Message ID | 20200724203226.16374-20-casey@schaufler-ca.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | LSM: Module stacking for AppArmor | expand |
On 7/24/20 1:32 PM, Casey Schaufler wrote: > Verify that the tasks on the ends of a binder transaction > use the same "display" security module. This prevents confusion > of security "contexts". > Reviewed-by: John Johansen <john.johansen@canonical.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > --- > security/security.c | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/security/security.c b/security/security.c > index ddbaf2073b02..95b48721fb17 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -788,9 +788,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr) > return call_int_hook(binder_set_context_mgr, 0, mgr); > } > > +/** > + * security_binder_transaction - Binder driver transaction check > + * @from: source of the transaction > + * @to: destination of the transaction > + * > + * Verify that the tasks have the same LSM "display", then > + * call the security module hooks. > + * > + * Returns -EINVAL if the displays don't match, or the > + * result of the security module checks. > + */ > int security_binder_transaction(struct task_struct *from, > struct task_struct *to) > { > + int from_display = lsm_task_display(from); > + int to_display = lsm_task_display(to); > + > + /* > + * If the display is LSMBLOB_INVALID the first module that has > + * an entry is used. This will be in the 0 slot. > + * > + * This is currently only required if the server has requested > + * peer contexts, but it would be unwieldly to have too much of > + * the binder driver detail here. > + */ > + if (from_display == LSMBLOB_INVALID) > + from_display = 0; > + if (to_display == LSMBLOB_INVALID) > + to_display = 0; > + if (from_display != to_display) > + return -EINVAL; > + > return call_int_hook(binder_transaction, 0, from, to); > } > >
diff --git a/security/security.c b/security/security.c index ddbaf2073b02..95b48721fb17 100644 --- a/security/security.c +++ b/security/security.c @@ -788,9 +788,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr) return call_int_hook(binder_set_context_mgr, 0, mgr); } +/** + * security_binder_transaction - Binder driver transaction check + * @from: source of the transaction + * @to: destination of the transaction + * + * Verify that the tasks have the same LSM "display", then + * call the security module hooks. + * + * Returns -EINVAL if the displays don't match, or the + * result of the security module checks. + */ int security_binder_transaction(struct task_struct *from, struct task_struct *to) { + int from_display = lsm_task_display(from); + int to_display = lsm_task_display(to); + + /* + * If the display is LSMBLOB_INVALID the first module that has + * an entry is used. This will be in the 0 slot. + * + * This is currently only required if the server has requested + * peer contexts, but it would be unwieldly to have too much of + * the binder driver detail here. + */ + if (from_display == LSMBLOB_INVALID) + from_display = 0; + if (to_display == LSMBLOB_INVALID) + to_display = 0; + if (from_display != to_display) + return -EINVAL; + return call_int_hook(binder_transaction, 0, from, to); }