Message ID | 20191113181925.2437-15-casey@schaufler-ca.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v11,01/25] LSM: Infrastructure management of the sock security | expand |
On 11/13/19 10:19 AM, Casey Schaufler wrote: > Add a new lsmcontext data structure to hold all the information > about a "security context", including the string, its size and > which LSM allocated the string. The allocation information is > necessary because LSMs have different policies regarding the > lifecycle of these strings. SELinux allocates and destroys > them on each use, whereas Smack provides a pointer to an entry > in a list that never goes away. > > Reviewed-by: Kees Cook <keescook@chromium.org> > Reviewed-by: John Johansen <john.johansen@canonical.com> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > cc: linux-integrity@vger.kernel.org > cc: netdev@vger.kernel.org Acked-by: John Johansen <john.johansen@canonical.com> > --- > drivers/android/binder.c | 10 +++++-- > fs/ceph/xattr.c | 6 +++- > fs/nfs/nfs4proc.c | 8 +++-- > fs/nfsd/nfs4xdr.c | 7 +++-- > include/linux/security.h | 39 +++++++++++++++++++++++-- > include/net/scm.h | 5 +++- > kernel/audit.c | 14 ++++++--- > kernel/auditsc.c | 12 ++++++-- > net/ipv4/ip_sockglue.c | 4 ++- > net/netfilter/nf_conntrack_netlink.c | 4 ++- > net/netfilter/nf_conntrack_standalone.c | 4 ++- > net/netfilter/nfnetlink_queue.c | 13 ++++++--- > net/netlabel/netlabel_unlabeled.c | 19 +++++++++--- > net/netlabel/netlabel_user.c | 4 ++- > security/security.c | 18 ++++++++---- > security/smack/smack_lsm.c | 14 ++++++--- > 16 files changed, 141 insertions(+), 40 deletions(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index 3a7fcdc8dbe2..49b84b6fafd9 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -2865,6 +2865,7 @@ static void binder_transaction(struct binder_proc *proc, > int t_debug_id = atomic_inc_return(&binder_last_id); > char *secctx = NULL; > u32 secctx_sz = 0; > + struct lsmcontext scaff; /* scaffolding */ > > e = binder_transaction_log_add(&binder_transaction_log); > e->debug_id = t_debug_id; > @@ -3161,7 +3162,8 @@ static void binder_transaction(struct binder_proc *proc, > t->security_ctx = 0; > WARN_ON(1); > } > - security_release_secctx(secctx, secctx_sz); > + lsmcontext_init(&scaff, secctx, secctx_sz, 0); > + security_release_secctx(&scaff); > secctx = NULL; > } > t->buffer->debug_id = t->debug_id; > @@ -3494,8 +3496,10 @@ static void binder_transaction(struct binder_proc *proc, > binder_alloc_free_buf(&target_proc->alloc, t->buffer); > err_binder_alloc_buf_failed: > err_bad_extra_size: > - if (secctx) > - security_release_secctx(secctx, secctx_sz); > + if (secctx) { > + lsmcontext_init(&scaff, secctx, secctx_sz, 0); > + security_release_secctx(&scaff); > + } > err_get_secctx_failed: > kfree(tcomplete); > binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index cb18ee637cb7..ad501b5cad2c 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1271,12 +1271,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, > > void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) > { > +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL > + struct lsmcontext scaff; /* scaffolding */ > +#endif > #ifdef CONFIG_CEPH_FS_POSIX_ACL > posix_acl_release(as_ctx->acl); > posix_acl_release(as_ctx->default_acl); > #endif > #ifdef CONFIG_CEPH_FS_SECURITY_LABEL > - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); > + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); > + security_release_secctx(&scaff); > #endif > if (as_ctx->pagelist) > ceph_pagelist_release(as_ctx->pagelist); > diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c > index caacf5e7f5e1..74e9f4b7cc07 100644 > --- a/fs/nfs/nfs4proc.c > +++ b/fs/nfs/nfs4proc.c > @@ -131,8 +131,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, > static inline void > nfs4_label_release_security(struct nfs4_label *label) > { > - if (label) > - security_release_secctx(label->label, label->len); > + struct lsmcontext scaff; /* scaffolding */ > + > + if (label) { > + lsmcontext_init(&scaff, label->label, label->len, 0); > + security_release_secctx(&scaff); > + } > } > static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) > { > diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c > index 533d0fc3c96b..b17aad082bde 100644 > --- a/fs/nfsd/nfs4xdr.c > +++ b/fs/nfsd/nfs4xdr.c > @@ -2421,6 +2421,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, > int err; > struct nfs4_acl *acl = NULL; > #ifdef CONFIG_NFSD_V4_SECURITY_LABEL > + struct lsmcontext scaff; /* scaffolding */ > void *context = NULL; > int contextlen; > #endif > @@ -2923,8 +2924,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, > > out: > #ifdef CONFIG_NFSD_V4_SECURITY_LABEL > - if (context) > - security_release_secctx(context, contextlen); > + if (context) { > + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ > + security_release_secctx(&scaff); > + } > #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ > kfree(acl); > if (tempfh) { > diff --git a/include/linux/security.h b/include/linux/security.h > index f7bc7aef95cb..9bb11d9f1348 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -126,6 +126,41 @@ enum lockdown_reason { > LOCKDOWN_CONFIDENTIALITY_MAX, > }; > > +/* > + * A "security context" is the text representation of > + * the information used by LSMs. > + * This structure contains the string, its length, and which LSM > + * it is useful for. > + */ > +struct lsmcontext { > + char *context; /* Provided by the module */ > + u32 len; > + int slot; /* Identifies the module */ > +}; > + > +/** > + * lsmcontext_init - initialize an lsmcontext structure. > + * @cp: Pointer to the context to initialize > + * @context: Initial context, or NULL > + * @size: Size of context, or 0 > + * @slot: Which LSM provided the context > + * > + * Fill in the lsmcontext from the provided information. > + * This is a scaffolding function that will be removed when > + * lsmcontext integration is complete. > + */ > +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, > + u32 size, int slot) > +{ > + cp->slot = slot; > + cp->context = context; > + > + if (context == NULL || size == 0) > + cp->len = 0; > + else > + cp->len = strlen(context); > +} > + > /* > * Data exported by the security modules > * > @@ -496,7 +531,7 @@ int security_ismaclabel(const char *name); > int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); > int security_secctx_to_secid(const char *secdata, u32 seclen, > struct lsmblob *blob); > -void security_release_secctx(char *secdata, u32 seclen); > +void security_release_secctx(struct lsmcontext *cp); > void security_inode_invalidate_secctx(struct inode *inode); > int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); > int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); > @@ -1310,7 +1345,7 @@ static inline int security_secctx_to_secid(const char *secdata, > return -EOPNOTSUPP; > } > > -static inline void security_release_secctx(char *secdata, u32 seclen) > +static inline void security_release_secctx(struct lsmcontext *cp) > { > } > > diff --git a/include/net/scm.h b/include/net/scm.h > index 31ae605fcc0a..30ba801c91bd 100644 > --- a/include/net/scm.h > +++ b/include/net/scm.h > @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, > #ifdef CONFIG_SECURITY_NETWORK > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > { > + struct lsmcontext context; > char *secdata; > u32 seclen; > int err; > @@ -102,7 +103,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > > if (!err) { > put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); > - security_release_secctx(secdata, seclen); > + /*scaffolding*/ > + lsmcontext_init(&context, secdata, seclen, 0); > + security_release_secctx(&context); > } > } > } > diff --git a/kernel/audit.c b/kernel/audit.c > index ba9f78e36d1e..35970e7191b6 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -1180,6 +1180,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > struct audit_sig_info *sig_data; > char *ctx = NULL; > u32 len; > + struct lsmcontext scaff; /* scaffolding */ > > err = audit_netlink_ok(skb, msg_type); > if (err) > @@ -1424,15 +1425,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > } > sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); > if (!sig_data) { > - if (lsmblob_is_set(&audit_sig_lsm)) > - security_release_secctx(ctx, len); > + if (lsmblob_is_set(&audit_sig_lsm)) { > + lsmcontext_init(&scaff, ctx, len, 0); > + security_release_secctx(&scaff); > + } > return -ENOMEM; > } > sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); > sig_data->pid = audit_sig_pid; > if (lsmblob_is_set(&audit_sig_lsm)) { > memcpy(sig_data->ctx, ctx, len); > - security_release_secctx(ctx, len); > + lsmcontext_init(&scaff, ctx, len, 0); > + security_release_secctx(&scaff); > } > audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, > sig_data, sizeof(*sig_data) + len); > @@ -2061,6 +2065,7 @@ int audit_log_task_context(struct audit_buffer *ab) > unsigned len; > int error; > struct lsmblob blob; > + struct lsmcontext scaff; /* scaffolding */ > > security_task_getsecid(current, &blob); > if (!lsmblob_is_set(&blob)) > @@ -2074,7 +2079,8 @@ int audit_log_task_context(struct audit_buffer *ab) > } > > audit_log_format(ab, " subj=%s", ctx); > - security_release_secctx(ctx, len); > + lsmcontext_init(&scaff, ctx, len, 0); > + security_release_secctx(&scaff); > return 0; > > error_path: > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index c1e3ac8eb1ad..8790e7aafa7d 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -962,6 +962,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, > struct lsmblob *blob, char *comm) > { > struct audit_buffer *ab; > + struct lsmcontext lsmcxt; > char *ctx = NULL; > u32 len; > int rc = 0; > @@ -979,7 +980,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, > rc = 1; > } else { > audit_log_format(ab, " obj=%s", ctx); > - security_release_secctx(ctx, len); > + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ > + security_release_secctx(&lsmcxt); > } > } > audit_log_format(ab, " ocomm="); > @@ -1192,6 +1194,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) > > static void show_special(struct audit_context *context, int *call_panic) > { > + struct lsmcontext lsmcxt; > struct audit_buffer *ab; > int i; > > @@ -1225,7 +1228,8 @@ static void show_special(struct audit_context *context, int *call_panic) > *call_panic = 1; > } else { > audit_log_format(ab, " obj=%s", ctx); > - security_release_secctx(ctx, len); > + lsmcontext_init(&lsmcxt, ctx, len, 0); > + security_release_secctx(&lsmcxt); > } > } > if (context->ipc.has_perm) { > @@ -1371,6 +1375,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, > char *ctx = NULL; > u32 len; > struct lsmblob blob; > + struct lsmcontext lsmcxt; > > lsmblob_init(&blob, n->osid); > if (security_secid_to_secctx(&blob, &ctx, &len)) { > @@ -1379,7 +1384,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, > *call_panic = 2; > } else { > audit_log_format(ab, " obj=%s", ctx); > - security_release_secctx(ctx, len); > + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ > + security_release_secctx(&lsmcxt); > } > } > > diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c > index 1ca97d0cb4a9..96d56a30ecca 100644 > --- a/net/ipv4/ip_sockglue.c > +++ b/net/ipv4/ip_sockglue.c > @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, > > static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) > { > + struct lsmcontext context; > struct lsmblob lb; > char *secdata; > u32 seclen; > @@ -144,7 +145,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) > return; > > put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); > - security_release_secctx(secdata, seclen); > + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ > + security_release_secctx(&context); > } > > static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > index 0412f6744185..78791e015d8b 100644 > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -332,6 +332,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) > int len, ret; > char *secctx; > struct lsmblob blob; > + struct lsmcontext context; > > lsmblob_init(&blob, ct->secmark); > ret = security_secid_to_secctx(&blob, &secctx, &len); > @@ -349,7 +350,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) > > ret = 0; > nla_put_failure: > - security_release_secctx(secctx, len); > + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ > + security_release_secctx(&context); > return ret; > } > #else > diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c > index 183a85412155..8601fcb99f7a 100644 > --- a/net/netfilter/nf_conntrack_standalone.c > +++ b/net/netfilter/nf_conntrack_standalone.c > @@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) > u32 len; > char *secctx; > struct lsmblob blob; > + struct lsmcontext context; > > lsmblob_init(&blob, ct->secmark); > ret = security_secid_to_secctx(&blob, &secctx, &len); > @@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) > > seq_printf(s, "secctx=%s ", secctx); > > - security_release_secctx(secctx, len); > + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ > + security_release_secctx(&context); > } > #else > static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index bfa7f12fde99..cc3ef03ee198 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@ -395,6 +395,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > enum ip_conntrack_info uninitialized_var(ctinfo); > struct nfnl_ct_hook *nfnl_ct; > bool csum_verify; > + struct lsmcontext scaff; /* scaffolding */ > char *secdata = NULL; > u32 seclen = 0; > > @@ -625,8 +626,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > } > > nlh->nlmsg_len = skb->len; > - if (seclen) > - security_release_secctx(secdata, seclen); > + if (seclen) { > + lsmcontext_init(&scaff, secdata, seclen, 0); > + security_release_secctx(&scaff); > + } > return skb; > > nla_put_failure: > @@ -634,8 +637,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, > kfree_skb(skb); > net_err_ratelimited("nf_queue: error creating packet message\n"); > nlmsg_failure: > - if (seclen) > - security_release_secctx(secdata, seclen); > + if (seclen) { > + lsmcontext_init(&scaff, secdata, seclen, 0); > + security_release_secctx(&scaff); > + } > return NULL; > } > > diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c > index e279b81d9545..288c005b44c7 100644 > --- a/net/netlabel/netlabel_unlabeled.c > +++ b/net/netlabel/netlabel_unlabeled.c > @@ -373,6 +373,7 @@ int netlbl_unlhsh_add(struct net *net, > struct net_device *dev; > struct netlbl_unlhsh_iface *iface; > struct audit_buffer *audit_buf = NULL; > + struct lsmcontext context; > char *secctx = NULL; > u32 secctx_len; > struct lsmblob blob; > @@ -443,7 +444,9 @@ int netlbl_unlhsh_add(struct net *net, > &secctx, > &secctx_len) == 0) { > audit_log_format(audit_buf, " sec_obj=%s", secctx); > - security_release_secctx(secctx, secctx_len); > + /* scaffolding */ > + lsmcontext_init(&context, secctx, secctx_len, 0); > + security_release_secctx(&context); > } > audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); > audit_log_end(audit_buf); > @@ -474,6 +477,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, > struct netlbl_unlhsh_addr4 *entry; > struct audit_buffer *audit_buf; > struct net_device *dev; > + struct lsmcontext context; > char *secctx; > u32 secctx_len; > struct lsmblob blob; > @@ -502,7 +506,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, > security_secid_to_secctx(&blob, > &secctx, &secctx_len) == 0) { > audit_log_format(audit_buf, " sec_obj=%s", secctx); > - security_release_secctx(secctx, secctx_len); > + /* scaffolding */ > + lsmcontext_init(&context, secctx, secctx_len, 0); > + security_release_secctx(&context); > } > audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); > audit_log_end(audit_buf); > @@ -539,6 +545,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, > struct netlbl_unlhsh_addr6 *entry; > struct audit_buffer *audit_buf; > struct net_device *dev; > + struct lsmcontext context; > char *secctx; > u32 secctx_len; > struct lsmblob blob; > @@ -566,7 +573,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, > security_secid_to_secctx(&blob, > &secctx, &secctx_len) == 0) { > audit_log_format(audit_buf, " sec_obj=%s", secctx); > - security_release_secctx(secctx, secctx_len); > + lsmcontext_init(&context, secctx, secctx_len, 0); > + security_release_secctx(&context); > } > audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); > audit_log_end(audit_buf); > @@ -1080,6 +1088,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, > int ret_val = -ENOMEM; > struct netlbl_unlhsh_walk_arg *cb_arg = arg; > struct net_device *dev; > + struct lsmcontext context; > void *data; > u32 secid; > char *secctx; > @@ -1147,7 +1156,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, > NLBL_UNLABEL_A_SECCTX, > secctx_len, > secctx); > - security_release_secctx(secctx, secctx_len); > + /* scaffolding */ > + lsmcontext_init(&context, secctx, secctx_len, 0); > + security_release_secctx(&context); > if (ret_val != 0) > goto list_cb_failure; > > diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c > index 893301ae0131..ef139d8ae7cd 100644 > --- a/net/netlabel/netlabel_user.c > +++ b/net/netlabel/netlabel_user.c > @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, > struct netlbl_audit *audit_info) > { > struct audit_buffer *audit_buf; > + struct lsmcontext context; > char *secctx; > u32 secctx_len; > struct lsmblob blob; > @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, > if (audit_info->secid != 0 && > security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { > audit_log_format(audit_buf, " subj=%s", secctx); > - security_release_secctx(secctx, secctx_len); > + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ > + security_release_secctx(&context); > } > > return audit_buf; > diff --git a/security/security.c b/security/security.c > index c2874f6587d2..c05ef9d0c8ed 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2144,17 +2144,23 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, > } > EXPORT_SYMBOL(security_secctx_to_secid); > > -void security_release_secctx(char *secdata, u32 seclen) > +void security_release_secctx(struct lsmcontext *cp) > { > struct security_hook_list *hp; > - int *display = current->security; > + bool found = false; > > hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) > - if (display == NULL || *display == LSMBLOB_INVALID || > - *display == hp->lsmid->slot) { > - hp->hook.release_secctx(secdata, seclen); > - return; > + if (cp->slot == hp->lsmid->slot) { > + hp->hook.release_secctx(cp->context, cp->len); > + found = true; > + break; > } > + > + memset(cp, 0, sizeof(*cp)); > + > + if (!found) > + pr_warn("%s context \"%s\" from slot %d not released\n", > + __func__, cp->context, cp->slot); > } > EXPORT_SYMBOL(security_release_secctx); > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index aac8cb0de733..4e464e5e942e 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -4483,11 +4483,16 @@ static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) > return 0; > } > > -/* > - * There used to be a smack_release_secctx hook > - * that did nothing back when hooks were in a vector. > - * Now that there's a list such a hook adds cost. > +/** > + * smack_release_secctx - do everything necessary to free a context > + * @secdata: Unused > + * @seclen: Unused > + * > + * Do nothing but hold a slot in the hooks list. > */ > +static void smack_release_secctx(char *secdata, u32 seclen) > +{ > +} > > static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) > { > @@ -4730,6 +4735,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), > LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), > LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), > + LSM_HOOK_INIT(release_secctx, smack_release_secctx), > LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), > LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), > LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), >
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 3a7fcdc8dbe2..49b84b6fafd9 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2865,6 +2865,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -3161,7 +3162,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; @@ -3494,8 +3496,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index cb18ee637cb7..ad501b5cad2c 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1271,12 +1271,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index caacf5e7f5e1..74e9f4b7cc07 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -131,8 +131,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 533d0fc3c96b..b17aad082bde 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2421,6 +2421,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -2923,8 +2924,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index f7bc7aef95cb..9bb11d9f1348 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -126,6 +126,41 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + + if (context == NULL || size == 0) + cp->len = 0; + else + cp->len = strlen(context); +} + /* * Data exported by the security modules * @@ -496,7 +531,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1310,7 +1345,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 31ae605fcc0a..30ba801c91bd 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; char *secdata; u32 seclen; int err; @@ -102,7 +103,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index ba9f78e36d1e..35970e7191b6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1180,6 +1180,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1424,15 +1425,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2061,6 +2065,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_task_getsecid(current, &blob); if (!lsmblob_is_set(&blob)) @@ -2074,7 +2079,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c1e3ac8eb1ad..8790e7aafa7d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -962,6 +962,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -979,7 +980,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); @@ -1192,6 +1194,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1225,7 +1228,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1371,6 +1375,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1379,7 +1384,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 1ca97d0cb4a9..96d56a30ecca 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -144,7 +145,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 0412f6744185..78791e015d8b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -332,6 +332,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -349,7 +350,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 183a85412155..8601fcb99f7a 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index bfa7f12fde99..cc3ef03ee198 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -395,6 +395,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info uninitialized_var(ctinfo); struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; @@ -625,8 +626,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -634,8 +637,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index e279b81d9545..288c005b44c7 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -373,6 +373,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -443,7 +444,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -474,6 +477,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -502,7 +506,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -539,6 +545,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -566,7 +573,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1080,6 +1088,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1147,7 +1156,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index c2874f6587d2..c05ef9d0c8ed 100644 --- a/security/security.c +++ b/security/security.c @@ -2144,17 +2144,23 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int *display = current->security; + bool found = false; hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (display == NULL || *display == LSMBLOB_INVALID || - *display == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + found = true; + break; } + + memset(cp, 0, sizeof(*cp)); + + if (!found) + pr_warn("%s context \"%s\" from slot %d not released\n", + __func__, cp->context, cp->slot); } EXPORT_SYMBOL(security_release_secctx); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index aac8cb0de733..4e464e5e942e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4483,11 +4483,16 @@ static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) return 0; } -/* - * There used to be a smack_release_secctx hook - * that did nothing back when hooks were in a vector. - * Now that there's a list such a hook adds cost. +/** + * smack_release_secctx - do everything necessary to free a context + * @secdata: Unused + * @seclen: Unused + * + * Do nothing but hold a slot in the hooks list. */ +static void smack_release_secctx(char *secdata, u32 seclen) +{ +} static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) { @@ -4730,6 +4735,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), + LSM_HOOK_INIT(release_secctx, smack_release_secctx), LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),