[v5,23/38] SELinux: Remove cred security blob poisoning

Message ID	80666d37-ea25-1b25-5108-426ebbc384ce@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Subject: [PATCH v5 23/38] SELinux: Remove cred security blob poisoning To: James Morris <jmorris@namei.org>, LSM <linux-security-module@vger.kernel.org>, LKLM <linux-kernel@vger.kernel.org>, SE Linux <selinux@tycho.nsa.gov> Cc: John Johansen <john.johansen@canonical.com>, Kees Cook <keescook@chromium.org>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Paul Moore <paul@paul-moore.com>, "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>, Stephen Smalley <sds@tycho.nsa.gov>, Alexey Dobriyan <adobriyan@gmail.com>, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, Salvatore Mesoraca <s.mesoraca16@gmail.com> References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler <casey@schaufler-ca.com> Message-ID: <80666d37-ea25-1b25-5108-426ebbc384ce@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:44:17 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Module stacking for SARA and Landlock \| expand [v5,00/38] LSM: Module stacking for SARA and Landlock [v5,01/38] LSM: Introduce LSM_FLAG_LEGACY_MAJOR [v5,02/38] LSM: Provide separate ordered initialization [v5,03/38] LSM: Plumb visibility into optional "enabled" state [v5,04/38] LSM: Lift LSM selection out of individual LSMs [v5,05/38] LSM: Build ordered list of LSMs to initialize [v5,06/38] LSM: Introduce CONFIG_LSM [v5,07/38] LSM: Introduce "lsm=" for boottime LSM selection [v5,08/38] LSM: Tie enabling logic to presence in ordered list [v5,09/38] LSM: Prepare for reorganizing "security=" logic [v5,10/38] LSM: Refactor "security=" in terms of enable/disable [v5,11/38] LSM: Separate idea of "major" LSM from "exclusive" LSM [v5,12/38] apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE [v5,13/38] selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE [v5,14/38] LSM: Add all exclusive LSMs to ordered initialization [v5,15/38] LSM: Split LSM preparation from initialization [v5,16/38] LoadPin: Initialize as ordered LSM [v5,17/38] Yama: Initialize as ordered LSM [v5,18/38] LSM: Introduce enum lsm_order [v5,19/38] capability: Initialize as LSM_ORDER_FIRST [v5,20/38] procfs: add smack subdir to attrs [v5,21/38] Smack: Abstract use of cred security blob [v5,22/38] SELinux: Abstract use of cred security blob [v5,23/38] SELinux: Remove cred security blob poisoning [v5,24/38] SELinux: Remove unused selinux_is_enabled [v5,25/38] AppArmor: Abstract use of cred security blob [v5,26/38] TOMOYO: Abstract use of cred security blob [v5,27/38] Infrastructure management of the cred security blob [v5,28/38] SELinux: Abstract use of file security blob [v5,29/38] Smack: Abstract use of file security blob [v5,30/38] LSM: Infrastructure management of the file security [v5,31/38] SELinux: Abstract use of inode security blob [v5,32/38] Smack: Abstract use of inode security blob [v5,33/38] LSM: Infrastructure management of the inode security [v5,34/38] LSM: Infrastructure management of the task security [v5,35/38] SELinux: Abstract use of ipc security blobs [v5,36/38] Smack: Abstract use of ipc security blobs [v5,37/38] LSM: Infrastructure management of the ipc security blob [v5,38/38] TOMOYO: Update LSM flags to no longer be exclusive

Message ID

80666d37-ea25-1b25-5108-426ebbc384ce@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

Subject: [PATCH v5 23/38] SELinux: Remove cred security blob poisoning
To: James Morris <jmorris@namei.org>,
        LSM <linux-security-module@vger.kernel.org>,
        LKLM <linux-kernel@vger.kernel.org>,
        SE Linux <selinux@tycho.nsa.gov>
Cc: John Johansen <john.johansen@canonical.com>,
 Kees Cook <keescook@chromium.org>,
 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
 Paul Moore <paul@paul-moore.com>,
 "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
 Stephen Smalley <sds@tycho.nsa.gov>, Alexey Dobriyan <adobriyan@gmail.com>,
	=?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>,
 Salvatore Mesoraca <s.mesoraca16@gmail.com>
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <80666d37-ea25-1b25-5108-426ebbc384ce@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:44:17 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

LSM: Module stacking for SARA and Landlock | expand

Commit Message

Casey Schaufler Nov. 26, 2018, 11:44 p.m. UTC

The SELinux specific credential poisioning only makes sense
if SELinux is managing the credentials. As the intent of this
patch set is to move the blob management out of the modules
and into the infrastructure, the SELinux specific code has
to go. The poisioning could be introduced into the infrastructure
at some later date.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 kernel/cred.c            | 13 -------------
 security/selinux/hooks.c |  6 ------
 2 files changed, 19 deletions(-)

diff --git a/kernel/cred.c b/kernel/cred.c
index ecf03657e71c..fa2061ee4955 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -704,19 +704,6 @@  bool creds_are_invalid(const struct cred *cred)
 {
 	if (cred->magic != CRED_MAGIC)
 		return true;
-#ifdef CONFIG_SECURITY_SELINUX
-	/*
-	 * cred->security == NULL if security_cred_alloc_blank() or
-	 * security_prepare_creds() returned an error.
-	 */
-	if (selinux_is_enabled() && cred->security) {
-		if ((unsigned long) cred->security < PAGE_SIZE)
-			return true;
-		if ((*(u32 *)cred->security & 0xffffff00) ==
-		    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
-			return true;
-	}
-#endif
 	return false;
 }
 EXPORT_SYMBOL(creds_are_invalid);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 24b6b459fa2a..41b230d459a6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3922,12 +3922,6 @@  static void selinux_cred_free(struct cred *cred)
 {
 	struct task_security_struct *tsec = selinux_cred(cred);
 
-	/*
-	 * cred->security == NULL if security_cred_alloc_blank() or
-	 * security_prepare_creds() returned an error.
-	 */
-	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
-	cred->security = (void *) 0x7UL;
 	kfree(tsec);
 }

[v5,23/38] SELinux: Remove cred security blob poisoning

Commit Message

Patch