From patchwork Sun Nov 26 22:16:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sargun Dhillon X-Patchwork-Id: 10075597 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B1C30602BD for ; Sun, 26 Nov 2017 22:16:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A31DB28AAC for ; Sun, 26 Nov 2017 22:16:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 97CF228AD3; Sun, 26 Nov 2017 22:16:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E8D9028AAC for ; Sun, 26 Nov 2017 22:16:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752219AbdKZWQY (ORCPT ); Sun, 26 Nov 2017 17:16:24 -0500 Received: from mail-io0-f194.google.com ([209.85.223.194]:42133 "EHLO mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752207AbdKZWQX (ORCPT ); Sun, 26 Nov 2017 17:16:23 -0500 Received: by mail-io0-f194.google.com with SMTP id u42so34316826ioi.9 for ; Sun, 26 Nov 2017 14:16:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=from:date:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=nJ9YS/bQyRyH1Wb5x1Epujpej/ygsJPjHIcSZKpYpqM=; b=WB6pLsJg+Ktwe8ArrgF64ouNB+hzRLdJixpDr03CPcKyFJNpBS8XlIKZJRWfYzhDZP BHbDw6lvCyHsFp2rGQzSJLFKtxhMvU6OeRCs1HCgluB2uvh1vbIoRSV4v0YTFn0FUUwm YL4Wc6xAJCHzHsxIIMDk8Qfd7AuqwQjt6eqQA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:date:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=nJ9YS/bQyRyH1Wb5x1Epujpej/ygsJPjHIcSZKpYpqM=; b=Jy144bRXEPHXD9KQGPFFLh5pk9HrUiueL/ICVBxdYdMdBJ1dzMkLsHR8QkQrdMA2t9 roRlY6SQh99p3HR0wFgteJMXyH3kSqD13Z5I3aaEEYgeCXy6mqkyS9CHGz/iJcv+f6Fw 4xHS3qSoyD81TEzf3CQGrapJ6LSsc5CWgjgqcup/nFMpeXTIj4CA++xv57nNDs6LeYmt n5aHCCE+TY+rAeWXanc2YBeTZRT/UI0oDYtlCMCCh1LvrXghpJy2IUzQL1q/y/dkRe5V Ez+jxVfGVvXaA3+l0smFhBoMOrgslGuwytzALhHlzk12I5LoZMw8gvBOdWZtCAI4G2FU +9FA== X-Gm-Message-State: AJaThX4Yv6A14ljPU7ZBdM4OdDbotkNyIGuEZyWRcgqh4x9aJ0zlj8OM qhNe7OA81IX03bGr2ziCv+BhoB7Wxtk= X-Google-Smtp-Source: AGs4zMYnKqaHXayHBa5ySTlW9EZZrJEKJ9Hlb9hN35BLAJJZcZkpFJWjZei+d7bb3N52jMx/rYkX0A== X-Received: by 10.107.20.21 with SMTP id 21mr41386959iou.116.1511734582340; Sun, 26 Nov 2017 14:16:22 -0800 (PST) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id m21sm26105itb.43.2017.11.26.14.16.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Nov 2017 14:16:22 -0800 (PST) From: Sargun Dhillon X-Google-Original-From: Sargun Dhillon Date: Sun, 26 Nov 2017 22:16:20 +0000 To: linux-security-module@vger.kernel.org Cc: keescook@chromium.org, igor.stoppa@huawei.com, casey@schaufler-ca.com, linux-kernel@vger.kernel.org Subject: [RFC 2/3] LSM: Add statistics about the invocation of dynamic hooks Message-ID: <20171126221619.GA13769@ircssh-2.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This patch builds on the dynamic hooks patch. With dynamic hooks, /sys/kernel/security/lsm doesn't really make a lot of sense, because the administrator is more likely interested in the per-hook modules. There is now a /sys/kernel/security/dynamic_hooks/${HOOK_NAME} which has the currently attached LSMs for that given hook. Not only does it list which LSMs are hooked into each dynamic hook, but it also lists the global accept / deny count, as well as the per-hook accept / deny count. The earlier is useful to keep consistent statistics across the attachment, and unattachment of LSMs. Signed-off-by: Sargun Dhillon --- security/Kconfig | 7 +++ security/Makefile | 1 + security/dynamic.h | 9 ++++ security/dynamicfs.c | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++ security/inode.c | 2 + 5 files changed, 137 insertions(+) create mode 100644 security/dynamicfs.c diff --git a/security/Kconfig b/security/Kconfig index 77841bd..d6c579d 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -94,6 +94,13 @@ config SECURITY_DYNAMIC_HOOKS They cannot circumvent the built-in LSMs. If you are unsure how to answer this question, answer N. +config SECURITY_DYNAMIC_HOOKS_FS + bool + default y if SECURITY_DYNAMIC_HOOKS && SECURITYFS + depends on SECURITY_DYNAMIC_HOOKS && SECURITYFS + help + This option enables listing of dynamically loaded LSM hooks. + config INTEL_TXT bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" depends on HAVE_INTEL_TXT diff --git a/security/Makefile b/security/Makefile index 59e695a..51cbec0 100644 --- a/security/Makefile +++ b/security/Makefile @@ -19,6 +19,7 @@ obj-$(CONFIG_MMU) += min_addr.o obj-$(CONFIG_SECURITY) += security.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_DYNAMIC_HOOKS) += dynamic.o +obj-$(CONFIG_SECURITY_DYNAMIC_HOOKS_FS) += dynamicfs.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ obj-$(CONFIG_AUDIT) += lsm_audit.o diff --git a/security/dynamic.h b/security/dynamic.h index 6823e38..1362b08 100644 --- a/security/dynamic.h +++ b/security/dynamic.h @@ -13,6 +13,9 @@ struct dynamic_hook { struct percpu_counter invocation; struct percpu_counter deny; const char *name; +#ifdef CONFIG_SECURITY_DYNAMIC_HOOKS_FS + struct dentry *dentry; +#endif struct list_head head; struct srcu_struct srcu; }; @@ -22,3 +25,9 @@ extern void security_init_dynamic_hooks(void); #else static void security_init_dynamic_hooks(void) {} #endif + +#ifdef CONFIG_SECURITY_DYNAMIC_HOOKS_FS +extern void securityfs_init_dynamic_hooks(void); +#else +static void securityfs_init_dynamic_hooks(void) {} +#endif diff --git a/security/dynamicfs.c b/security/dynamicfs.c new file mode 100644 index 0000000..a9292e2 --- /dev/null +++ b/security/dynamicfs.c @@ -0,0 +1,118 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include +#include +#include + +#include "dynamic.h" + +struct seq_private_data { + struct dynamic_hook *dh; + int srcu_lock_index; +}; + +static void *dynamic_hooks_sop_start(struct seq_file *s, loff_t *pos) +{ + struct seq_private_data *pd = s->private; + + pd->srcu_lock_index = srcu_read_lock(&pd->dh->srcu); + return seq_list_start_head(&pd->dh->head, *pos); +} + +static void *dynamic_hooks_sop_next(struct seq_file *s, void *v, loff_t *pos) +{ + struct seq_private_data *pd = s->private; + + return seq_list_next(v, &pd->dh->head, pos); +} + +static int dynamic_hooks_sop_show(struct seq_file *s, void *v) +{ + struct seq_private_data *pd = s->private; + struct dynamic_security_hook *dsh; + + if (v == (void *)&pd->dh->head) { + seq_puts(s, "name\tinvocations\tdenies\n"); + seq_printf(s, "all\t%lld\t%lld\n", + percpu_counter_sum(&pd->dh->invocation), + percpu_counter_sum(&pd->dh->deny)); + return 0; + } + + dsh = list_entry(v, typeof(*dsh), list); + seq_printf(s, "%s\t%lld\t%lld\n", dsh->lsm, + percpu_counter_sum(&dsh->invocation), + percpu_counter_sum(&dsh->deny)); + + return 0; +} + +static void dynamic_hooks_sop_stop(struct seq_file *s, void *v) +{ + struct seq_private_data *pd = s->private; + + srcu_read_unlock(&pd->dh->srcu, pd->srcu_lock_index); +} + +static const struct seq_operations dynamic_hooks_sops = { + .start = dynamic_hooks_sop_start, + .next = dynamic_hooks_sop_next, + .show = dynamic_hooks_sop_show, + .stop = dynamic_hooks_sop_stop, +}; + +static int security_dynamic_hook_open(struct inode *inode, struct file *file) +{ + struct seq_private_data *pd; + + pd = (struct seq_private_data *)__seq_open_private(file, + &dynamic_hooks_sops, + sizeof(*pd)); + + if (!pd) + return -ENOMEM; + + pd->dh = inode->i_private; + + return 0; +} + +static const struct file_operations dynamic_hooks_fops = { + .open = security_dynamic_hook_open, + .read = seq_read, + .llseek = seq_lseek, + .release = seq_release, +}; + +static struct dentry *dynamic_hooks_dir; +void securityfs_init_dynamic_hooks(void) +{ + struct dynamic_hook *dh; + int i; + + dynamic_hooks_dir = securityfs_create_dir("dynamic_hooks", NULL); + if (IS_ERR(dynamic_hooks_dir)) { + pr_err("Unable to create dynamic hooks LSM directory - %ld\n", + PTR_ERR(dynamic_hooks_dir)); + return; + } + + for (i = 0; i < __MAX_DYNAMIC_SECURITY_HOOK; i++) { + + dh = &dynamic_hooks[i]; + dh->dentry = securityfs_create_file(dh->name, 0444, + dynamic_hooks_dir, dh, + &dynamic_hooks_fops); + if (IS_ERR(dh->dentry)) + goto err; + } + return; + +err: + pr_err("Unable to create dynamic hook directory - %s - %ld\n", + dh->name, PTR_ERR(dh->dentry)); +} diff --git a/security/inode.c b/security/inode.c index 8dd9ca8..0862be1 100644 --- a/security/inode.c +++ b/security/inode.c @@ -22,6 +22,7 @@ #include #include #include +#include "dynamic.h" static struct vfsmount *mount; static int mount_count; @@ -335,6 +336,7 @@ static int __init securityfs_init(void) sysfs_remove_mount_point(kernel_kobj, "security"); return retval; } + securityfs_init_dynamic_hooks(); #ifdef CONFIG_SECURITY lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL, &lsm_ops);