[v39,05/42] LSM: Use lsmblob in security_audit_rule_match

Message ID	20231215221636.105680-6-casey@schaufler-ca.com (mailing list archive)
State	New
Delegated to:	Paul Moore
Headers	show Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BBCE18EA7 for <linux-security-module@vger.kernel.org>; Fri, 15 Dec 2023 22:20:00 +0000 (UTC) From: Casey Schaufler <casey@schaufler-ca.com> To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-audit@redhat.com Subject: [PATCH v39 05/42] LSM: Use lsmblob in security_audit_rule_match Date: Fri, 15 Dec 2023 14:15:59 -0800 Message-ID: <20231215221636.105680-6-casey@schaufler-ca.com> In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	LSM: General module stacking \| expand [v39,00/42] LSM: General module stacking [v39,01/42] integrity: disassociate ima_filter_rule from security_audit_rule [v39,02/42] SM: Infrastructure management of the sock security [v39,03/42] LSM: Add the lsmblob data structure. [v39,04/42] IMA: avoid label collisions with stacked LSMs [v39,05/42] LSM: Use lsmblob in security_audit_rule_match [v39,06/42] LSM: Add lsmblob_to_secctx hook [v39,07/42] Audit: maintain an lsmblob in audit_context [v39,08/42] LSM: Use lsmblob in security_ipc_getsecid [v39,09/42] Audit: Update shutdown LSM data [v39,10/42] LSM: Use lsmblob in security_current_getsecid [v39,11/42] LSM: Use lsmblob in security_inode_getsecid [v39,12/42] Audit: use an lsmblob in audit_names [v39,13/42] LSM: Create new security_cred_getlsmblob LSM hook [v39,14/42] Audit: Change context data from secid to lsmblob [v39,15/42] Netlabel: Use lsmblob for audit data [v39,16/42] LSM: Ensure the correct LSM context releaser [v39,17/42] LSM: Use lsmcontext in security_secid_to_secctx [v39,18/42] LSM: Use lsmcontext in security_lsmblob_to_secctx [v39,19/42] LSM: Use lsmcontext in security_inode_getsecctx [v39,20/42] LSM: Use lsmcontext in security_dentry_init_security [v39,21/42] LSM: security_lsmblob_to_secctx module selection [v39,22/42] Audit: Create audit_stamp structure [v39,23/42] Audit: Allow multiple records in an audit_buffer [v39,24/42] Audit: Add record for multiple task security contexts [v39,25/42] audit: multiple subject lsm values for netlabel [v39,26/42] Audit: Add record for multiple object contexts [v39,27/42] LSM: Remove unused lsmcontext_init() [v39,28/42] LSM: Improve logic in security_getprocattr [v39,29/42] LSM: secctx provider check on release [v39,30/42] LSM: Single calls in socket_getpeersec hooks [v39,31/42] LSM: Exclusive secmark usage [v39,32/42] LSM: Identify which LSM handles the context string [v39,33/42] AppArmor: Remove the exclusive flag [v39,34/42] LSM: Add mount opts blob size tracking [v39,35/42] LSM: allocate mnt_opts blobs instead of module specific data [v39,36/42] LSM: Infrastructure management of the key security blob [v39,37/42] LSM: Infrastructure management of the mnt_opts security blob [v39,38/42] LSM: Correct handling of ENOSYS in inode_setxattr [v39,39/42] LSM: Remove lsmblob scaffolding [v39,40/42] LSM: Allow reservation of netlabel [v39,41/42] LSM: restrict security_cred_getsecid() to a single LSM [v39,42/42] Smack: Remove LSM_FLAG_EXCLUSIVE

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2159013890aa..24c588b87412 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -394,8 +394,8 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, void **lsmrule, int lsmid) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid) +LSM_HOOK(int, 0, audit_rule_match, struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule, int lsmid) #endif /* CONFIG_AUDIT */ diff --git a/include/linux/security.h b/include/linux/security.h index 2320ed78c4de..6ded4f04f117 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2013,7 +2013,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule); void security_audit_rule_free(void *lsmrule); #else @@ -2029,8 +2030,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return 0; } @@ -2044,8 +2045,8 @@ static inline void security_audit_rule_free(void *lsmrule) #if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, int lsmid); -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid); +int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid); void ima_filter_rule_free(void *lsmrule, int lsmid); #else @@ -2056,7 +2057,7 @@ static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, return 0; } -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, +static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule, int lsmid) { return 0; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 8317a37dea0b..0a6a1c4c3507 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1338,6 +1338,7 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; + struct lsmblob blob = { }; pid_t pid; u32 sid; @@ -1369,9 +1370,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_current_getsecid_subj(&sid); - result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + /* stacking scaffolding */ + security_current_getsecid_subj( + &blob.scaffold.secid); + result = security_audit_rule_match( + &blob, f->type, f->op, + f->lsm_rule); } break; case AUDIT_EXE: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f0d6fb6523f..fb001300f0c2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,6 +471,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob = { }; unsigned int sessionid; if (ctx && rule->prio <= ctx->prio) @@ -681,7 +682,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + /* stacking scaffolding */ + blob.scaffold.secid = sid; + result = security_audit_rule_match(&blob, + f->type, f->op, f->lsm_rule); } @@ -696,15 +700,19 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { + /* stacking scaffolding */ + blob.scaffold.secid = name->osid; result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + /* stacking scaffolding */ + blob.scaffold.secid = n->osid; if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rule)) { @@ -716,7 +724,9 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + /* stacking scaffolding */ + blob.scaffold.secid = ctx->ipc.osid; + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rule)) ++result; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 0a9f0019355a..72c414d00ba6 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -269,7 +269,8 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, + int lsmid) { struct aa_audit_rule *rule = vrule; struct aa_label *label; @@ -277,7 +278,12 @@ int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) return 0; - label = aa_secid_to_label(sid); + + /* stacking scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index a75c45dd059f..ae3fc4089b00 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -203,6 +203,7 @@ void aa_audit_rule_free(void *vrule, int lsmid); int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, int lsmid); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid); +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, + int lsmid); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a563e0478cc6..d24205aa1beb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -657,7 +657,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; + struct lsmblob blob = { }; if (!lsm_rule->lsm[i].rule) { if (!lsm_rule->lsm[i].args_p) @@ -671,8 +671,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, + /* stacking scaffolding */ + security_inode_getsecid(inode, &blob.scaffold.secid); + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, lsm_rule->lsm[i].lsm_id); @@ -680,7 +681,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, + /* stacking scaffolding */ + blob.scaffold.secid = secid; + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, lsm_rule->lsm[i].lsm_id); diff --git a/security/security.c b/security/security.c index cdf9ee12b064..b3d150b6248e 100644 --- a/security/security.c +++ b/security/security.c @@ -5408,7 +5408,7 @@ void security_audit_rule_free(void *lsmrule) /** * security_audit_rule_match() - Check if a label matches an audit rule - * @secid: security label + * @lsmblob: security label * @field: LSM audit field * @op: matching operator * @lsmrule: audit rule @@ -5419,9 +5419,9 @@ void security_audit_rule_free(void *lsmrule) * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on * failure. */ -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, blob, field, op, lsmrule, LSM_ID_UNDEF); } #endif /* CONFIG_AUDIT */ @@ -5443,10 +5443,10 @@ void ima_filter_rule_free(void *lsmrule, int lsmid) call_void_hook(audit_rule_free, lsmrule, lsmid); } -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid) +int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, blob, field, op, lsmrule, lsmid); } #endif /* CONFIG_IMA_LSM_RULES */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 59468baf0c91..61a396c9d9ae 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -42,7 +42,7 @@ void selinux_audit_rule_free(void *rule, int lsmid); /** * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check + * @blob: includes the context ID to check * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against @@ -51,7 +51,8 @@ void selinux_audit_rule_free(void *rule, int lsmid); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, int lsmid); +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *rule, int lsmid); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9fe8d85acae..eef6655f7730 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3627,7 +3627,8 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule, int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3655,10 +3656,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) goto out; } - ctxt = sidtab_search(policy->sidtab, sid); + /* stacking scaffolding */ + if (!blob->selinux.secid && blob->scaffold.secid) + blob->selinux.secid = blob->scaffold.secid; + + ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + blob->selinux.secid); match = -ENOENT; goto out; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4342947f51d8..9851d56dff69 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4726,7 +4726,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) /** * smack_audit_rule_match - Audit given object ? - * @secid: security id for identifying the object to test + * @blob: security id for identifying the object to test * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation @@ -4735,8 +4735,8 @@ static int smack_audit_rule_known(struct audit_krule *krule) * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, - int lsmid) +static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule, int lsmid) { struct smack_known *skp; char *rule = vrule; @@ -4751,7 +4751,11 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - skp = smack_from_secid(secid); + /* stacking scaffolding */ + if (!blob->smack.skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + else + skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs,

[v39,05/42] LSM: Use lsmblob in security_audit_rule_match

Commit Message

Patch