From patchwork Fri Feb 19 23:29:05 2021
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 12096371
X-Patchwork-Delegate: paul@paul-moore.com
Subject: [RFC PATCH 1/4] lsm: separate security_task_getsecid() into subjective and objective variants
From: Paul Moore
To: Casey Schaufler, John Johansen
Cc: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com
Date: Fri, 19 Feb 2021 18:29:05 -0500
Message-ID: <161377734508.87807.8537642254664217815.stgit@sifl>
In-Reply-To: <161377712068.87807.12246856567527156637.stgit@sifl>
References: <161377712068.87807.12246856567527156637.stgit@sifl>
User-Agent: StGit/1.0
X-Mailing-List: selinux@vger.kernel.org

Of the three LSMs that implement the security_task_getsecid() LSM hook,
all three LSMs provide the task's objective security credentials. This
turns out to be unfortunate as most of the hook's callers seem to expect
the task's subjective credentials, although a small handful of callers
do correctly expect the objective credentials.

This patch is the first step towards fixing the problem: it splits the
existing security_task_getsecid() hook into two variants, one for the
subjective creds, one for the objective creds.

  void security_task_getsecid_subj(struct task_struct *p, u32 *secid);
  void security_task_getsecid_obj(struct task_struct *p, u32 *secid);

While this patch does fix all of the callers to use the correct variant,
in order to keep this patch focused on the callers and to ease review,
the LSMs continue to use the same implementation for both hooks. The
net effect is that this patch should not change the behavior of the
kernel in any way; it will be up to the later LSM-specific patches in
this series to change the hook implementations and return the correct
credentials.
Signed-off-by: Paul Moore Acked-by: Mimi Zohar (IMA) Reviewed-by: Richard Guy Briggs Reviewed-by: John Johansen --- drivers/android/binder.c | 2 +- include/linux/cred.h | 2 +- include/linux/lsm_hook_defs.h | 5 ++++- include/linux/lsm_hooks.h | 8 ++++++-- include/linux/security.h | 10 ++++++++-- kernel/audit.c | 4 ++-- kernel/auditfilter.c | 3 ++- kernel/auditsc.c | 8 ++++---- net/netlabel/netlabel_unlabeled.c | 2 +- net/netlabel/netlabel_user.h | 2 +- security/apparmor/lsm.c | 3 ++- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_main.c | 14 +++++++------- security/security.c | 13 ++++++++++--- security/selinux/hooks.c | 3 ++- security/smack/smack_lsm.c | 3 ++- 16 files changed, 54 insertions(+), 30 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c119736ca56ac..39d501261108d 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2700,7 +2700,7 @@ static void binder_transaction(struct binder_proc *proc, u32 secid; size_t added_size; - security_task_getsecid(proc->tsk, &secid); + security_task_getsecid_subj(proc->tsk, &secid); ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; diff --git a/include/linux/cred.h b/include/linux/cred.h index 18639c069263f..42b9d88d9a565 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -140,7 +140,7 @@ struct cred { struct key *request_key_auth; /* assumed request_key authority */ #endif #ifdef CONFIG_SECURITY - void *security; /* subjective LSM security */ + void *security; /* LSM security */ #endif struct user_struct *user; /* real user ID subscription */ struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */ diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index dfd261dcbcb04..1490a185135a0 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h 
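Review bot: in the binder.c hunk the subjective variant is applied to proc->tsk, the task stored in the binder_proc, which is not necessarily current; security_task_getsecid_subj(proc->tsk, &secid) therefore reads the subjective (overridable) creds of a task the caller does not own. Either add a comment saying why that task is the intended subject for the transaction's secctx, or derive the SID from a cred pointer captured together with the proc. Separately, the cred.h hunk shrinks the field comment to "/* LSM security */"; since the same struct cred is reached through both task->cred and task->real_cred, say so, e.g. "/* LSM security (subjective via ->cred, objective via ->real_cred) */", rather than dropping the qualifier entirely.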
@@ -200,7 +200,10 @@ LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred * old, LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid, struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, task_getsecid_subj, + struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, + struct task_struct *p, u32 *secid) LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) LSM_HOOK(int, 0, task_getioprio, struct task_struct *p) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index bdfc8a76a4f79..13d2a9a6f2014 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -706,8 +706,12 @@ * @p. * @p contains the task_struct for the process. * Return 0 if permission is granted. - * @task_getsecid: - * Retrieve the security identifier of the process @p. + * @task_getsecid_subj: + * Retrieve the subjective security identifier of the process @p. + * @p contains the task_struct for the process and place is into @secid. + * In case of failure, @secid will be set to zero. + * @task_getsecid_obj: + * Retrieve the objective security identifier of the process @p. * @p contains the task_struct for the process and place is into @secid. * In case of failure, @secid will be set to zero. * diff --git a/include/linux/security.h b/include/linux/security.h index b0d14f04b16de..1826bb0cea825 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
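Review bot: the lsm_hooks.h hunk copies the wording "place is into @secid" into both new entries; since the text is being rewritten anyway, correct it to "place it into @secid". The two descriptions are otherwise identical apart from the words "subjective" and "objective", which tells an LSM author nothing about the difference. State it here: @task_getsecid_subj returns the SID of the creds the task acts with (task->cred, which may be temporarily overridden), @task_getsecid_obj the SID other tasks see when they act on it (task->real_cred). That distinction is the whole reason for the split and appears nowhere in the patch.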
@@ -406,7 +406,8 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_task_getsecid(struct task_struct *p, u32 *secid); +void security_task_getsecid_subj(struct task_struct *p, u32 *secid); +void security_task_getsecid_obj(struct task_struct *p, u32 *secid); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1084,7 +1085,12 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_task_getsecid(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +{ + *secid = 0; +} + +static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) { *secid = 0; } diff --git a/kernel/audit.c b/kernel/audit.c index 1ffc2e059027d..8e725db6ecb02 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2132,7 +2132,7 @@ int audit_log_task_context(struct audit_buffer *ab) int error; u32 sid; - security_task_getsecid(current, &sid); + security_task_getsecid_subj(current, &sid); if (!sid) return 0; @@ -2353,7 +2353,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid(current, &audit_sig_sid); + security_task_getsecid_subj(current, &audit_sig_sid); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 333b3bcfc5458..db2c6b59dfc33 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c 
@@ -1359,7 +1359,8 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_task_getsecid(current, &sid); + security_task_getsecid_subj(current, + &sid); result = security_audit_rule_match(sid, f->type, f->op, f->lsm_rule); } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index ce8c9e2279ba9..3bfbecca4664a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -667,7 +667,7 @@ static int audit_filter_rules(struct task_struct *tsk, logged upon error */ if (f->lsm_rule) { if (need_sid) { - security_task_getsecid(tsk, &sid); + security_task_getsecid_subj(tsk, &sid); need_sid = 0; } result = security_audit_rule_match(sid, f->type, @@ -2400,7 +2400,7 @@ void __audit_ptrace(struct task_struct *t) context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid(t, &context->target_sid); + security_task_getsecid_obj(t, &context->target_sid); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2427,7 +2427,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid(t, &ctx->target_sid); + security_task_getsecid_obj(t, &ctx->target_sid); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2448,7 +2448,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid(t, &axp->target_sid[axp->pid_count]); + security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index ccb4916428116..3e6ac9b790b15 100644 
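Review bot: in the audit_filter_rules() hunk the subjective variant is applied to tsk, the function's parameter, not to current; unless every caller passes current, this reads another task's subjective SID, which is only meaningful from that task's own context. If tsk == current is an invariant here (or the exceptions are cases where the new task's creds are still those of current), add a comment at the call site saying so; otherwise this call should use the _obj variant, as the __audit_ptrace() and audit_signal_info_syscall() hunks in the same file correctly do for the ptrace and signal targets.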
--- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1539,7 +1539,7 @@ int __init netlbl_unlabel_defconf(void) /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid(current, &audit_info.secid); + security_task_getsecid_subj(current, &audit_info.secid); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 3c67afce64f12..b9ba8112b3c52 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -34,7 +34,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, struct netlbl_audit *audit_info) { - security_task_getsecid(current, &audit_info->secid); + security_task_getsecid_subj(current, &audit_info->secid); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 1b0aba8eb7235..15e37b9132679 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1243,7 +1243,8 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid), + LSM_HOOK_INIT(task_getsecid_subj, apparmor_task_getsecid), + LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8361941ee0a12..afa4923dbd33d 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c 
@@ -75,7 +75,7 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) if (!ima_appraise) return 0; - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); return ima_match_policy(inode, current_cred(), secid, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index f87cb29329e91..97a6913bb3d86 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -391,7 +391,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) u32 secid; if (file && (prot & PROT_EXEC)) { - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); return process_measurement(file, current_cred(), secid, NULL, 0, MAY_EXEC, MMAP_CHECK); } @@ -429,7 +429,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); inode = file_inode(vma->vm_file); action = ima_get_action(inode, current_cred(), secid, MAY_EXEC, MMAP_CHECK, &pcr, &template, 0); @@ -469,7 +469,7 @@ int ima_bprm_check(struct linux_binprm *bprm) int ret; u32 secid; - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) @@ -494,7 +494,7 @@ int ima_file_check(struct file *file, int mask) { u32 secid; - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); return process_measurement(file, current_cred(), secid, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); 
@@ -679,7 +679,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); return process_measurement(file, current_cred(), secid, NULL, 0, MAY_READ, func); } @@ -722,7 +722,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); return process_measurement(file, current_cred(), secid, buf, size, MAY_READ, func); } @@ -859,7 +859,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, * buffer measurements. */ if (func) { - security_task_getsecid(current, &secid); + security_task_getsecid_subj(current, &secid); action = ima_get_action(inode, current_cred(), secid, 0, func, &pcr, &template, keyring); if (!(action & IMA_MEASURE)) diff --git a/security/security.c b/security/security.c index 401663b5b70ea..85e504df051b3 100644 --- a/security/security.c +++ b/security/security.c @@ -1757,12 +1757,19 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_task_getsecid(struct task_struct *p, u32 *secid) +void security_task_getsecid_subj(struct task_struct *p, u32 *secid) { *secid = 0; - call_void_hook(task_getsecid, p, secid); + call_void_hook(task_getsecid_subj, p, secid); } -EXPORT_SYMBOL(security_task_getsecid); +EXPORT_SYMBOL(security_task_getsecid_subj); + +void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +{ + *secid = 0; + call_void_hook(task_getsecid_obj, p, secid); +} +EXPORT_SYMBOL(security_task_getsecid_obj); int security_task_setnice(struct task_struct *p, int nice) { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index af2994adf9dd1..f311541c4972e 100644 --- a/security/selinux/hooks.c 
+++ b/security/selinux/hooks.c @@ -7143,7 +7143,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), + LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid), + LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f69c3dd9a0c67..2bb354ef2c4a9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4755,7 +4755,8 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), + LSM_HOOK_INIT(task_getsecid_subj, smack_task_getsecid), + LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),

From patchwork Fri Feb 19 23:29:11 2021
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 12096373
X-Patchwork-Delegate: paul@paul-moore.com
Subject: [RFC PATCH 2/4] selinux:
 clarify task subjective and objective credentials
From: Paul Moore
To: Casey Schaufler, John Johansen
Cc: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com
Date: Fri, 19 Feb 2021 18:29:11 -0500
Message-ID: <161377735153.87807.7492842242100187888.stgit@sifl>
In-Reply-To: <161377712068.87807.12246856567527156637.stgit@sifl>
References: <161377712068.87807.12246856567527156637.stgit@sifl>
User-Agent: StGit/1.0
X-Mailing-List: selinux@vger.kernel.org

SELinux has a function, task_sid(), which returns the task's objective
credentials, but unfortunately is used in a few places where the
subjective task credentials should be used, most notably in the new
security_task_getsecid_subj() LSM hook.

This patch fixes this and attempts to make things more obvious by
introducing a new function, task_sid_subj(), and renaming the existing
task_sid() function to task_sid_obj().

Signed-off-by: Paul Moore
---
 security/selinux/hooks.c | 85 +++++++++++++++++++++++++++-------------------
 1 file changed, 49 insertions(+), 36 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f311541c4972e..1c53000d28e37 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -229,10 +229,23 @@ static inline u32 cred_sid(const struct cred *cred) return tsec->sid; } +/* + * get the subjective security ID of a task + */ +static inline u32 task_sid_subj(const struct task_struct *task) +{ + u32 sid; + + rcu_read_lock(); + sid = cred_sid(rcu_dereference(task->cred)); + rcu_read_unlock(); + return sid; +} + /* * get the objective security ID of a task */ -static inline u32 task_sid(const struct task_struct *task) +static inline u32 task_sid_obj(const struct task_struct *task) { u32 sid; 
@@ -2034,11 +2047,8 @@ static inline u32 open_file_to_av(struct file *file) static int selinux_binder_set_context_mgr(struct task_struct *mgr) { - u32 mysid = current_sid(); - u32 mgrsid = task_sid(mgr); - return avc_has_perm(&selinux_state, - mysid, mgrsid, SECCLASS_BINDER, + current_sid(), task_sid_obj(mgr), SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL); } @@ -2046,8 +2056,8 @@ static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to) { u32 mysid = current_sid(); - u32 fromsid = task_sid(from); - u32 tosid = task_sid(to); + u32 fromsid = task_sid_subj(from); + u32 tosid = task_sid_subj(to); int rc; if (mysid != fromsid) { @@ -2066,11 +2076,9 @@ static int selinux_binder_transaction(struct task_struct *from, static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to) { - u32 fromsid = task_sid(from); - u32 tosid = task_sid(to); - return avc_has_perm(&selinux_state, - fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, + task_sid_subj(from), task_sid_obj(to), + SECCLASS_BINDER, BINDER__TRANSFER, NULL); } @@ -2078,7 +2086,7 @@ static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file) { - u32 sid = task_sid(to); + u32 sid = task_sid_subj(to); struct file_security_struct *fsec = selinux_file(file); struct dentry *dentry = file->f_path.dentry; struct inode_security_struct *isec; @@ -2114,10 +2122,10 @@ static int selinux_binder_transfer_file(struct task_struct *from, } static int selinux_ptrace_access_check(struct task_struct *child, - unsigned int mode) + unsigned int mode) { u32 sid = current_sid(); - u32 csid = task_sid(child); + u32 csid = task_sid_obj(child); if (mode & PTRACE_MODE_READ) return avc_has_perm(&selinux_state, 
@@ -2130,15 +2138,15 @@ static int selinux_ptrace_access_check(struct task_struct *child, static int selinux_ptrace_traceme(struct task_struct *parent) { return avc_has_perm(&selinux_state, - task_sid(parent), current_sid(), SECCLASS_PROCESS, - PROCESS__PTRACE, NULL); + task_sid_subj(parent), task_sid_obj(current), + SECCLASS_PROCESS, PROCESS__PTRACE, NULL); } static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(target), SECCLASS_PROCESS, + current_sid(), task_sid_obj(target), SECCLASS_PROCESS, PROCESS__GETCAP, NULL); } @@ -2263,7 +2271,7 @@ static u32 ptrace_parent_sid(void) rcu_read_lock(); tracer = ptrace_parent(current); if (tracer) - sid = task_sid(tracer); + sid = task_sid_obj(tracer); rcu_read_unlock(); return sid; @@ -3916,7 +3924,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { struct file *file; - u32 sid = task_sid(tsk); + u32 sid = task_sid_obj(tsk); u32 perm; struct file_security_struct *fsec; 
@@ -4135,47 +4143,52 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__SETPGID, NULL); } static int selinux_task_getpgid(struct task_struct *p) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__GETPGID, NULL); } static int selinux_task_getsid(struct task_struct *p) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__GETSESSION, NULL); } -static void selinux_task_getsecid(struct task_struct *p, u32 *secid) +static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) +{ + *secid = task_sid_subj(p); +} + +static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) { - *secid = task_sid(p); + *secid = task_sid_obj(p); } static int selinux_task_setnice(struct task_struct *p, int nice) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__SETSCHED, NULL); } static int selinux_task_setioprio(struct task_struct *p, int ioprio) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__SETSCHED, NULL); } static int selinux_task_getioprio(struct task_struct *p) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__GETSCHED, NULL); } 
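Review bot: the new task_sid_subj() helper reads task->cred, the subjective cred pointer that only the owning task is meant to consult, yet several hunks apply it to a task that is not current: task_sid_subj(from) and task_sid_subj(to) in selinux_binder_transaction(), task_sid_subj(to) in selinux_binder_transfer_binder() and selinux_binder_transfer_file(), and task_sid_subj(parent) in selinux_ptrace_traceme(). For any task other than current the value read is whatever override_creds() has installed at that instant, so rcu_read_lock() keeps the pointer valid but does not make the decision stable against the peer changing its creds. Restrict task_sid_subj() to current (and say so in its comment), or use current_sid() where the task is the caller and task_sid_obj() where it is the peer, as the capget/setpgid/setnice hunks already do. The selinux_binder_transaction() hunk also keeps `if (mysid != fromsid)` while fromsid becomes subjective; confirm that comparison is still the intended semantics.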
@@ -4206,7 +4219,7 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, upon context transitions. See selinux_bprm_committing_creds. */ if (old_rlim->rlim_max != new_rlim->rlim_max) return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); return 0; @@ -4215,21 +4228,21 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, static int selinux_task_setscheduler(struct task_struct *p) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__SETSCHED, NULL); } static int selinux_task_getscheduler(struct task_struct *p) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__GETSCHED, NULL); } static int selinux_task_movememory(struct task_struct *p) { return avc_has_perm(&selinux_state, - current_sid(), task_sid(p), SECCLASS_PROCESS, + current_sid(), task_sid_obj(p), SECCLASS_PROCESS, PROCESS__SETSCHED, NULL); } @@ -4248,14 +4261,14 @@ static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, else secid = cred_sid(cred); return avc_has_perm(&selinux_state, - secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); + secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); } static void selinux_task_to_inode(struct task_struct *p, struct inode *inode) { struct inode_security_struct *isec = selinux_inode(inode); - u32 sid = task_sid(p); + u32 sid = task_sid_obj(p); spin_lock(&isec->lock); isec->sclass = inode_mode_to_security_class(inode->i_mode); 
@@ -6148,7 +6161,7 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m struct ipc_security_struct *isec; struct msg_security_struct *msec; struct common_audit_data ad; - u32 sid = task_sid(target); + u32 sid = task_sid_subj(target); int rc; isec = selinux_ipc(msq); 
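Review bot: selinux_msg_queue_msgrcv() switches to task_sid_subj(target), where target is a parameter of the hook and is not necessarily current, so this again reads another task's subjective creds. If the decision is "may this receiver be handed the message", the receiver is the object of the check and task_sid_obj(target) is the safe choice; if the receiver is meant to be the subject, the hook must be guaranteed to run in the receiver's own context, and that guarantee should be stated in a comment at the call site.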
@@ -7143,8 +7156,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid), - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid), + LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), + LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),

From patchwork Fri Feb 19 23:29:17 2021
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 12096375
X-Patchwork-Delegate: paul@paul-moore.com
Subject: [RFC PATCH 3/4] smack: differentiate between subjective and objective task credentials From: Paul Moore To: Casey Schaufler , John Johansen Cc: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com Date: Fri, 19 Feb 2021 18:29:17 -0500 Message-ID: <161377735771.87807.8998552586584751981.stgit@sifl> In-Reply-To: <161377712068.87807.12246856567527156637.stgit@sifl> References: <161377712068.87807.12246856567527156637.stgit@sifl> X-Mailing-List: selinux@vger.kernel.org
With the split of the security_task_getsecid() into subjective and objective variants it's time to update Smack to ensure it is using the correct task creds. Signed-off-by: Paul Moore Reviewed-by: John Johansen --- security/smack/smack.h | 18 +++++++++++++++++- security/smack/smack_lsm.c | 40 +++++++++++++++++++++++++++------------- 2 files changed, 44 insertions(+), 14 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index a9768b12716bf..08f9cb80655ce 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -383,7 +383,23 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp) return tsp->smk_task; } -static inline struct smack_known *smk_of_task_struct( +static inline struct smack_known *smk_of_task_struct_subj( + const struct task_struct *t) +{ + struct smack_known *skp; + const struct cred *cred; + + rcu_read_lock(); + + cred = rcu_dereference(t->cred); + skp = smk_of_task(smack_cred(cred)); + + rcu_read_unlock(); + + return skp; +} + +static inline struct smack_known *smk_of_task_struct_obj( const struct task_struct *t) { struct smack_known *skp; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 2bb354ef2c4a9..ea1a82742e8ba 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
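Review bot: the new smk_of_task_struct_subj() and the renamed smk_of_task_struct_obj() in smack.h carry no kernel-doc, so nothing tells a caller which helper to pick. Since the only difference is `cred = rcu_dereference(t->cred);` versus the objective credentials, a short comment on each stating when a task is the subject and when it is the object, and that the subjective label of a task other than current can change underneath the caller through override_creds(), would head off exactly the mix-ups this series is trying to remove.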
@@ -159,7 +159,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp, static int smk_bu_task(struct task_struct *otp, int mode, int rc) { struct task_smack *tsp = smack_cred(current_cred()); - struct smack_known *smk_task = smk_of_task_struct(otp); + struct smack_known *smk_task = smk_of_task_struct_obj(otp); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (rc <= 0) @@ -479,7 +479,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) { struct smack_known *skp; - skp = smk_of_task_struct(ctp); + skp = smk_of_task_struct_obj(ctp); return smk_ptrace_rule_check(current, skp, mode, __func__); } @@ -2031,7 +2031,7 @@ static int smk_curacc_on_task(struct task_struct *p, int access, const char *caller) { struct smk_audit_info ad; - struct smack_known *skp = smk_of_task_struct(p); + struct smack_known *skp = smk_of_task_struct_subj(p); int rc; smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 
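Review bot: in the smk_curacc_on_task() hunk the switch to `struct smack_known *skp = smk_of_task_struct_subj(p);` looks inverted. The function name says current is the subject performing `access` on task p, which makes p the object, and the two earlier hunks on this line (smk_bu_task() and smack_ptrace_access_check()) use the _obj helper for that same role; this should be `struct smack_known *skp = smk_of_task_struct_obj(p);`.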
@@ -2076,15 +2076,29 @@ static int smack_task_getsid(struct task_struct *p) } /** - * smack_task_getsecid - get the secid of the task - * @p: the object task + * smack_task_getsecid_subj - get the subjective secid of the task + * @p: the task * @secid: where to put the result * - * Sets the secid to contain a u32 version of the smack label. + * Sets the secid to contain a u32 version of the task's subjective smack label. + */ +static void smack_task_getsecid_subj(struct task_struct *p, u32 *secid) +{ + struct smack_known *skp = smk_of_task_struct_subj(p); + + *secid = skp->smk_secid; +} + +/** + * smack_task_getsecid_obj - get the objective secid of the task + * @p: the task + * @secid: where to put the result + * + * Sets the secid to contain a u32 version of the task's objective smack label. */ -static void smack_task_getsecid(struct task_struct *p, u32 *secid) +static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) { - struct smack_known *skp = smk_of_task_struct(p); + struct smack_known *skp = smk_of_task_struct_obj(p); *secid = skp->smk_secid; } @@ -2172,7 +2186,7 @@ static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, { struct smk_audit_info ad; struct smack_known *skp; - struct smack_known *tkp = smk_of_task_struct(p); + struct smack_known *tkp = smk_of_task_struct_obj(p); int rc; if (!sig) @@ -2210,7 +2224,7 @@ static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, static void smack_task_to_inode(struct task_struct *p, struct inode *inode) { struct inode_smack *isp = smack_inode(inode); - struct smack_known *skp = smk_of_task_struct(p); + struct smack_known *skp = smk_of_task_struct_obj(p); isp->smk_inode = skp; isp->smk_flags |= SMK_INODE_INSTANT; 
@@ -3481,7 +3495,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) */ static int smack_getprocattr(struct task_struct *p, char *name, char **value) { - struct smack_known *skp = smk_of_task_struct(p); + struct smack_known *skp = smk_of_task_struct_subj(p); char *cp; int slen; 
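Review bot: smack_getprocattr() now reports `smk_of_task_struct_subj(p)`, while every other Smack hook in this patch that inspects a task other than current (kill, ptrace, task_to_inode) uses the objective label. If p can be any task here, its subjective credential pointer can be swapped by override_creds() at any moment, so the proc attribute read can return a transient label; either limit the subjective read to p == current or document why the subjective label is what userspace is meant to see.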
@@ -4755,8 +4769,8 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(task_getsecid_subj, smack_task_getsecid), - LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid), + LSM_HOOK_INIT(task_getsecid_subj, smack_task_getsecid_subj), + LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
From patchwork Fri Feb 19 23:29:23 2021 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 12096377
Subject: [RFC PATCH 4/4] apparmor: differentiate between subjective and objective task credentials From: Paul Moore To: Casey Schaufler , John Johansen Cc: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com Date: Fri, 19 Feb 2021 18:29:23 -0500 Message-ID: <161377736385.87807.7033400948278183233.stgit@sifl> In-Reply-To: <161377712068.87807.12246856567527156637.stgit@sifl> References: <161377712068.87807.12246856567527156637.stgit@sifl> X-Mailing-List: selinux@vger.kernel.org
With the split of the security_task_getsecid() into subjective and objective variants it's time to update AppArmor to ensure it is using the correct task creds. Signed-off-by: Paul Moore --- security/apparmor/domain.c | 2 +- security/apparmor/include/cred.h | 19 ++++++++++++++++--- security/apparmor/include/task.h | 3 ++- security/apparmor/lsm.c | 23 +++++++++++++++-------- security/apparmor/task.c | 23 ++++++++++++++++++++--- 5 files changed, 54 insertions(+), 16 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index f919ebd042fd2..9ed00b8dcdf0c 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -67,7 +67,7 @@ static int may_change_ptraced_domain(struct aa_label *to_label, tracer = ptrace_parent(current); if (tracer) /* released below */ - tracerl = aa_get_task_label(tracer); + tracerl = aa_get_task_label_subj(tracer); /* not ptraced */ if (!tracer || unconfined(tracerl)) diff --git a/security/apparmor/include/cred.h b/security/apparmor/include/cred.h index 0b9ae4804ef73..43c21ef5568ab 100644 --- a/security/apparmor/include/cred.h +++ b/security/apparmor/include/cred.h
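Review bot: in may_change_ptraced_domain(), `tracerl = aa_get_task_label_subj(tracer);` takes the subjective label of the tracer, which is ptrace_parent(current) and therefore never current itself. Reading another task's task->cred returns whatever credential that task is running under at that instant (possibly an override_creds() temporary), so the value is racy; if the intent is that the tracer is the subject of the ptrace relationship, a comment should say so, otherwise aa_get_task_label_obj(tracer) is the stable choice.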
@@ -64,14 +64,27 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred) } /** - * __aa_task_raw_label - retrieve another task's label + * __aa_task_raw_label_subj - retrieve another task's subjective label * @task: task to query (NOT NULL) * - * Returns: @task's label without incrementing its ref count + * Returns: @task's subjective label without incrementing its ref count * * If @task != current needs to be called in RCU safe critical section */ -static inline struct aa_label *__aa_task_raw_label(struct task_struct *task) +static inline struct aa_label *__aa_task_raw_label_subj(struct task_struct *task) +{ + return aa_cred_raw_label(rcu_dereference(task->cred)); +} + +/** + * __aa_task_raw_label_obj - retrieve another task's objective label + * @task: task to query (NOT NULL) + * + * Returns: @task's objective label without incrementing its ref count + * + * If @task != current needs to be called in RCU safe critical section + */ +static inline struct aa_label *__aa_task_raw_label_obj(struct task_struct *task) { return aa_cred_raw_label(__task_cred(task)); } diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h index f13d12373b25e..27a2961558555 100644 --- a/security/apparmor/include/task.h +++ b/security/apparmor/include/task.h @@ -33,7 +33,8 @@ int aa_replace_current_label(struct aa_label *label); int aa_set_current_onexec(struct aa_label *label, bool stack); int aa_set_current_hat(struct aa_label *label, u64 token); int aa_restore_previous_label(u64 cookie); -struct aa_label *aa_get_task_label(struct task_struct *task); +struct aa_label *aa_get_task_label_subj(struct task_struct *task); +struct aa_label *aa_get_task_label_obj(struct task_struct *task); /** * aa_free_task_ctx - free a task_ctx diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 15e37b9132679..38430851675b9 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
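Review bot: both __aa_task_raw_label_subj() and __aa_task_raw_label_obj() keep the line "If @task != current needs to be called in RCU safe critical section", but rcu_dereference() is lockdep-checked no matter which task is passed, so with CONFIG_PROVE_RCU a call on current outside rcu_read_lock() still warns. The comment should simply require rcu_read_lock() to be held; callers that want current's own label can use current_cred() with aa_cred_raw_label() instead.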
@@ -119,7 +119,7 @@ static int apparmor_ptrace_access_check(struct task_struct *child, int error; tracer = __begin_current_label_crit_section(); - tracee = aa_get_task_label(child); + tracee = aa_get_task_label_obj(child); error = aa_may_ptrace(tracer, tracee, (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ : AA_PTRACE_TRACE); @@ -135,7 +135,7 @@ static int apparmor_ptrace_traceme(struct task_struct *parent) int error; tracee = __begin_current_label_crit_section(); - tracer = aa_get_task_label(parent); + tracer = aa_get_task_label_subj(parent); error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); aa_put_label(tracer); __end_current_label_crit_section(tracee); @@ -719,9 +719,16 @@ static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) return; } -static void apparmor_task_getsecid(struct task_struct *p, u32 *secid) +static void apparmor_task_getsecid_subj(struct task_struct *p, u32 *secid) { - struct aa_label *label = aa_get_task_label(p); + struct aa_label *label = aa_get_task_label_subj(p); + *secid = label->secid; + aa_put_label(label); +} + +static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) +{ + struct aa_label *label = aa_get_task_label_obj(p); *secid = label->secid; aa_put_label(label); } @@ -750,7 +757,7 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo * Dealing with USB IO specific behavior */ cl = aa_get_newest_cred_label(cred); - tl = aa_get_task_label(target); + tl = aa_get_task_label_obj(target); error = aa_may_signal(cl, tl, sig); aa_put_label(cl); aa_put_label(tl); @@ -758,7 +765,7 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo } cl = __begin_current_label_crit_section(); - tl = aa_get_task_label(target); + tl = aa_get_task_label_obj(target); error = aa_may_signal(cl, tl, sig); aa_put_label(tl); __end_current_label_crit_section(cl); 
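Review bot: apparmor_task_getsecid_subj() and apparmor_task_getsecid_obj() are identical apart from the label getter, and the _subj variant accepts an arbitrary `p` even though a subjective label is only well-defined for the task that is actually running (p == current). Factoring the body into one static helper that takes the getter, and noting the p == current expectation in a comment on the _subj hook, would keep the two in sync and make the distinction visible at the call sites.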
@@ -1243,8 +1250,8 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(task_getsecid_subj, apparmor_task_getsecid), - LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid), + LSM_HOOK_INIT(task_getsecid_subj, apparmor_task_getsecid_subj), + LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), diff --git a/security/apparmor/task.c b/security/apparmor/task.c index d17130ee6795d..c03c8e3928055 100644 --- a/security/apparmor/task.c +++ b/security/apparmor/task.c @@ -16,17 +16,34 @@ #include "include/task.h" /** - * aa_get_task_label - Get another task's label + * aa_get_task_label_subj - Get another task's subjective label * @task: task to query (NOT NULL) * * Returns: counted reference to @task's label */ -struct aa_label *aa_get_task_label(struct task_struct *task) +struct aa_label *aa_get_task_label_subj(struct task_struct *task) { struct aa_label *p; rcu_read_lock(); - p = aa_get_newest_label(__aa_task_raw_label(task)); + p = aa_get_newest_label(__aa_task_raw_label_subj(task)); + rcu_read_unlock(); + + return p; +} + +/** + * aa_get_task_label_obj - Get another task's objective label + * @task: task to query (NOT NULL) + * + * Returns: counted reference to @task's label + */ +struct aa_label *aa_get_task_label_obj(struct task_struct *task) +{ + struct aa_label *p; + + rcu_read_lock(); + p = aa_get_newest_label(__aa_task_raw_label_obj(task)); rcu_read_unlock(); return p;
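Review bot: the kernel-doc for aa_get_task_label_obj() in task.c still says "Returns: counted reference to @task's label", and the renamed aa_get_task_label_subj() says the same, so the two descriptions no longer tell the functions apart. Update them to "objective label" and "subjective label" to match the wording used for __aa_task_raw_label_subj()/_obj() in cred.h.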