From patchwork Fri May 5 10:10:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sebastien Buisson X-Patchwork-Id: 9713279 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6440D60362 for ; Fri, 5 May 2017 10:11:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5384C28624 for ; Fri, 5 May 2017 10:11:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 47436286B3; Fri, 5 May 2017 10:11:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 42A0828624 for ; Fri, 5 May 2017 10:11:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752524AbdEEKLM (ORCPT ); Fri, 5 May 2017 06:11:12 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:34663 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751453AbdEEKLL (ORCPT ); Fri, 5 May 2017 06:11:11 -0400 Received: by mail-pf0-f195.google.com with SMTP id d1so213879pfe.1; Fri, 05 May 2017 03:11:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=TCCXRCtIqBdSI+5l32HFRIlRwb8kOF9ZUhUH+vWxBHI=; b=o8kAxqurgHd9OmoZS7EbFE8BPSiuWgtgdgj4bFLMS6VIe2r0081zZSXgpEKN+dg0HF lgMbNt6U/YCfs6ttg67U8fseVIp8AzEl35UBZHJK95yDq14d+bFyZY4sKaLFyawBz7a/ Ithie1wysq8lPZWglgOUGPKZFBOUKRO8+BRQuKlqR74hnuCyofOpgI6TOcYXzb8vwWRj aPaVKYQHAv6542L1rc5q7DTpy7FGX6a6Qlu0aWuNOPtA4GWDD9/qNAln/bigj5gIgStz 3wi6Qa078nNniqmS0OQAsyp8w4UW0PS1hARkoh6DuCVSYTnUK9xp6rSY+33oaPwWBOrd r9uQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=TCCXRCtIqBdSI+5l32HFRIlRwb8kOF9ZUhUH+vWxBHI=; b=Fqq1gOzeprisBszeg93BHfVq+4uVZAWGqQk1ktLS9ZnFYgZudl7t9lD1c0PnedZprB gRMFissqUvn0LRCBglDNjVJr1FteUTgD/ocXIQx9cB/osiQ+s9DZ91ApvXEuFsN/rIhd WjicNX8Q/pz3bvwj3vM9oL2CexVV6IR2opqt9YxhmLEwweecEuEdRocwgxUQ7jV2cGyc hjOmTAsn4wScMbXVrg0gOY7ODIKP6ZlcAz2ePlcXXvhDVsIYioc1IF+I7Bx6C0dgC8Br XVVHzY6VBB8qeDk13MaS3ngwJQkIon9AxIpDpmaM/m0rfS5QmjK0CUzDjtctFob++V79 dmRg== X-Gm-Message-State: AN3rC/7KBFYmil0/HIJdOriRJRajV48BeCSAXdQCMOHGOzi+w4FDBher iGd0hHFzBLhW4w== X-Received: by 10.98.17.92 with SMTP id z89mr16224414pfi.185.1493979070240; Fri, 05 May 2017 03:11:10 -0700 (PDT) Received: from ltest-vm7.localdomain (fs276ec80e.tkyc203.ap.nuro.jp. [39.110.200.14]) by smtp.gmail.com with ESMTPSA id m125sm8599687pfc.3.2017.05.05.03.11.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 May 2017 03:11:08 -0700 (PDT) From: Sebastien Buisson X-Google-Original-From: Sebastien Buisson To: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov Cc: serge@hallyn.com, james.l.morris@oracle.com, eparis@parisplace.org, sds@tycho.nsa.gov, paul@paul-moore.com, Sebastien Buisson Subject: [PATCH v2 1/2] selinux: add brief info to policydb Date: Fri, 5 May 2017 19:10:52 +0900 Message-Id: <1493979053-16691-1-git-send-email-sbuisson@ddn.com> X-Mailer: git-send-email 1.8.3.1 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Add policybrief field to struct policydb. It holds a brief info of the policydb, in the following form: <0 or 1 for enforce>:<0 or 1 for checkreqprot>:= Policy brief is computed every time the policy is loaded, and when enforce or checkreqprot are changed. Add security_policy_brief hook to give access to policy brief to the rest of the kernel. Lustre client makes use of this information. Signed-off-by: Sebastien Buisson --- include/linux/lsm_hooks.h | 2 + include/linux/security.h | 7 ++++ security/security.c | 6 +++ security/selinux/hooks.c | 11 +++++- security/selinux/include/security.h | 2 + security/selinux/selinuxfs.c | 6 ++- security/selinux/ss/policydb.c | 70 +++++++++++++++++++++++++++++++++++ security/selinux/ss/policydb.h | 3 ++ security/selinux/ss/services.c | 73 +++++++++++++++++++++++++++++++++++++ 9 files changed, 178 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 080f34e..7139a07 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1568,6 +1568,7 @@ int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen); int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen); + int (*policy_brief)(char **brief, size_t *len, bool alloc); #ifdef CONFIG_SECURITY_NETWORK int (*unix_stream_connect)(struct sock *sock, struct sock *other, struct sock *newsk); @@ -1813,6 +1814,7 @@ struct security_hook_heads { struct list_head inode_notifysecctx; struct list_head inode_setsecctx; struct list_head inode_getsecctx; + struct list_head policy_brief; #ifdef CONFIG_SECURITY_NETWORK struct list_head unix_stream_connect; struct list_head unix_may_send; diff --git a/include/linux/security.h b/include/linux/security.h index af675b5..3b72053 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -377,6 +377,8 @@ int security_sem_semop(struct sem_array *sma, struct sembuf *sops, int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + +int security_policy_brief(char **brief, size_t *len, bool alloc); #else /* CONFIG_SECURITY */ struct security_mnt_opts { }; @@ -1166,6 +1168,11 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 { return -EOPNOTSUPP; } + +static inline int security_policy_brief(char **brief, size_t *len, bool alloc) +{ + return -EOPNOTSUPP; +} #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK diff --git a/security/security.c b/security/security.c index b9fea39..954b391 100644 --- a/security/security.c +++ b/security/security.c @@ -1285,6 +1285,12 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) } EXPORT_SYMBOL(security_inode_getsecctx); +int security_policy_brief(char **brief, size_t *len, bool alloc) +{ + return call_int_hook(policy_brief, -EOPNOTSUPP, brief, len, alloc); +} +EXPORT_SYMBOL(security_policy_brief); + #ifdef CONFIG_SECURITY_NETWORK int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e67a526..b4dd605 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -104,8 +104,10 @@ static int __init enforcing_setup(char *str) { unsigned long enforcing; - if (!kstrtoul(str, 0, &enforcing)) + if (!kstrtoul(str, 0, &enforcing)) { selinux_enforcing = enforcing ? 1 : 0; + security_policydb_update_info(NULL); + } return 1; } __setup("enforcing=", enforcing_setup); @@ -6063,6 +6065,11 @@ static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) *ctxlen = len; return 0; } + +static int selinux_policy_brief(char **brief, size_t *len, bool alloc) +{ + return security_policydb_brief(brief, len, alloc); +} #ifdef CONFIG_KEYS static int selinux_key_alloc(struct key *k, const struct cred *cred, @@ -6277,6 +6284,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), + LSM_HOOK_INIT(policy_brief, selinux_policy_brief), + LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index f979c35..167e274 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -97,6 +97,8 @@ enum { int security_load_policy(void *data, size_t len); int security_read_policy(void **data, size_t *len); size_t security_policydb_len(void); +int security_policydb_brief(char **brief, size_t *len, bool alloc); +void security_policydb_update_info(void *p); int security_policycap_supported(unsigned int req_cap); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index ce71718..b959ee7 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -55,8 +55,10 @@ static int __init checkreqprot_setup(char *str) { unsigned long checkreqprot; - if (!kstrtoul(str, 0, &checkreqprot)) + if (!kstrtoul(str, 0, &checkreqprot)) { selinux_checkreqprot = checkreqprot ? 1 : 0; + security_policydb_update_info(NULL); + } return 1; } __setup("checkreqprot=", checkreqprot_setup); @@ -159,6 +161,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current)); selinux_enforcing = new_value; + security_policydb_update_info(NULL); if (selinux_enforcing) avc_ss_reset(0); selnl_notify_setenforce(selinux_enforcing); @@ -621,6 +624,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, goto out; selinux_checkreqprot = new_value ? 1 : 0; + security_policydb_update_info(NULL); length = count; out: kfree(page); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 0080122..9eb2f82 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -32,6 +32,8 @@ #include #include #include +#include +#include #include "security.h" #include "policydb.h" @@ -879,6 +881,8 @@ void policydb_destroy(struct policydb *p) ebitmap_destroy(&p->filename_trans_ttypes); ebitmap_destroy(&p->policycaps); ebitmap_destroy(&p->permissive_map); + + kfree(p->policybrief); } /* @@ -2220,6 +2224,67 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, } /* + * Compute summary of a policy database binary representation file, + * and store it into a policy database structure. + */ +static int policydb_brief(struct policydb *policydb, void *ptr) +{ + struct policy_file *fp = ptr; + struct crypto_shash *tfm; + char hashalg[] = "sha256"; + int hashsize = SHA256_DIGEST_SIZE; + char hashval[hashsize]; + int idx; + unsigned char *p; + + if (policydb->policybrief) + return -EINVAL; + + tfm = crypto_alloc_shash(hashalg, 0, 0); + if (IS_ERR(tfm)) { + printk(KERN_ERR "Failed to alloc crypto hash %s\n", hashalg); + return PTR_ERR(tfm); + } + + { + int rc; + + SHASH_DESC_ON_STACK(desc, tfm); + desc->tfm = tfm; + desc->flags = 0; + rc = crypto_shash_init(desc); + if (rc) { + printk(KERN_ERR "Failed to init shash\n"); + crypto_free_shash(tfm); + return rc; + } + + crypto_shash_update(desc, fp->data, fp->len); + crypto_shash_final(desc, hashval); + crypto_free_shash(tfm); + } + + /* policy brief is in the form: + * <0 or 1 for enforce>:<0 or 1 for checkreqprot>:= + */ + policydb->policybrief = kzalloc(5 + strlen(hashalg) + 2*hashsize + 1, + GFP_KERNEL); + if (policydb->policybrief == NULL) + return -ENOMEM; + + sprintf(policydb->policybrief, "x:x:%s=", hashalg); + security_policydb_update_info(policydb); + p = policydb->policybrief + strlen(policydb->policybrief); + for (idx = 0; idx < hashsize; idx++) { + snprintf(p, 3, "%02x", (unsigned char)(hashval[idx])); + p += 2; + } + policydb->policybrief_len = (size_t)(p - policydb->policybrief); + + return 0; +} + +/* * Read the configuration data from a policy database binary * representation file into a policy database structure. */ @@ -2238,6 +2303,11 @@ int policydb_read(struct policydb *p, void *fp) if (rc) return rc; + /* Compute sumarry of policy, and store it in policydb */ + rc = policydb_brief(p, fp); + if (rc) + goto bad; + /* Read the magic number and string length. */ rc = next_entry(buf, fp, sizeof(u32) * 2); if (rc) diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 725d594..1fca438 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -293,6 +293,9 @@ struct policydb { size_t len; unsigned int policyvers; + /* summary computed on the policy */ + unsigned char *policybrief; + size_t policybrief_len; unsigned int reject_unknown : 1; unsigned int allow_unknown : 1; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 60d9b02..9a94f8e 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2170,6 +2170,79 @@ size_t security_policydb_len(void) } /** + * security_policydb_brief - Get policydb brief + * @brief: pointer to buffer holding brief + * @len: in: brief buffer length if no alloc, out: brief string len + * @alloc: whether to allocate buffer for brief or not + * + * On success 0 is returned , or negative value on error. + **/ +int security_policydb_brief(char **brief, size_t *len, bool alloc) +{ + int rc = 0; + size_t policybrief_len; + + if (brief == NULL) + return -EINVAL; + + read_lock(&policy_rwlock); + policybrief_len = policydb.policybrief_len; + if (policydb.policybrief == NULL) + rc = -EAGAIN; + read_unlock(&policy_rwlock); + + if (rc) + return rc; + + if (alloc) + /* *brief must be kfreed by caller in this case */ + *brief = kzalloc(policybrief_len + 1, GFP_KERNEL); + else + /* + * if !alloc, caller must pass a buffer that + * can hold policybrief_len+1 chars + */ + if (*len < policybrief_len + 1) { + /* put in *len the string size we need to write */ + *len = policybrief_len; + return -ENAMETOOLONG; + } + + if (*brief == NULL) + return -ENOMEM; + + read_lock(&policy_rwlock); + strncpy(*brief, policydb.policybrief, policydb.policybrief_len); + *len = policydb.policybrief_len; + read_unlock(&policy_rwlock); + + return rc; +} + +void security_policydb_update_info(void *p) +{ + /* policy brief is in the form: + * <0 or 1 for enforce>:<0 or 1 for checkreqprot>:= + */ + if (p) { + struct policydb *poldb = p; + /* update policydb given as parameter if possible */ + if (poldb->policybrief) { + poldb->policybrief[0] = '0' + selinux_enforcing; + poldb->policybrief[2] = '0' + selinux_checkreqprot; + } + } else { + /* update global policydb, needs write lock */ + write_lock_irq(&policy_rwlock); + if (policydb.policybrief) { + policydb.policybrief[0] = '0' + selinux_enforcing; + policydb.policybrief[2] = '0' + selinux_checkreqprot; + } + write_unlock_irq(&policy_rwlock); + } +} + +/** * security_port_sid - Obtain the SID for a port. * @protocol: protocol number * @port: port number