From patchwork Wed Nov 13 00:08:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240477 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9128D14E5 for ; Wed, 13 Nov 2019 00:09:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 57A1821A49 for ; Wed, 13 Nov 2019 00:09:32 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="ZCJtX7Gs" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726962AbfKMAJc (ORCPT ); Tue, 12 Nov 2019 19:09:32 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:39820 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726960AbfKMAJb (ORCPT ); Tue, 12 Nov 2019 19:09:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603767; bh=9MZzR0Xx/JpXwxs3apQVPWaGX8pyWgvPtTmFeWS/vto=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=ZCJtX7GsMcL4OF1jWlYghc8cne+cbhMbRwiWUuHIy0XD62iQN+WTAWRUqCH2p122CbITBwIYdd8kNwbWla5VpkdSFL7SWILqJH4yJsRzYG8hL5jUZhi0w4HsWD/6UBE5PqJpEOYUJliP1RaaqAyo2C7cM348cuw6WEIPvhhAStDAItsZzv+g3a+IvB5JnXTnD2tQl03e7EeYOhcd8EbJ6jzdod1ym0kU7EmYWbAgFc/zTDr682vbdVxzPpA/RwkoiVLXJXXQIRz/3x7115njye+PurR0mNrVMlUvi4yLCkHwX7ncED+OTT++mR8SdwVYtpJ4JybMuwGiQJqFA+3qPw== X-YMail-OSG: VKRwn6IVM1mXfogkd7mUcQQ_ZhAACf7QP4jSyjNTYEoK1.n25ONwLzbGk6ycZ63 kQEq5pr1XmqhhdLKu2J.hJHwLvF1HUZ46W.674mebpfdWz6muRAAIxqpVCISw2bNSPsLqG8h371q SAjg_mwiQUsbY0.ttcUXTPs5.X31zf2Mkgl.xgg9L.w4xo6749GYeCuKkeo3jnjJlLBAfDDHdZrP 26ssOhWqNWSdmM2aj71N8piIlb4GfXBqDRrxe38JfoHX0m_mvTRWL4f8Xnlew.FY4zpeHJxukbjS mF4VXPHm4U.5TWN2vdxBorqJ9lr5UNNOO0Zh1yWkYLnfqNf7U7QtmY8X.DDoL_h2E95oRc4lYnWR ERB88coa_eQhcEQSyiun28M62YBJvbyWYoiKknZ0dcdwK24QyVcgT4rbEXmpNipEigKfB6xlxQfp E.GfNJFuwf7ZIRofOuJJmflxyK8Sp1taGmlwE4kKk6SBkTmVNCm_Y3O_q.ELd4aP3xcAzOHC9x_W y7.1KQz25WS.34iJ5ZhzzMsr6cJBAX_o.gGF2.jirgQIFavuaPT9y4IxAdXvE.G5dU5ibWFPg4DL EOEKrSPciSTv1vjTkUv0W_r_Dxb7j1Rjx_rkETMpC92yDseJQwaRWBMQa_ImoOsjjZPPArZErQnl d6q7FSb4qzoeI6qqwfm5BUUKjvgwRgJn2Tyr879qIuIJ8LjpPgIKKR4T0Z3fAEj.aS1u0wlXNZVX sM1e2ziizTG.IGQmWLUFAv43wQE1oNM9ZLZ9einHmKn2UROj0nl1nlqaNdtaHlRLtPSigDb5ti2m 0hwzI1XkyL2G.wHThTUlYJ_SnG5yQqO6OunTDV3OEVhqXzAEXd84vZYEH_quBMUxPkGZ9tKyX7pz 3r2WV4k66o7kBInOPCwGwgsskwMd6_dA9dTvFWeC349NE9wxCPhQb1Lpo47vO5X51AkbluDGFpSe TNjVINPYtJO8UznbDvehihwNl59RShlpIQeu_lKiCA_dgLvpXOkaxP12ELWmGp2nnTKmtUXda1aC 6khvyI4bjo1ZyviyEUqu9G8VeclM0fpHa6VINVUF15670Y.VqL6b2Nef4O0jPwZRoNLEiSdX5Sxx ohmTNu2mxrZ1Alh8IlzJk95gG9i_h2wULqx7LSbrWBV8WUZ_SX1UeJqlpJUPhF6DNI5nj90VXndP AN2TXdHVbnbE.8x7CsXxlP5vXF08YeNRv3qZQ4WsIVYBwUGnzn7lsb9_aSmoOSvIb90z3MczguFN O9cz.umi9ypgVJvm_hWsunwIBvMHQ2dPXixUWoRPRynKsTxWdrEZoDd0lTuV6_el5eE92_PtHo9K mR20K3ZbnFwhhVex3Zab5wF839ix9KcYEPzZHnhGRmekUbpo_g9iINNpoQ.qZ8VnlSQ8x2sZ18wp gv6ld9fHx_gM5lZIVkmsypb0MNKfCq8jEEJzDcl40 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:27 +0000 Received: by smtp428.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 6f1d82c7e28d32d4ef3c31a06032e5a8; Wed, 13 Nov 2019 00:09:22 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH 01/25] LSM: Infrastructure management of the sock security Date: Tue, 12 Nov 2019 16:08:49 -0800 Message-Id: <20191113000913.5414-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 6 ++- security/apparmor/lsm.c | 38 ++++----------- security/security.c | 36 +++++++++++++- security/selinux/hooks.c | 78 +++++++++++++++---------------- security/selinux/include/objsec.h | 5 ++ security/selinux/netlabel.c | 23 ++++----- security/smack/smack.h | 5 ++ security/smack/smack_lsm.c | 64 ++++++++++++------------- security/smack/smack_netfilter.c | 8 ++-- 10 files changed, 144 insertions(+), 120 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index a3763247547c..13a67fd1a767 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2080,6 +2080,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_sock; int lbs_ipc; int lbs_msg_msg; int lbs_task; diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index 2431c011800d..5b6f52c62058 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,7 +51,11 @@ struct aa_sk_ctx { struct aa_label *peer; }; -#define SK_CTX(X) ((X)->sk_security) +static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) +{ + return sk->sk_security + apparmor_blob_sizes.lbs_sock; +} + #define SOCK_ctx(X) SOCK_INODE(X)->i_security #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ struct lsm_network_audit NAME ## _net = { .sk = (SK), \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index ec3a928af829..4093fa231671 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -753,33 +753,15 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo return error; } -/** - * apparmor_sk_alloc_security - allocate and attach the sk_security field - */ -static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) -{ - struct aa_sk_ctx *ctx; - - ctx = kzalloc(sizeof(*ctx), flags); - if (!ctx) - return -ENOMEM; - - SK_CTX(sk) = ctx; - - return 0; -} - /** * apparmor_sk_free_security - free the sk_security field */ static void apparmor_sk_free_security(struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); - SK_CTX(sk) = NULL; aa_put_label(ctx->label); aa_put_label(ctx->peer); - kfree(ctx); } /** @@ -788,8 +770,8 @@ static void apparmor_sk_free_security(struct sock *sk) static void apparmor_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); - struct aa_sk_ctx *new = SK_CTX(newsk); + struct aa_sk_ctx *ctx = aa_sock(sk); + struct aa_sk_ctx *new = aa_sock(newsk); new->label = aa_get_label(ctx->label); new->peer = aa_get_label(ctx->peer); @@ -840,7 +822,7 @@ static int apparmor_socket_post_create(struct socket *sock, int family, label = aa_get_current_label(); if (sock->sk) { - struct aa_sk_ctx *ctx = SK_CTX(sock->sk); + struct aa_sk_ctx *ctx = aa_sock(sock->sk); aa_put_label(ctx->label); ctx->label = aa_get_label(label); @@ -1025,7 +1007,7 @@ static int apparmor_socket_shutdown(struct socket *sock, int how) */ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!skb->secmark) return 0; @@ -1038,7 +1020,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) static struct aa_label *sk_peer_label(struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (ctx->peer) return ctx->peer; @@ -1122,7 +1104,7 @@ static int apparmor_socket_getpeersec_dgram(struct socket *sock, */ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!ctx->label) ctx->label = aa_get_current_label(); @@ -1132,7 +1114,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!skb->secmark) return 0; @@ -1149,6 +1131,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct aa_task_ctx *), .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), + .lbs_sock = sizeof(struct aa_sk_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { @@ -1185,7 +1168,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), @@ -1624,7 +1606,7 @@ static unsigned int apparmor_ip_postroute(void *priv, if (sk == NULL) return NF_ACCEPT; - ctx = SK_CTX(sk); + ctx = aa_sock(sk); if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, skb->secmark, sk)) return NF_ACCEPT; diff --git a/security/security.c b/security/security.c index 1bc000f834e2..5e43d3f64c1f 100644 --- a/security/security.c +++ b/security/security.c @@ -28,6 +28,7 @@ #include #include #include +#include #define MAX_LSM_EVM_XATTR 2 @@ -169,6 +170,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); } @@ -304,6 +306,7 @@ static void __init ordered_lsm_init(void) init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); /* @@ -622,6 +625,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp) return 0; } +/** + * lsm_sock_alloc - allocate a composite sock blob + * @sock: the sock that needs a blob + * @priority: allocation mode + * + * Allocate the sock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +{ + if (blob_sizes.lbs_sock == 0) { + sock->sk_security = NULL; + return 0; + } + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +} + /** * lsm_early_task - during initialization allocate a composite task blob * @task: the task that needs a blob @@ -2066,12 +2091,21 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { - return call_int_hook(sk_alloc_security, 0, sk, family, priority); + int rc = lsm_sock_alloc(sk, priority); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sk_alloc_security, 0, sk, family, priority); + if (unlikely(rc)) + security_sk_free(sk); + return rc; } void security_sk_free(struct sock *sk) { call_void_hook(sk_free_security, sk); + kfree(sk->sk_security); + sk->sk_security = NULL; } void security_sk_clone(const struct sock *sk, struct sock *newsk) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9625b99e677f..3feb971068e2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4467,7 +4467,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec, static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -4524,7 +4524,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, isec->initialized = LABEL_INITIALIZED; if (sock->sk) { - sksec = sock->sk->sk_security; + sksec = selinux_sock(sock->sk); sksec->sclass = sclass; sksec->sid = sid; /* Allows detection of the first association on this socket */ @@ -4540,8 +4540,8 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct sk_security_struct *sksec_a = socka->sk->sk_security; - struct sk_security_struct *sksec_b = sockb->sk->sk_security; + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); sksec_a->peer_sid = sksec_b->sid; sksec_b->peer_sid = sksec_a->sid; @@ -4556,7 +4556,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family; int err; @@ -4691,7 +4691,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; err = sock_has_perm(sk, SOCKET__CONNECT); @@ -4870,9 +4870,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; + struct sk_security_struct *sksec_sock = selinux_sock(sock); + struct sk_security_struct *sksec_other = selinux_sock(other); + struct sk_security_struct *sksec_new = selinux_sock(newsk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; int err; @@ -4904,8 +4904,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; + struct sk_security_struct *ssec = selinux_sock(sock->sk); + struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -4947,7 +4947,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { int err = 0; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u32 sk_sid = sksec->sid; struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -4980,7 +4980,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { int err; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family = sk->sk_family; u32 sk_sid = sksec->sid; struct common_audit_data ad; @@ -5048,13 +5048,15 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) return err; } -static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) +static int selinux_socket_getpeersec_stream(struct socket *sock, + char __user *optval, + int __user *optlen, + unsigned int len) { int err = 0; char *scontext; u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sock->sk); u32 peer_sid = SECSID_NULL; if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || @@ -5114,34 +5116,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; + struct sk_security_struct *sksec = selinux_sock(sk); sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; return 0; } static void selinux_sk_free_security(struct sock *sk) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); - sk->sk_security = NULL; selinux_netlbl_sk_security_free(sksec); - kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = sksec->sid; newsksec->peer_sid = sksec->peer_sid; @@ -5155,7 +5150,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) if (!sk) *secid = SECINITSID_ANY_SOCKET; else { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); *secid = sksec->sid; } @@ -5165,7 +5160,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(parent)); - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || sk->sk_family == PF_UNIX) @@ -5180,7 +5175,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb) { - struct sk_security_struct *sksec = ep->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(ep->base.sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; u8 peerlbl_active; @@ -5331,8 +5326,8 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); /* If policy does not support SECCLASS_SCTP_SOCKET then call * the non-sctp clone version. @@ -5349,7 +5344,7 @@ static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; u16 family = req->rsk_ops->family; u32 connsid; @@ -5370,7 +5365,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = req->secid; newsksec->peer_sid = req->peer_secid; @@ -5387,7 +5382,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* handle mapped IPv4 packets arriving via IPv6 sockets */ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) @@ -5471,7 +5466,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { struct tun_security_struct *tunsec = security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it * isn't clear that we would want to do so anyway; while we could apply @@ -5512,7 +5507,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) int err = 0; u32 perm; struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (skb->len < NLMSG_HDRLEN) { err = -EINVAL; @@ -5653,7 +5648,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, return NF_ACCEPT; /* standard practice, label using the parent socket */ - sksec = sk->sk_security; + sksec = selinux_sock(sk); sid = sksec->sid; } else sid = SECINITSID_KERNEL; @@ -5692,7 +5687,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, if (sk == NULL) return NF_ACCEPT; - sksec = sk->sk_security; + sksec = selinux_sock(sk); ad.type = LSM_AUDIT_DATA_NET; ad.u.net = &net; @@ -5784,7 +5779,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, u32 skb_sid; struct sk_security_struct *sksec; - sksec = sk->sk_security; + sksec = selinux_sock(sk); if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP; /* At this point, if the returned skb peerlbl is SECSID_NULL @@ -5813,7 +5808,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, } else { /* Locally generated packet, fetch the security label from the * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); peer_sid = sksec->sid; secmark_perm = PACKET__SEND; } @@ -6793,6 +6788,7 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_sock = sizeof(struct sk_security_struct), }; static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 586b7abd0aa7..3e2bb90dc868 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -185,4 +185,9 @@ static inline u32 current_sid(void) return tsec->sid; } +static inline struct sk_security_struct *selinux_sock(const struct sock *sock) +{ + return sock->sk_security + selinux_blob_sizes.lbs_sock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index abaab7683840..6a94b31b5472 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -67,7 +68,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (sksec->nlbl_secattr != NULL) @@ -100,7 +101,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( const struct sock *sk, u32 sid) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; if (secattr == NULL) @@ -235,7 +236,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, * being labeled by it's parent socket, if it is just exit */ sk = skb_to_full_sk(skb); if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB) return 0; @@ -273,7 +274,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, { int rc; struct netlbl_lsm_secattr secattr; - struct sk_security_struct *sksec = ep->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(ep->base.sk); struct sockaddr_in addr4; struct sockaddr_in6 addr6; @@ -352,7 +353,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) */ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (family == PF_INET) sksec->nlbl_state = NLBL_LABELED; @@ -370,8 +371,8 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) */ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->nlbl_state = sksec->nlbl_state; } @@ -389,7 +390,7 @@ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (family != PF_INET && family != PF_INET6) @@ -504,7 +505,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, { int rc = 0; struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr secattr; if (selinux_netlbl_option(level, optname) && @@ -542,7 +543,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, struct sockaddr *addr) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; /* connected sockets are allowed to disconnect when the address family @@ -581,7 +582,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, int selinux_netlbl_socket_connect_locked(struct sock *sk, struct sockaddr *addr) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB && sksec->nlbl_state != NLBL_CONNLABELED) diff --git a/security/smack/smack.h b/security/smack/smack.h index 62529f382942..2836540f9577 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -372,6 +372,11 @@ static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc) return ipc->security + smack_blob_sizes.lbs_ipc; } +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security + smack_blob_sizes.lbs_sock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index abeb09c30633..796f78580c17 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1456,7 +1456,7 @@ static int smack_inode_getsecurity(struct inode *inode, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1838,7 +1838,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the @@ -2245,11 +2245,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) { struct smack_known *skp = smk_of_current(); - struct socket_smack *ssp; - - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); - if (ssp == NULL) - return -ENOMEM; + struct socket_smack *ssp = smack_sock(sk); /* * Sockets created by kernel threads receive web label. @@ -2263,11 +2259,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) } ssp->smk_packet = NULL; - sk->sk_security = ssp; - return 0; } +#ifdef SMACK_IPV6_PORT_LABELING /** * smack_sk_free_security - Free a socket blob * @sk: the socket @@ -2276,7 +2271,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { -#ifdef SMACK_IPV6_PORT_LABELING struct smk_port_label *spp; if (sk->sk_family == PF_INET6) { @@ -2289,9 +2283,8 @@ static void smack_sk_free_security(struct sock *sk) } rcu_read_unlock(); } -#endif - kfree(sk->sk_security); } +#endif /** * smack_ipv4host_label - check host based restrictions @@ -2409,7 +2402,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) static int smack_netlabel(struct sock *sk, int labeled) { struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); int rc = 0; /* @@ -2454,7 +2447,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) int rc; int sk_lbl; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2530,7 +2523,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2618,7 +2611,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; @@ -2712,7 +2705,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2760,7 +2753,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } @@ -2785,8 +2778,8 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct socket_smack *asp = socka->sk->sk_security; - struct socket_smack *bsp = sockb->sk->sk_security; + struct socket_smack *asp = smack_sock(socka->sk); + struct socket_smack *bsp = smack_sock(sockb->sk); asp->smk_packet = bsp->smk_out; bsp->smk_packet = asp->smk_out; @@ -2844,7 +2837,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, return 0; #ifdef SMACK_IPV6_SECMARK_LABELING - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); #endif switch (sock->sk->sk_family) { @@ -3586,9 +3579,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT @@ -3634,8 +3627,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; @@ -3672,7 +3665,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -3845,7 +3838,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { struct netlbl_lsm_secattr secattr; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -3966,7 +3959,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, int slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; @@ -4016,7 +4009,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: @@ -4029,7 +4022,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, * Translate what netlabel gave us. */ if (sock != NULL && sock->sk != NULL) - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr); if (rc == 0) { @@ -4067,7 +4060,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ @@ -4087,7 +4080,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct netlbl_lsm_secattr secattr; struct sockaddr_in addr; struct iphdr *hdr; @@ -4186,7 +4179,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -4590,6 +4583,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_sock = sizeof(struct socket_smack), }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { @@ -4699,7 +4693,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), +#ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), +#endif LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index fc7399b45373..635e2339579e 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -28,8 +28,8 @@ static unsigned int smack_ipv6_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } @@ -46,8 +46,8 @@ static unsigned int smack_ipv4_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } From patchwork Wed Nov 13 00:08:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240473 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A78C013BD for ; Wed, 13 Nov 2019 00:09:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 762A72196E for ; Wed, 13 Nov 2019 00:09:31 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="milSa72e" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726910AbfKMAJb (ORCPT ); Tue, 12 Nov 2019 19:09:31 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:44696 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727119AbfKMAJb (ORCPT ); Tue, 12 Nov 2019 19:09:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603768; bh=i6tPPr7x71/s61Wwgk9lK2odZ7QDHQgW26n+sD1MkVQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=milSa72ehRygHI6MrUh/4Xvi5UtYjwVzxBs49iPneCDNj+3PsP2N85s8RLWEMVcFsSVr05W911Kj24QmuXm/JXmyuwBFoPEaluarODjqWi1X+BLseJoTamvHtDgPBl1APY4UC4lQdtUeeA1AUWjM6ekwrvZtSxAWKmeE546hXnqAxfDHe4xXHCf5vOZomAIe5oe2pwELqzN1QsKjw1yeM7bdzsaAXiUxBXB+FVxW7tkjG0H/xwjUAKSyuoQd8alXaSaZj9leekuE6zwXOh9W0x4z36+Z4EkTZx1TNiuWRqmV7C5DqKN8HiqBBTZl3BWM+BU7YxxQW3zg6JND/S0WRA== X-YMail-OSG: eKZZ97IVM1kkJ6_0iiyKO4pIw5rYE04bqYYxKwoGzi0JbgV.giKbSsKuyx6fZyY zLJVZyV37eNUPhRJX5OJaWTb1mRAKmzOcunw.LtDy3TdUWT69hPz.bOx3cM5COeuhgjh2n0L7Ubt eEaGE2ioz2msXfo6UhDboxztnjldDWR7OcaO4e1UfJ5B6.8A99TAMvuVeKnlk_69hYmK1iUisr01 8UHYpeiXdJPWhmtXwh_mYh.y1z2IvsAdhmE_d2ljLM9EBqKuSLUJNA7PB0wwQNba0fwpkGyOGgaa 2lrXifxNbt5GcTgMjkWMuV9B0lgregYbZLKfQokd4WHGwdwLaW.LYV.NGaBzmg4P4Uvh1ACvCQFK oilekDT2gKE_C3MDL4WQkVwnVTyzIiHfhoSqyzDMn_nVqBfPKZCnoBNLtTTKhJGd1asoAjxIqxu6 a4AqlDEv2VfgWPQ2aTAffDdGbZXWzuRzuEEZgYZldHkkqGlM0lwto8.xscYPy0Jpjt2p62iVf9LM 3dF5p2yehnv6PHS2GLp9xVjfXLiwSIG_Nki9uHttFyXNomJdapvtEqlM43LjOI0GP4mw993S9K_n jEABLvnSMix5M0DRoxo13sESWBPxhw5Jp2A89kM0mKBTMh5u3O1ebeEH8kWGgfffWhNmWZjGzgwa _A4RPSZEm5e8YL.qu9eL433e4G_1DazL6cZ.JYHxoBay65JoIaE2ZSFIuc98MnevntdEOICKLUUq n7EKfq07ViZZwf9z6cv.7Dg4DE9VVa_cKCocXPAqqyky3M0ikUeWyv7UGnLsbQe57SdgTrHHtfhK ePIJgnXC4aZtREMAVL01r7Gdj74m5Pp5HcaZcMIffEzOTPMeS2RMNsttt6BCf9skI8FGob3IR9eL 5PnSeLuys.PFw8hugA69FprkKEmucIDa3k15jxOK9i4HitmjlHXaj8dlrTXlixssKbORx7xsqrZA Z88AbjKbGm5S_eKKWyS14yqMiKwKg_k5jt7vjg6FV33N9G0_wfYC2ub3fu0Amii.BMlpg6d_bd63 r3qrfZ5184nN8w8QjOxSVFKxP5hEN6MmWvREK6T6ixHDu_Q.03F09OQCU9U1QTxHaI7Wv1w42ikq Z.vwHg5UgyEFLyvpFZCzeLUr9pBQYA_lFpcZ.uF8XGh9PHCS2sGB2E7Ft1SLzow2HKA2Ew4Z31LX ey8mOkEOCxTDUF7dZ5TG6RGOyYw.QK6OvCpfEQVUFWgTykmbD6CXOegBYbzRbZQgwPSIjJPg3a2B QAjrBmrK5UUzZCTAaZqz9uJgTfNmgMsB_cM1ylfGMb2ET3.q0YmyBT4xd0xTFh3rUk0w1_E6Ey.s aYNi6OE51T2uSvaV4DBUYD.Ja3ObhduTGJ4IAzRGfDoKy319b1M6Zv3qUdZlY7u84OWkdyFxUwF9 iaFK92mXbJlu3bwr9blKq.JNA_bj4OJTSzDc.bi4jXvtqzyYOhpq3kmZoSj96R.6vZw-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:28 +0000 Received: by smtp428.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 6f1d82c7e28d32d4ef3c31a06032e5a8; Wed, 13 Nov 2019 00:09:26 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH 02/25] LSM: Create and manage the lsmblob data structure. Date: Tue, 12 Nov 2019 16:08:50 -0800 Message-Id: <20191113000913.5414-3-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When more than one security module is exporting data to audit and networking sub-systems a single 32 bit integer is no longer sufficient to represent the data. Add a structure to be used instead. The lsmblob structure is currently an array of u32 "secids". There is an entry for each of the security modules built into the system that would use secids if active. The system assigns the module a "slot" when it registers hooks. If modules are compiled in but not registered there will be unused slots. A new lsm_id structure, which contains the name of the LSM and its slot number, is created. There is an instance for each LSM, which assigns the name and passes it to the infrastructure to set the slot. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 12 ++++++-- include/linux/security.h | 58 ++++++++++++++++++++++++++++++++++++++ security/apparmor/lsm.c | 7 ++++- security/commoncap.c | 7 ++++- security/loadpin/loadpin.c | 8 +++++- security/safesetid/lsm.c | 8 +++++- security/security.c | 28 ++++++++++++++---- security/selinux/hooks.c | 8 +++++- security/smack/smack_lsm.c | 7 ++++- security/tomoyo/tomoyo.c | 8 +++++- security/yama/yama_lsm.c | 7 ++++- 11 files changed, 142 insertions(+), 16 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 13a67fd1a767..cfe5393840c7 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2062,6 +2062,14 @@ struct security_hook_heads { struct hlist_head locked_down; } __randomize_layout; +/* + * Information that identifies a security module. + */ +struct lsm_id { + const char *lsm; /* Name of the LSM */ + int slot; /* Slot in lsmblob if one is allocated */ +}; + /* * Security module hook list structure. * For use with generic list macros for common operations. @@ -2070,7 +2078,7 @@ struct security_hook_list { struct hlist_node list; struct hlist_head *head; union security_list_options hook; - char *lsm; + struct lsm_id *lsmid; } __randomize_layout; /* @@ -2099,7 +2107,7 @@ extern struct security_hook_heads security_hook_heads; extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, - char *lsm); + struct lsm_id *lsmid); #define LSM_FLAG_LEGACY_MAJOR BIT(0) #define LSM_FLAG_EXCLUSIVE BIT(1) diff --git a/include/linux/security.h b/include/linux/security.h index 9df7547afc0c..5eced28fa0c9 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -126,6 +126,64 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* + * Data exported by the security modules + * + * Any LSM that provides secid or secctx based hooks must be included. + */ +#define LSMBLOB_ENTRIES ( \ + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0)) + +struct lsmblob { + u32 secid[LSMBLOB_ENTRIES]; +}; + +#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */ +#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ +#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */ + +/** + * lsmblob_init - initialize an lsmblob structure. + * @blob: Pointer to the data to initialize + * @secid: The initial secid value + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob, u32 secid) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + blob->secid[i] = secid; +} + +/** + * lsmblob_is_set - report if there is an value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a secid set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + +/** + * lsmblob_equal - report if the two lsmblob's are equal + * @bloba: Pointer to one LSM data + * @blobb: Pointer to the other LSM data + * + * Returns true if all entries in the two are equal, false otherwise + */ +static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) +{ + return !memcmp(bloba, blobb, sizeof(*bloba)); +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4093fa231671..11845348eefb 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1134,6 +1134,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_sock = sizeof(struct aa_sk_ctx), }; +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { + .lsm = "apparmor", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), @@ -1722,7 +1727,7 @@ static int __init apparmor_init(void) goto buffers_out; } security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), - "apparmor"); + &apparmor_lsmid); /* Report that AppArmor successfully initialized */ apparmor_initialized = 1; diff --git a/security/commoncap.c b/security/commoncap.c index f4ee0ae106b2..9dcfd2a0e891 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1339,6 +1339,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot, #ifdef CONFIG_SECURITY +static struct lsm_id capability_lsmid __lsm_ro_after_init = { + .lsm = "capability", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(capable, cap_capable), LSM_HOOK_INIT(settime, cap_settime), @@ -1363,7 +1368,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), - "capability"); + &capability_lsmid); return 0; } diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index ee5cb944f4ad..86317e78899f 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -180,6 +180,11 @@ static int loadpin_load_data(enum kernel_load_data_id id) return loadpin_read_file(NULL, (enum kernel_read_file_id) id); } +static struct lsm_id loadpin_lsmid __lsm_ro_after_init = { + .lsm = "loadpin", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), @@ -227,7 +232,8 @@ static int __init loadpin_init(void) pr_info("ready to pin (currently %senforcing)\n", enforce ? "" : "not "); parse_exclude(); - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), + &loadpin_lsmid); return 0; } diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 7760019ad35d..950dfb7f931e 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -149,6 +149,11 @@ static int safesetid_task_fix_setuid(struct cred *new, return -EACCES; } +static struct lsm_id safesetid_lsmid __lsm_ro_after_init = { + .lsm = "safesetid", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list safesetid_security_hooks[] = { LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid), LSM_HOOK_INIT(capable, safesetid_security_capable) @@ -157,7 +162,8 @@ static struct security_hook_list safesetid_security_hooks[] = { static int __init safesetid_security_init(void) { security_add_hooks(safesetid_security_hooks, - ARRAY_SIZE(safesetid_security_hooks), "safesetid"); + ARRAY_SIZE(safesetid_security_hooks), + &safesetid_lsmid); /* Report that SafeSetID successfully initialized */ safesetid_initialized = 1; diff --git a/security/security.c b/security/security.c index 5e43d3f64c1f..5f503cadf7f3 100644 --- a/security/security.c +++ b/security/security.c @@ -308,6 +308,7 @@ static void __init ordered_lsm_init(void) init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("lsmblob size = %lu\n", sizeof(struct lsmblob)); /* * Create any kmem_caches needed for blobs @@ -435,21 +436,36 @@ static int lsm_append(const char *new, char **result) return 0; } +/* + * Current index to use while initializing the lsmblob secid list. + */ +static int lsm_slot __initdata; + /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add * @count: the number of hooks to add - * @lsm: the name of the security module + * @lsmid: the the identification information for the security module * * Each LSM has to register its hooks with the infrastructure. + * If the LSM is using hooks that export secids allocate a slot + * for it in the lsmblob. */ void __init security_add_hooks(struct security_hook_list *hooks, int count, - char *lsm) + struct lsm_id *lsmid) { int i; + if (lsmid->slot == LSMBLOB_NEEDED) { + if (lsm_slot >= LSMBLOB_ENTRIES) + panic("%s Too many LSMs registered.\n", __func__); + lsmid->slot = lsm_slot++; + init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, + lsmid->slot); + } + for (i = 0; i < count; i++) { - hooks[i].lsm = lsm; + hooks[i].lsmid = lsmid; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } @@ -458,7 +474,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, * and fix this up afterwards. */ if (slab_is_available()) { - if (lsm_append(lsm, &lsm_names) < 0) + if (lsm_append(lsmid->lsm, &lsm_names) < 0) panic("%s - Cannot get early memory.\n", __func__); } } @@ -1906,7 +1922,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.getprocattr(p, name, value); } @@ -1919,7 +1935,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.setprocattr(name, value, size); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3feb971068e2..5570a6ed49d5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6791,6 +6791,11 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_sock = sizeof(struct sk_security_struct), }; +static struct lsm_id selinux_lsmid __lsm_ro_after_init = { + .lsm = "selinux", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), @@ -7051,7 +7056,8 @@ static __init int selinux_init(void) hashtab_cache_init(); - security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), + &selinux_lsmid); if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 796f78580c17..e42336328446 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4586,6 +4586,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_sock = sizeof(struct socket_smack), }; +static struct lsm_id smack_lsmid __lsm_ro_after_init = { + .lsm = "smack", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), @@ -4784,7 +4789,7 @@ static __init int smack_init(void) /* * Register with LSM */ - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); smack_enabled = 1; pr_info("Smack: Initializing.\n"); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 716c92ec941a..f1968e80f06d 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -529,6 +529,11 @@ static void tomoyo_task_free(struct task_struct *task) } } +static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = { + .lsm = "tomoyo", + .slot = LSMBLOB_NOT_NEEDED +}; + /* * tomoyo_security_ops is a "struct security_operations" which is used for * registering TOMOYO. @@ -581,7 +586,8 @@ static int __init tomoyo_init(void) struct tomoyo_task *s = tomoyo_task(current); /* register ourselves with the security framework */ - security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); + security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), + &tomoyo_lsmid); pr_info("TOMOYO Linux initialized\n"); s->domain_info = &tomoyo_kernel_domain; atomic_inc(&tomoyo_kernel_domain.users); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 94dc346370b1..0f0cf7136929 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -421,6 +421,11 @@ static int yama_ptrace_traceme(struct task_struct *parent) return rc; } +static struct lsm_id yama_lsmid __lsm_ro_after_init = { + .lsm = "yama", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list yama_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme), @@ -477,7 +482,7 @@ static inline void yama_init_sysctl(void) { } static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); - security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); + security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid); yama_init_sysctl(); return 0; } From patchwork Wed Nov 13 00:08:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240481 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C94D313BD for ; Wed, 13 Nov 2019 00:09:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A120221A49 for ; Wed, 13 Nov 2019 00:09:35 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="oyqY5470" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726923AbfKMAJf (ORCPT ); Tue, 12 Nov 2019 19:09:35 -0500 Received: from sonic313-15.consmr.mail.ne1.yahoo.com ([66.163.185.38]:32993 "EHLO sonic313-15.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727126AbfKMAJf (ORCPT ); Tue, 12 Nov 2019 19:09:35 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603773; bh=zwtwS+X4xVmleeqnR0L11e8Hd0N9+6mQMB6qAtbcndI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=oyqY54702AtQd+3CcoURzVqaTXE9MCHKR4ddbFG88xirlHoVgj2Nt+CsnO27v5LXUbxISvH+LI0SaHL93tgBYPEL3LZekrnldALQ2oriyjZi+hb2Ldp+e2HB6NWOSZ2PCXPskpFGtQsn5TPe1gJf2T+PP4FFDlYRLTiDWld709xLWiQ3gxYpVLWUbAyIowRCK/4zXYFb4/twhrawceaL2h/ios4RtjCBqsAha7UnZs1RRFUtFJoRm7FVhEch/f/OIrvX76OBLuzqeeqU5FTx17//8LuILlVBYPA5d+O9EcTpcuRChfQb7T0XlF17gyWTHwvJHOZulwjXSyzpdBrIdg== X-YMail-OSG: 8REAj2sVM1kCKutIkHlwBUoA4h6fNEsu41LmSsQu4TzghMs3g.ZEjQNT_K6Mh5S yRDIwSHKGDSQF6yE8CCefvIfK6d8hcOPjUYk8sQcBTgCuyHp47HBUKC7O.EMDviyuNWjWf.15T3j l0.UM0pE0CkXcGx_nmJJS7mhkGiDZmzTR5U7jjJTPsfFvPKyQCvLBfNX1OTzNo7sQwTyZk3akGjj OD0FEK7U.5e55WT285igb.Pm7rV9l_i4o7aLTuSJq6ZTvnR0CgqrcP_eiVN1hlcBS87S5XuGlCgy ehp3T0LeaxBf9vpmbo5Urw9NZkDsjEJ7oH9LdW_i9Ml9hJGXV3kX76NFtBnLlhz1TzTIb9nsHDxZ xisNbwtRCnKTAzav8u.jloNnAgFaTy_wzKrkxbkwvjbSwiGE6UcG4epZJXYTMXpjs6aBS.0CCE6s nXQi8pwU6ZBJkURZ3cx2bATFhSNEmHEV0hTHrkYbZx.U9CqUHEKYOpXzBG1XrdibWMAbYB4.9ti0 Qibs01lo5VTUELZ1QQRYpmQvyVktxj9KenBZUlah.k3uu6I1cYrUt_ZMi6RWBpMIy_5kz9CU2NF4 ovXAfKvSPETE5cBP84vo1lRkyrU88vAtsBaM3LIMjejY_URmqbhSJcs90mswOP7Pmtu0r6S1zgVR WRPEcy0bEWeCUM3rgSyjLLHcW.j6G9ao43lA4.BO9h1nmJMxwy5iMZL2a43HbZWppXphtM9bWKX8 TpphVAkEK79eLYngC6ClxrjOBdGDdVoQCH_oCEVtl4ypHRn.EgyRsMStRx2O9XLFINLSK7VSU2FZ wvW7WWupWdtbIqlroLlkklFbkWhIBDQx0XF9h1GLI3Kp1CfK1qqC1s2TS26cCKWVZc8dWXY6_fOi LzIjvrZjhFgI3Gx_ekKpn135855y.cMLtVIRJCQPORt8wY6jYrpJir4d_YVskrLHlou4JAh5njCC ETsABFryvRjuT0UeRFjt64cNjOHY.qhDiHE.1.UObWCuF1bD0RoUyYy_cyrBgAPO39haXuc9uLea UUVkyy.qwsXYgmpm2xmnt4SCjjEN.QGzuU6ZCXCuWkDZWSwISQ3wbuURWIgCT2kDkAZkGEgfoAHm QIPb89JPGwEjHWd7RCb7nq.wOzB.9vnhrYR11iu_gDjM9ZG_fLeuOOJqtqzXIjpMQaHqLcEzkpwZ Hinv7Bag58M4ID5oAmyoIIifSTlhXhfVS4wlIAnvaYyrheeQ_jgf2_ZUO4lY0pKDMFfEeo7YAdcn LPQN9RU1LUsc1xOyYcKIS1cWpEPnzqGtKu7cZlqvzi8aJlw5r1SwJbf.c_2Rm9ZTc5liHEyGfFzl 29.gSIms3lns1iAeeZghrVeRArNUkFa7to0USMQZ.48WoUtYY.KRmoqM9tjvjiV8HPaRubwUyyyU qwlknY.B0wgkowPmw8CkTMTqqzR3s2r7o Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:33 +0000 Received: by smtp428.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 6f1d82c7e28d32d4ef3c31a06032e5a8; Wed, 13 Nov 2019 00:09:29 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com Subject: [PATCH 03/25] LSM: Use lsmblob in security_audit_rule_match Date: Tue, 12 Nov 2019 16:08:51 -0800 Message-Id: <20191113000913.5414-4-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the secid parameter of security_audit_rule_match to a lsmblob structure pointer. Pass the entry from the lsmblob structure for the approprite slot to the LSM hook. Change the users of security_audit_rule_match to use the lsmblob instead of a u32. In some cases this requires a temporary conversion using lsmblob_init() that will go away when other interfaces get converted. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditfilter.c | 7 +++++-- kernel/auditsc.c | 14 ++++++++++---- security/integrity/ima/ima.h | 4 ++-- security/integrity/ima/ima_policy.c | 7 +++++-- security/security.c | 18 +++++++++++++++--- 6 files changed, 41 insertions(+), 16 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 5eced28fa0c9..2df58448f1f2 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1835,7 +1835,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule); void security_audit_rule_free(void *lsmrule); #else @@ -1851,8 +1852,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index b0126e9c0743..356db1dd276c 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1325,6 +1325,7 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; pid_t pid; u32 sid; + struct lsmblob blob; switch (f->type) { case AUDIT_PID: @@ -1355,8 +1356,10 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { security_task_getsecid(current, &sid); - result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + lsmblob_init(&blob, sid); + result = security_audit_rule_match( + &blob, f->type, + f->op, f->lsm_rule); } break; case AUDIT_EXE: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4effe01ebbe2..7566e5b1c419 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob; unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); @@ -643,7 +644,9 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid(tsk, &sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + lsmblob_init(&blob, sid); + result = security_audit_rule_match(&blob, + f->type, f->op, f->lsm_rule); } @@ -658,15 +661,17 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { + lsmblob_init(&blob, name->osid); result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + lsmblob_init(&blob, n->osid); if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rule)) { @@ -678,7 +683,8 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + lsmblob_init(&blob, ctx->ipc.osid); + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rule)) ++result; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3689081aaf38..5bcd6011ef8c 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -370,8 +370,8 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr, return -EINVAL; } -static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_filter_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 5380aca2b351..7711cc6a3fe3 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -414,6 +414,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; u32 osid; + struct lsmblob blob; if (!rule->lsm[i].rule) continue; @@ -423,7 +424,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: security_inode_getsecid(inode, &osid); - rc = security_filter_rule_match(osid, + lsmblob_init(&blob, osid); + rc = security_filter_rule_match(&blob, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); @@ -431,7 +433,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = security_filter_rule_match(secid, + lsmblob_init(&blob, secid); + rc = security_filter_rule_match(&blob, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index 5f503cadf7f3..7c386cbe4cf3 100644 --- a/security/security.c +++ b/security/security.c @@ -439,7 +439,7 @@ static int lsm_append(const char *new, char **result) /* * Current index to use while initializing the lsmblob secid list. */ -static int lsm_slot __initdata; +static int lsm_slot __lsm_ro_after_init; /** * security_add_hooks - Add a modules hooks to the hook lists. @@ -2412,9 +2412,21 @@ void security_audit_rule_free(void *lsmrule) call_void_hook(audit_rule_free, lsmrule); } -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot], + field, op, lsmrule); + if (rc != 0) + return rc; + } + return 0; } #endif /* CONFIG_AUDIT */ From patchwork Wed Nov 13 00:08:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240485 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 995F813BD for ; Wed, 13 Nov 2019 00:09:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 71BAF21A49 for ; Wed, 13 Nov 2019 00:09:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="E/Q593ZJ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726991AbfKMAJj (ORCPT ); Tue, 12 Nov 2019 19:09:39 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:40008 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726952AbfKMAJj (ORCPT ); Tue, 12 Nov 2019 19:09:39 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603777; bh=eVAcx7o8q0AFLreBS98x3GgYwdFEcr7jaVdmiN42/p8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=E/Q593ZJN9+vG+mqxgzSKgYMyec1k4rByLbcA8w+uNqkM3ZUwXXuzqfe0o+oeg7y0ylhMMBSzMogRj4L/VZAkdLgpnaw4oqdez9jdlb3wbie5ySQYTsuwAGSEQ1c7RhNn//VEOem/rksZtPJ9Hbi2xbUMoerSigqptHJJvQhAOoq7L1LehOrLUWGaSOQq4P9brXOluZV9mNjzv5/osLWBG+/OAVsDc3M1EUhB0PYqnbFd+NJ2GBNg28bZ7I8vynuXQ523S1WR3SUyOM9sCZSZ5vBgU2MubFi3Z5qAL/OpnNCOFR1YNgLlCNKO55ARMO5i2flSNu1I7L8gDm1vn0L4A== X-YMail-OSG: x2yE95wVM1lOJGLrlegJfpsqH1MO.nCRLG10MO1waS9CeP50mtXtUTZZXl5fi5l UFEyND.eCXJ1nvScqaDQyinuizCu1fmQ_.OMj8YJ4WjqQv4hwDYKTcfFOk392MeU_MzFPAGLF5U8 sFt6W12WobOC2WTByUuMfWXiPeiycNDXb7sRqrD0matouwXz5bER6KvKBl8dv2rm1sbzI4KjyMHS kER2ZZJ20b8yKwpzOco46iCkl9FrwyMsP0GvSrrNbF9YPKRaZCImV1kfQEiiOdo4maj25gP12Jb0 l5XLcQzUCqCD7CQnDeV4PQC_1QjA7D0h9uRYj5pe26qjCO8ojRR3Y0KaMafRFrIiorNHnOpVpIWm j.M2MdAMhrzlvqR.IN4AwGV1SBfPHYYnx7Q8Es1xhtEUIDpEvdbCCJ3x8y.W0SEo.Pvl.vkezrv5 S_o1_hrHNTPYxA4tEZy7fjYwTMG02Gk3zWlmwlZP87T_23XSb5ZYizOOeAsB1_O21A3n9vKas8Im bjpud5wNXxWSL.GiXXVcwxwYV_gmsJAWwELUeB4Xoc3ixMAiyDYH_UGAvQxya3Ssk2eqhciMlKWj OMRe.cv4B4rvD36fMpKhwjLae8G_fyKtIZ4aov4DsG9PjMJJOBqoRC0dHOKfqBCrErahZPHMPGWm LQRblJ4lpIvM.RXt_nyoOFhm2qqSuWfjRgznGAv9v2mrvWYTkcx21hnYIO_fNmfGtUC9QQHAw5G5 o6WLOTBlhcsLSFNW5QA0a536YfEB4oCptOdSsv442NWg4aKZ9RNEkEvpePzLphWaPY0gBVZ9jd7D KjBjdJcMbwW2Fvhs9uieGN8LBDB0zHHHPPm.zHKLG1DgfmE8ntiWML7CCR2.WZT26fTT9MFP44hm khRODGzL5rG05cQqbvvX0_xVbLe_W.aZINZ7ZLIeuHVoioJc7BQ0r79lqDWKuNrDdhzl5xZm1Fti 81J829sOD2HcLIcDhEGYLRJiqEuKLUMxGR.OyUyuoRK.5Uqb9xnWRTTZWYkE1uXy5.3rR_bNvRx5 DXlwwA2rt42HX9EByLEB9.1LbYQgTCPdDtN5uRcwkREfIJ3_wRO5NLI4kX_9J1LPZ1JWw9K1iEY1 3oCHAc1LDA7TUiEhmAmwkSMQrxPlsVdMpiTeHH2eNnVdEmL1pUb0MKUOd.Pa_et0.1m2.uxJqlWM eAzfFHUfSpMPiGeCk7koXv0JNyIF2MbAHwa6f5.zJOEc4LcljRwAYBtNi2S0ZCwlDhRSELaPVYFB uIkbk4Jt24WZ.n2aQ0wfdXaLcEuybqcYDIsTs7xyYbSzgq2KcPXm.ekUci4u1tMfhImufbfosIDi RCzgCJ9DlUXgepioYdWFSeRHX3No9gwaTRWOiMk0utsjjOWFG3pcpvuP.zhA8xUp.U.UbdhqVJrO qZ3w3z8NlIrpxIcp16nyL.3Ug6nfvC8RPzIfDWVSnch_TKUWehMIprHwt38DTqA5w Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:37 +0000 Received: by smtp427.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID eba4c54ba4d55f2cad95fb20ef489486; Wed, 13 Nov 2019 00:09:37 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH 04/25] LSM: Use lsmblob in security_kernel_act_as Date: Tue, 12 Nov 2019 16:08:52 -0800 Message-Id: <20191113000913.5414-5-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the security_kernel_act_as interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change it's only caller, set_security_override, to do the same. Change that one's only caller, set_security_override_from_ctx, to call it with the new parameter type. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler --- include/linux/cred.h | 3 ++- include/linux/security.h | 5 +++-- kernel/cred.c | 10 ++++++---- security/security.c | 14 ++++++++++++-- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/include/linux/cred.h b/include/linux/cred.h index 18639c069263..03ae0182cba6 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -18,6 +18,7 @@ struct cred; struct inode; +struct lsmblob; /* * COW Supplementary groups list @@ -165,7 +166,7 @@ extern const struct cred *override_creds(const struct cred *); extern void revert_creds(const struct cred *); extern struct cred *prepare_kernel_cred(struct task_struct *); extern int change_create_files_as(struct cred *, struct inode *); -extern int set_security_override(struct cred *, u32); +extern int set_security_override(struct cred *, struct lsmblob *); extern int set_security_override_from_ctx(struct cred *, const char *); extern int set_create_files_as(struct cred *, struct inode *); extern int cred_fscmp(const struct cred *, const struct cred *); diff --git a/include/linux/security.h b/include/linux/security.h index 2df58448f1f2..2b0ab47cfb26 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -435,7 +435,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); -int security_kernel_act_as(struct cred *new, u32 secid); +int security_kernel_act_as(struct cred *new, struct lsmblob *blob); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); int security_kernel_load_data(enum kernel_load_data_id id); @@ -1041,7 +1041,8 @@ static inline void security_transfer_creds(struct cred *new, { } -static inline int security_kernel_act_as(struct cred *cred, u32 secid) +static inline int security_kernel_act_as(struct cred *cred, + struct lsmblob *blob) { return 0; } diff --git a/kernel/cred.c b/kernel/cred.c index c0a4c12d38b2..846ac4b23c16 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -732,14 +732,14 @@ EXPORT_SYMBOL(prepare_kernel_cred); /** * set_security_override - Set the security ID in a set of credentials * @new: The credentials to alter - * @secid: The LSM security ID to set + * @blob: The LSM security information to set * * Set the LSM security ID in a set of credentials so that the subjective * security is overridden when an alternative set of credentials is used. */ -int set_security_override(struct cred *new, u32 secid) +int set_security_override(struct cred *new, struct lsmblob *blob) { - return security_kernel_act_as(new, secid); + return security_kernel_act_as(new, blob); } EXPORT_SYMBOL(set_security_override); @@ -755,6 +755,7 @@ EXPORT_SYMBOL(set_security_override); */ int set_security_override_from_ctx(struct cred *new, const char *secctx) { + struct lsmblob blob; u32 secid; int ret; @@ -762,7 +763,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx) if (ret < 0) return ret; - return set_security_override(new, secid); + lsmblob_init(&blob, secid); + return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/security/security.c b/security/security.c index 7c386cbe4cf3..dd6f212e11af 100644 --- a/security/security.c +++ b/security/security.c @@ -1615,9 +1615,19 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); -int security_kernel_act_as(struct cred *new, u32 secid) +int security_kernel_act_as(struct cred *new, struct lsmblob *blob) { - return call_int_hook(kernel_act_as, 0, new, secid); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.kernel_act_as(new, blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } int security_kernel_create_files_as(struct cred *new, struct inode *inode) From patchwork Wed Nov 13 00:08:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240489 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 865FD14E5 for ; Wed, 13 Nov 2019 00:09:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5EDB221D7F for ; Wed, 13 Nov 2019 00:09:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="VIrKDrhy" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726988AbfKMAJn (ORCPT ); Tue, 12 Nov 2019 19:09:43 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:36214 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727126AbfKMAJm (ORCPT ); Tue, 12 Nov 2019 19:09:42 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603781; bh=fQopPU+QHEIhU1rMxngnZt5dLriz8PONEvXZFfDzj2M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=VIrKDrhyq9bFHOTNVoJJR+7kFNmfXmjbQnWVLE5ZMITv5HHkWVODswQ7TawSpL+0BfOABsLv6pWEY4YkFnzLEKJy+NBMaBz1cg5oQzbNq3iGvNZ3y4PfpAV/SadXkC+sT2dKPnPnKMLA6R4Bh/fxQ+qJZ6kAoqjcsd1t/FJdLyYDP+sDJMSNDdSZ78Tl9c53TfciZxPsEqmAi9EIhb0lMk0i90bmY8RIigXHwUKusVFSUekNvt1HUBoEb18RzOQAh1tNw14uG0p5xhuAOhn+E9NaCThL37OdPRoNFm+19vuo6qo1d5n6Em5xelZXbCLEsxD4HTNGnW95a3huhpr7JA== X-YMail-OSG: nXHSJ0UVM1mNznJO.AkXuFiBGQrd1UtHzHox9XQuRYjtuL.PPsY6OcT2bZATAJq BIWMN_dylpUvbmeayEpGIo_SXDa40KAATm8.ypX7vNTajR5CaK2X7hSfM1ZqKE96dtNDiQtFFXx2 LZjV4M5HgZoQA1KJVwG0AGQLXYZAYrwin.PfH23XNkJKDX_RS.BLh2fPmoEUooNWXVecoOkyb4aH KproHUnRvb18gFL01wZ76sR.ulGjEJLomrMIbHq56W5Y.z72E8jmmXCnbKlaFO3RXROOHrQ6J6IL lBl82YQk3UIPs8uu3vK8PoevcHNbNRBDBenI1reJNA7k5LrDiM4JxnFn_vicDTaJpkEkqbd.gV2K N9sPZjXjpguVg_lajo9YmNBrfoOsWS9QoVYwROE1Pn6ru9L7FyI1Kdsxf4.r.ikEjvSzvD6hjXJo 6QmBNhSR4yh73ZR4h.wZ7egE9lAKvZ0LsGeGuBmqMANtRBD0chUYN2FuxNWMvhRQW94bnWk.2tXJ kJ6Xk7Qi7n12m4tnhYZK49EIaMkGzOMKMFXNmdS3U.GdDHVk7g82lJocxV_QtdACIG9bM9x1UJo_ 43Pt3.MMQ6SxBHrQrcyP4zpvHCCcHGK_DQraGzpafZTmdp7fUQDspAP2gJ2hMBF9Q1joeMN8VOQr DnZx63hmO2z5Fnv1Nt8yJhlDP4shkiomIgiVPaS2ihudi9IYCoEATUxR6TZdblaoK0BMGMlu8.Q3 STvSB1HNMksBxo0nEqbKU1MTZD94oM3HkFbvr8ABUARJ5MYhpKHShhx.rgyBqtadUgWCApbMHoBJ RrdhGDR_MyxEUcC1AMwgYcqzGwaaTCcC3j1ytpuM6nOs_XlioTKWX_5.Eg7OusOVGYLRx0lgMANg 9unbRS01iF.JlZ__0EBcrs6gRyMLVFXy.83nD3Z9llo8l5fcU6BFPx8915g.9Jp2wv4mLBEMlQz_ Kn3pDCEGWPDRE3p6FoaGeE9N4vPz4Al4b03iVZRpSKUVvnQD03n97Jw8l1iyG65K7xHjJXH2E8.m z3ElSlJIzo1Yo9vGhFK5Po27hq7GtuGEUXkkt7E01fu04t8WDLE2WlgUQ6_kPBECFZaswMS9Scnx zOnW6lf6EDtY0gGyOpyugl1ePgZWF4kHrZrJ1sXUqaWxkg6gFs3gmzOUATUYrW0nFZunoOXNFsyP NCHxcFok18aPiis9kcQ7o9UdionZEJFKXcMrMJqVa2ZbhbtTrJ61ufEFfgaLCL5082DFNUG.3Eco 0XrXhanRHnvbdiFoZb.rUBxfTbT6mzOyhmE_e4E7a3DxRrExybCUTmlZSiP0fg7K56TT2yxDDSUU CQA2VJLqogykdyhIXkEP6huKziOHE8eyripBT3wGlfJ.Tq_FcY709ZupsYElAMF9nlknlIUW1OJ7 iFMASNAM0hZCRr1miiwcX5V8bjaMIMfeEssGy8qc61jwz.Lqni5rF.bTDZSKm.4F9kl5BSg-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:41 +0000 Received: by smtp427.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID eba4c54ba4d55f2cad95fb20ef489486; Wed, 13 Nov 2019 00:09:38 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, netdev@vger.kernel.org Subject: [PATCH 05/25] net: Prepare UDS for security module stacking Date: Tue, 12 Nov 2019 16:08:53 -0800 Message-Id: <20191113000913.5414-6-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the data used in UDS SO_PEERSEC processing from a secid to a more general struct lsmblob. Update the security_socket_getpeersec_dgram() interface to use the lsmblob. There is a small amount of scaffolding code that will come out when the security_secid_to_secctx() code is brought in line with the lsmblob. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: netdev@vger.kernel.org --- include/linux/security.h | 7 +++++-- include/net/af_unix.h | 2 +- include/net/scm.h | 8 +++++--- net/ipv4/ip_sockglue.c | 8 +++++--- net/unix/af_unix.c | 6 +++--- security/security.c | 18 +++++++++++++++--- 6 files changed, 34 insertions(+), 15 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 2b0ab47cfb26..d57f400a307e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1354,7 +1354,8 @@ int security_socket_shutdown(struct socket *sock, int how); int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb); int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int __user *optlen, unsigned len); -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid); +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + struct lsmblob *blob); int security_sk_alloc(struct sock *sk, int family, gfp_t priority); void security_sk_free(struct sock *sk); void security_sk_clone(const struct sock *sk, struct sock *newsk); @@ -1492,7 +1493,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __ return -ENOPROTOOPT; } -static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +static inline int security_socket_getpeersec_dgram(struct socket *sock, + struct sk_buff *skb, + struct lsmblob *blob) { return -ENOPROTOOPT; } diff --git a/include/net/af_unix.h b/include/net/af_unix.h index 3426d6dacc45..933492c08b8c 100644 --- a/include/net/af_unix.h +++ b/include/net/af_unix.h @@ -36,7 +36,7 @@ struct unix_skb_parms { kgid_t gid; struct scm_fp_list *fp; /* Passed files */ #ifdef CONFIG_SECURITY_NETWORK - u32 secid; /* Security ID */ + struct lsmblob lsmblob; /* Security LSM data */ #endif u32 consumed; } __randomize_layout; diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..e2e71c4bf9d0 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -33,7 +33,7 @@ struct scm_cookie { struct scm_fp_list *fp; /* Passed files */ struct scm_creds creds; /* Skb credentials */ #ifdef CONFIG_SECURITY_NETWORK - u32 secid; /* Passed security ID */ + struct lsmblob lsmblob; /* Passed LSM data */ #endif }; @@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl); #ifdef CONFIG_SECURITY_NETWORK static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm) { - security_socket_getpeersec_dgram(sock, NULL, &scm->secid); + security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob); } #else static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm) @@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + /* Scaffolding - it has to be element 0 for now */ + err = security_secid_to_secctx(scm->lsmblob.secid[0], + &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index aa3fd61818c4..6cf57d5ac899 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmblob lb; char *secdata; - u32 seclen, secid; + u32 seclen; int err; - err = security_socket_getpeersec_dgram(NULL, skb, &secid); + err = security_socket_getpeersec_dgram(NULL, skb, &lb); if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + /* Scaffolding - it has to be element 0 */ + err = security_secid_to_secctx(lb.secid[0], &secdata, &seclen); if (err) return; diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 0d8da809bea2..189fd6644e7f 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -138,17 +138,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr) #ifdef CONFIG_SECURITY_NETWORK static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb) { - UNIXCB(skb).secid = scm->secid; + UNIXCB(skb).lsmblob = scm->lsmblob; } static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb) { - scm->secid = UNIXCB(skb).secid; + scm->lsmblob = UNIXCB(skb).lsmblob; } static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb) { - return (scm->secid == UNIXCB(skb).secid); + return lsmblob_equal(&scm->lsmblob, &(UNIXCB(skb).lsmblob)); } #else static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb) diff --git a/security/security.c b/security/security.c index dd6f212e11af..55837706e3ef 100644 --- a/security/security.c +++ b/security/security.c @@ -2108,10 +2108,22 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, optval, optlen, len); } -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + struct lsmblob *blob) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + int rc = -ENOPROTOOPT; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.socket_getpeersec_dgram(sock, skb, + &blob->secid[hp->lsmid->slot]); + if (rc != 0) + break; + } + return rc; } EXPORT_SYMBOL(security_socket_getpeersec_dgram); From patchwork Wed Nov 13 00:08:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240491 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AD6D81850 for ; Wed, 13 Nov 2019 00:09:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8E47521E6F for ; Wed, 13 Nov 2019 00:09:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="sc5+O79U" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727137AbfKMAJn (ORCPT ); Tue, 12 Nov 2019 19:09:43 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:33603 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726936AbfKMAJm (ORCPT ); Tue, 12 Nov 2019 19:09:42 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603781; bh=co4jpZY+mhudboH3Pzmlm1GU8BGwBGVp+kygYlsjIuI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=sc5+O79U2g8mvon/Kfb6Z58FdIsfnPMcGwmKeP/dXfY2Y3JahW5HnvnDLO19JH2i/jSAKsmStFLzMe6MgasD8vonLtXVksFoV9WLzIrV16KzIMuiR98LaEkT55mWdZzP7ZAzjQFNcKcudav/3bwdUOrwljOfQpuXOaMlr0tfHkUrkcJ9l1TyfCs60kvE3aD1Tgkp91fx2HpAsUivOACZA/2Qc+4KzU1THSFsSUYRwLC23b6cQEzYKQvyrH5ffYQXBRbII+SxzPaHzhmLQnBsbchBAuISOw46wB1YRPfp87MyGxCdngN6aeker+/aAv6JmbofMj76T2GeAsmEiQgACA== X-YMail-OSG: duWiNj8VM1kWGio0c7v0TjNmXFZm4sb0DDVN56LeFgDNeVJnXNC3_5WNotV6Scy cyKHhcZctV9moIseQxpQgFd9eLYm2EH9VF0cw7po7rEG6d6JEULuUDMaC_FCBCsBuaKyOuv0QXSD 7MC7xNDAIAaox6jgtdd6Ti2C_q6R2SxHwOR33_eRsyM0rZbMQyoa3KEAvlkNbMApULRKauPe1EKI NXMz1jlbYj8Z7zJm9OgZGFbTa1e.ZXz1dmlO3hpGDzUPHhzKl1eMVS0DeCMoZBygbOyKNNKJKsiu AL1Klcg.i6ob4CjD5aZHq2CMSwx7a_InP_CnwKy3v3uixRDSt_trf.OM6AsOnGiWQ4.zlHmlxTfq RQoD4u2FPasi1Ds6d96uLgO0eoh.lfJjidEU7ny4kw3Hv9a1Kk68d13zCKiDHn9bTdrLvtTkADnk DvYUkqJfrHrgZHOJUQNr8NVUiJYq_JO1972IQQ717sbo_dYctPLmtDlObqzpW_Umlxah74LH6I.x 1IyMpzlsoKDX5y2k1KUHusFp60qAU1oIEMKUaZA5N2t3VH7P3TqEr.GOOHjIzrXybbXwU2OjDQJm DZOm9l9QU8b4IuU5bJxpCmLn1odWSizZDpKpYf6tUw77xALq8dUl6AHIxoxJMOw1l8KOmtgtA.zq loykfiEApdYFCTbB6_u0aIChsizFfPuALD6WWvUqJykbbVYRQc1q4OrsL_rAI55UrjHzMsHR98AS rD.XNV7p4KnmbrWyIhrPy32SN2Kmu1kpvyHguASNUX..cdtU52oWzpbbNH8625wkoqOCJsfXtrm5 _.BLCEGLPAzbjRxd_19S4MGdVZuqKcwvQITqYYk4N4TUHVSKEJgbZI2rbV0P6DlG1pUHYjJwWgjt NTuXTH0o2tMvq9tccmAu_WFI5IpD_oH2BBb5q0lDVDCjMHZeem_nHEUrxrmd19Tjd5UrH8pMhPQB Nkg6v2or_Sc3PPwpLwMTGevPzN3G1meG_.ZzR6FDlab_DR3N.zVQ8576rscKjQffkNBKVIfctM58 sS6xSoqSLd_LsoBxPIAsBPwWDC7cH50wRhPlhfsXqxBwv_2a6iR91R6V7AvhSTdJdtcSSreQOLjI nc4_8IO.Ay50wqGh3IhNd2JKeBJk7Qdj3CTED08sxg9UyQK3DSk41ChqQCAapxhvGhElNu1j_E7o SbNe3NN3rQoH9ABYzFPjfBl8gPACP.SRG5bfvslXSji7h4Dd5evXKG8st6MLrvyVgiVGY6fUcjFR uc53.sJK0Fq_yl78BVqWMz2ZynSJDpkG7S18nP5HMM74GlzD9cK5toxduTEU9OQw1X7qmYPmvMqV 3b9mDjRpfTZBq3MnVr0CpR5Xlmn8J_5_OUIn5P0cVETijpUzN2b0d57BwATogEwvorXozT.4c87e Hmhl5QNsreHbcm.JH28PX5qqsY11TmaKKfNUAazc5Gmc4W1D7rACIJ2JV.CH7R6kpdA-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:41 +0000 Received: by smtp427.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID eba4c54ba4d55f2cad95fb20ef489486; Wed, 13 Nov 2019 00:09:39 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH 06/25] LSM: Use lsmblob in security_secctx_to_secid Date: Tue, 12 Nov 2019 16:08:54 -0800 Message-Id: <20191113000913.5414-7-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change security_secctx_to_secid() to fill in a lsmblob instead of a u32 secid. Multiple LSMs may be able to interpret the string, and this allows for setting whichever secid is appropriate. In some cases there is scaffolding where other interfaces have yet to be converted. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler --- include/linux/security.h | 5 +++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 13 ++++++------- net/netfilter/xt_SECMARK.c | 5 ++++- net/netlabel/netlabel_unlabeled.c | 14 ++++++++------ security/security.c | 18 +++++++++++++++--- 6 files changed, 37 insertions(+), 22 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index d57f400a307e..b69877a13efa 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -494,7 +494,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -1300,7 +1301,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle static inline int security_secctx_to_secid(const char *secdata, u32 seclen, - u32 *secid) + struct lsmblob *blob) { return -EOPNOTSUPP; } diff --git a/kernel/cred.c b/kernel/cred.c index 846ac4b23c16..7fef90f3f10b 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -756,14 +756,12 @@ EXPORT_SYMBOL(set_security_override); int set_security_override_from_ctx(struct cred *new, const char *secctx) { struct lsmblob blob; - u32 secid; int ret; - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); + ret = security_secctx_to_secid(secctx, strlen(secctx), &blob); if (ret < 0) return ret; - lsmblob_init(&blob, secid); return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 317e3a9e8c5b..7c49397c33fd 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -617,21 +617,20 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { static int nft_secmark_compute_secid(struct nft_secmark *priv) { - u32 tmp_secid = 0; + struct lsmblob blob; int err; - err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob); if (err) return err; - if (!tmp_secid) - return -ENOENT; - - err = security_secmark_relabel_packet(tmp_secid); + /* Using le[0] is scaffolding */ + err = security_secmark_relabel_packet(blob.secid[0]); if (err) return err; - priv->secid = tmp_secid; + /* Using le[0] is scaffolding */ + priv->secid = blob.secid[0]; return 0; } diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 2317721f3ecb..2d68416b4552 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -45,13 +45,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) static int checkentry_lsm(struct xt_secmark_target_info *info) { + struct lsmblob blob; int err; info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; info->secid = 0; err = security_secctx_to_secid(info->secctx, strlen(info->secctx), - &info->secid); + &blob); if (err) { if (err == -EINVAL) pr_info_ratelimited("invalid security context \'%s\'\n", @@ -59,6 +60,8 @@ static int checkentry_lsm(struct xt_secmark_target_info *info) return err; } + /* scaffolding during the transition */ + info->secid = blob.secid[0]; if (!info->secid) { pr_info_ratelimited("unable to map security context \'%s\'\n", info->secctx); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index d2e4ab8d1cb1..7a5a87f15736 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -881,7 +881,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -905,12 +905,13 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* scaffolding with the [0] */ return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, secid, + dev_name, addr, mask, addr_len, blob.secid[0], &audit_info); } @@ -932,7 +933,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -954,12 +955,13 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* scaffolding with the [0] */ return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, secid, + NULL, addr, mask, addr_len, blob.secid[0], &audit_info); } diff --git a/security/security.c b/security/security.c index 55837706e3ef..32bb5383de9b 100644 --- a/security/security.c +++ b/security/security.c @@ -1970,10 +1970,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct security_hook_list *hp; + int rc; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } EXPORT_SYMBOL(security_secctx_to_secid); From patchwork Wed Nov 13 00:08:55 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240499 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9104A1850 for ; Wed, 13 Nov 2019 00:09:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 71B8121D7F for ; Wed, 13 Nov 2019 00:09:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="ue/Xbsnd" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727152AbfKMAJt (ORCPT ); Tue, 12 Nov 2019 19:09:49 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:35795 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727159AbfKMAJs (ORCPT ); Tue, 12 Nov 2019 19:09:48 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603786; bh=opt8tjFp3SF7qIll5OOhVEGsXSDibyOxeBMKDxDgh+A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=ue/XbsndKyn9MrLpv2NDaKOOzgrcId00gaxPBmH9Cjh2KvMmEXa4/Yv3F5IcZ9hBAW7bq+7vRHGCn7DfD0AnEYxJptnA5O6OmYnvK6Vg50fZk6JREIynYkvQaNjKKVhz1BsS3l9xucA/2icb1eXV81RFfNDm0h8O4ykfe/PD2saGnOeflHxl7/pfH654GLfUEF8WjBBd6NK9u0r/xOHiCbujU7BSJ3F3uXG8Z/FzIaOdP03y/diJAWSMWV8ZWi1upWym26iNoeBrmBzt65Eww7rmqqBd33zLADPPilPjfXUKCWzCViwaqFVoo0rVa5W/eCHkyrkuAoTWPMn0udbCMQ== X-YMail-OSG: UGsuAawVM1mP6lWAXw2NDrSAKoGZLYlY_yWVfXIHTd7dkc_E4tu4Nqx7U7D3ps_ jtghsuCAszBAmCMwmWZSmh08iVieTeCFDsHi1trkPtLjrUalGmNvf0OvxGcYHWVC7BfWJh9NElKk HGhA1rqTqh0kUSYvyo3FHyIOPfq0WA0kdOL5O69.IYO3nPpZ0mLrS3f8XgYuSbg11kmU6UmYEMQa w4ruZqAsUb5oNmRmfZuQD3kntEkDP0ltqvqkg45T2WIZbDA7fInSxPU4BklWf3Jt4LmiyI848Ng. AsTWxcH4oRjyZ8JgSZPCed4nru.fppUMeJE9OBKQEL.udsGdhWs5DI7RuoqYAYDM3mPyzU7dBePq N.1BzLaxWWr14oA5zcWofxFYCI5jAIOCulUlp4ObllRMgZYXp4L_c3XENwcIkj0sWRpC9BfV0nqD 4Wc_fxC7dLXOuiS_VEkhxa2QUfAPxCzWaiEpKtlPoJs2t7537FQw_LsK2HN1tbPTMMBTTiPmNJDU MVfzCEPZ1DG9SZ3FAwN9XiQGpYA1M2cVK8DopoAst_t2Is7xrQV7owg0sPgb4r_W_3yb.P2QHTpE jgIG2f4RloEkevjmAtUzm3O4OODZgGENgx.vRAJpCy5Yvz515cl2BCylYf7g9cUbe4wDLY5dpPSq bFZnm9YOxNSVO1yxQOexHU_tuVJqpxAx1L3GMhH6ob5E3J666ADmad21u6hPdMi0_qGbW8TLBaIw zdjXm_m0MiaaPeSSPHqqIQyb5YiUExBIvQHL1sRILJSnb5b.PBb8sOqf0vRiNapUDuDpKKjiJ9By v_kBrvDM.HUMC7KRHcJgTK6yeT6oF1_7WHx_YuMpYVRJ8EpWJdbG3poCmyjFF5kRY.css8jj8qdK YU1HxvPa2wAGKfgdZ79sabrWzGeHfFXFkvQh6Jvy.kUqSyQ8fkY99fj.mnsGcPO6Ph6aSqGRAQ3t GyZc36spX9aC13BhE7Fospx2.nsSPp3aEDLsXgFWNq6DgfGXtV6Ev15fpCwidNQ1MyBeZN7MK9rg AZxHXV.SSaVnyDoP5kvoEeOOQwp742iLEwGBtLFIH2y3bG0OgyNKqwAIc1cdCJ_HVTNZxK.UPOCV UAxzzAMICwXlUUHg.12hch3u2UaoC20Z3VZBPENlkPwhM8mrq6jlhGvl3UHBZD99WIInUP1YGMlU y.KeZ4kEvcC_TMkujpTYzGp2gJFw0UsisIBcRRte4C6j4b.LwM9_QHQkVqwRTxGcg.3UsjfcEYqi vsw1axcKqlWfOwtNgcHtmeldM4fHlsYRc6ZOV2e0najSloS8pkw5ypibHJGSjhffxmftN.MRmWt. OtIn9gS6MN_2JVMNSxP_t9h4ff74ymkfNDXGOi9hcXf_LAHdSwBCvVZCL4zZHbHrpUMYsutbV3HP utet0nx_lK9OyWZQNPOVaYLktvP7RGRnVxPQQpnUt Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:46 +0000 Received: by smtp427.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID eba4c54ba4d55f2cad95fb20ef489486; Wed, 13 Nov 2019 00:09:41 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, netdev@vger.kernel.org Subject: [PATCH 07/25] LSM: Use lsmblob in security_secid_to_secctx Date: Tue, 12 Nov 2019 16:08:55 -0800 Message-Id: <20191113000913.5414-8-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change security_secid_to_secctx() to take a lsmblob as input instead of a u32 secid. It will then call the LSM hooks using the lsmblob element allocated for that module. The callers have been updated as well. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: netdev@vger.kernel.org --- drivers/android/binder.c | 4 +++- include/linux/security.h | 5 +++-- include/net/scm.h | 5 ++--- kernel/audit.c | 9 +++++++-- kernel/auditsc.c | 14 ++++++++++---- net/ipv4/ip_sockglue.c | 3 +-- net/netfilter/nf_conntrack_netlink.c | 8 ++++++-- net/netfilter/nf_conntrack_standalone.c | 4 +++- net/netfilter/nfnetlink_queue.c | 8 ++++++-- net/netlabel/netlabel_unlabeled.c | 18 ++++++++++++++---- net/netlabel/netlabel_user.c | 6 +++--- security/security.c | 16 +++++++++++++--- 12 files changed, 71 insertions(+), 29 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 265d9dd46a5e..5f4702b4c507 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3109,10 +3109,12 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + struct lsmblob blob; size_t added_size; security_task_getsecid(proc->tsk, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + lsmblob_init(&blob, secid); + ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/security.h b/include/linux/security.h index b69877a13efa..a3e99bccb1bb 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -493,7 +493,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); @@ -1294,7 +1294,8 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index e2e71c4bf9d0..31ae605fcc0a 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -97,9 +97,8 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - /* Scaffolding - it has to be element 0 for now */ - err = security_secid_to_secctx(scm->lsmblob.secid[0], - &secdata, &seclen); + err = security_secid_to_secctx(&scm->lsmblob, &secdata, + &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index da8dc0db5bd3..2f8e89eaf3e5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1417,7 +1417,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + struct lsmblob blob; + + lsmblob_init(&blob, audit_sig_sid); + err = security_secid_to_secctx(&blob, &ctx, &len); if (err) return err; } @@ -2060,12 +2063,14 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; u32 sid; + struct lsmblob blob; security_task_getsecid(current, &sid); if (!sid) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + lsmblob_init(&blob, sid); + error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 7566e5b1c419..04803c3099b2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -966,6 +966,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *ctx = NULL; u32 len; int rc = 0; + struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -975,7 +976,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + lsmblob_init(&blob, sid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1218,7 +1220,10 @@ static void show_special(struct audit_context *context, int *call_panic) if (osid) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { + struct lsmblob blob; + + lsmblob_init(&blob, osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1368,9 +1373,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (n->osid != 0) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { + lsmblob_init(&blob, n->osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 6cf57d5ac899..1ca97d0cb4a9 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -139,8 +139,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - /* Scaffolding - it has to be element 0 */ - err = security_secid_to_secctx(lb.secid[0], &secdata, &seclen); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index e2d13cd18875..0412f6744185 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -331,8 +331,10 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return 0; @@ -621,8 +623,10 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 410809c669e1..183a85412155 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -175,8 +175,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index feabdfb22920..bfa7f12fde99 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -305,13 +305,17 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct lsmblob blob; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + lsmblob_init(&blob, skb->secmark); + security_secid_to_secctx(&blob, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 7a5a87f15736..0cda17cb44a0 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -375,6 +375,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -437,7 +438,8 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, + lsmblob_init(&blob, secid); + if (security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); @@ -474,6 +476,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -493,8 +496,10 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); if (dev != NULL) dev_put(dev); + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -536,6 +541,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -554,8 +560,10 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); if (dev != NULL) dev_put(dev); + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1076,6 +1084,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, u32 secid; char *secctx; u32 secctx_len; + struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1130,7 +1139,8 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + lsmblob_init(&blob, secid); + ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..893301ae0131 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct audit_buffer *audit_buf; char *secctx; u32 secctx_len; + struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); + lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/security/security.c b/security/security.c index 32bb5383de9b..0fc75a31a6bb 100644 --- a/security/security.c +++ b/security/security.c @@ -1963,10 +1963,20 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { - return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata, - seclen); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], + secdata, seclen); + if (rc != 0) + return rc; + } + return 0; } EXPORT_SYMBOL(security_secid_to_secctx); From patchwork Wed Nov 13 00:08:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240501 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A87CE13BD for ; Wed, 13 Nov 2019 00:09:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8910621A49 for ; Wed, 13 Nov 2019 00:09:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="CZ5mY4Hy" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727004AbfKMAJy (ORCPT ); Tue, 12 Nov 2019 19:09:54 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:45331 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727185AbfKMAJy (ORCPT ); Tue, 12 Nov 2019 19:09:54 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603792; bh=DNCo0JuQorE9PAmGgQWZPLTpILlPu5l/KRbFUnDCaw8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=CZ5mY4Hy85+L4SCcWzdwF+xe6YjrdJ8pNSzOQtNuen15FYfX3xgwUI4JQgSTD757CG8BljzOkL51aMA8YLHeibjWROGOgixeO6kr1YnSFTsNCjOuDcK3PRlZKdQwIvHpVWssdr5Mc59E0DwNrU1UKsduVm9Y3z5ALxjwS6uSn5SxXLGCGEb7B0VCTiSG/9moZJYehsgneybA30P8BqK2E6p9t9TnAUBJIRJFt0ZTXKg2Mmq/Px+pEf1Q/uPQeLJyUZ0bvCy2Xk171xLizlV2kyA2DblN8xXygGMlF8wt4WyE4IsDbk15Z/6dk+gUyepll1Chph+TWdalktjdbvHkvw== X-YMail-OSG: wVt3b2EVM1lTb20fAdzJnVQrO2OioyTMp2HsxdhPfL97v.l4L4jlqeQpxgV84BV 320LH7lxbsKQprEGwm2JEc9_gR5IAdXpKYZn7yJ5JWAB_I69P92TXo.d79y8ELk4jNLYUB70ZJk1 MTAlTf4HIHoQPxR5_u6RDIJGfkxdy.QcMtpxvpK6vdnXODUBUk5cjXAfWGBobPGoLVDt9eEQQYUM O0i0Gi9rRVpcaE2oiD0q578rxByr9zz3oYI0g5h96lR6g_.TYQt0fFNBt2wsmI9EzFGSpFfthqR3 7olofh9mAqBirrL0UKrGDAJ3Eki6Pc5zNEC5WI1vbeMHOHSbZwSuSS73O6TmKmTvGIu9yHhwzXc4 ZxqYUCrz_.r1.AmJ9UAmsOUniEwfKfVo.YRF7mBXCgEB6Hbr0Ge0W_isq8.3SYiSgJyC4nJnzQ8G Cz9fWc4wdrDoyq5GJzP8AY3oSsNg8Cc9TrYQadMU6wYn3AqjLsegdIzn3I8i1H_egrE_VgEStAM4 Ev_aE.TBTmRyfn.TJFHoJkfJNTx2ivRQ8y_otAMCBcEcStkhR5bWKAkuiJSMa4k93_EPbDDsllOk 89WKWa_dloL1dasxOu.wazj_Ctg7TMGsO8PM1ss565xt4mksrLUYWzRzS6GZenHMw0olvJOt4zyW bU5U9ED65V6p.IXlWmmbwTR_MbtDLkE2mBETy7G_E1pot4u7Wt5K4bk2SYudOMi_fi1Ma0cTWpv2 G7rL9t_oLzEZMXaF0zlnOcT8a1agXV5ZF01EixuZ2N2_mXWgVkMYU_yxKtdb42aKLzYo9sV5Jt4B 80zA0xvPyHko4mar9E2Jnr__4MqyiP67AjHi.WyWpUKLT3PWL0ucu3DvxPyjUUTnLNA44YdeUHvg SgwEmGrPmPFrFUhvDUzhu.j_WAqjsNh9lq8Z1evxEQqF8h53Ujy3ysIyG1fYGvheI5TmkucMEmjY H83Ymr7mzrJ_rmOelF2Ikqi8VUe7xTKzMC0ebAhNtTYhsxMOLEjy7nGg.4vtYCx67uwZ03sAal0c IRPtMXwNSyhsi2YgQo8PbcSHozaK4XHI7QeSMFgwIQoKFFzg5zCmo6F7UTcQyrUjcgnopflPHbF5 0o0nV9LBQPbv__qZf4am8JT8TpBccZLDnH8_uZjpYtwREu92iDilkwgtk3LKLccNtJ4iP3IaydCa qB17HUIowWn5DggtVzv0EJEc7JiYxauNnyStRHvdY8zf.bxXSRZ2fwZ2tpm9FsrCi0PplN4SLION eRAQarN0ENpVBw.NXvgkHZPSQGbahCwGHbV0mpB4V.oPRul7fU1HOrv0zY0I4axWukNgaLLX7hSY UZgOVEaGtnNA0.ZvwfQdNOwB7mmtrELB7SYIkEmc9i7m6mZbWNKKbV2bVgkRFAfwqeiYHpriZ61g 6fp0u3j_D8Q4O0jgoEk3fVZyygqJWrMea_Q-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:52 +0000 Received: by smtp432.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID a194c842b715663bc900de4e5d395aa8; Wed, 13 Nov 2019 00:09:49 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com Subject: [PATCH 08/25] LSM: Use lsmblob in security_ipc_getsecid Date: Tue, 12 Nov 2019 16:08:56 -0800 Message-Id: <20191113000913.5414-9-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 5 ++++- security/security.c | 12 +++++++++--- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index a3e99bccb1bb..9519b4fb43ae 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -464,7 +464,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1172,9 +1172,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 04803c3099b2..ce8bf2d8f8d2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2285,11 +2285,14 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + security_ipc_getsecid(ipcp, &blob); + /* scaffolding on the [0] - change "osid" to a lsmblob */ + context->ipc.osid = blob.secid[0]; context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index 0fc75a31a6bb..b60c6a51f622 100644 --- a/security/security.c +++ b/security/security.c @@ -1783,10 +1783,16 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return call_int_hook(ipc_permission, 0, ipcp, flag); } -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.ipc_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.ipc_getsecid(ipcp, &blob->secid[hp->lsmid->slot]); + } } int security_msg_msg_alloc(struct msg_msg *msg) From patchwork Wed Nov 13 00:08:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240505 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CCC5F13BD for ; Wed, 13 Nov 2019 00:09:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9C11E2196E for ; Wed, 13 Nov 2019 00:09:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="cWNgmiPu" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727192AbfKMAJ5 (ORCPT ); Tue, 12 Nov 2019 19:09:57 -0500 Received: from sonic313-15.consmr.mail.ne1.yahoo.com ([66.163.185.38]:36306 "EHLO sonic313-15.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727187AbfKMAJ5 (ORCPT ); Tue, 12 Nov 2019 19:09:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603795; bh=Uch5FeLojZqD7t2WLz34beHxU2ee3C06hYp8rOB512g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=cWNgmiPuaFnstqmn+8+JfnjqmUwEEuYaXiwyvxtWC2aI1y0jVvL6u0cjMjv+CEaoulh4xN20PkCJpFynysD1VruTzCORinSeAb99uzQfAGlPqQnlPqM7VGlY1nT9Zrni5nnFjqRmud8XTIwN7L/XgW35JG0HSNgfiJX0z1EIQua+H+Fbwo954oae6nGhcHS5j3xFpcTck+HbhGRFm18COtnV2p62HUU7kwbxpLos1yRILHHCsUBcXs9MZIdf8c2Exy1HB7G+D51Nr1TVZ23WvIkOffL0p5pmII32RyrWliE/GPShQeh+0wyBn+KlLUM8eE/BYrH3DXsloNEOqfbdeA== X-YMail-OSG: 0MaaMNIVM1mEiIVBJvRslAHBxw3jCM8znhuHELoFqr8OM9hAeB.uwxdtbXAXtKg BTrwsqedvA03WNaxIVYMYWtBEeK0Rgh6kdBeXl_rKTN2BPAwXQ0rlzJWMAtjBdwkJTXMWL1L_XqI 5vIlHWiwk7tgjxZJGgcNx7A_UeWQ1uD9iUiGNyA8FPyMy2NiJWmdQFxRPsVI24fqxNbSLJCVqOoX sIai8Drf5skkUWFy4nmKacjd8aokYQVNIPUMvhE13tkYMc7DvIztmpU2S0QUhklmdAcgGZSli_p9 ZAHzt8WBhAVMlDnhZxpvZJo_08pZeToiswORB9jWQxKxzCf9HQmSTOnAywLvceuH1SBD07RqVjuL 547Q1IhzkOWPdkbJBYk4iB8Vi751wyfFQXZsyFgIhDpx6HjpcJjqYPJt6lOSN_Cv6IPISGyzV8xP 5jtiOBDOUPTTxinT4AJ4Efd7jYCFdnbX2J1WhCx74omewBbWklAOGqE1DLpFLiVKhh1lYXpEUBfU xyPlO48qw5lua_LMpnFU80YPP9Xwimnv6o2jT8a5L.UYly.BFf.ABXMiHDaAI0VxPC.d8vSlIFvI Tvwqt3o7JUDylUe5fU75xhyoRY8uQUVBDROAizvEWo8OZ4n8BLdafsb9XoBcKwAbIk_pZmbIi7Rr 9Cx7b1UlvANKTQSdhf1JRKOa1RyTCV1hXOgNijfG.JogYoXK0qMfJZJ6tj310MPybxDs4yxJqZgj zbyy9aeyz2rZu_WjdrcCEWbM30jBMpYluXj90yz7sL8hcpmM8SEU2JVTfbAO7qKrHnhNDVT_nbAl jv6VyaDxeBIq2fKw0sjX__rIoWNdKa3xn0hoyiDg9A4akLdCgymWOOWd8rzn_UrfwV09LSVP9iHO Tg9o8CIaXa5nSmIenVWTeaz3USIE7oSYunfK25Nm7bnFTB7QL5u_CgoTMZvYKAES.KITOkobPWaW DD4WJU.LST9kJzAh8qsLYTjbzBd4EnLlmQjFTYz4t0wwsnyZAHLEeY1Lx.isEd9qYySNWPEysWCe BUC4Cjaeic.n98kW6zNFu07JrQcVpo8bqZ87zvfIEOT8HUrUs15gGdGQz05ruSWvMrBBeh_v.4sv WmmsrFTtY8FbBF5nBSPXbcxvsI_ZpeKZwbct595ToAO4Z2nZHk57GYwgGjwfYb9BTWmrgJrOpdl6 qyhO9afPnlzsyZSQJEa9IOhfHnX7cKai0N.OLlCD_YT4G8fulyN9b_d0RwbwEEqLVlSxNZe6Wrrl VtqEFqW8AKRIimVLHUB3yATBTais_8Mdt2P86iC3R96bwFFTcMcZu5aK0FVu8LmlXxYiD6rdZgXc SqhsjTmHG7W1JqColwJ1ozAQUZS.SI27k7d4p1ep9SoDbznmFA4VN17ZJ.bd4hrhmcjcOeXZZP6m VCCyjErdbLmcqEkLvsJTVzEC1PlgKTBHIz9ZQCQM- Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:55 +0000 Received: by smtp432.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID a194c842b715663bc900de4e5d395aa8; Wed, 13 Nov 2019 00:09:51 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, linux-integrity@vger.kernel.org Subject: [PATCH 09/25] LSM: Use lsmblob in security_task_getsecid Date: Tue, 12 Nov 2019 16:08:57 -0800 Message-Id: <20191113000913.5414-10-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the security_task_getsecid() interface to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible secids for possible reporting. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: linux-integrity@vger.kernel.org --- drivers/android/binder.c | 4 +-- include/linux/security.h | 7 ++--- kernel/audit.c | 11 ++++---- kernel/auditfilter.c | 4 +-- kernel/auditsc.c | 18 ++++++++----- net/netlabel/netlabel_unlabeled.c | 5 +++- net/netlabel/netlabel_user.h | 6 ++++- security/integrity/ima/ima_appraise.c | 4 ++- security/integrity/ima/ima_main.c | 39 ++++++++++++++++----------- security/security.c | 12 ++++++--- 10 files changed, 68 insertions(+), 42 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 5f4702b4c507..3a7fcdc8dbe2 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3108,12 +3108,10 @@ static void binder_transaction(struct binder_proc *proc, t->priority = task_nice(current); if (target_node && target_node->txn_security_ctx) { - u32 secid; struct lsmblob blob; size_t added_size; - security_task_getsecid(proc->tsk, &secid); - lsmblob_init(&blob, secid); + security_task_getsecid(proc->tsk, &blob); ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; diff --git a/include/linux/security.h b/include/linux/security.h index 9519b4fb43ae..67f95a335b5d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -447,7 +447,7 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_task_getsecid(struct task_struct *p, u32 *secid); +void security_task_getsecid(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1099,9 +1099,10 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_task_getsecid(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 2f8e89eaf3e5..fd29186ae977 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2062,14 +2062,12 @@ int audit_log_task_context(struct audit_buffer *ab) char *ctx = NULL; unsigned len; int error; - u32 sid; struct lsmblob blob; - security_task_getsecid(current, &sid); - if (!sid) + security_task_getsecid(current, &blob); + if (!lsmblob_is_set(&blob)) return 0; - lsmblob_init(&blob, sid); error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) @@ -2276,6 +2274,7 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; + struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2286,7 +2285,9 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid(current, &audit_sig_sid); + security_task_getsecid(current, &blob); + /* scaffolding until audit_sig_sid is converted */ + audit_sig_sid = blob.secid[0]; } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 356db1dd276c..19cfbe716f9d 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1324,7 +1324,6 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; pid_t pid; - u32 sid; struct lsmblob blob; switch (f->type) { @@ -1355,8 +1354,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_task_getsecid(current, &sid); - lsmblob_init(&blob, sid); + security_task_getsecid(current, &blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rule); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index ce8bf2d8f8d2..cccb681ad081 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -444,7 +444,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob; unsigned int sessionid; @@ -641,10 +640,9 @@ static int audit_filter_rules(struct task_struct *tsk, logged upon error */ if (f->lsm_rule) { if (need_sid) { - security_task_getsecid(tsk, &sid); + security_task_getsecid(tsk, &blob); need_sid = 0; } - lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, @@ -2382,12 +2380,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid(t, &context->target_sid); + security_task_getsecid(t, &blob); + /* scaffolding - until target_sid is converted */ + context->target_sid = blob.secid[0]; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2403,6 +2404,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2414,7 +2416,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid(t, &ctx->target_sid); + security_task_getsecid(t, &blob); + /* scaffolding until target_sid is converted */ + ctx->target_sid = blob.secid[0]; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2435,7 +2439,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid(t, &axp->target_sid[axp->pid_count]); + security_task_getsecid(t, &blob); + /* scaffolding until target_sid is converted */ + axp->target_sid[axp->pid_count] = blob.secid[0]; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 0cda17cb44a0..e279b81d9545 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1539,11 +1539,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid(current, &audit_info.secid); + security_task_getsecid(current, &blob); + /* scaffolding until audit_info.secid is converted */ + audit_info.secid = blob.secid[0]; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 3c67afce64f1..438b5db6c714 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -34,7 +34,11 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, struct netlbl_audit *audit_info) { - security_task_getsecid(current, &audit_info->secid); + struct lsmblob blob; + + security_task_getsecid(current, &blob); + /* scaffolding until secid is converted */ + audit_info->secid = blob.secid[0]; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 136ae4e0ee92..7288a574459b 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -48,11 +48,13 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) { u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_task_getsecid(current, &secid); + security_task_getsecid(current, &blob); + lsmblob_secid(&blob, &secid); return ima_match_policy(inode, current_cred(), secid, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 60027c643ecd..cac654c2faaf 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -380,12 +380,13 @@ static int process_measurement(struct file *file, const struct cred *cred, */ int ima_file_mmap(struct file *file, unsigned long prot) { - u32 secid; + struct lsmblob blob; if (file && (prot & PROT_EXEC)) { - security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + security_task_getsecid(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, MMAP_CHECK); } return 0; @@ -408,10 +409,12 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob; - security_task_getsecid(current, &secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_task_getsecid(current, &blob); + /* scaffolding until process_measurement changes */ + ret = process_measurement(bprm->file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; @@ -432,10 +435,11 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_task_getsecid(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -544,7 +548,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; if (!file && read_id == READING_FIRMWARE) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && @@ -566,9 +570,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func); + security_task_getsecid(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], buf, + size, MAY_READ, func); } /** @@ -687,11 +692,13 @@ static void process_buffer_measurement(const void *buf, int size, void ima_kexec_cmdline(const void *buf, int size) { u32 secid; + struct lsmblob blob; if (buf && size != 0) { - security_task_getsecid(current, &secid); + security_task_getsecid(current, &blob); + /* scaffolding */ process_buffer_measurement(buf, size, "kexec-cmdline", - current_cred(), secid); + current_cred(), blob.secid[0]); } } diff --git a/security/security.c b/security/security.c index b60c6a51f622..e1f216d453bf 100644 --- a/security/security.c +++ b/security/security.c @@ -1700,10 +1700,16 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_task_getsecid(struct task_struct *p, u32 *secid) +void security_task_getsecid(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid); From patchwork Wed Nov 13 00:08:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240515 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EFC0618B6 for ; Wed, 13 Nov 2019 00:09:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D01B921E6F for ; Wed, 13 Nov 2019 00:09:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="ffcaCBgt" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727216AbfKMAJ7 (ORCPT ); Tue, 12 Nov 2019 19:09:59 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:37472 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727187AbfKMAJ7 (ORCPT ); Tue, 12 Nov 2019 19:09:59 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603797; bh=IV/8fV3RewhDG+57mk0yypWNQe7gvXfW8jZ3Ya363tw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=ffcaCBgtk6LEqPFLDi6KI7VsE/y7FTHgenROpJzc8o7AC45gwqqFeYYh7ZbHWVfp/qFOFrypKkMkM4QgWTwZQmrF1WVj5A4ubitk9QUD/NxPWIPEeh0twerpbGyIR44/Bqd81DWlxtPk53qfc03IscaPC63Km1Hm64hr601SnjwFQhUVjs2zpWsH64VCuKrbQt7cnwAvRNOM3I6uGpNA3GkPt2QP90Bnfm8rqRUryRob7oRFQGo5LaLxDo9YmnY82MqjvFnbji9MnKCL36HGEFNcXnVpVouoeWzxjJW0YqdveTGs7ug46rjMPO6URvoC4cCpVLWxFqpFmB+v17p9UQ== X-YMail-OSG: mjrhndcVM1mcUIO_IW57vE4_6UFqmlONISQ3zimXfL3EcLSpZXYBLWB0bujfx0q nTEkGbz3.5lxAXNymSQK9mvxY3w9Fgh48qjbdWTX.FbXkXrLej0yWg1m5bsX1S8JCziu0reXx8qR NQjvVdMRNimzgbGi_jqqSp2AiFECfw_a9T90SeEaqX1YZufIO9dovIlmceFw8zKzBWRA8lAx9jmt wSUnJ710b82s.zVXke0sC00ioYIeqF6xRCbkYjmlBB_ApzutjhH1Wp6_bjbyo95d1J3FGmX1PPPZ cBTuRQii.wrk_GX8P3v.N84TXBJB56kzsXc9PIXqhHNOLmMHHJnI1Bnsa0HHxEgOHgsonCNgqQM9 h3VNyHc1SQWuPM4dlvY2RvdAXZFL_WRybNWO_7P2dxb4ln4mrLCLsosngGfDB0kugoDMBVrKVpbt IsHAtei1BatThmZ7kiCQBIVVXoo_ZVABp1njVYENOMeWj8QysiM_rrnZVW1RyS14zUz_Ulv0zCPU 0ccJFnUIKYOa2EbrEaMnNOh_1ASFqwTrB1XwOjYYMaPhgWdctLKrQIDkrkRl2s_Fl16U_uqpOJNZ EB3qLH9zydlsbrc7nKWY02GA.dfW52NRSpZldl4.yEfcupKo2VShh0XNs6zslTjCi0xyPLThgFGp Y1Qhf1yowhw46EG1_ExpoY9OTbi6S8enc3BbGCztutUOlEwpAL0BEKln_nMJGuI9IWvmdefnQ7qd 5DYMzrxGixZGsX6vPHijkXG7x5HnFxvWxu5V_UohD3SJbfbV3E9kpAS7rv3z2xaRWAGzWWHnnf6C thkjnEmvwE36U0Rn4JnKEuPn0VE_iLqtEkHaN0Vl6Pcu0dZ3klf2RTjCiXfTi3tClkuOeUh1Cyec XsVMe6jiaL3haTZMCAeyQYlAQJXuacT5Pg0C2DdjFqML0Fv0H_41TRyoJ24YqdBPkyyDETRsw6.Y DrsfM9fhk.T.SXgCy3.Bz80PyNPZeox7.66FiJW3Mo1ysdCBheM080m89pw3rXAqSNGEE31pNdsL uZHtO.fDJlf6C6azlHdYxCmVjwauthvHsTD.zGNk_ply7RKPKzOZrcIcVwl5729c6uys2zcF1fuc aax9m4e1d3rWL2ncTrT9v9S2esbi0wjIKxDFuELR9_936KmiWi7usMgRWyxg0vE7j1KD3BJh91Nv tplSMxdssIja1yc7UMq5j3ollu6C_Y03PuQ4iQ2ryEt3Y8DoZ8.COtrLRN.cmmM5amGbPMuHXOVx ZwSkzFCEFymXUZqBqsmuigBX1VGISX5kvC3jucrqTffmbO3hWhkDK9mSWN9zFL5tFv0CNn.ZZH2W 7ovpn7h5c_7P5bHfLKwoo1Zt9cjCn9HPZ3e18dVom.bJnUA1GGwjEPMR4gvp4uO4znFlzupeGXFK DJjK325VTIeEsTjeXBGx8rGx4QyQWyn23ulHVlw-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:57 +0000 Received: by smtp432.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID a194c842b715663bc900de4e5d395aa8; Wed, 13 Nov 2019 00:09:54 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, linux-integrity@vger.kernel.org Subject: [PATCH 10/25] LSM: Use lsmblob in security_inode_getsecid Date: Tue, 12 Nov 2019 16:08:58 -0800 Message-Id: <20191113000913.5414-11-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: linux-integrity@vger.kernel.org --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11 +++++++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 67f95a335b5d..a845254fc415 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -407,7 +407,7 @@ int security_inode_killpriv(struct dentry *dentry); int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -922,9 +922,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getsecid(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cccb681ad081..5752e51883d5 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1931,13 +1931,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getsecid(inode, &blob); + /* scaffolding until osid is updated */ + name->osid = blob.secid[0]; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 7711cc6a3fe3..c5417045e165 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -413,7 +413,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; struct lsmblob blob; if (!rule->lsm[i].rule) @@ -423,8 +422,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - lsmblob_init(&blob, osid); + security_inode_getsecid(inode, &blob); rc = security_filter_rule_match(&blob, rule->lsm[i].type, Audit_equal, diff --git a/security/security.c b/security/security.c index e1f216d453bf..bd279a24adfc 100644 --- a/security/security.c +++ b/security/security.c @@ -1386,9 +1386,16 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer } EXPORT_SYMBOL(security_inode_listsecurity); -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.inode_getsecid(inode, &blob->secid[hp->lsmid->slot]); + } } int security_inode_copy_up(struct dentry *src, struct cred **new) From patchwork Wed Nov 13 00:08:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240525 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C530314E5 for ; Wed, 13 Nov 2019 00:10:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9C3702196E for ; Wed, 13 Nov 2019 00:10:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Foz60bTo" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727200AbfKMAKB (ORCPT ); Tue, 12 Nov 2019 19:10:01 -0500 Received: from sonic313-15.consmr.mail.ne1.yahoo.com ([66.163.185.38]:36575 "EHLO sonic313-15.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727206AbfKMAKB (ORCPT ); Tue, 12 Nov 2019 19:10:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603798; bh=HCCg6h+FVGpUDOzChI/0u/Itu+cOitTV+BqJf27OtHM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=Foz60bToLLySd3L+O5FPW4eE5b2d9Y1lsgRYyczX8K+tZfZ6ZDIN3b9V/gGF9dxxkGAoAl31R6MR4bDEzSpAyEg2RcNJ//Nd0PMWWsHug0nSyNrOT0mnjmLJY5ep39Yw1TQgVzjsOgGAzXGB9pSeSbcF50aoqyAiZpYxMMsxru8qxaWurqXK9h1yCeA/aanHK9icTMRscQwQ7HlcmT8URaskZxSwtFZddQVgjwY+HJASy4Js4sO51QGhsmTdCCzoxrmpon/PrGPW8ijuBBvW1WfwKa2Y1ZmKveaeZiO0bQsSA7ie0WsMYiOQHeZG1I+M0378829dTk3hR3rNQPwj2Q== X-YMail-OSG: mWkj9uoVM1kc0s7XxG.KGm0WxzQEYEf9lg28DY6dyVKXRFuWQwQFDC.Bi1tZ7l7 FFIhIBP6PBLUn1vk1MYkQBEi2XA8pB68BgL1AjnhqEjuaSN6pC8VZ2u29Nahz9fGqy50SIZse2B4 k3SExeTXP.4lOYCnDCfIoS3zaPQbCE.usLl6WJuXbluYGRpZqZHXymZFSPTCnbwEdAGHo.gBDrUg .cuk63k9F9c4hCD8DR.hkPrQJhyWXKaNbzbUL85Wcaq_mExUKFOMJWTcXpTfbQRN4DaM6LcScs3n IcntEdjDK0L5UAettO4llKPJEP6wGHzXWL4XqHq9s3Ut_oNVKCNLtfA2Lv3BD7gHlbEHi0qTTRV0 BDwG2qe4TuFLhE.JFFA9qmTQ_0qjtNzlU1cyMFAwNhOBmAbeX11BaW3EfD46VS677QKGa5m4HYw0 Z.z2UUAoAj1122LhSzRXTd8JBuD8SCIGCWeT.YTNbE9Fgcn_LdthaXghxrTccVCogBPcvphWGSYp iAuQ9pC9uqon8h2MxnYDAj.xJpoqXHNk0WHRfX_trPTt69EaTzDa4xNbzNkT4AtsT2Pxqju63zWQ 1orior9T296Ii9Y3OD2moXvoZ0qOhoB0q4QMQHeB12C4p7.Wvzur.Y63aYPZZ11Y_9SGJ0ZVqHl3 xDMMjIm9uSi.Z.yyLXdgrMl1roEbvlKrWGy4Y_5xjNYh5jklklTTpoLqDf3M8oCT9VeyVUhB2O9N 7chXFSQ2SNsPqJtXm7BcpbjBob_k2YL2yH2bNqEURWXq2ABHr8lxbnv2MYAYhtmArBNU4jx0Anb0 ORURhC4UQNhrYm5cmUvVDkuwXlLbOz_oyYEUqW7GLad8LvnjsJzEeqhExqUChraIMcrt3_daEocd OHJOqLbhj4HK1X4INwvwaWcPRVAz7NeZtcTjGAXsYKWCMpoSMlSVhK7wyZB0_7Z596T8NXENZLdO bFBU1VnD8oKfyRqKiWJj7sSAeD47ZS9Nlo4TCSkeWglHYp55zjJR8947Jf0Yv2L4bUZABhxBZEEQ gOxb._5i3EYwSsws2nqmqF382yl8ckC37rb0mU49HbFWJCuBhWQG5rWTO7VPeQF4v5y9mb2PnmO3 6KTXEZTFPajNZJCfMzT8m3e7PVqhqY.j70rYwVygaUOCCmjAYY.0KhM3efH4AvdF6Tg5lYBBjVKr D27CJVZ501.GgURM9TwXpPShe346FZJ1H7NxeUrpCCONLHMplUcQPFEAQTGBz5GbKk5dTyAnCXI6 5AF8R6.d3l7F8CyVfFdayt6op0ec8cTzTXVgM8LGzwUcx7yUrOhPyeJ7c7Kdlbg40Mnwo50suZ7O 8fbpOEgM9Bt5cq5wkceI4zQGzOAiNFBn9IJ8J1BG.9iFnEBq.7famBWm2ludp_l.10e3QCNGI_p. 8eir9oBw3dhHgCEH7rJNJrU5RXZ7P6g9f Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:09:58 +0000 Received: by smtp432.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID a194c842b715663bc900de4e5d395aa8; Wed, 13 Nov 2019 00:09:56 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, linux-integrity@vger.kernel.org Subject: [PATCH 11/25] LSM: Use lsmblob in security_cred_getsecid Date: Tue, 12 Nov 2019 16:08:59 -0800 Message-Id: <20191113000913.5414-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the security_cred_getsecid() interface to fill in a lsmblob instead of a u32 secid. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: linux-integrity@vger.kernel.org --- include/linux/security.h | 2 +- kernel/audit.c | 19 +++++++----------- kernel/audit.h | 5 +++-- kernel/auditsc.c | 33 +++++++++++-------------------- security/integrity/ima/ima_main.c | 8 ++++---- security/security.c | 12 ++++++++--- 6 files changed, 36 insertions(+), 43 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index a845254fc415..f7bc7aef95cb 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -434,7 +434,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); -void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getsecid(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, struct lsmblob *blob); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); diff --git a/kernel/audit.c b/kernel/audit.c index fd29186ae977..ba9f78e36d1e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -124,7 +124,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ kuid_t audit_sig_uid = INVALID_UID; pid_t audit_sig_pid = -1; -u32 audit_sig_sid = 0; +struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] @@ -1416,23 +1416,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - struct lsmblob blob; - - lsmblob_init(&blob, audit_sig_sid); - err = security_secid_to_secctx(&blob, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_secid_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } @@ -2274,7 +2272,6 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; - struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2285,9 +2282,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid(current, &blob); - /* scaffolding until audit_sig_sid is converted */ - audit_sig_sid = blob.secid[0]; + security_task_getsecid(current, &audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/audit.h b/kernel/audit.h index 6fb7160412d4..af9bc09e656c 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -9,6 +9,7 @@ #include #include #include +#include #include #include @@ -134,7 +135,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_lsm; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; @@ -329,7 +330,7 @@ extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); extern pid_t audit_sig_pid; extern kuid_t audit_sig_uid; -extern u32 audit_sig_sid; +extern struct lsmblob audit_sig_lsm; extern int audit_filter(int msgtype, unsigned int listtype); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 5752e51883d5..c1e3ac8eb1ad 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -112,7 +112,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_lsm[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -957,14 +957,14 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, + struct lsmblob *blob, char *comm) { struct audit_buffer *ab; char *ctx = NULL; u32 len; int rc = 0; - struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -973,9 +973,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - lsmblob_init(&blob, sid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_secid_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1546,7 +1545,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_lsm[i], axs->target_comm[i])) call_panic = 1; } @@ -1555,7 +1554,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_lsm, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -1733,7 +1732,7 @@ void __audit_syscall_exit(int success, long return_code) context->aux = NULL; context->aux_pids = NULL; context->target_pid = 0; - context->target_sid = 0; + lsmblob_init(&context->target_lsm, 0); context->sockaddr_len = 0; context->type = 0; context->fds[0] = -1; @@ -2384,15 +2383,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid(t, &blob); - /* scaffolding - until target_sid is converted */ - context->target_sid = blob.secid[0]; + security_task_getsecid(t, &context->target_lsm); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2408,7 +2404,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2420,9 +2415,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid(t, &blob); - /* scaffolding until target_sid is converted */ - ctx->target_sid = blob.secid[0]; + security_task_getsecid(t, &ctx->target_lsm); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2443,9 +2436,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid(t, &blob); - /* scaffolding until target_sid is converted */ - axp->target_sid[axp->pid_count] = blob.secid[0]; + security_task_getsecid(t, &axp->target_lsm[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index cac654c2faaf..305a00a6b087 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -408,7 +408,6 @@ int ima_file_mmap(struct file *file, unsigned long prot) int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; struct lsmblob blob; security_task_getsecid(current, &blob); @@ -418,9 +417,10 @@ int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, - MAY_EXEC, CREDS_CHECK); + security_cred_getsecid(bprm->cred, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(bprm->file, bprm->cred, blob.secid[0], + NULL, 0, MAY_EXEC, CREDS_CHECK); } /** diff --git a/security/security.c b/security/security.c index bd279a24adfc..3aba440624f9 100644 --- a/security/security.c +++ b/security/security.c @@ -1615,10 +1615,16 @@ void security_transfer_creds(struct cred *new, const struct cred *old) call_void_hook(cred_transfer, new, old); } -void security_cred_getsecid(const struct cred *c, u32 *secid) +void security_cred_getsecid(const struct cred *c, struct lsmblob *blob) { - *secid = 0; - call_void_hook(cred_getsecid, c, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.cred_getsecid(c, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_cred_getsecid); From patchwork Wed Nov 13 00:09:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240535 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2DFA71850 for ; Wed, 13 Nov 2019 00:10:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0950321D7F for ; Wed, 13 Nov 2019 00:10:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="XAxAW2HC" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727128AbfKMAKJ (ORCPT ); Tue, 12 Nov 2019 19:10:09 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:43929 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727046AbfKMAKJ (ORCPT ); Tue, 12 Nov 2019 19:10:09 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603806; bh=FYxlMd2GXASX0hT4D9+5hQ2oTZcSBQP8pqujkxGfOEQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=XAxAW2HCx1FTJDmWqUOBKx/wZZvwhseUFVJz2aqsm+8Wb1F93YI3NJsIYeqSrj6nk4pA+uuAZUHDRXb4pUJoKMxSZGIT1IxUJS8dg88L/W99uv1Qi34weEp9fDh+VNoiQhD31P3BKfnnVZwr9aRsafIil8U+8PNlxytBVWwS53P0rX5g1PJyScGPx0MoL0P1oedm3dCk7QO9Y2bcdcxnjOvRwQEKTOocfbck22kzcyePiBANuHoOKXbjR7EUr4x92uVZtFsDUUghXXATu6lDt5DCxAgKjahVC0N1vLimbYzcGmgAQu4Bs8ET1JTBTNBNiPENehLLj+6A3Bx1OfqV2w== X-YMail-OSG: x43czz0VM1l83mN5x91mJPQKY4DPumKxKtVIKgrBwoDqctR0f8IXjrOTaEixBJt qB9mSp2lPPH_qmKPAV3VRc0Ny5j37e.om1EyKIOsFxuWRgWVoUv4JUFVBaA9CJ9nYMADVvpVrI2L Ww4NXpq2AsjlsqOxnZuMKlesRGR1_OePDpJgsAEG2sjAW.5lVPMttINhMphN48RHNIk_frtptgoL VskFLaixiZUQ.wD7EoSyfM.WXomgb_OcRuzGPidX08apx7hZ64_gHotbaGRtEvTxMT6ccfQBhSBJ OZwLTwniHZ6N06USv.abRwBPwokh563rnM8MojYyqtXIwA9VjKQ4WVZOscwP7y9Rb4hEry6sWEXm G7MtEGjIxES38T0ednvO.ov4BU78zLVCeHOvN_SpGdCPrHWzxzSimJEpI8XrWT5nwJMdH0dxCjP_ hs_cG4P37gH7j745DhTQTW26cZHp5ugHRVQn3GC2MM0RpteWXeShAscThPcXhhdyLHws1v1PF2XC mSw9ZqUrIKBF6X3nKeuGo6jxI_RoI.a9sSrve4oFKgzpYBNJ.Sz87Ztp4UUH5g0tG6uQezE0aDZL edAFPg39GrmtgyUn2cFWvGddBW8ROxT.gG1EmPbbK16m.8XATO18z1zIzqhglMc_U7QFeYShrbyw bwZHttOSt21KPEzTsx8IyA1YcORKFUnv5btxRdXoIUWbyecuNe9zKLnPKv6UjIHDpfLGyCO3Aj6k wxb7k5GD.HJfy0KyGrviyVmQBHGX9vezddVj7DLqL_VBuq.d7rJ7WUwOmCuZ2YGNwTbpeB065sRR O2uCnghFTIMQU8iAgVRRPldJAj.G45QGK0KfBS4TAPuexl8S7FhdbTrZYbg99__S3JyiNfVJnEg. 7B4rDciM0K49dt1E_WRHBw3K2CyM58QErhSe49vz5Nyx89iWddKqlV3tHmFfAIqyanHvD7oPwQ9w ncqJbuBPjCksz.a7LJhr1Lgcbke2gKLx0JWzQ22xpVSFNwoxU_lPS9Fxf0G1vatSrqza4ZBVg_3m hsZx5Cn1FFRVIdJkIiyZ_5If9DcXBP59uogdRbQvoz9wf2poz1X_XzdhY0EZetNUrzmFXwtJlw7a 9RDTVK.Vw.Z.T84CezQEc5nhriavyTZtgW7.FQ430NA.SQ8BzUXDC9u3D.AopZKDtNQGNRnlhioh XbEjBrcQKyen.wNixvx8wnv_khmth5ybPwlIa1tJHtZfdnqSU5MtgMKscdHNfflkwRr2Z0rhnnLY pL8rTYFkqWu9X1idbayb_WDA.ejZGkZa5vIPPiSLobA3xe8mlFoHUyKjqJkL9iozNrwXo6uyJhOA E_X6DBEwkt4tjR75WNgKsr2OS5fpcSWrmM4ajkXp1JJaIOY159iFqRPqWGMUpGiW.oFao50p2rOy LB7LmCxiTYECj_gGwT8sUTBNilK5oRYRk309g Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:10:06 +0000 Received: by smtp428.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 93aa6347d771200c823c70ba6657789f; Wed, 13 Nov 2019 00:10:04 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, linux-integrity@vger.kernel.org Subject: [PATCH 12/25] IMA: Change internal interfaces to use lsmblobs Date: Tue, 12 Nov 2019 16:09:00 -0800 Message-Id: <20191113000913.5414-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The IMA interfaces ima_get_action() and ima_match_policy() call LSM functions that use lsmblobs. Change the IMA functions to pass the lsmblob to be compatible with the LSM functions. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: linux-integrity@vger.kernel.org --- security/integrity/ima/ima.h | 11 ++++---- security/integrity/ima/ima_api.c | 10 +++---- security/integrity/ima/ima_appraise.c | 4 +-- security/integrity/ima/ima_main.c | 38 +++++++++++---------------- security/integrity/ima/ima_policy.c | 12 ++++----- 5 files changed, 34 insertions(+), 41 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 5bcd6011ef8c..4226622f50b1 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -205,9 +205,9 @@ extern const char *const func_tokens[]; struct modsig; /* LIM API function definitions */ -int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, - int mask, enum ima_hooks func, int *pcr, - struct ima_template_desc **template_desc); +int ima_get_action(struct inode *inode, const struct cred *cred, + struct lsmblob *blob, int mask, enum ima_hooks func, + int *pcr, struct ima_template_desc **template_desc); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -229,8 +229,9 @@ void ima_free_template_entry(struct ima_template_entry *entry); const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ -int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, - enum ima_hooks func, int mask, int flags, int *pcr, +int ima_match_policy(struct inode *inode, const struct cred *cred, + struct lsmblob *blob, enum ima_hooks func, int mask, + int flags, int *pcr, struct ima_template_desc **template_desc); void ima_init_policy(void); void ima_update_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 610759fe63b8..1ab769fa7df6 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -163,7 +163,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * ima_get_action - appraise & measure decision based on policy. * @inode: pointer to inode to measure * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: LSM data of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -181,15 +181,15 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * Returns IMA_MEASURE, IMA_APPRAISE mask. * */ -int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, - int mask, enum ima_hooks func, int *pcr, - struct ima_template_desc **template_desc) +int ima_get_action(struct inode *inode, const struct cred *cred, + struct lsmblob *blob, int mask, enum ima_hooks func, + int *pcr, struct ima_template_desc **template_desc) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; flags &= ima_policy_flag; - return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, + return ima_match_policy(inode, cred, blob, func, mask, flags, pcr, template_desc); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 7288a574459b..bc04c6f4bb20 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -47,15 +47,13 @@ bool is_ima_appraise_enabled(void) */ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; struct lsmblob blob; if (!ima_appraise) return 0; security_task_getsecid(current, &blob); - lsmblob_secid(&blob, &secid); - return ima_match_policy(inode, current_cred(), secid, func, mask, + return ima_match_policy(inode, current_cred(), &blob, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 305a00a6b087..a8e7e11b1c84 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -190,8 +190,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -214,7 +214,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(inode, cred, secid, mask, func, &pcr, + action = ima_get_action(inode, cred, blob, mask, func, &pcr, &template_desc); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); @@ -384,8 +384,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) if (file && (prot & PROT_EXEC)) { security_task_getsecid(current, &blob); - /* scaffolding - until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); } @@ -411,16 +410,14 @@ int ima_bprm_check(struct linux_binprm *bprm) struct lsmblob blob; security_task_getsecid(current, &blob); - /* scaffolding until process_measurement changes */ - ret = process_measurement(bprm->file, current_cred(), blob.secid[0], - NULL, 0, MAY_EXEC, BPRM_CHECK); + ret = process_measurement(bprm->file, current_cred(), &blob, NULL, 0, + MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(bprm->file, bprm->cred, blob.secid[0], - NULL, 0, MAY_EXEC, CREDS_CHECK); + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, + MAY_EXEC, CREDS_CHECK); } /** @@ -438,8 +435,7 @@ int ima_file_check(struct file *file, int mask) struct lsmblob blob; security_task_getsecid(current, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -571,9 +567,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid(current, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], buf, - size, MAY_READ, func); + return process_measurement(file, current_cred(), &blob, buf, size, + MAY_READ, func); } /** @@ -632,13 +627,14 @@ int ima_load_data(enum kernel_load_data_id id) * @size: size of buffer(in bytes). * @eventname: event name to be used for the buffer entry. * @cred: a pointer to a credentials structure for user validation. - * @secid: the secid of the task to be validated. + * @blob: the LSM data of the task to be validated. * * Based on policy, the buffer is measured into the ima log. */ static void process_buffer_measurement(const void *buf, int size, const char *eventname, - const struct cred *cred, u32 secid) + const struct cred *cred, + struct lsmblob *blob) { int ret = 0; struct ima_template_entry *entry = NULL; @@ -656,7 +652,7 @@ static void process_buffer_measurement(const void *buf, int size, int pcr = CONFIG_IMA_MEASURE_PCR_IDX; int action = 0; - action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr, + action = ima_get_action(NULL, cred, blob, 0, KEXEC_CMDLINE, &pcr, &template_desc); if (!(action & IMA_MEASURE)) return; @@ -691,14 +687,12 @@ static void process_buffer_measurement(const void *buf, int size, */ void ima_kexec_cmdline(const void *buf, int size) { - u32 secid; struct lsmblob blob; if (buf && size != 0) { security_task_getsecid(current, &blob); - /* scaffolding */ process_buffer_measurement(buf, size, "kexec-cmdline", - current_cred(), blob.secid[0]); + current_cred(), &blob); } } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c5417045e165..e863c0d0f9b7 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -368,7 +368,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, * Returns true on rule match, false on failure. */ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, - const struct cred *cred, u32 secid, + const struct cred *cred, struct lsmblob *blob, enum ima_hooks func, int mask) { int i; @@ -431,7 +431,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - lsmblob_init(&blob, secid); rc = security_filter_rule_match(&blob, rule->lsm[i].type, Audit_equal, @@ -475,7 +474,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM data of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend @@ -488,8 +487,9 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * list when walking it. Reads are many orders of magnitude more numerous * than writes so ima_match_policy() is classical RCU candidate. */ -int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, - enum ima_hooks func, int mask, int flags, int *pcr, +int ima_match_policy(struct inode *inode, const struct cred *cred, + struct lsmblob *blob, enum ima_hooks func, int mask, + int flags, int *pcr, struct ima_template_desc **template_desc) { struct ima_rule_entry *entry; @@ -504,7 +504,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, inode, cred, secid, func, mask)) + if (!ima_match_rules(entry, inode, cred, blob, func, mask)) continue; action |= entry->flags & IMA_ACTION_FLAGS; From patchwork Wed Nov 13 00:09:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240533 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 012EF13BD for ; Wed, 13 Nov 2019 00:10:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C429C21D7F for ; Wed, 13 Nov 2019 00:10:09 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="BuM0yZpY" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727233AbfKMAKJ (ORCPT ); Tue, 12 Nov 2019 19:10:09 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:40705 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727208AbfKMAKJ (ORCPT ); Tue, 12 Nov 2019 19:10:09 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603807; bh=T+7vkOglemjDcJCtI0jsgL0AaHeYGYB4YiqPLcOqBMY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=BuM0yZpYF8rarAlhhmXna60LcZZh+R+kUEGIBIKqAaYkHavw240Kgj2uTippjYGgFzTPZ2MvIbj+ZgHCsdE5nPlLmU7wfi/oqujXRJi44wQwjzMrvtHl1d9z+43suoCQnsnF8wgy3zTz9dNyYpu+1oOnXL78Zehn2OUZKEp1U69MLWrxhuTbaeO2hFgHh/oJ9uY9BTXrnrM3oNgX6CqVSRRNrEGPo+N6AXCEWdHdjDjKpTj/OWAbZD/c7h0TRypBMvMuX/XEn7Z8EnHccWHT7AjRw8oLLDujkcb62wCD/rImFsa4LWft2pQn+mm9p0aX22WTUH/zC+1VdoWBGzI8Bw== X-YMail-OSG: YTAhPScVM1lX89mWhRT1xUS4q8VX8gltH2Vvept_r7aHxccNi3DzUQfTjk5hpPg DrE9vFRHZ3.z014S8hVrNBv3yHctIWWjeJHjyaHAm_98Dz4vWdx2xStVi5XyGXrAWqTcMP.mv3Vq HrNU6bVNsiSzFVfaTHUwzEW1r7q8wcmS1YKp4Td3SUdnWCyuByYHHIf_Crgf22F_64qB7LLzZf5l Hj.cB2RKQufYpvgv7p1BdfuVEQG8a_Xnz4885XZhj83N30uRzgL_3Z.6aYdvX1M8Ra3GpIVHcRaj FaKArtDDAQ1KnWCUHFHV9cc3B63cpA14X.07MamK0K3tPZ_rOpwUn2xyHaKDIICTpGHXi49m04PO kxym4QI.V.a7Xl5OxjMBGdRWDGATVH5HCTP5pd68RkrYWl_LqOAqfveTPOJ7tzoXVv9af6WsC6OI V9s3hk0rO47ko.kIq.0Fz9khTRSx7ISC44mEm4DQWfwQLfz86yTb42rIqxr_tlqOt8koPZ8iALKG _A_dQvJ8qdtjhO0X2dXZ5GO_wiN6OnHuOFP2SE8FR28Dax.x7mL5lUu0Bx4PXkBhipI6gtTfC_s2 _4Ip27hfd3P9ghud8xFYIgd4pilf9h1miifKL3FQtuNfBKP35gthaBh6ZY7GKnTPB06zokQRTQ1k fE7ZjYdNMkfZp8fI0LpztNCWE23VaxpdouV4xSRaTBIwvzad4N0YTpKQ5tvW67_M3Aldu.8l0nb3 09fLhCChmPcEn_ztBWw9hti.1Yo1QH0.TLdq0StTXUNBzquCy_RvlwKj.TOwC5rcRMOPaO3FaiC5 cdRttkeY.e5xXirSpCd7WkKH1t4Z3EkQs7eQ.pGVuS2dKlDkt6DeFGVnTrs18XqY9NBdTqHPfDlt ayfNR0ShwNB_s2scctzG_r0oyfGSLGeeKM6ZVIxH_vL9kJhapL8EY46zUth31y2LJalPSkn1gaa3 BfrMb958MnNSY98z5dihbENZzsVtKJVaVlVYlC5ttiq7iTm_6jssAB5sGSXkhxEaKp2UqFp9uLiu hIxBJbWJC9Isii6oIKYLFKVJWmyZbeucPOIAOnxy.d1amkNCSwN_I_GYMq00TtvMp91RRalWcGtL L6U8SuOeQIDQc63iyxc_NGe1fFTEDixHjfqNyJI4T9F0XQ1ApG4f1_mi5e__SCqOAN6OisJVGA5_ qTt8BMMundYjNIrwwPydfgzUVz07CUc2Y1LwOxZuRWnINVNphCCHTD6Oy0l4nrq_jbMMeLnIO90t BsuBbWaiA_E5PSU.ujYfI42bG.a8KijM0_McMbXJ1.flnTkl.G57GVG9P0bXAjrjmokLjtkTGKGw 4Qnf.yrzUUyIPL2vC9w8vGvwH52BdXelQTxoOvu.NvrU.HgNp4CXEvDqLxJpykscYLEeGizUaebf RRg4hxuLerez2btftsrokVD5ZIW6ELv48fF1ozgr1RfG6OZse31Zg8tedv3t1Po92CA-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:10:07 +0000 Received: by smtp428.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 93aa6347d771200c823c70ba6657789f; Wed, 13 Nov 2019 00:10:05 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH 13/25] LSM: Specify which LSM to display Date: Tue, 12 Nov 2019 16:09:01 -0800 Message-Id: <20191113000913.5414-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Create a new entry "display" in the procfs attr directory for controlling which LSM security information is displayed for a process. A process can only read or write its own display value. The name of an active LSM that supplies hooks for human readable data may be written to "display" to set the value. The name of the LSM currently in use can be read from "display". At this point there can only be one LSM capable of display active. A helper function lsm_task_display() is provided to get the display slot for a task_struct. Setting the "display" requires that all security modules using setprocattr hooks allow the action. Each security module is responsible for defining its policy. AppArmor hook provided by John Johansen SELinux hook provided by Stephen Smalley Signed-off-by: Casey Schaufler --- fs/proc/base.c | 1 + include/linux/lsm_hooks.h | 15 +++ security/apparmor/include/apparmor.h | 3 +- security/apparmor/lsm.c | 32 +++++ security/security.c | 169 ++++++++++++++++++++++++--- security/selinux/hooks.c | 11 ++ security/selinux/include/classmap.h | 2 +- security/smack/smack_lsm.c | 7 ++ 8 files changed, 221 insertions(+), 19 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index ebea9501afb8..950c200cb9ad 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2652,6 +2652,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", 0666), ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), + ATTR(NULL, "display", 0666), #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index cfe5393840c7..b2ec81fcd1e2 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2171,4 +2171,19 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, extern int lsm_inode_alloc(struct inode *inode); +/** + * lsm_task_display - the "display" LSM for this task + * @task: The task to report on + * + * Returns the task's display LSM slot. + */ +static inline int lsm_task_display(struct task_struct *task) +{ + int *display = task->security; + + if (display) + return *display; + return LSMBLOB_INVALID; +} + #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h index 6b7e6e13176e..e4b43e5bb8f9 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h @@ -28,8 +28,9 @@ #define AA_CLASS_SIGNAL 10 #define AA_CLASS_NET 14 #define AA_CLASS_LABEL 16 +#define AA_CLASS_DISPLAY_LSM 17 -#define AA_CLASS_LAST AA_CLASS_LABEL +#define AA_CLASS_LAST AA_CLASS_DISPLAY_LSM /* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 11845348eefb..fefccd559541 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -599,6 +599,25 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, return error; } + +static int profile_display_lsm(struct aa_profile *profile, + struct common_audit_data *sa) +{ + struct aa_perms perms = { }; + unsigned int state; + + state = PROFILE_MEDIATES(profile, AA_CLASS_DISPLAY_LSM); + if (state) { + aa_compute_perms(profile->policy.dfa, state, &perms); + aa_apply_modes_to_perms(profile, &perms); + aad(sa)->label = &profile->label; + + return aa_check_perms(profile, &perms, AA_MAY_WRITE, sa, NULL); + } + + return 0; +} + static int apparmor_setprocattr(const char *name, void *value, size_t size) { @@ -610,6 +629,19 @@ static int apparmor_setprocattr(const char *name, void *value, if (size == 0) return -EINVAL; + /* LSM infrastructure does actual setting of display if allowed */ + if (!strcmp(name, "display")) { + struct aa_profile *profile; + struct aa_label *label; + + aad(&sa)->info = "set display lsm"; + label = begin_current_label_crit_section(); + error = fn_for_each_confined(label, profile, + profile_display_lsm(profile, &sa)); + end_current_label_crit_section(label); + return error; + } + /* AppArmor requires that the buffer must be null terminated atm */ if (args[size - 1] != '\0') { /* null terminate */ diff --git a/security/security.c b/security/security.c index 3aba440624f9..c2874f6587d2 100644 --- a/security/security.c +++ b/security/security.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -43,7 +44,14 @@ static struct kmem_cache *lsm_file_cache; static struct kmem_cache *lsm_inode_cache; char *lsm_names; -static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init; + +/* + * The task blob includes the "display" slot used for + * chosing which module presents contexts. + */ +static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init = { + .lbs_task = sizeof(int), +}; /* Boot-time LSM user choice */ static __initdata const char *chosen_lsm_order; @@ -438,8 +446,10 @@ static int lsm_append(const char *new, char **result) /* * Current index to use while initializing the lsmblob secid list. + * Pointers to the LSM id structures for local use. */ static int lsm_slot __lsm_ro_after_init; +static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES]; /** * security_add_hooks - Add a modules hooks to the hook lists. @@ -459,6 +469,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsmid->slot == LSMBLOB_NEEDED) { if (lsm_slot >= LSMBLOB_ENTRIES) panic("%s Too many LSMs registered.\n", __func__); + lsm_slotlist[lsm_slot] = lsmid; lsmid->slot = lsm_slot++; init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, lsmid->slot); @@ -588,6 +599,8 @@ int lsm_inode_alloc(struct inode *inode) */ static int lsm_task_alloc(struct task_struct *task) { + int *display; + if (blob_sizes.lbs_task == 0) { task->security = NULL; return 0; @@ -596,6 +609,15 @@ static int lsm_task_alloc(struct task_struct *task) task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); if (task->security == NULL) return -ENOMEM; + + /* + * The start of the task blob contains the "display" LSM slot number. + * Start with it set to the invalid slot number, indicating that the + * default first registered LSM be displayed. + */ + display = task->security; + *display = LSMBLOB_INVALID; + return 0; } @@ -1551,14 +1573,26 @@ int security_file_open(struct file *file) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { + int *odisplay = current->security; + int *ndisplay; int rc = lsm_task_alloc(task); - if (rc) + if (unlikely(rc)) return rc; + rc = call_int_hook(task_alloc, 0, task, clone_flags); - if (unlikely(rc)) + if (unlikely(rc)) { security_task_free(task); - return rc; + return rc; + } + + if (odisplay) { + ndisplay = task->security; + if (ndisplay) + *ndisplay = *odisplay; + } + + return 0; } void security_task_free(struct task_struct *task) @@ -1955,23 +1989,110 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + int display = lsm_task_display(current); + int slot = 0; + + if (!strcmp(name, "display")) { + /* + * lsm_slot will be 0 if there are no displaying modules. + */ + if (lsm_slot == 0) + return -EINVAL; + + /* + * Only allow getting the current process' display. + * There are too few reasons to get another process' + * display and too many LSM policy issues. + */ + if (current != p) + return -EINVAL; + + display = lsm_task_display(p); + if (display != LSMBLOB_INVALID) + slot = display; + *value = kstrdup(lsm_slotlist[slot]->lsm, GFP_KERNEL); + if (*value) + return strlen(*value); + return -ENOMEM; + } hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; + if (lsm == NULL && display != LSMBLOB_INVALID && + display != hp->lsmid->slot) + continue; return hp->hook.getprocattr(p, name, value); } return -EINVAL; } +/** + * security_setprocattr - Set process attributes via /proc + * @lsm: name of module involved, or NULL + * @name: name of the attribute + * @value: value to set the attribute to + * @size: size of the value + * + * Set the process attribute for the specified security module + * to the specified value. Note that this can only be used to set + * the process attributes for the current, or "self" process. + * The /proc code has already done this check. + * + * Returns 0 on success, an appropriate code otherwise. + */ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size) { struct security_hook_list *hp; + char *term; + char *cp; + int *display = current->security; + int rc = -EINVAL; + int slot = 0; + + if (!strcmp(name, "display")) { + /* + * Change the "display" value only if all the security + * modules that support setting a procattr allow it. + * It is assumed that all such security modules will be + * cooperative. + */ + if (size == 0) + return -EINVAL; + + hlist_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + rc = hp->hook.setprocattr(name, value, size); + if (rc < 0) + return rc; + } + + rc = -EINVAL; + + term = kmemdup_nul(value, size, GFP_KERNEL); + if (term == NULL) + return -ENOMEM; + + cp = strsep(&term, " \n"); + + for (slot = 0; slot < lsm_slot; slot++) + if (!strcmp(cp, lsm_slotlist[slot]->lsm)) { + *display = lsm_slotlist[slot]->slot; + rc = size; + break; + } + + kfree(cp); + return rc; + } hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; + if (lsm == NULL && *display != LSMBLOB_INVALID && + *display != hp->lsmid->slot) + continue; return hp->hook.setprocattr(name, value, size); } return -EINVAL; @@ -1991,15 +2112,15 @@ EXPORT_SYMBOL(security_ismaclabel); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; - int rc; + int display = lsm_task_display(current); hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], - secdata, seclen); - if (rc != 0) - return rc; + if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) + return hp->hook.secid_to_secctx( + blob->secid[hp->lsmid->slot], + secdata, seclen); } return 0; } @@ -2009,16 +2130,15 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob) { struct security_hook_list *hp; - int rc; + int display = lsm_task_display(current); lsmblob_init(blob, 0); hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.secctx_to_secid(secdata, seclen, - &blob->secid[hp->lsmid->slot]); - if (rc != 0) - return rc; + if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) + return hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); } return 0; } @@ -2026,7 +2146,15 @@ EXPORT_SYMBOL(security_secctx_to_secid); void security_release_secctx(char *secdata, u32 seclen) { - call_void_hook(release_secctx, secdata, seclen); + struct security_hook_list *hp; + int *display = current->security; + + hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) + if (display == NULL || *display == LSMBLOB_INVALID || + *display == hp->lsmid->slot) { + hp->hook.release_secctx(secdata, seclen); + return; + } } EXPORT_SYMBOL(security_release_secctx); @@ -2151,8 +2279,15 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int __user *optlen, unsigned len) { - return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, - optval, optlen, len); + int display = lsm_task_display(current); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream, + list) + if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) + return hp->hook.socket_getpeersec_stream(sock, optval, + optlen, len); + return -ENOPROTOOPT; } int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5570a6ed49d5..5f50dae7c107 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6315,6 +6315,17 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) /* * Basic control over ability to set these attributes at all. */ + + /* + * For setting display, we only perform a permission check; + * the actual update to the display value is handled by the + * LSM framework. + */ + if (!strcmp(name, "display")) + return avc_has_perm(&selinux_state, + mysid, mysid, SECCLASS_PROCESS2, + PROCESS2__SETDISPLAY, NULL); + if (!strcmp(name, "exec")) error = avc_has_perm(&selinux_state, mysid, mysid, SECCLASS_PROCESS, diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 32e9b03be3dd..ab68612d0885 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -52,7 +52,7 @@ struct security_class_mapping secclass_map[] = { "execmem", "execstack", "execheap", "setkeycreate", "setsockcreate", "getrlimit", NULL } }, { "process2", - { "nnp_transition", "nosuid_transition", NULL } }, + { "nnp_transition", "nosuid_transition", "setdisplay", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e42336328446..aac8cb0de733 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3519,6 +3519,13 @@ static int smack_setprocattr(const char *name, void *value, size_t size) struct smack_known_list_elem *sklep; int rc; + /* + * Allow the /proc/.../attr/current and SO_PEERSEC "display" + * to be reset at will. + */ + if (strcmp(name, "display") == 0) + return 0; + if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) return -EPERM; From patchwork Wed Nov 13 00:09:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240543 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 278C013BD for ; Wed, 13 Nov 2019 00:10:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E2C8E2196E for ; Wed, 13 Nov 2019 00:10:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="fmVHO0LP" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727238AbfKMAKL (ORCPT ); Tue, 12 Nov 2019 19:10:11 -0500 Received: from sonic313-15.consmr.mail.ne1.yahoo.com ([66.163.185.38]:34535 "EHLO sonic313-15.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727226AbfKMAKK (ORCPT ); Tue, 12 Nov 2019 19:10:10 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603809; bh=3DGCbwEZhoi3LiQz+TuVsl3UVgwOsrdqkddkSVfW48A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=fmVHO0LPrnMpk7ToUGOIacXoYHQFdCUEX37vMgOqzUZoTt2TaugKilq/27O1biEq9aRCb7LjtUCWTWwcnE/zDDefjaGCqg88A6MS8dLKr4thvrb5fmUOLmCT15kGBg8EIC0akzNTGLOAL74VqApfJGe5s/Y/FLY3egSPw3s3x2PYL3lxdVQ6fORtvz0AfjlOomw9FgughYsTNDBQO3G/UXYxg6TVO9oBQLWOSrhkXCWAY+PWTIB9xkqNKxU1B76fvwm7+hSnA0T++n/VT9oAB0M52vVRRpad95iFP8VJNvzyTIJWjyhOcgvAmtyKWeYYkvTfvt6Y1krW5QMWwiWUDA== X-YMail-OSG: 8KtC9ZMVM1nTzkyQOaFOxS9SSmb7JcPjiogDHcmzm3EefHyHeEKO_xI.0.vf6Vp FcHzcZ_o1tO4mWpIdzC69bYcDN_Zx3D2ygN3mwftF.fCviUv4tz7E6vlDAqn5wnwYUGasycBrwD2 kzxNSwdHTT6cXfLzfsHgdbwaG.2SDGQYRD7oQFb4gVVZUug7hdPU.OPg42xeeLyx.iVZp3xtV_2H CU_P4TkImo.VC3uor5s29fkMFU6.NmzEbUu1i5gZQ43KdR1Jv2d9vNURdxWrYlPlGbm7keT8i2kd 6mr_rNickBwznwizg7syrppRD3LGkJxnigeUVlB93fQcpPIxQK_zsw9uDTAEjgonuidB7qa4Uvve g8QhjR_Ekxgc3JM7CmTbmVzABBrHtECKgjoAubBYL_y4Ho771HVZijh4Dl7Ch_FB6iCWcW62FL0b xs0uBDsEY.25fxMBpiZv_kH...PAvHZAR5upV2cG.FYgHElTA1EkWjspD1yd.c.SKUqg4o1PRAKE skEAfnbK90A_D415f7E9CSGiTVVe6Se_VNJ3BS6_CsPmPP6McMmpkW6bIg69LZNfToiJJSK1wUa6 gXPFeittizuE4EMB4tyvOhQdTI_aeiSvSD.2DxJoOWcqeIE5r40i5_n2l20w1NComYJEkNdrFIMs a_KSrhLrh3ntPy1XXxq87147z9E6VOF5nWLwYdPaKKY3v0_HbhPWiUDrEldtZIAqepLxdvWZ5a3H hg57OdNZIGRIFv4JBmQ1Lq3VAYwNTuM8kNkpZARtt7yVCwBqD6Ap_fN3GAnCw30mvuvMg5BZZEB7 K9V.DONXuRQvQ58CwHwtSpWk7.2LAGnjJ.AMFAIdFVO0NVDVx9ybp00sJgTTNTaysiqM7FcpDgfv c3zHO4NZ36EZSy6S4fnaOG_ULI2McmwsesSFY4lfB57TXBZwclIDYaLrtPGHLfTWnsZOh9p0Gfj5 dNuHAr1LAcYGaJwyjmWiyLNnrF7bXIbxXeTGUUIUxuszBnjVUUCvWfZ1JXrJwDiL70b4WNS_7axG YkWm6i.UYvduKQP8Xb0uVU4uEfPvSatE1Qd18AhfLh9_2axZivFGYgduY1iIsoZHsVfVrNDfeWBc onfuxHsOnUWqwdQ7UFPrAmJASFTLGGI5Qgp81zUxZxBXOgg3LARpI6ROuywFb02v2W0wNa9vSK6N Rpp7eC7DxOvQjehCf73UpG0PlUoeoFG0wrmtFSFJZlRzQ1VHyKDCLUyABiloZrUFQsPbV_d1aVxZ 8_KMfRm5b.twCy1L9G437rXasGSmZVSbUJ84sxQP1fbAiP6ZqHJ65mc1c1gyau25qmuyYc9eThgP .NzNU1cJOmpffmlAclhXlwkaJmHuscfO5BSARACQHEWpB5R9w7admzGt3js.lLH4nm3iW945wNuG O3ZpLxS1ExZDy5OFyEAhsWhnAoh7PRb8tSDt2_0ob Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:10:09 +0000 Received: by smtp428.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 93aa6347d771200c823c70ba6657789f; Wed, 13 Nov 2019 00:10:07 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, linux-integrity@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH 14/25] LSM: Ensure the correct LSM context releaser Date: Tue, 12 Nov 2019 16:09:02 -0800 Message-Id: <20191113000913.5414-15-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: linux-integrity@vger.kernel.org cc: netdev@vger.kernel.org --- drivers/android/binder.c | 10 +++++-- fs/ceph/xattr.c | 6 +++- fs/nfs/nfs4proc.c | 8 +++-- fs/nfsd/nfs4xdr.c | 7 +++-- include/linux/security.h | 39 +++++++++++++++++++++++-- include/net/scm.h | 5 +++- kernel/audit.c | 14 ++++++--- kernel/auditsc.c | 12 ++++++-- net/ipv4/ip_sockglue.c | 4 ++- net/netfilter/nf_conntrack_netlink.c | 4 ++- net/netfilter/nf_conntrack_standalone.c | 4 ++- net/netfilter/nfnetlink_queue.c | 13 ++++++--- net/netlabel/netlabel_unlabeled.c | 19 +++++++++--- net/netlabel/netlabel_user.c | 4 ++- security/security.c | 18 ++++++++---- security/smack/smack_lsm.c | 14 ++++++--- 16 files changed, 141 insertions(+), 40 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 3a7fcdc8dbe2..49b84b6fafd9 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2865,6 +2865,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -3161,7 +3162,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; @@ -3494,8 +3496,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index cb18ee637cb7..ad501b5cad2c 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1271,12 +1271,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index caacf5e7f5e1..74e9f4b7cc07 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -131,8 +131,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 533d0fc3c96b..b17aad082bde 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2421,6 +2421,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -2923,8 +2924,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index f7bc7aef95cb..9bb11d9f1348 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -126,6 +126,41 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + + if (context == NULL || size == 0) + cp->len = 0; + else + cp->len = strlen(context); +} + /* * Data exported by the security modules * @@ -496,7 +531,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1310,7 +1345,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 31ae605fcc0a..30ba801c91bd 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; char *secdata; u32 seclen; int err; @@ -102,7 +103,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index ba9f78e36d1e..35970e7191b6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1180,6 +1180,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1424,15 +1425,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2061,6 +2065,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_task_getsecid(current, &blob); if (!lsmblob_is_set(&blob)) @@ -2074,7 +2079,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c1e3ac8eb1ad..8790e7aafa7d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -962,6 +962,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -979,7 +980,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); @@ -1192,6 +1194,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1225,7 +1228,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1371,6 +1375,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1379,7 +1384,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 1ca97d0cb4a9..96d56a30ecca 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -144,7 +145,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 0412f6744185..78791e015d8b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -332,6 +332,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -349,7 +350,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 183a85412155..8601fcb99f7a 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index bfa7f12fde99..cc3ef03ee198 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -395,6 +395,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info uninitialized_var(ctinfo); struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; @@ -625,8 +626,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -634,8 +637,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index e279b81d9545..288c005b44c7 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -373,6 +373,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -443,7 +444,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -474,6 +477,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -502,7 +506,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -539,6 +545,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -566,7 +573,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1080,6 +1088,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1147,7 +1156,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index c2874f6587d2..c05ef9d0c8ed 100644 --- a/security/security.c +++ b/security/security.c @@ -2144,17 +2144,23 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int *display = current->security; + bool found = false; hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (display == NULL || *display == LSMBLOB_INVALID || - *display == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + found = true; + break; } + + memset(cp, 0, sizeof(*cp)); + + if (!found) + pr_warn("%s context \"%s\" from slot %d not released\n", + __func__, cp->context, cp->slot); } EXPORT_SYMBOL(security_release_secctx); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index aac8cb0de733..4e464e5e942e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4483,11 +4483,16 @@ static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) return 0; } -/* - * There used to be a smack_release_secctx hook - * that did nothing back when hooks were in a vector. - * Now that there's a list such a hook adds cost. +/** + * smack_release_secctx - do everything necessary to free a context + * @secdata: Unused + * @seclen: Unused + * + * Do nothing but hold a slot in the hooks list. */ +static void smack_release_secctx(char *secdata, u32 seclen) +{ +} static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) { @@ -4730,6 +4735,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), + LSM_HOOK_INIT(release_secctx, smack_release_secctx), LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), From patchwork Wed Nov 13 00:09:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240549 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D29DB14E5 for ; Wed, 13 Nov 2019 00:10:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 981F121A49 for ; Wed, 13 Nov 2019 00:10:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="hQn3rhDN" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727262AbfKMAKQ (ORCPT ); Tue, 12 Nov 2019 19:10:16 -0500 Received: from sonic313-15.consmr.mail.ne1.yahoo.com ([66.163.185.38]:46157 "EHLO sonic313-15.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727257AbfKMAKQ (ORCPT ); Tue, 12 Nov 2019 19:10:16 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603814; bh=KLbg7/TPn6TCFO2Gn7cUIlNzcOoZhrJusQzMi3c8JUw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=hQn3rhDNo/KNRm6OWEhvA5g30Nq44f/MEmuy5EGvkAMiY+4xBLX6HAtcLIkRoAk9LAwdo0Msk7FyoC/PM/u/LwWJTEoMS6lWWvLa3Av+lznzED9tEfTt6f85wO9wPOCRrWE5DHADcxjT/TqETTJ0jJJW0UGA+Zly21mSeIb3YR9TLCcDDJuau/rV12FeIeyMef1A8hfp+cPI+0AB8QBU5YK6m3vBIDM4OsuYAvAF7jUNNV+6QiKRC6b81LAULww6TOClVJxhMu9B1sUQLoBjYkvGMQdbzuZX3/+2zhv0fxiK3IgDfOHlzGQIvhLIowBs+Dz33HIelzhv9lzz00OsVw== X-YMail-OSG: oH8VXwoVM1kBSJYUi3s_a6bxK34MCVcBfOi9VZJgzvsb1.OLdHszhP5WfJCOIuj d2z2jEibRH4DIP5SjFWs92vs4MBb8jHY5BVigDi62p0ztmlpO_afi382hnWoMdWcLJuyG3iPbFz6 FrtBIy6GrtEGoPSWU0XTP_bOG3ZeJiw.6vQXggKlx4OvFOJsOwKzhxLtNAJFSfuU3Gz.KMBtaqHV yxx5wv2MVm65ZJ8bepkBc6L96YegcOuo0I3CtCsq6fAHSiNeomVFXDgzQS2IDD7u0NSkSODugSEy EqtNF5vuPzQdvkY_39F0ASZyvF9snflQ0FnFuqiXCHDZTidPCFR6.yE0AckrN5fpbSCNLp0CNB4i lX_vSa076kawtwdT2zE350TfxDXuZygI82qewiJogujtR77K8xbc0rymmJ6E3pVQqQsUmItiQd0T aO5dUIMCg2K5I6zKen1IARd5kP4abVCoIWRT24e5QatkxdCfZuewtVtdjlx1tRobTQ5V1KnpnWCG meV0ZujSS2KIgUgs_mAFEyb_MX9pkW4I5ig5pWO8pHYLaUbAO_mmWxs2I.KsqL5hBWIkjmfS6jY6 SbIL9XX6EizTLpb0eLWgt3hsRiHVOJERM_EAYfNxiWVLSxvQS7830w6R5syHyLUCFXk2s56A9.bJ J4t0b1bMXZw9zjzuMK.ng.tCvJPqjRVDY5jV6FcTpXxOgecPqhEkZ1UpAFY0TXNnAZUVAH5XN2gz _Q7CLNYkeZTbHMYG4boJJRTilS.cqIQ7v7w7LZOECIICFoGQdvyg1j8ytJdjoRFEKMJoz1ETLyb. haLZsWj_lxaniv7DvNw.XHww0aSM2ul10xeXu3dBh092ujKPM6NULv_OBk2A2aMJwwE9h_lwc1bH BBYdYkZLFxJATb4WitxjvEz1W8Q_ekZeXg0qeyNYMpK8pyKL3zf_7LCCrpfR4QpSRvsPAHVcgQHS zcuGNWiE4TCWWbj69mclJJQ2oOdYTzdEUGrmmE2ngbtwKqOZJ4VUO1tvjSIbk5hg4K6Iyjxp2yrN SL9mYzH..fWx4TY18wiguxBoIdfAq3zU0jRS2nmbgn0.etQTde1d8l8LLWirjIzKKw2otAE8FRqd XOzvCifH5CWdjnOS38245LmeyqkQfyB6vZfqhuI2t3H7sGHF54HxKAUuBthiWTJBw2e9DWiSD3tj xaW3GatYzjwE3ocpzPbualN1ReNWANNxqV6H089h660hUgqsiE8r6GqNLxm89ee3f0Ziu4Uab5zs jsocT7g1OAJnZo6IpYYvSqubwEZaYZsGZ3Iw1RQWA0RIYlEAGrAq1EDrCPK_2CgpJUP6UFoiLltW PB2Ga.BoJG0PxM7yokx.GSNqxZA4jaDagbk74uNpRaVTsHW.yt_wxmXv5W6XCccPGMfy3jF7AgDb qiOQ1OYioCeDefoSPaHGAf4pkyEVHpILyPBq1_B0J Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:10:14 +0000 Received: by smtp428.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 93aa6347d771200c823c70ba6657789f; Wed, 13 Nov 2019 00:10:08 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com, netdev@vger.kernel.org Subject: [PATCH 15/25] LSM: Use lsmcontext in security_secid_to_secctx Date: Tue, 12 Nov 2019 16:09:03 -0800 Message-Id: <20191113000913.5414-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. Signed-off-by: Casey Schaufler cc: linux-audit@redhat.com cc: netdev@vger.kernel.org --- drivers/android/binder.c | 26 +++++++--------- include/linux/security.h | 4 +-- include/net/scm.h | 10 ++----- kernel/audit.c | 29 +++++++----------- kernel/auditsc.c | 31 +++++++------------ net/ipv4/ip_sockglue.c | 7 ++--- net/netfilter/nf_conntrack_netlink.c | 14 +++++---- net/netfilter/nf_conntrack_standalone.c | 7 ++--- net/netfilter/nfnetlink_queue.c | 5 +++- net/netlabel/netlabel_unlabeled.c | 40 ++++++++----------------- net/netlabel/netlabel_user.c | 7 ++--- security/security.c | 10 +++++-- 12 files changed, 74 insertions(+), 116 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 49b84b6fafd9..cc81d0f540fd 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2863,9 +2863,7 @@ static void binder_transaction(struct binder_proc *proc, binder_size_t last_fixup_min_off = 0; struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); - char *secctx = NULL; - u32 secctx_sz = 0; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext lsmctx = { }; e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -3113,14 +3111,14 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_task_getsecid(proc->tsk, &blob); - ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); + ret = security_secid_to_secctx(&blob, &lsmctx); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { /* integer overflow of extra_buffers_size */ @@ -3147,24 +3145,22 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - secctx = NULL; + security_release_secctx(&lsmctx); } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; @@ -3220,7 +3216,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { @@ -3496,10 +3492,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) { - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - } + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/include/linux/security.h b/include/linux/security.h index 9bb11d9f1348..e47cef3d62f0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -528,7 +528,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1333,7 +1333,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 30ba801c91bd..4a6ad8caf423 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -93,18 +93,14 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { struct lsmcontext context; - char *secdata; - u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(&scm->lsmblob, &secdata, - &seclen); + err = security_secid_to_secctx(&scm->lsmblob, &context); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - /*scaffolding*/ - lsmcontext_init(&context, secdata, seclen, 0); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, + context.len, context.context); security_release_secctx(&context); } } diff --git a/kernel/audit.c b/kernel/audit.c index 35970e7191b6..cd0024c89807 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1178,9 +1178,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; u32 len; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext context = { }; err = audit_netlink_ok(skb, msg_type); if (err) @@ -1418,25 +1417,22 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_secid_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_secid_to_secctx(&audit_sig_lsm, + &context); if (err) return err; } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) { - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); - } + if (lsmblob_is_set(&audit_sig_lsm)) + security_release_secctx(&context); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + memcpy(sig_data->ctx, context.context, context.len); + security_release_secctx(&context); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2061,26 +2057,23 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { - char *ctx = NULL; - unsigned len; int error; struct lsmblob blob; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext context; security_task_getsecid(current, &blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &ctx, &len); + error = security_secid_to_secctx(&blob, &context); if (error) { if (error != -EINVAL) goto error_path; return 0; } - audit_log_format(ab, " subj=%s", ctx); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + audit_log_format(ab, " subj=%s", context.context); + security_release_secctx(&context); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8790e7aafa7d..6d273183dd87 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -962,9 +962,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmcxt; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -975,13 +973,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &ctx, &len)) { + if (security_secid_to_secctx(blob, &lsmctx)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } audit_log_format(ab, " ocomm="); @@ -1194,7 +1191,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1218,17 +1214,15 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (osid) { - char *ctx = NULL; - u32 len; + struct lsmcontext lsmcxt; struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmcxt)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); + audit_log_format(ab, " obj=%s", lsmcxt.context); security_release_secctx(&lsmcxt); } } @@ -1372,20 +1366,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (n->osid != 0) { - char *ctx = NULL; - u32 len; struct lsmblob blob; - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmctx)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 96d56a30ecca..27af7a6b8780 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -132,20 +132,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen; int err; err = security_socket_getpeersec_dgram(NULL, skb, &lb); if (err) return; - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context); security_release_secctx(&context); } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 78791e015d8b..7c8a7edac36d 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -329,13 +329,12 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + int ret; struct lsmblob blob; struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; @@ -344,13 +343,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, context.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); return ret; } @@ -626,12 +624,16 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, NULL, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; + len = context.len; + security_release_secctx(&context); + return nla_total_size(0) /* CTA_SECCTX */ + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 8601fcb99f7a..8969754d7fe9 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -173,19 +173,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { int ret; - u32 len; - char *secctx; struct lsmblob blob; struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", context.context); - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); } #else diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index cc3ef03ee198..2d6668fd026c 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; + struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; @@ -314,10 +315,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) if (skb->secmark) { lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, secdata, &seclen); + security_secid_to_secctx(&blob, &context); + *secdata = context.context; } read_unlock_bh(&skb->sk->sk_callback_lock); + seclen = context.len; #endif return seclen; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 288c005b44c7..c03fe9a4f7b9 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,8 +374,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - char *secctx = NULL; - u32 secctx_len; struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && @@ -440,12 +438,9 @@ int netlbl_unlhsh_add(struct net *net, rcu_read_unlock(); if (audit_buf != NULL) { lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + if (security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); @@ -478,8 +473,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -503,11 +496,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -546,8 +537,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -570,10 +559,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -1091,8 +1079,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct lsmcontext context; void *data; u32 secid; - char *secctx; - u32 secctx_len; struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, @@ -1149,15 +1135,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, } lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(&blob, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + context.len, + context.context); security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index ef139d8ae7cd..951ba0639d20 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; if (audit_enabled == AUDIT_OFF) @@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " subj=%s", context.context); security_release_secctx(&context); } diff --git a/security/security.c b/security/security.c index c05ef9d0c8ed..618d4f90936b 100644 --- a/security/security.c +++ b/security/security.c @@ -2109,18 +2109,22 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int display = lsm_task_display(current); + memset(cp, 0, sizeof(*cp)); + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) + if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) { + cp->slot = hp->lsmid->slot; return hp->hook.secid_to_secctx( blob->secid[hp->lsmid->slot], - secdata, seclen); + &cp->context, &cp->len); + } } return 0; } From patchwork Wed Nov 13 00:09:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 11240553 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AADB413BD for ; Wed, 13 Nov 2019 00:10:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8BB7521A49 for ; Wed, 13 Nov 2019 00:10:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="WdeTnsc+" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727298AbfKMAKV (ORCPT ); Tue, 12 Nov 2019 19:10:21 -0500 Received: from sonic313-15.consmr.mail.ne1.yahoo.com ([66.163.185.38]:45433 "EHLO sonic313-15.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727284AbfKMAKU (ORCPT ); Tue, 12 Nov 2019 19:10:20 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573603819; bh=5a1Bn2oGXej0Jcc78dgWtIiwCtWaGO4LPz5VJ3J/aYQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=WdeTnsc+XRjCTTiPmXqStR1If2y5WBap2N1/5v04YScpJHtGMUZ0b/bUfYE6rmbHmq0Av2cAYrJi+HzPiZPm68cdu7R1OvT0jsPu7ngaq5aG0eC1XN0APDM3kzT6UEel20nmGfGNKRcuOIb3ACpQ+AW4HkW+M/YFjjVgzTVHs3bbbVefAutsj4f+OGCAByubEEZrz5+CjXosdDWGB3ukpDuhEPZebJrSBXIvDiHENQzOjtS4GqTE4L4j54zDhUxf7+JMHWctenGHGNPpYAeqAwz9IMZIYp21pLCdzMBvttB7jbv1+idZcfHfaKjXtdsqtwnuhfG1KhPBaOkqoPqN6A== X-YMail-OSG: CjaTNY0VM1mBn3tSY1XQtKEGjPGG4zwjvkgWceVbO5IfUEd_9lmmsjrarjGsMIX SOyEcc3wEaa5GZDYE4mTHnLeZTHnTPq6nm9YXfMk.qT5ZdVGD9cdYrhxLNTKAsRKv9F9GV4SZedI 4mTnjZhXVOxFY3zbA2l1Late9U1kc8omS1Fhyfu3pTsm1AQsla0ycF1IyoqW3hN3cOQpcCvnWntU 6aMu21WUAkpqQqe4272nfykAVaT1mKidi4rLzbqPzbClV3C9auC.4Fo5qSbzPQJPPrJJQ2TEfYWh p31kIjeKooUwfliRAKvHou.YZpSVGXzVT1l78mchcoum1xX5unEdB6.0gXQRLqOibUY9VAocRyDR CAe4TMwC7A.lEt2z4un3bsBQc5YiqRyvHn.cKI.BBV8pxeKPVMRITD5ufP2.3_G1d_xeOWjymCFv aRg1GmTZT7w8LrdWiazPgxq3LvhqoMPkN4EO0Sqsx8rq3Qjv5HbgUSXRTqF72UMBIHpwUNGV.lcW AJE4Q.Em1MgroZjhk2cMJyZa86ayti9PzR8d9ZU7Bu0Cre0r9HoE35ba3uACxx_jPhWjB6WvIZSW MgBz2FHLdGBsGt_pcQWEdbzeubakfu9PtKVdPgaaYZIbx6RE3V9LrNfjeWcmzhVjbNvBNAhj2kWu Pv08CvNGdMFhrBTTy9mXZfSXoqQczIgH_vIuVXRXDXfMK_ZkOLd3LWTuwTw05KG9hBP3YZGTZoa8 MVJwaF744T.fAMOCP3zoBThb096akxwydzy6g_0mu2jVOtqAQ_UCI0A36xPmHXh041alFl0A.Nci c4vYonrDuYiuLFfw0B.iC2xu73MTQus6CkAzy2Trehm15eh0M1QuDC.ooT3.BXY9e6xLzFp5lViw tOoG9Cuuj4uN5gluF1mnqYRf6YjMMGTMHi1IG0JDzW.mJuUfZDDCwx5gctcJIX6XsBVF_KdVUjsn amcJHjsUqJxS5Jm4RilfM253W9h3Zrz86e7_xISNaiqvECSvtV8UiDEhuIP8nnS_D_T0nfOTyNCT PubOnyn3X55eOoelb8mPGxZOFpQ025pCasCxZpu2srh0MiiyeS3dVMMJjnZuVd2IEbXyR6Svp8W4 JqnQ4fPp0GvAIG5x.B6wFWj4rVLL39_VrOTKvUej3f8PD9TthtIOOUyS4K2FL9cUKEGusDFkHadc jAfcJnj.cS7N_eaeRRq9kbH0GUdH.29lASU.56ua.H5k.UY7Ee1Ot7fX8N_ZYrPxsgsKyk2ADxBK DMYU5wTg2S8M0zBRdO76tq3OnL..kSJCMwr1._d2cMzy1Dhhg9jACFm6bd1Cb7CWf8QvQr.JzlO9 9S6.LOrRa7D1yTXqMBMQ6fjeH.bji2iS_QwJa8J_e.7brNWQd0HZz8W1qwQ_b_1Gf7UQjQyl32XU RTeWZjQ37HZQu5O4hdYy3xWSulSDAU4kv0ubf5OsC8l4ivWwypZte3G0zMrEdnrG0EV0h9g-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Nov 2019 00:10:19 +0000 Received: by smtp407.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 33c25a8a04c7aa40c3f2a9c521ee5947; Wed, 13 Nov 2019 00:10:16 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH 16/25] LSM: Use lsmcontext in security_dentry_init_security Date: Tue, 12 Nov 2019 16:09:04 -0800 Message-Id: <20191113000913.5414-17-casey@schaufler-ca.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191113000913.5414-1-casey@schaufler-ca.com> References: <20191113000913.5414-1-casey@schaufler-ca.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Change the security_dentry_init_security() interface to fill an lsmcontext structure instead of a void * data area and a length. The lone caller of this interface is NFS4, which may make copies of the data using its own mechanisms. A rework of the nfs4 code to use the lsmcontext properly is a significant project, so the coward's way out is taken, and the lsmcontext data from security_dentry_init_security() is copied, then released directly. This interface does not use the "display". There is currently not case where that is useful or reasonable. Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler --- fs/nfs/nfs4proc.c | 26 ++++++++++++++++---------- include/linux/security.h | 7 +++---- security/security.c | 29 +++++++++++++++++++++++++---- 3 files changed, 44 insertions(+), 18 deletions(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 74e9f4b7cc07..2f76741ee528 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -113,6 +113,7 @@ static inline struct nfs4_label * nfs4_label_init_security(struct inode *dir, struct dentry *dentry, struct iattr *sattr, struct nfs4_label *label) { + struct lsmcontext context; int err; if (label == NULL) @@ -122,21 +123,26 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, return NULL; err = security_dentry_init_security(dentry, sattr->ia_mode, - &dentry->d_name, (void **)&label->label, &label->len); - if (err == 0) - return label; + &dentry->d_name, &context); + + if (err) + return NULL; + + label->label = kmemdup(context.context, context.len, GFP_KERNEL); + if (label->label == NULL) + label = NULL; + else + label->len = context.len; + + security_release_secctx(&context); + + return label; - return NULL; } static inline void nfs4_label_release_security(struct nfs4_label *label) { - struct lsmcontext scaff; /* scaffolding */ - - if (label) { - lsmcontext_init(&scaff, label->label, label->len, 0); - security_release_secctx(&scaff); - } + kfree(label->label); } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/include/linux/security.h b/include/linux/security.h index e47cef3d62f0..3e333104720d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -396,8 +396,8 @@ int security_add_mnt_opt(const char *option, const char *val, int len, void **mnt_opts); int security_move_mount(const struct path *from_path, const struct path *to_path); int security_dentry_init_security(struct dentry *dentry, int mode, - const struct qstr *name, void **ctx, - u32 *ctxlen); + const struct qstr *name, + struct lsmcontext *ctx); int security_dentry_create_files_as(struct dentry *dentry, int mode, struct qstr *name, const struct cred *old, @@ -788,8 +788,7 @@ static inline void security_inode_free(struct inode *inode) static inline int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - void **ctx, - u32 *ctxlen) + struct lsmcontext *ctx) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index 618d4f90936b..6f43dafe1249 100644 --- a/security/security.c +++ b/security/security.c @@ -1011,12 +1011,33 @@ void security_inode_free(struct inode *inode) inode_free_by_rcu); } +/* + * security_dentry_init_security - initial context for a dentry + * @dentry: directory entry + * @mode: access mode + * @name: path name + * @context: resulting security context + * + * Use at most one security module to get the initial + * security context. Do not use the "display". + * + * Returns -EOPNOTSUPP if not supplied by any module or the module result. + */ int security_dentry_init_security(struct dentry *dentry, int mode, - const struct qstr *name, void **ctx, - u32 *ctxlen) + const struct qstr *name, + struct lsmcontext *cp) { - return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode, - name, ctx, ctxlen); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security, + list) { + cp->slot = hp->lsmid->slot; + return hp->hook.dentry_init_security(dentry, mode, name, + (void **)&cp->context, + &cp->len); + } + + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_dentry_init_security);