From patchwork Mon Sep 11 19:50:26 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Salvatore Mesoraca <s.mesoraca16@gmail.com>
X-Patchwork-Id: 9948001
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B9A13603FB
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Mon, 11 Sep 2017 19:53:02 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AEE0728D35
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Mon, 11 Sep 2017 19:53:02 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A215928D3E; Mon, 11 Sep 2017 19:53:02 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, GAPPY_SUBJECT, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DF0D020223
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Mon, 11 Sep 2017 19:53:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751539AbdIKTwQ (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Mon, 11 Sep 2017 15:52:16 -0400
Received: from mail-wm0-f66.google.com ([74.125.82.66]:33539 "EHLO
	mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751472AbdIKTvv (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Mon, 11 Sep 2017 15:51:51 -0400
Received: by mail-wm0-f66.google.com with SMTP id 187so7728390wmn.0;
	Mon, 11 Sep 2017 12:51:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=mayClebeHm8dX2GGPLIz5GwvNlasb/xC7YDc5zKoWqg=;
	b=IaXBQFuarz0U74ZicabTng7C+g0XzxFreVE45KG71zJFML6hPSb+qSlI+lsywF3P3a
	ictC/MK7Q+i57nj6/0YSyqk0b4Ti1aLYzfOFJx6ExJSzHmVUTjbhFb53RGPVnQXTEEis
	l7oqk8WNbtKRdoifSKq+sIq3t4C5whXhOAlpJAdYQP7sj8hoTN++OTNh2xJBE4613KVb
	XJQlNW52hPYvR6XdG73fzdyZMmysgmL9mixuK69vgxeCfucrv8MVxL/YMzIifgD9jNzP
	ySBqQcH3LdTK0xkiWplVwk/a22+VaPucOmz3b8gkCqbDGCYIGFo+m8ZUjLmpQgC3uUlJ
	kA8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=mayClebeHm8dX2GGPLIz5GwvNlasb/xC7YDc5zKoWqg=;
	b=cXt3+auYtTRqOcslOF6j+132CkhpWhqH6ifkA+cX1nn2TqWza/mMY21Z4fZpsxm2xP
	Ong1ljclBMIHkJuqFU3iSRe6tjCZ3SVFCF5WLHvckqL6eZBg0lq0hIQhvMsjY84gfbUz
	GZwQjPJEvQc1W85cs9Q2Znf9Dm/T9b+1BE4fExT+r8rqyxLgbBTpxGHLMGzUKfe7oB+U
	nMWzt+7ccMCpSaaBLvNJfbuJDLUFu3T6o8f+P3Y+5OEIeYTOG0kJrl2/g09yyuX0VoLJ
	n34Ci1lRlGStN0eybMmF7DRAW1Z2vHsIjSQMJg2XJe2MtL/FI0oVXhWzDe+vwFq4DUzU
	ng7g==
X-Gm-Message-State: AHPjjUiz7/rCZSZSnNjFx2hJYAe55+OwKGsecGEl5z8eSwbmawCDYSsM
	vvQ1ZF/KUFXanWIvinkPp0oQaOBpntc=
X-Google-Smtp-Source: 
 AOwi7QC1eoLB0pYzSTAIU8dSM/T7NC6RIErzkYwTzIS2O9ijYxCdNMxsV1Y7vgm8Vd2LYy7AY1ZQ9Q==
X-Received: by 10.28.91.73 with SMTP id p70mr10140080wmb.13.1505159509895;
	Mon, 11 Sep 2017 12:51:49 -0700 (PDT)
Received: from localhost ([93.66.104.212]) by smtp.gmail.com with ESMTPSA id
	a39sm14663448wrc.48.2017.09.11.12.51.49
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 11 Sep 2017 12:51:49 -0700 (PDT)
From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	kernel-hardening@lists.openwall.com,
	Salvatore Mesoraca <s.mesoraca16@gmail.com>,
	Brad Spengler <spender@grsecurity.net>, PaX Team <pageexec@freemail.hu>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Kees Cook <keescook@chromium.org>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Subject: [RFC v3 8/9] Allowing for stacking procattr support in S.A.R.A.
Date: Mon, 11 Sep 2017 21:50:26 +0200
Message-Id: <1505159427-11747-9-git-send-email-s.mesoraca16@gmail.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1505159427-11747-1-git-send-email-s.mesoraca16@gmail.com>
References: <1505159427-11747-1-git-send-email-s.mesoraca16@gmail.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

This allow S.A.R.A. to use the procattr interface without interfering
with other LSMs.
This part should be reimplemented as soon as upstream procattr stacking
support is available.

Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com>
---
 fs/proc/base.c      | 38 ++++++++++++++++++++++++++++++++++++++
 security/security.c | 20 ++++++++++++++++++--
 2 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index e5d89a0..3b10452 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2559,6 +2559,40 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
 	.llseek		= generic_file_llseek,
 };
 
+#ifdef CONFIG_SECURITY_SARA
+static const struct pid_entry sara_attr_dir_stuff[] = {
+	REG("wxprot", 0666, proc_pid_attr_operations),
+};
+
+static int proc_sara_attr_dir_readdir(struct file *file,
+				      struct dir_context *ctx)
+{
+	return proc_pident_readdir(file, ctx,
+				   sara_attr_dir_stuff,
+				   ARRAY_SIZE(sara_attr_dir_stuff));
+}
+
+static const struct file_operations proc_sara_attr_dir_ops = {
+	.read		= generic_read_dir,
+	.iterate_shared	= proc_sara_attr_dir_readdir,
+	.llseek		= generic_file_llseek,
+};
+
+static struct dentry *proc_sara_attr_dir_lookup(struct inode *dir,
+				struct dentry *dentry, unsigned int flags)
+{
+	return proc_pident_lookup(dir, dentry,
+				  sara_attr_dir_stuff,
+				  ARRAY_SIZE(sara_attr_dir_stuff));
+};
+
+static const struct inode_operations proc_sara_attr_dir_inode_ops = {
+	.lookup		= proc_sara_attr_dir_lookup,
+	.getattr	= pid_getattr,
+	.setattr	= proc_setattr,
+};
+#endif /* CONFIG_SECURITY_SARA */
+
 static const struct pid_entry attr_dir_stuff[] = {
 	REG("current",    S_IRUGO|S_IWUGO, proc_pid_attr_operations),
 	REG("prev",       S_IRUGO,	   proc_pid_attr_operations),
@@ -2566,6 +2600,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
 	REG("fscreate",   S_IRUGO|S_IWUGO, proc_pid_attr_operations),
 	REG("keycreate",  S_IRUGO|S_IWUGO, proc_pid_attr_operations),
 	REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#ifdef CONFIG_SECURITY_SARA
+	DIR("sara", 0555, proc_sara_attr_dir_inode_ops,
+				proc_sara_attr_dir_ops),
+#endif
 };
 
 static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/security/security.c b/security/security.c
index 4f50dc5..a27cfa8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1277,12 +1277,28 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
 
 int security_getprocattr(struct task_struct *p, char *name, char **value)
 {
-	return call_int_hook(getprocattr, -EINVAL, p, name, value);
+	struct security_hook_list *hp;
+	int rc;
+
+	list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+		rc = hp->hook.getprocattr(p, name, value);
+		if (rc != -EINVAL)
+			return rc;
+	}
+	return -EINVAL;
 }
 
 int security_setprocattr(const char *name, void *value, size_t size)
 {
-	return call_int_hook(setprocattr, -EINVAL, name, value, size);
+	struct security_hook_list *hp;
+	int rc;
+
+	list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
+		rc = hp->hook.setprocattr(name, value, size);
+		if (rc != -EINVAL)
+			return rc;
+	}
+	return -EINVAL;
 }
 
 int security_netlink_send(struct sock *sk, struct sk_buff *skb)