will be called after the path walk end. + * + * Return ERR_PTR(-ENOENT) if there is no match. + */ +struct nameidata_lookup *current_nameidata_lookup(const struct inode *inode) +{ + if (!current->nameidata || current->nameidata->inode != inode) + return ERR_PTR(-ENOENT); + return ¤t->nameidata->lookup; +} +EXPORT_SYMBOL(current_nameidata_lookup); +#endif + /** * path_connected - Verify that a path->dentry is below path->mnt.mnt_root * @path: nameidate to verify @@ -2009,6 +2037,13 @@ static inline u64 hash_name(const void *salt, const char *name) #endif +static inline void refresh_lookup(struct nameidata *nd) +{ +#ifdef CONFIG_SECURITY + nd->lookup.type = nd->last_type; +#endif +} + /* * Name resolution. * This is the basic name resolution function, turning a pathname into @@ -2025,6 +2060,8 @@ static int link_path_walk(const char *name, struct nameidata *nd) name++; if (!*name) return 0; + /* be ready for may_lookup() */ + refresh_lookup(nd); /* At this point we know we have a real path component. */ for(;;) { @@ -2064,6 +2101,8 @@ static int link_path_walk(const char *name, struct nameidata *nd) nd->last.hash_len = hash_len; nd->last.name = name; nd->last_type = type; + /* be ready for the next security_inode_permission() */ + refresh_lookup(nd); name += hashlen_len(hash_len); if (!*name) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7161d8e7ee79..d71cf183f0be 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -428,6 +428,10 @@ * security module does not know about attribute or a negative error code * to abort the copy up. Note that the caller is responsible for reading * and writing the xattrs as this hook is merely a filter. + * @nameidata_put_lookup: + * Deallocate and clear the current's nameidata->lookup.security field. + * @lookup->security contains the security structure to be freed. + * @inode is the last associated inode to the path walk * * Security hooks for file operations * @@ -1514,6 +1518,8 @@ union security_list_options { void (*inode_getsecid)(struct inode *inode, u32 *secid); int (*inode_copy_up)(struct dentry *src, struct cred **new); int (*inode_copy_up_xattr)(const char *name); + void (*nameidata_put_lookup)(struct nameidata_lookup *lookup, + struct inode *inode); int (*file_permission)(struct file *file, int mask); int (*file_alloc_security)(struct file *file); @@ -1805,6 +1811,7 @@ struct security_hook_heads { struct list_head inode_getsecid; struct list_head inode_copy_up; struct list_head inode_copy_up_xattr; + struct list_head nameidata_put_lookup; struct list_head file_permission; struct list_head file_alloc_security; struct list_head file_free_security; diff --git a/include/linux/namei.h b/include/linux/namei.h index a982bb7cd480..ba08cbb41f97 100644 --- a/include/linux/namei.h +++ b/include/linux/namei.h @@ -14,7 +14,19 @@ enum { MAX_NESTED_LINKS = 8 }; /* * Type of the last component on LOOKUP_PARENT */ -enum {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT, LAST_BIND}; +enum namei_type {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT, LAST_BIND}; + +#ifdef CONFIG_SECURITY +struct nameidata_lookup { + void *security; + enum namei_type type; +}; + +struct inode; + +extern struct nameidata_lookup *current_nameidata_lookup( + const struct inode *inode); +#endif /* * The bitmask for a lookup event: diff --git a/include/linux/security.h b/include/linux/security.h index 73f1ef625d40..b1fd4370daf8 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -31,6 +31,7 @@ #include #include #include +#include struct linux_binprm; struct cred; @@ -302,6 +303,8 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer void security_inode_getsecid(struct inode *inode, u32 *secid); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); +void security_nameidata_put_lookup(struct nameidata_lookup *lookup, + struct inode *inode); int security_file_permission(struct file *file, int mask); int security_file_alloc(struct file *file); void security_file_free(struct file *file); @@ -808,6 +811,10 @@ static inline int security_inode_copy_up_xattr(const char *name) return -EOPNOTSUPP; } +static inline void security_nameidata_put_lookup( + struct nameidata_lookup *lookup, struct inode *inode) +{ } + static inline int security_file_permission(struct file *file, int mask) { return 0; diff --git a/security/security.c b/security/security.c index 1cd8526cb0b7..17053c7a1a77 100644 --- a/security/security.c +++ b/security/security.c @@ -857,6 +857,13 @@ int security_inode_copy_up_xattr(const char *name) } EXPORT_SYMBOL(security_inode_copy_up_xattr); +void security_nameidata_put_lookup(struct nameidata_lookup *lookup, + struct inode *inode) +{ + call_void_hook(nameidata_put_lookup, lookup, inode); +} +EXPORT_SYMBOL(security_nameidata_put_lookup); + int security_file_permission(struct file *file, int mask) { int ret;