From patchwork Mon Nov 26 23:26:46 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699343
Subject: [PATCH v5 01/38] LSM: Introduce LSM_FLAG_LEGACY_MAJOR
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:26:46 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This adds a flag for the current "major" LSMs to distinguish them when we have a universal method for ordering all LSMs. It's called "legacy" since the distinction of "major" will go away in the blob-sharing world.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen
---
 include/linux/lsm_hooks.h | 3 +++
 security/apparmor/lsm.c | 1 +
 security/selinux/hooks.c | 1 +
 security/smack/smack_lsm.c | 1 +
 security/tomoyo/tomoyo.c | 1 +
 5 files changed, 7 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index aaeb7fa24dc4..63c0e102de20 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2039,8 +2039,11 @@ extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); +#define LSM_FLAG_LEGACY_MAJOR BIT(0) + struct lsm_info { const char *name; /* Required. */ + unsigned long flags; /* Optional: flags describing LSM */ int (*init)(void); /* Required. */ }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 42446a216f3b..2edd35ca5044 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1728,5 +1728,6 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = apparmor_init, };
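Review bot: LSM_FLAG_LEGACY_MAJOR in the include/linux/lsm_hooks.h hunk is defined without a comment, and the new flags member only says "flags describing LSM", so nothing in the header tells an LSM author what setting or omitting the bit means. Since the commit message says the flag marks the current "major" LSMs and that the distinction is expected to go away, a one-line comment above the #define saying so would keep new LSMs from setting it by imitation. The hunk also uses BIT() without adding an include, so it is worth confirming that lsm_hooks.h already pulls in the definition for every file that includes it.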
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7ce683259357..56c6f1849c80 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7209,6 +7209,7 @@ void selinux_complete_init(void) all processes and objects when they are created. */ DEFINE_LSM(selinux) = { .name = "selinux", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = selinux_init, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 81fb4c1631e9..3639e55b1f4b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4891,5 +4891,6 @@ static __init int smack_init(void) */ DEFINE_LSM(smack) = { .name = "smack", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = smack_init, }; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 1b5b5097efd7..09f7af130d3a 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -552,5 +552,6 @@ static int __init tomoyo_init(void) DEFINE_LSM(tomoyo) = { .name = "tomoyo", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = tomoyo_init, };

From patchwork Mon Nov 26 23:27:49 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699345
Subject: [PATCH v5 02/38] LSM: Provide separate ordered initialization
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <163ac5dd-b78f-15d9-79c8-5adbe3fa100c@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:27:49 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This provides a place for ordered LSMs to be initialized, separate from the "major" LSMs. This is mainly a copy/paste from major_lsm_init() to ordered_lsm_init(), but it will change drastically in later patches.

What is not obvious in the patch is that this change moves the integrity LSM from major_lsm_init() into ordered_lsm_init(), since it is not marked with the LSM_FLAG_LEGACY_MAJOR. As it is the only LSM in the "ordered" list, there is no reordering yet created.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen
---
 security/security.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/security/security.c b/security/security.c index 04d173eb93f6..0688dfd57e95 100644 --- a/security/security.c +++ b/security/security.c
@@ -52,12 +52,30 @@ static __initdata bool debug; pr_info(__VA_ARGS__); \ } while (0) +static void __init ordered_lsm_init(void) +{ + struct lsm_info *lsm; + int ret; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) + continue; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init major_lsm_init(void) { struct lsm_info *lsm; int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + continue; + init_debug("initializing %s\n", lsm->name); ret = lsm->init(); WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); 
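Review bot: The behaviour change is not visible in the code of this hunk: any lsm_info whose flags lacks LSM_FLAG_LEGACY_MAJOR is now skipped by major_lsm_init() and picked up by the new ordered_lsm_init(), which the commit message says is how the integrity LSM moves. A short comment above ordered_lsm_init() stating that unflagged LSMs initialize there would keep that fact next to the code instead of only in the changelog. The two loops also differ only in the sense of the flag test, so the shared body (init_debug, lsm->init(), WARN) could sit in one helper rather than being duplicated.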
@@ -87,6 +105,9 @@ int __init security_init(void) yama_add_hooks(); loadpin_add_hooks(); + /* Load LSMs in specified order. */ + ordered_lsm_init(); + /* * Load all the remaining security modules. */

From patchwork Mon Nov 26 23:28:45 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699351
Subject: [PATCH v5 03/38] LSM: Plumb visibility into optional "enabled" state
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:28:45 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

In preparation for lifting the "is this LSM enabled?" logic out of the individual LSMs, pass in any special enabled state tracking (as needed for SELinux, AppArmor, and LoadPin). This should be an "int" to include handling any future cases where "enabled" is exposed via sysctl which has no "bool" type.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen
---
 include/linux/lsm_hooks.h | 1 +
 security/apparmor/lsm.c | 5 +++--
 security/selinux/hooks.c | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 63c0e102de20..4e2e9cdf78c6 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -2044,6 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Required. */ unsigned long flags; /* Optional: flags describing LSM */ + int *enabled; /* Optional: NULL means enabled. */ int (*init)(void); /* Required. */ }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 2edd35ca5044..127a540ef63a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1332,8 +1332,8 @@ bool aa_g_paranoid_load = true; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ -static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; -module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); +static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; +module_param_named(enabled, apparmor_enabled, int, 0444); static int __init apparmor_enabled_setup(char *str) { @@ -1729,5 +1729,6 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", .flags = LSM_FLAG_LEGACY_MAJOR, + .enabled = &apparmor_enabled, .init = apparmor_init, }; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 56c6f1849c80..efc0ac1b5019 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7210,6 +7210,7 @@ void selinux_complete_init(void) DEFINE_LSM(selinux) = { .name = "selinux", .flags = LSM_FLAG_LEGACY_MAJOR, + .enabled = &selinux_enabled, .init = selinux_init, };

From patchwork Mon Nov 26 23:29:39 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699359
Subject: [PATCH v5 04/38] LSM: Lift LSM selection out of individual LSMs
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <60a53863-a05e-cbbd-d73e-5a0d2fc6567c@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:29:39 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

As a prerequisite to adjusting LSM selection logic in the future, this moves the selection logic up out of the individual major LSMs, making their init functions only run when actually enabled. This considers all LSMs enabled by default unless they specified an external "enable" variable.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen
---
 include/linux/lsm_hooks.h | 1 -
 security/apparmor/lsm.c | 6 ---
 security/security.c | 102 +++++++++++++++++++++++++++++++--------------
 security/selinux/hooks.c | 10 -----
 security/smack/smack_lsm.c | 3 --
 security/tomoyo/tomoyo.c | 2 -
 6 files changed, 71 insertions(+), 53 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4e2e9cdf78c6..dabd2761acfc 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2085,7 +2085,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern int __init security_module_enable(const char *module); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA extern void __init yama_add_hooks(void);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 127a540ef63a..d840c1ef3e4d 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1662,12 +1662,6 @@ static int __init apparmor_init(void) { int error; - if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); - apparmor_enabled = false; - return 0; - } - aa_secids_init(); error = aa_setup_dfa_engine(); diff --git a/security/security.c b/security/security.c index 0688dfd57e95..7562da854b62 100644 --- a/security/security.c +++ b/security/security.c 
@@ -52,33 +52,96 @@ static __initdata bool debug; pr_info(__VA_ARGS__); \ } while (0) +static bool __init is_enabled(struct lsm_info *lsm) +{ + if (!lsm->enabled || *lsm->enabled) + return true; + + return false; +} + +/* Mark an LSM's enabled flag. */ +static int lsm_enabled_true __initdata = 1; +static int lsm_enabled_false __initdata = 0; +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + /* + * When an LSM hasn't configured an enable variable, we can use + * a hard-coded location for storing the default enabled state. + */ + if (!lsm->enabled) { + if (enabled) + lsm->enabled = &lsm_enabled_true; + else + lsm->enabled = &lsm_enabled_false; + } else if (lsm->enabled == &lsm_enabled_true) { + if (!enabled) + lsm->enabled = &lsm_enabled_false; + } else if (lsm->enabled == &lsm_enabled_false) { + if (enabled) + lsm->enabled = &lsm_enabled_true; + } else { + *lsm->enabled = enabled; + } +} + +/* Is an LSM allowed to be initialized? */ +static bool __init lsm_allowed(struct lsm_info *lsm) +{ + /* Skip if the LSM is disabled. */ + if (!is_enabled(lsm)) + return false; + + /* Skip major-specific checks if not a major LSM. */ + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + return true; + + /* Disabled if this LSM isn't the chosen one. */ + if (strcmp(lsm->name, chosen_lsm) != 0) + return false; + + return true; +} + +/* Check if LSM should be initialized. */ +static void __init maybe_initialize_lsm(struct lsm_info *lsm) +{ + int enabled = lsm_allowed(lsm); + + /* Record enablement (to handle any following exclusive LSMs). */ + set_enabled(lsm, enabled); + + /* If selected, initialize the LSM. 
*/ + if (enabled) { + int ret; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init ordered_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } static void __init major_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } @@ -168,29 +231,6 @@ static int lsm_append(char *new, char **result) return 0; } -/** - * security_module_enable - Load given security module on boot ? - * @module: the name of the module - * - * Each LSM must pass this method before registering its own operations - * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded during kernel initialization. - * - * Returns: - * - * true if: - * - * - The passed LSM is the one chosen by user at boot time, - * - or the passed LSM is configured as the default and the user did not - * choose an alternate LSM at boot time. - * - * Otherwise, return false. - */ -int __init security_module_enable(const char *module) -{ - return !strcmp(module, chosen_lsm); -} - /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index efc0ac1b5019..b81239a09dbb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7138,16 +7138,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { static __init int selinux_init(void) { - if (!security_module_enable("selinux")) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - pr_info("SELinux: Disabled at boot.\n"); - return 0; - } - pr_info("SELinux: Initializing.\n"); memset(&selinux_state, 0, sizeof(selinux_state)); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 3639e55b1f4b..56a114c1d750 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4841,9 +4841,6 @@ static __init int smack_init(void) struct cred *cred; struct task_smack *tsp; - if (!security_module_enable("smack")) - return 0; - smack_inode_cache = KMEM_CACHE(inode_smack, 0); if (!smack_inode_cache) return -ENOMEM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 09f7af130d3a..a46f6bc1e97c 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -540,8 +540,6 @@ static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); - if (!security_module_enable("tomoyo")) - return 0; /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n");

From patchwork Mon Nov 26 23:30:24 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699361
Subject: [PATCH v5 05/38] LSM: Build ordered list of LSMs to initialize
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:30:24 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This constructs an ordered list of LSMs to initialize, using a hard-coded list of only "integrity": minor LSMs continue to have direct hook calls, and major LSMs continue to initialize separately.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler

--- security/security.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index 7562da854b62..4c193aba4531 100644 --- a/security/security.c +++ b/security/security.c
@@ -37,6 +37,9 @@ /* Maximum number of letters for an LSM name string */ #define SECURITY_NAME_MAX 10 +/* How many LSMs were built into the kernel? */ +#define LSM_COUNT (__end_lsm_info - __start_lsm_info) + struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); @@ -45,6 +48,9 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +/* Ordered list of LSMs to initialize. */ +static __initdata struct lsm_info **ordered_lsms; + static __initdata bool debug; #define init_debug(...) \ do { \ @@ -85,6 +91,34 @@ static void __init set_enabled(struct lsm_info *lsm, bool enabled) } } +/* Is an LSM already listed in the ordered LSMs list? */ +static bool __init exists_ordered_lsm(struct lsm_info *lsm) +{ + struct lsm_info **check; + + for (check = ordered_lsms; *check; check++) + if (*check == lsm) + return true; + + return false; +} + +/* Append an LSM to the list of ordered LSMs to initialize. */ +static int last_lsm __initdata; +static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) +{ + /* Ignore duplicate selections. */ + if (exists_ordered_lsm(lsm)) + return; + + if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) + return; + + ordered_lsms[last_lsm++] = lsm; + init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, + is_enabled(lsm) ? "en" : "dis"); +} + /* Is an LSM allowed to be initialized? */ static bool __init lsm_allowed(struct lsm_info *lsm) { 
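Review bot: exists_ordered_lsm() walks `ordered_lsms` until it reads a NULL entry, so it depends on the array being allocated and on a zeroed terminator slot, and nothing in this hunk checks or documents either. A short comment on the declaration saying the array holds LSM_COUNT + 1 zeroed entries, plus an early return in append_ordered_lsm() when `ordered_lsms` is NULL, would make the invariant explicit; the `last_lsm == LSM_COUNT` WARN already protects the terminator. `static int last_lsm __initdata;` would also read better declared beside `ordered_lsms` than between the two functions.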
@@ -121,18 +155,32 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) } } -static void __init ordered_lsm_init(void) +/* Populate ordered LSMs list from single LSM name. */ +static void __init ordered_lsm_parse(const char *order, const char *origin) { struct lsm_info *lsm; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) - continue; - - maybe_initialize_lsm(lsm); + if (strcmp(lsm->name, order) == 0) + append_ordered_lsm(lsm, origin); } } +static void __init ordered_lsm_init(void) +{ + struct lsm_info **lsm; + + ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), + GFP_KERNEL); + + ordered_lsm_parse("integrity", "builtin"); + + for (lsm = ordered_lsms; *lsm; lsm++) + maybe_initialize_lsm(*lsm); + + kfree(ordered_lsms); +} + static void __init major_lsm_init(void) { struct lsm_info *lsm;

From patchwork Mon Nov 26 23:31:04 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699367
Subject: [PATCH v5 06/38] LSM: Introduce CONFIG_LSM
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:31:04 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This provides a way to declare LSM initialization order via the new CONFIG_LSM. Currently only non-major LSMs are recognized. This will be expanded in future patches.

Signed-off-by: Kees Cook

--- security/Kconfig | 9 +++++++++ security/security.c | 27 ++++++++++++++++++++++----- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index d9aa521b5206..7de42bbacc28 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -276,5 +276,14 @@ config DEFAULT_SECURITY default "apparmor" if DEFAULT_SECURITY_APPARMOR default "" if DEFAULT_SECURITY_DAC +config LSM + string "Ordered list of enabled LSMs" + default "integrity" + help + A comma-separated list of LSMs, in initialization order. + Any LSMs left off this list will be ignored. + + If unsure, leave this as the default. + endmenu diff --git a/security/security.c b/security/security.c index 4c193aba4531..96e0b7d057b0 100644 --- a/security/security.c +++ b/security/security.c @@ -48,6 +48,8 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initconst const char * const builtin_lsm_order = CONFIG_LSM; + /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; @@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) } } -/* Populate ordered LSMs list from single LSM name. */ +/* Populate ordered LSMs list from comma-separated LSM name list. */ static void __init ordered_lsm_parse(const char *order, const char *origin) { struct lsm_info *lsm; + char *sep, *name, *next; + + sep = kstrdup(order, GFP_KERNEL); + next = sep; + /* Walk the list, looking for matching LSMs. */ + while ((name = strsep(&next, ",")) != NULL) { + bool found = false; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && + strcmp(lsm->name, name) == 0) { + append_ordered_lsm(lsm, origin); + found = true; + } + } - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (strcmp(lsm->name, order) == 0) - append_ordered_lsm(lsm, origin); + if (!found) + init_debug("%s ignored: %s\n", origin, name); } + kfree(sep); } static void __init ordered_lsm_init(void) 
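Review bot: the `kstrdup(order, GFP_KERNEL)` result in ordered_lsm_parse() is used without a NULL check; on failure strsep() returns NULL on its first call, the loop never runs, and every LSM named in CONFIG_LSM is skipped with nothing logged. Check `sep` and report the failure before the loop. Related: a name that matches no non-major LSM is reported only through init_debug(), so a typo in the list quietly drops that LSM unless debugging is enabled; consider whether unmatched names deserve an unconditional message so that a misconfigured list is visible.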
@@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void) ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), GFP_KERNEL); - ordered_lsm_parse("integrity", "builtin"); + ordered_lsm_parse(builtin_lsm_order, "builtin"); for (lsm = ordered_lsms; *lsm; lsm++) maybe_initialize_lsm(*lsm);

From patchwork Mon Nov 26 23:31:44 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699395
Subject: [PATCH v5 07/38] LSM: Introduce "lsm=" for boottime LSM selection
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <3003d07a-61dc-e997-2814-50ad27930b9d@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:31:44 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

Provide a way to explicitly choose LSM initialization order via the new "lsm=" comma-separated list of LSMs.

Signed-off-by: Kees Cook

--- Documentation/admin-guide/kernel-parameters.txt | 4 ++++ security/Kconfig | 3 ++- security/security.c | 14 +++++++++++++- 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 81d1d5a74728..ea33bcbaecb2 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2302,6 +2302,10 @@ lsm.debug [SECURITY] Enable LSM initialization debugging output. + lsm=lsm1,...,lsmN + [SECURITY] Choose order of LSM initialization. This + overrides CONFIG_LSM. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/Kconfig b/security/Kconfig index 7de42bbacc28..41aa0be6142f 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -281,7 +281,8 @@ config LSM default "integrity" help A comma-separated list of LSMs, in initialization order. - Any LSMs left off this list will be ignored. + Any LSMs left off this list will be ignored. This can be + controlled at boot with the "lsm=" parameter. If unsure, leave this as the default. diff --git a/security/security.c b/security/security.c index 96e0b7d057b0..38fc436e8b4b 100644 --- a/security/security.c +++ b/security/security.c @@ -47,6 +47,7 @@ char *lsm_names; /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initdata const char *chosen_lsm_order; static __initconst const char * const builtin_lsm_order = CONFIG_LSM; @@ -190,7 +191,10 @@ static void __init ordered_lsm_init(void) ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), GFP_KERNEL); - ordered_lsm_parse(builtin_lsm_order, "builtin"); + if (chosen_lsm_order) + ordered_lsm_parse(chosen_lsm_order, "cmdline"); + else + ordered_lsm_parse(builtin_lsm_order, "builtin"); for (lsm = ordered_lsms; *lsm; lsm++) maybe_initialize_lsm(*lsm); 
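Review bot: in ordered_lsm_init(), a non-NULL `chosen_lsm_order` replaces `builtin_lsm_order` entirely, so "lsm=" decides which LSMs are initialized, not only their order: anything omitted from the command line is left out, and an empty or mistyped value leaves the ordered list empty. The kernel-parameters.txt entry added in this patch says only "Choose order of LSM initialization"; it should state that LSMs not listed are not initialized, matching the CONFIG_LSM help text.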
@@ -252,6 +256,14 @@ static int __init choose_lsm(char *str) } __setup("security=", choose_lsm); +/* Explicitly choose LSM initialization order. */ +static int __init choose_lsm_order(char *str) +{ + chosen_lsm_order = str; + return 1; +} +__setup("lsm=", choose_lsm_order); + /* Enable LSM order debugging. */ static int __init enable_debug(char *str) {

From patchwork Mon Nov 26 23:32:40 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699373
Subject: [PATCH v5 08/38] LSM: Tie enabling logic to presence in ordered list
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <602079a2-b7f8-4c8d-8fd7-fc6e90095335@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:32:40 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

Until now, any LSM without an enable storage variable was considered enabled. This inverts the logic and sets defaults to true only if the LSM gets added to the ordered initialization list. (And an exception continues for the major LSMs until they are integrated into the ordered initialization in a later patch.)

Signed-off-by: Kees Cook

--- include/linux/lsm_hooks.h | 2 +- security/security.c | 14 +++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index dabd2761acfc..272791fdd26e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,7 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Required. */ unsigned long flags; /* Optional: flags describing LSM */ - int *enabled; /* Optional: NULL means enabled. */ + int *enabled; /* Optional: controlled by CONFIG_LSM */ int (*init)(void); /* Required. */ }; diff --git a/security/security.c b/security/security.c index 38fc436e8b4b..ea760d625af6 100644 --- a/security/security.c +++ b/security/security.c
@@ -63,10 +63,10 @@ static __initdata bool debug; static bool __init is_enabled(struct lsm_info *lsm) { - if (!lsm->enabled || *lsm->enabled) - return true; + if (!lsm->enabled) + return false; - return false; + return *lsm->enabled; } /* Mark an LSM's enabled flag. */ @@ -117,7 +117,11 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) return; + /* Enable this LSM, if it is not already set. */ + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; ordered_lsms[last_lsm++] = lsm; + init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, is_enabled(lsm) ? "en" : "dis"); } 
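Review bot: append_ordered_lsm() now points every LSM that has no storage of its own at the same `lsm_enabled_true` variable, so a later write through `*lsm->enabled` for one LSM would change the state of all of them. A comment at the assignment saying the shared variable must only be swapped for another pointer, never written through, would guard against that. The hunk also adds a blank line between `ordered_lsms[last_lsm++] = lsm;` and the init_debug() call, an unrelated whitespace change that can be dropped.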
@@ -210,6 +214,10 @@ static void __init major_lsm_init(void) if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) continue; + /* Enable this LSM, if it is not already set. */ + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; + maybe_initialize_lsm(lsm); } }

From patchwork Mon Nov 26 23:33:37 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699379
Subject: [PATCH v5 09/38] LSM: Prepare for reorganizing "security=" logic
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <26e368e6-fe18-c408-e4a9-915e87a4adc9@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:33:37 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This moves the string handling for "security=" boot parameter into a stored pointer instead of a string duplicate. This will allow easier handling of the string when switching logic to use the coming enable/disable infrastructure.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen

--- security/security.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/security/security.c b/security/security.c index ea760d625af6..f4a7b7d52d71 100644 --- a/security/security.c +++ b/security/security.c @@ -34,9 +34,6 @@ #define MAX_LSM_EVM_XATTR 2 -/* Maximum number of letters for an LSM name string */ -#define SECURITY_NAME_MAX 10 - /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) @@ -45,9 +42,8 @@ static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); char *lsm_names; /* Boot-time LSM user choice */ -static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = - CONFIG_DEFAULT_SECURITY; static __initdata const char *chosen_lsm_order; +static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
@@ -138,7 +134,7 @@ static bool __init lsm_allowed(struct lsm_info *lsm) return true; /* Disabled if this LSM isn't the chosen one. */ - if (strcmp(lsm->name, chosen_lsm) != 0) + if (strcmp(lsm->name, chosen_major_lsm) != 0) return false; return true; @@ -168,6 +164,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) struct lsm_info *lsm; char *sep, *name, *next; + if (!chosen_major_lsm) + chosen_major_lsm = CONFIG_DEFAULT_SECURITY; + sep = kstrdup(order, GFP_KERNEL); next = sep; /* Walk the list, looking for matching LSMs. */ 
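Review bot: the default for `chosen_major_lsm` is now assigned as a side effect at the top of ordered_lsm_parse(), while lsm_allowed() passes the pointer straight to strcmp(). That is only safe as long as the parser always runs before any major LSM is evaluated; a path that reaches lsm_allowed() first would hand strcmp() a NULL pointer. Assigning the CONFIG_DEFAULT_SECURITY fallback once in the init entry point, before either list is processed, removes the ordering dependency.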
@@ -257,12 +256,12 @@ int __init security_init(void) } /* Save user chosen LSM */ -static int __init choose_lsm(char *str) +static int __init choose_major_lsm(char *str) { - strncpy(chosen_lsm, str, SECURITY_NAME_MAX); + chosen_major_lsm = str; return 1; } -__setup("security=", choose_lsm); +__setup("security=", choose_major_lsm); /* Explicitly choose LSM initialization order. */ static int __init choose_lsm_order(char *str) From patchwork Mon Nov 26 23:34:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699381 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 73BC01803 for ; Mon, 26 Nov 2018 23:34:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 629FF2A469 for ; Mon, 26 Nov 2018 23:34:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 56C0F2A5BC; Mon, 26 Nov 2018 23:34:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E87B22A57F for ; Mon, 26 Nov 2018 23:34:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727668AbeK0KaK (ORCPT ); Tue, 27 Nov 2018 05:30:10 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:33146 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727415AbeK0KaJ (ORCPT ); Tue, 27 Nov 2018 05:30:09 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; 
Subject: [PATCH v5 10/38] LSM: Refactor "security=" in terms of enable/disable
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:34:15 -0800

For what are marked as the Legacy Major LSMs, make them effectively exclusive when selected on the "security=" boot parameter, to handle the future case of when a previously major LSM becomes non-exclusive (e.g. when TOMOYO starts blob-sharing).

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
--- security/security.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/security/security.c b/security/security.c index f4a7b7d52d71..a7889885585e 100644 --- a/security/security.c +++ b/security/security.c @@ -129,14 +129,6 @@ static bool __init lsm_allowed(struct lsm_info *lsm) if (!is_enabled(lsm)) return false; - /* Skip major-specific checks if not a major LSM. */ - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - return true; - - /* Disabled if this LSM isn't the chosen one. */ - if (strcmp(lsm->name, chosen_major_lsm) != 0) - return false; - return true; }
@@ -164,8 +156,28 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) struct lsm_info *lsm; char *sep, *name, *next; + /* Process "security=", if given. */ if (!chosen_major_lsm) chosen_major_lsm = CONFIG_DEFAULT_SECURITY; + if (chosen_major_lsm) { + struct lsm_info *major; + + /* + * To match the original "security=" behavior, this + * explicitly does NOT fallback to another Legacy Major + * if the selected one was separately disabled: disable + * all non-matching Legacy Major LSMs. + */ + for (major = __start_lsm_info; major < __end_lsm_info; + major++) { + if ((major->flags & LSM_FLAG_LEGACY_MAJOR) && + strcmp(major->name, chosen_major_lsm) != 0) { + set_enabled(major, false); + init_debug("security=%s disabled: %s\n", + chosen_major_lsm, major->name); + } + } + } sep = kstrdup(order, GFP_KERNEL); next = sep;
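Review bot: In patch 10/38, the new loop in ordered_lsm_parse() disables every LSM_FLAG_LEGACY_MAJOR entry whose name differs from chosen_major_lsm, so a "security=" value that matches no built-in LSM (a typo, or a module that is not compiled in) switches off all Legacy Major LSMs and reports it only through init_debug(). Suggest tracking whether any major matched and printing a message that is not gated on debug when none did, so that a boot with no major LSM active shows up in the log. Minor: "does NOT fallback" in the new comment should read "fall back".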
Subject: [PATCH v5 11/38] LSM: Separate idea of "major" LSM from "exclusive" LSM
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:34:56 -0800

In order to both support old "security=" Legacy Major LSM selection and handle real exclusivity, this creates LSM_FLAG_EXCLUSIVE and updates the selection logic to handle them.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
--- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 2 +- security/security.c | 12 ++++++++++++ security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- 6 files changed, 17 insertions(+), 4 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 272791fdd26e..7d04a0c32011 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -2040,6 +2040,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); #define LSM_FLAG_LEGACY_MAJOR BIT(0) +#define LSM_FLAG_EXCLUSIVE BIT(1) struct lsm_info { const char *name; /* Required. */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d840c1ef3e4d..37dafab649b1 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1722,7 +1722,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &apparmor_enabled, .init = apparmor_init, }; diff --git a/security/security.c b/security/security.c index a7889885585e..0009ef6c83fa 100644 --- a/security/security.c +++ b/security/security.c @@ -49,6 +49,7 @@ static __initconst const char * const builtin_lsm_order = CONFIG_LSM; /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; +static __initdata struct lsm_info *exclusive; static __initdata bool debug; #define init_debug(...) \ @@ -129,6 +130,12 @@ static bool __init lsm_allowed(struct lsm_info *lsm) if (!is_enabled(lsm)) return false; + /* Not allowed if another exclusive LSM already initialized. */ + if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) { + init_debug("exclusive disabled: %s\n", lsm->name); + return false; + } + return true; } @@ -144,6 +151,11 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) if (enabled) { int ret; + if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { + exclusive = lsm; + init_debug("exclusive chosen: %s\n", lsm->name); + } + init_debug("initializing %s\n", lsm->name); ret = lsm->init(); WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b81239a09dbb..3687599d9d16 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7199,7 +7199,7 @@ void selinux_complete_init(void) all processes and objects when they are created. */ DEFINE_LSM(selinux) = { .name = "selinux", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &selinux_enabled, .init = selinux_init, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 56a114c1d750..849426ac6a6c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4888,6 +4888,6 @@ static __init int smack_init(void) */ DEFINE_LSM(smack) = { .name = "smack", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = smack_init, }; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index a46f6bc1e97c..daff7d7897ad 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -550,6 +550,6 @@ static int __init tomoyo_init(void) DEFINE_LSM(tomoyo) = { .name = "tomoyo", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = tomoyo_init, };
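Review bot: In patch 11/38, the maybe_initialize_lsm() hunk in security/security.c assigns exclusive = lsm before lsm->init() is called and keeps it even when init() returns an error (the return value only feeds WARN()), so an exclusive LSM that fails to initialize still blocks every later exclusive LSM in lsm_allowed(). If that is intended, say so in a comment next to the assignment; otherwise set exclusive only after init() has succeeded.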
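Review bot: In patch 11/38, the include/linux/lsm_hooks.h hunk adds "#define LSM_FLAG_EXCLUSIVE BIT(1)" with no comment, although the difference between a Legacy Major and an exclusive LSM is the whole point of the change. A one-line comment beside each flag (what "security=" selects versus what may only be initialized once) would keep the distinction from living only in the commit message.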
Subject: [PATCH v5 12/38] apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE
To: James
 Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:35:49 -0800

In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the soon-to-be redundant SECURITY_APPARMOR_BOOTPARAM_VALUE. Since explicit ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or not, this CONFIG will become effectively ignored, so remove it. However, in order to stay backward-compatible with "security=apparmor", the enable variable defaults to true.

Signed-off-by: Kees Cook
--- security/apparmor/Kconfig | 16 ---------------- security/apparmor/lsm.c | 2 +- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index b6b68a7750ce..3de21f46c82a 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig
@@ -14,22 +14,6 @@ config SECURITY_APPARMOR If you are unsure how to answer this question, answer N. -config SECURITY_APPARMOR_BOOTPARAM_VALUE - int "AppArmor boot parameter default value" - depends on SECURITY_APPARMOR - range 0 1 - default 1 - help - This option sets the default value for the kernel parameter - 'apparmor', which allows AppArmor to be enabled or disabled - at boot. If this option is set to 0 (zero), the AppArmor - kernel parameter will default to 0, disabling AppArmor at - boot. If this option is set to 1 (one), the AppArmor - kernel parameter will default to 1, enabling AppArmor at - boot. - - If you are unsure how to answer this question, answer 1. - config SECURITY_APPARMOR_HASH bool "Enable introspection of sha1 hashes for loaded profiles" depends on SECURITY_APPARMOR diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 37dafab649b1..e8b40008d58c 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1332,7 +1332,7 @@ bool aa_g_paranoid_load = true; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ -static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; +static int apparmor_enabled __lsm_ro_after_init = 1; module_param_named(enabled, apparmor_enabled, int, 0444); static int __init apparmor_enabled_setup(char *str)
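Review bot: In patch 12/38, the security/apparmor/lsm.c hunk adds __lsm_ro_after_init to apparmor_enabled on the same line that drops CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE, but the commit message only describes the Kconfig removal. Please mention the annotation in the changelog (or split it into its own patch) and confirm that nothing writes apparmor_enabled once init has finished. The changelog should also state that a configuration which had the removed option set to 0 now starts from a default of 1 and depends on CONFIG_LSM, "lsm=" or the 'apparmor' boot parameter to keep AppArmor off.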
Subject: [PATCH v5 13/38] selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:36:36 -0800

In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the soon-to-be redundant SECURITY_SELINUX_BOOTPARAM_VALUE. Since explicit ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or not, this CONFIG will become effectively ignored, so remove it. However, in order to stay backward-compatible with "security=selinux", the enable variable defaults to true.

Signed-off-by: Kees Cook
--- security/selinux/Kconfig | 15 --------------- security/selinux/hooks.c | 5 +---- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 8af7a690eb40..55f032f1fc2d 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig
@@ -22,21 +22,6 @@ config SECURITY_SELINUX_BOOTPARAM If you are unsure how to answer this question, answer N. -config SECURITY_SELINUX_BOOTPARAM_VALUE - int "NSA SELinux boot parameter default value" - depends on SECURITY_SELINUX_BOOTPARAM - range 0 1 - default 1 - help - This option sets the default value for the kernel parameter - 'selinux', which allows SELinux to be disabled at boot. If this - option is set to 0 (zero), the SELinux kernel parameter will - default to 0, disabling SELinux at bootup. If this option is - set to 1 (one), the SELinux kernel parameter will default to 1, - enabling SELinux at bootup. - - If you are unsure how to answer this question, answer 1. - config SECURITY_SELINUX_DISABLE bool "NSA SELinux runtime disable" depends on SECURITY_SELINUX diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3687599d9d16..edd5b8dd3e56 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -120,9 +120,8 @@ __setup("enforcing=", enforcing_setup); #define selinux_enforcing_boot 1 #endif +int selinux_enabled __lsm_ro_after_init = 1; #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM -int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; - static int __init selinux_enabled_setup(char *str) { unsigned long enabled; 
@@ -131,8 +130,6 @@ static int __init selinux_enabled_setup(char *str) return 1; } __setup("selinux=", selinux_enabled_setup); -#else -int selinux_enabled = 1; #endif static unsigned int selinux_checkreqprot_boot =
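Review bot: In patch 13/38, the security/selinux/hooks.c hunk moves selinux_enabled outside the #ifdef and marks it __lsm_ro_after_init, while the Kconfig context of the same patch still shows SECURITY_SELINUX_DISABLE ("NSA SELinux runtime disable"). Please confirm that the runtime-disable path never writes selinux_enabled after init, or explain in the changelog why the annotation is safe with that option enabled; the commit message does not mention the annotation at all.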
Subject: [PATCH v5 14/38] LSM: Add all exclusive LSMs to ordered initialization
To: James
 Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:37:24 -0800

This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order. All LSMs not added to the ordered list are explicitly disabled.

Signed-off-by: Kees Cook
Signed-off-by: Casey Schaufler
--- security/security.c | 45 ++++++++++++++++++++------------------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/security/security.c b/security/security.c index 0009ef6c83fa..df71b54c1ba4 100644 --- a/security/security.c +++ b/security/security.c @@ -169,8 +169,6 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) char *sep, *name, *next; /* Process "security=", if given. */ - if (!chosen_major_lsm) - chosen_major_lsm = CONFIG_DEFAULT_SECURITY; if (chosen_major_lsm) { struct lsm_info *major; @@ -198,8 +196,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && - strcmp(lsm->name, name) == 0) { + if (strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; }
@@ -208,6 +205,25 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) if (!found) init_debug("%s ignored: %s\n", origin, name); } + + /* Process "security=", if given. */ + if (chosen_major_lsm) { + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (exists_ordered_lsm(lsm)) + continue; + if (strcmp(lsm->name, chosen_major_lsm) == 0) + append_ordered_lsm(lsm, "security="); + } + } + + /* Disable all LSMs not in the ordered list. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (exists_ordered_lsm(lsm)) + continue; + set_enabled(lsm, false); + init_debug("%s disabled: %s\n", origin, lsm->name); + } + kfree(sep); } @@ -229,22 +245,6 @@ static void __init ordered_lsm_init(void) kfree(ordered_lsms); } -static void __init major_lsm_init(void) -{ - struct lsm_info *lsm; - - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - continue; - - /* Enable this LSM, if it is not already set. */ - if (!lsm->enabled) - lsm->enabled = &lsm_enabled_true; - - maybe_initialize_lsm(lsm); - } -} - /** * security_init - initializes the security framework * 
@@ -271,11 +271,6 @@ int __init security_init(void) /* Load LSMs in specified order. */ ordered_lsm_init(); - /* - * Load all the remaining security modules. - */ - major_lsm_init(); - return 0; }
From patchwork Mon Nov 26 23:38:20 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699405
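
Review bot: The added "security=" block in ordered_lsm_parse() (security/security.c, hunk @@ -208,6 +205,25 @@ of the patch above) matches chosen_major_lsm against every lsm_info by name only, so security=<name> appends any built-in LSM that was left off the ordered list, not only the ones the removed LSM_FLAG_LEGACY_MAJOR tests used to single out. If security= is still meant to pick a major LSM, test lsm->flags & LSM_FLAG_LEGACY_MAJOR in this loop; if the wider behaviour is intended, say so in the comment, which at the moment repeats the "Process "security=", if given." comment already at the top of the function. In the same hunk, the "Disable all LSMs not in the ordered list" loop reports what it switched off only through init_debug(); an LSM that is missing from the order string is now disabled outright, so a message that does not depend on the debug path would make a mistyped or incomplete list visible in the boot log.
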
Subject: [PATCH v5 15/38] LSM: Split LSM preparation from initialization
To: James Morris ,
LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:38:20 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

Since we already have to do a pass through the LSMs to figure out if exclusive LSMs should be disabled after the first one is seen as enabled, this splits the logic up a bit more cleanly. Now we do a full "prepare" pass through the LSMs (which also allows for later use by the blob-sharing code), before starting the LSM initialization pass.

Signed-off-by: Kees Cook
---
 security/security.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/security/security.c b/security/security.c index df71b54c1ba4..3fac0ff39944 100644 --- a/security/security.c +++ b/security/security.c
@@ -139,22 +139,28 @@ static bool __init lsm_allowed(struct lsm_info *lsm) return true; } -/* Check if LSM should be initialized. */ -static void __init maybe_initialize_lsm(struct lsm_info *lsm) +/* Prepare LSM for initialization. */ +static void __init prepare_lsm(struct lsm_info *lsm) { int enabled = lsm_allowed(lsm); /* Record enablement (to handle any following exclusive LSMs). */ set_enabled(lsm, enabled); - /* If selected, initialize the LSM. */ + /* If enabled, do pre-initialization work. */ if (enabled) { - int ret; - if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { exclusive = lsm; init_debug("exclusive chosen: %s\n", lsm->name); } + } +} + +/* Initialize a given LSM, if it is enabled. */ +static void __init initialize_lsm(struct lsm_info *lsm) +{ + if (is_enabled(lsm)) { + int ret; init_debug("initializing %s\n", lsm->name); ret = lsm->init(); 
@@ -240,7 +246,10 @@ static void __init ordered_lsm_init(void) ordered_lsm_parse(builtin_lsm_order, "builtin"); for (lsm = ordered_lsms; *lsm; lsm++) - maybe_initialize_lsm(*lsm); + prepare_lsm(*lsm); + + for (lsm = ordered_lsms; *lsm; lsm++) + initialize_lsm(*lsm); kfree(ordered_lsms); }
From patchwork Mon Nov 26 23:39:04 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699411
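
Review bot: In initialize_lsm() (security/security.c, hunk @@ -139,22 +139,28 @@ of the patch above) the LSM is initialized whenever is_enabled(lsm) is true, but that state and the "exclusive" pointer are now fixed in the earlier prepare_lsm() pass, and nothing in the visible lines undoes them when lsm->init() returns an error: the LSM stays marked enabled and, if it is the exclusive one, still occupies the exclusive slot for every LSM after it. Either clear the enabled state and "exclusive" on a non-zero ret, or state in the comment that a failed init is deliberately left as is. In prepare_lsm() the nested test can also be a single condition: if (enabled && (lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive).
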
Subject: [PATCH v5 16/38]
LoadPin: Initialize as ordered LSM
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <4145222c-9ae7-4d97-32c3-f0f860a1f401@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:39:04 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This converts LoadPin from being a direct "minor" LSM into an ordered LSM.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
---
 include/linux/lsm_hooks.h | 5 -----
 security/Kconfig | 39 +--------------------------------------
 security/loadpin/loadpin.c | 8 +++++++-
 security/security.c | 1 -
 4 files changed, 8 insertions(+), 45 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7d04a0c32011..b565c0c10269 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2092,10 +2092,5 @@ extern void __init yama_add_hooks(void); #else static inline void __init yama_add_hooks(void) { } #endif -#ifdef CONFIG_SECURITY_LOADPIN -void __init loadpin_add_hooks(void); -#else -static inline void loadpin_add_hooks(void) { }; -#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index 41aa0be6142f..566d54215cbe 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -239,46 +239,9 @@ source security/yama/Kconfig source security/integrity/Kconfig -choice - prompt "Default security module" - default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX - default DEFAULT_SECURITY_SMACK if SECURITY_SMACK - default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO - default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR - default DEFAULT_SECURITY_DAC - - help - Select the security module that will be used by default if the - kernel parameter security= is not specified. - - config DEFAULT_SECURITY_SELINUX - bool "SELinux" if SECURITY_SELINUX=y - - config DEFAULT_SECURITY_SMACK - bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y - - config DEFAULT_SECURITY_TOMOYO - bool "TOMOYO" if SECURITY_TOMOYO=y - - config DEFAULT_SECURITY_APPARMOR - bool "AppArmor" if SECURITY_APPARMOR=y - - config DEFAULT_SECURITY_DAC - bool "Unix Discretionary Access Controls" - -endchoice - -config DEFAULT_SECURITY - string - default "selinux" if DEFAULT_SECURITY_SELINUX - default "smack" if DEFAULT_SECURITY_SMACK - default "tomoyo" if DEFAULT_SECURITY_TOMOYO - default "apparmor" if DEFAULT_SECURITY_APPARMOR - default "" if DEFAULT_SECURITY_DAC - config LSM string "Ordered list of enabled LSMs" - default "integrity" + default "loadpin,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 48f39631b370..055fb0a64169 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c 
@@ -187,13 +187,19 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), }; -void __init loadpin_add_hooks(void) +static int __init loadpin_init(void) { pr_info("ready to pin (currently %senforcing)\n", enforce ? "" : "not "); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + return 0; } +DEFINE_LSM(loadpin) = { + .name = "loadpin", + .init = loadpin_init, +}; + /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ module_param(enforce, int, 0); MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning"); diff --git a/security/security.c b/security/security.c index 3fac0ff39944..0c092d62cc47 100644 --- a/security/security.c +++ b/security/security.c 
@@ -275,7 +275,6 @@ int __init security_init(void) */ capability_add_hooks(); yama_add_hooks(); - loadpin_add_hooks(); /* Load LSMs in specified order. */ ordered_lsm_init();
From patchwork Mon Nov 26 23:39:45 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699413
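
Review bot: The security/Kconfig hunk (@@ -239,46 +239,9 @@ of the LoadPin patch above) deletes the whole "Default security module" choice and the DEFAULT_SECURITY string and adds selinux, smack, tomoyo and apparmor to the CONFIG_LSM default, none of which the commit message ("This converts LoadPin ...") mentions. That change belongs with the patch that stops reading CONFIG_DEFAULT_SECURITY, or at least needs its own paragraph here. It also changes which major LSM a build ends up with: the removed choice honoured DEFAULT_SECURITY_APPARMOR and the other DEFAULT_SECURITY_* symbols, while the new default string always lists selinux first, so a configuration that builds both SELinux and AppArmor with AppArmor selected as default would get SELinux unless CONFIG_LSM is edited by hand. Deriving the default order from the previous selection would keep existing choices intact.
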
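
Review bot: In security/loadpin/loadpin.c (@@ -187,13 +187,19 @@ of the LoadPin patch above) DEFINE_LSM(loadpin) sets only .name and .init, so LoadPin's hooks are now registered only when "loadpin" appears in the ordered list, whereas the loadpin_add_hooks() call removed from security_init() ran on every CONFIG_SECURITY_LOADPIN build. An order string that omits loadpin therefore drops module/firmware pinning with no error; please state this behaviour change in the commit message and in the Kconfig help for CONFIG_LSM.
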
Subject: [PATCH v5 17/38] Yama: Initialize as ordered LSM
To: James Morris , LSM , LKLM ,
SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:39:45 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This converts Yama from being a direct "minor" LSM into an ordered LSM.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
---
 include/linux/lsm_hooks.h | 5 -----
 security/Kconfig | 2 +-
 security/security.c | 1 -
 security/yama/yama_lsm.c | 8 +++++++-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index b565c0c10269..6cfbd7d78a89 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2087,10 +2087,5 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ extern void __init capability_add_hooks(void); -#ifdef CONFIG_SECURITY_YAMA -extern void __init yama_add_hooks(void); -#else -static inline void __init yama_add_hooks(void) { } -#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index 566d54215cbe..94a71e022b79 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -241,7 +241,7 @@ source security/integrity/Kconfig config LSM string "Ordered list of enabled LSMs" - default "loadpin,integrity,selinux,smack,tomoyo,apparmor" + default "yama,loadpin,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be
diff --git a/security/security.c b/security/security.c index 0c092d62cc47..0c3c66dbf51c 100644 --- a/security/security.c +++ b/security/security.c @@ -274,7 +274,6 @@ int __init security_init(void) * Load minor LSMs, with the capability module always first. */ capability_add_hooks(); - yama_add_hooks(); /* Load LSMs in specified order. */ ordered_lsm_init(); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index ffda91a4a1aa..eb1da1303d2e 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c 
@@ -477,9 +477,15 @@ static void __init yama_init_sysctl(void) static inline void yama_init_sysctl(void) { } #endif /* CONFIG_SYSCTL */ -void __init yama_add_hooks(void) +static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); yama_init_sysctl(); + return 0; } + +DEFINE_LSM(yama) = { + .name = "yama", + .init = yama_init, +};
From patchwork Mon Nov 26 23:40:29 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699419
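
Review bot: The security/security.c hunk (@@ -274,7 +274,6 @@ of the Yama patch above) leaves the comment "Load minor LSMs, with the capability module always first." sitting over a single capability_add_hooks() call, so it no longer describes what follows; reword it to cover capability only. On the security/Kconfig hunk (@@ -241,7 +241,7 @@), prepending "yama" to the default only helps configurations that take the default: a saved CONFIG_LSM string written before this patch has no "yama" entry, and since DEFINE_LSM(yama) is reached only through the ordered list, Yama is then not initialized and nothing fails at build or boot. That deserves a sentence in the commit message.
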
Subject: [PATCH v5 18/38] LSM: Introduce enum lsm_order
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <630a8aa4-67b3-4b83-7feb-ca0cbd15b3ac@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:40:29 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

In preparation for distinguishing the "capability" LSM from other LSMs, it must be ordered first. This introduces LSM_ORDER_MUTABLE for the general LSMs and LSM_ORDER_FIRST for capability. In the future LSM_ORDER_LAST could be added for anything that must run last (e.g. Landlock may use this).

Signed-off-by: Kees Cook
---
 include/linux/lsm_hooks.h | 6 ++++++
 security/security.c | 9 ++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6cfbd7d78a89..83858e3df9e5 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -2042,8 +2042,14 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, #define LSM_FLAG_LEGACY_MAJOR BIT(0) #define LSM_FLAG_EXCLUSIVE BIT(1) +enum lsm_order { + LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ + LSM_ORDER_MUTABLE = 0, +}; + struct lsm_info { const char *name; /* Required. */ + enum lsm_order order; /* Optional: default is LSM_ORDER_MUTABLE */ unsigned long flags; /* Optional: flags describing LSM */ int *enabled; /* Optional: controlled by CONFIG_LSM */ int (*init)(void); /* Required. */ diff --git a/security/security.c b/security/security.c index 0c3c66dbf51c..701507174f40 100644 --- a/security/security.c +++ b/security/security.c @@ -174,6 +174,12 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) struct lsm_info *lsm; char *sep, *name, *next; + /* LSM_ORDER_FIRST is always first. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_FIRST) + append_ordered_lsm(lsm, "first"); + } + /* Process "security=", if given. */ if (chosen_major_lsm) { struct lsm_info *major; 
@@ -202,7 +208,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (strcmp(lsm->name, name) == 0) { + if (lsm->order == LSM_ORDER_MUTABLE && + strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; }
From patchwork Mon Nov 26 23:41:11 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699421
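
Review bot: The LSM_ORDER_FIRST loop added at the top of ordered_lsm_parse() (security/security.c, hunk @@ -174,6 +174,12 @@ of the patch above) appends every lsm_info whose order is LSM_ORDER_FIRST before the order string is looked at, and the only thing limiting that to capability is the enum comment "This is only for capabilities." in lsm_hooks.h. Any later DEFINE_LSM that sets .order = LSM_ORDER_FIRST would be placed ahead of everything else and could not be dropped by leaving it off the list. Enforce the restriction in code (for instance, warn and skip an LSM_ORDER_FIRST entry that is not "capability") or document in lsm_hooks.h that this value bypasses the configured order. With the LSM_ORDER_MUTABLE test added to the name match (@@ -202,7 +208,8 @@), a non-mutable name in the order string now falls through to the "ignored" init_debug() message; the CONFIG_LSM help should say that such names cannot be listed.
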
Subject: [PATCH v5 19/38] capability: Initialize as LSM_ORDER_FIRST
To: James Morris , LSM , LKLM , SE Linux
Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <147e1a0c-3d18-c467-8f5a-6559cfcf818c@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:41:11 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

This converts capabilities to use the new LSM_ORDER_FIRST position.

Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 -- security/commoncap.c | 9 ++++++++- security/security.c | 5 ----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 83858e3df9e5..15fc49ee41a1 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2092,6 +2092,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern void __init capability_add_hooks(void); - #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/commoncap.c b/security/commoncap.c index 18a4fdf6f6eb..ec387535e597 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1363,10 +1363,17 @@ struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory), }; -void __init capability_add_hooks(void) +static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), "capability"); + return 0; } +DEFINE_LSM(capability) = { + .name = "capability", + .order = LSM_ORDER_FIRST, + .init = capability_init, +}; + #endif /* CONFIG_SECURITY */ diff --git a/security/security.c b/security/security.c index 701507174f40..eab64bdc60fb 100644 --- a/security/security.c +++ b/security/security.c 
@@ -277,11 +277,6 @@ int __init security_init(void) i++) INIT_HLIST_HEAD(&list[i]); - /* - * Load minor LSMs, with the capability module always first. - */ - capability_add_hooks(); - /* Load LSMs in specified order. */ ordered_lsm_init(); From patchwork Mon Nov 26 23:41:57 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699427 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 15222181D for ; Mon, 26 Nov 2018 23:42:10 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 049A12A661 for ; Mon, 26 Nov 2018 23:42:10 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E96C22A5D3; Mon, 26 Nov 2018 23:42:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 272CE2A5D3 for ; Mon, 26 Nov 2018 23:42:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727689AbeK0Kh4 (ORCPT ); Tue, 27 Nov 2018 05:37:56 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:46397 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727707AbeK0Kh4 (ORCPT ); Tue, 27 Nov 2018 05:37:56 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543275723; bh=PBT9NIfIFWqve0jgHQc8SqCsASaMC4tLfOD1iemFqzE=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; 
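Review bot: In the security/security.c hunk, deleting the comment "Load minor LSMs, with the capability module always first." together with the explicit capability_add_hooks() call leaves security_init() with no statement of the ordering invariant. After this change capability runs first only because security/commoncap.c sets `.order = LSM_ORDER_FIRST` and ordered_lsm_init() is expected to honour it. Suggest extending the remaining comment above ordered_lsm_init() to say that LSM_ORDER_FIRST entries (capability) are initialized before anything else, and confirming in that function that such an entry cannot be reordered or skipped, since the LSM documentation promises that the capability module is always first.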
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:42:03 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp426.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 8d8cc73ed08030887d0e6a0460ee54dd; Mon, 26 Nov 2018 23:42:00 +0000 (UTC) Subject: [PATCH v5 20/38] procfs: add smack subdir to attrs To: James Morris , LSM , LKLM , SE
Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <996e967a-5b42-8441-d3b9-b82efe6809f8@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:41:57 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP

Back in 2007 I made what turned out to be a rather serious mistake in the implementation of the Smack security module. The SELinux module used an interface in /proc to manipulate the security context on processes. Rather than use a similar interface, I used the same interface. The AppArmor team did likewise. Now /proc/.../attr/current will tell you the security "context" of the process, but it will be different depending on the security module you're using.

This patch provides a subdirectory in /proc/.../attr for Smack. Smack user space can use the "current" file in this subdirectory and never have to worry about getting SELinux attributes by mistake. Programs that use the old interface will continue to work (or fail, as the case may be) as before.

The proposed S.A.R.A security module is dependent on the mechanism to create its own attr subdirectory.

The original implementation is by Kees Cook.

Signed-off-by: Casey Schaufler
Reviewed-by: Kees Cook
Signed-off-by: Kees Cook
--- Documentation/admin-guide/LSM/index.rst | 13 +++++-- fs/proc/base.c | 64 ++++++++++++++++++++++++++++----- fs/proc/internal.h | 1 + include/linux/security.h | 15 +++++--- security/security.c | 24 ++++++++++--- 5 files changed, 96 insertions(+), 21 deletions(-)
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index c980dfe9abf1..9842e21afd4a 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -17,9 +17,8 @@ MAC extensions, other extensions can be built using the LSM to provide specific changes to system operation when these tweaks are not available in the core functionality of Linux itself. -Without a specific LSM built into the kernel, the default LSM will be the -Linux capabilities system. Most LSMs choose to extend the capabilities -system, building their checks on top of the defined capability hooks. +The Linux capabilities modules will always be included. This may be +followed by any number of "minor" modules and at most one "major" module. For more details on capabilities, see ``capabilities(7)`` in the Linux man-pages project. @@ -30,6 +29,14 @@ order in which checks are made. The capability module will always be first, followed by any "minor" modules (e.g. Yama) and then the one "major" module (e.g. SELinux) if there is one configured. +Process attributes associated with "major" security modules should +be accessed and maintained using the special files in ``/proc/.../attr``. +A security module may maintain a module specific subdirectory there, +named after the module. ``/proc/.../attr/smack`` is provided by the Smack +security module and contains all its special files. The files directly +in ``/proc/.../attr`` remain as legacy interfaces for modules that provide +subdirectories. + .. toctree:: :maxdepth: 1 diff --git a/fs/proc/base.c b/fs/proc/base.c index ce3465479447..e133de4897df 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c 
@@ -140,9 +140,13 @@ struct pid_entry { #define REG(NAME, MODE, fops) \ NOD(NAME, (S_IFREG|(MODE)), NULL, &fops, {}) #define ONE(NAME, MODE, show) \ - NOD(NAME, (S_IFREG|(MODE)), \ + NOD(NAME, (S_IFREG|(MODE)), \ NULL, &proc_single_file_operations, \ { .proc_show = show } ) +#define ATTR(LSM, NAME, MODE) \ + NOD(NAME, (S_IFREG|(MODE)), \ + NULL, &proc_pid_attr_operations, \ + { .lsm = LSM }) /* * Count the number of hardlinks for the pid_entry table, excluding the . @@ -2517,7 +2521,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, if (!task) return -ESRCH; - length = security_getprocattr(task, + length = security_getprocattr(task, PROC_I(inode)->op.lsm, (char*)file->f_path.dentry->d_name.name, &p); put_task_struct(task); @@ -2566,7 +2570,9 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, if (rv < 0) goto out_free; - rv = security_setprocattr(file->f_path.dentry->d_name.name, page, count); + rv = security_setprocattr(PROC_I(inode)->op.lsm, + file->f_path.dentry->d_name.name, page, + count); mutex_unlock(¤t->signal->cred_guard_mutex); out_free: kfree(page); 
@@ -2580,13 +2586,53 @@ static const struct file_operations proc_pid_attr_operations = { .llseek = generic_file_llseek, }; +#define LSM_DIR_OPS(LSM) \ +static int proc_##LSM##_attr_dir_iterate(struct file *filp, \ + struct dir_context *ctx) \ +{ \ + return proc_pident_readdir(filp, ctx, \ + LSM##_attr_dir_stuff, \ + ARRAY_SIZE(LSM##_attr_dir_stuff)); \ +} \ +\ +static const struct file_operations proc_##LSM##_attr_dir_ops = { \ + .read = generic_read_dir, \ + .iterate = proc_##LSM##_attr_dir_iterate, \ + .llseek = default_llseek, \ +}; \ +\ +static struct dentry *proc_##LSM##_attr_dir_lookup(struct inode *dir, \ + struct dentry *dentry, unsigned int flags) \ +{ \ + return proc_pident_lookup(dir, dentry, \ + LSM##_attr_dir_stuff, \ + ARRAY_SIZE(LSM##_attr_dir_stuff)); \ +} \ +\ +static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \ + .lookup = proc_##LSM##_attr_dir_lookup, \ + .getattr = pid_getattr, \ + .setattr = proc_setattr, \ +} + +#ifdef CONFIG_SECURITY_SMACK +static const struct pid_entry smack_attr_dir_stuff[] = { + ATTR("smack", "current", 0666), +}; +LSM_DIR_OPS(smack); +#endif + static const struct pid_entry attr_dir_stuff[] = { - REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations), - REG("prev", S_IRUGO, proc_pid_attr_operations), - REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations), - REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations), - REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations), - REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations), + ATTR(NULL, "current", 0666), + ATTR(NULL, "prev", 0444), + ATTR(NULL, "exec", 0666), + ATTR(NULL, "fscreate", 0666), + ATTR(NULL, "keycreate", 0666), + ATTR(NULL, "sockcreate", 0666), +#ifdef CONFIG_SECURITY_SMACK + DIR("smack", 0555, + proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), +#endif }; static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx) 
diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 5185d7f6a51e..d4f9989063d0 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -81,6 +81,7 @@ union proc_op { int (*proc_show)(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task); + const char *lsm; }; struct proc_inode { diff --git a/include/linux/security.h b/include/linux/security.h index d170a5b031f3..35691877c3e1 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -390,8 +390,10 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int cmd); int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops, unsigned nsops, int alter); void security_d_instantiate(struct dentry *dentry, struct inode *inode); -int security_getprocattr(struct task_struct *p, char *name, char **value); -int security_setprocattr(const char *name, void *value, size_t size); +int security_getprocattr(struct task_struct *p, const char *lsm, char *name, + char **value); +int security_setprocattr(const char *lsm, const char *name, void *value, + size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); @@ -1139,15 +1141,18 @@ static inline int security_sem_semop(struct kern_ipc_perm *sma, return 0; } -static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode) +static inline void security_d_instantiate(struct dentry *dentry, + struct inode *inode) { } -static inline int security_getprocattr(struct task_struct *p, char *name, char **value) +static inline int security_getprocattr(struct task_struct *p, const char *lsm, + char *name, char **value) { return -EINVAL; } -static inline int security_setprocattr(char *name, void *value, size_t size) +static inline int security_setprocattr(const char *lsm, char *name, + void *value, size_t size) { return -EINVAL; } 
diff --git a/security/security.c b/security/security.c index eab64bdc60fb..81ff6a71e78e 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1472,14 +1472,30 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode) } EXPORT_SYMBOL(security_d_instantiate); -int security_getprocattr(struct task_struct *p, char *name, char **value) +int security_getprocattr(struct task_struct *p, const char *lsm, char *name, + char **value) { - return call_int_hook(getprocattr, -EINVAL, p, name, value); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + return hp->hook.getprocattr(p, name, value); + } + return -EINVAL; } -int security_setprocattr(const char *name, void *value, size_t size) +int security_setprocattr(const char *lsm, const char *name, void *value, + size_t size) { - return call_int_hook(setprocattr, -EINVAL, name, value, size); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + return hp->hook.setprocattr(name, value, size); + } + return -EINVAL; } int security_netlink_send(struct sock *sk, struct sk_buff *skb) From patchwork Mon Nov 26 23:42:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699433 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BDF77109C for ; Mon, 26 Nov 2018 23:42:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AECAE2A5D3 for ; Mon, 26 Nov 2018 23:42:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A31CC2A66B; Mon, 26 Nov 2018 23:42:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 
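Review bot: In the security/security.c hunk, when `lsm` is NULL (the legacy files directly under /proc/.../attr) both loops return the result of the first entry on the hook list and never consult another module. Which module answers the legacy files therefore depends purely on registration order, and a first module that rejects `name` hides every module after it. Either state in a comment that the legacy files belong to the first registered module, or keep iterating when a hook returns -EINVAL. A short comment on the `lsm != NULL && strcmp(lsm, hp->lsm)` test would also help, because the inverted strcmp() sense is easy to misread.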
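Review bot: In the include/linux/security.h hunk, the static inline stub is declared `security_setprocattr(const char *lsm, char *name, ...)` while the real prototype earlier in the same hunk takes `const char *name`; the two signatures should match, so make the stub's `name` const as well. The hunk also adds `const` only to the new `lsm` argument of security_getprocattr() and leaves `char *name`, which is why proc_pid_attr_read() in fs/proc/base.c still needs the `(char*)` cast on d_name.name; constifying `name` here would let that cast go. The re-wrapping of the security_d_instantiate() stub is unrelated to this change and is better left out.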
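Review bot: In the fs/proc/internal.h hunk, `const char *lsm` is added to union proc_op without a comment, while proc_pid_attr_read() and proc_pid_attr_write() now read `PROC_I(inode)->op.lsm` unconditionally. That is only valid for entries built with ATTR(); an entry wired to proc_pid_attr_operations through a macro that fills a different union member would have that member interpreted as a string pointer and handed to strcmp(). Add a comment on the member saying it is set by ATTR() only and that NULL selects the legacy lookup.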
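Review bot: In the Documentation/admin-guide/LSM/index.rst hunk, "The Linux capabilities modules will always be included" should read "module", and the new paragraph says ``/proc/.../attr/smack`` "contains all its special files" while smack_attr_dir_stuff in fs/proc/base.c registers only `current`. If `current` is the only attribute Smack implements, say so explicitly in the text; otherwise add the missing entries to the table.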
tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BE0CF2A660 for ; Mon, 26 Nov 2018 23:42:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727646AbeK0Kim (ORCPT ); Tue, 27 Nov 2018 05:38:42 -0500 Received: from sonic302-28.consmr.mail.ne1.yahoo.com ([66.163.186.154]:39292 "EHLO sonic302-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727725AbeK0Kil (ORCPT ); Tue, 27 Nov 2018 05:38:41 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543275768; bh=ynlFBU/OJkeApIeJxkFCkcN4bhspcm3eSha5ckjlfaw=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject;
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:42:48 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp405.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID af3255a040c4ce8a37c0a3ecf478d867; Mon, 26 Nov 2018 23:42:47 +0000 (UTC) Subject: [PATCH v5 21/38] Smack: Abstract use of cred security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:42:44 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series]
Signed-off-by: Kees Cook --- security/smack/smack.h | 17 ++++++++++--- security/smack/smack_access.c | 4 +-- security/smack/smack_lsm.c | 57 +++++++++++++++++++++---------------------- security/smack/smackfs.c | 18 +++++++------- 4 files changed, 53 insertions(+), 43 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index f7db791fb566..01a922856eba 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -356,6 +356,11 @@ extern struct list_head smack_onlycap_list; #define SMACK_HASH_SLOTS 16 extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; +static inline struct task_smack *smack_cred(const struct cred *cred) +{ + return cred->security; +} + /* * Is the directory transmuting? */ @@ -382,13 +387,19 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp) return tsp->smk_task; } -static inline struct smack_known *smk_of_task_struct(const struct task_struct *t) +static inline struct smack_known *smk_of_task_struct( + const struct task_struct *t) { struct smack_known *skp; + const struct cred *cred; rcu_read_lock(); - skp = smk_of_task(__task_cred(t)->security); + + cred = __task_cred(t); + skp = smk_of_task(smack_cred(cred)); + rcu_read_unlock(); + return skp; } @@ -405,7 +416,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp) */ static inline struct smack_known *smk_of_current(void) { - return smk_of_task(current_security()); + return smk_of_task(smack_cred(current_cred())); } /* diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 9a4c0ad46518..489d49a20b47 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c 
@@ -275,7 +275,7 @@ int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, int smk_curacc(struct smack_known *obj_known, u32 mode, struct smk_audit_info *a) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_tskacc(tsp, obj_known, mode, a); } @@ -635,7 +635,7 @@ DEFINE_MUTEX(smack_onlycap_lock); */ bool smack_privileged_cred(int cap, const struct cred *cred) { - struct task_smack *tsp = cred->security; + struct task_smack *tsp = smack_cred(cred); struct smack_known *skp = tsp->smk_task; struct smack_known_list_elem *sklep; int rc; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 849426ac6a6c..f34117b8c3be 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -122,7 +122,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp, static int smk_bu_current(char *note, struct smack_known *oskp, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (rc <= 0) @@ -143,7 +143,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp, #ifdef CONFIG_SECURITY_SMACK_BRINGUP static int smk_bu_task(struct task_struct *otp, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *smk_task = smk_of_task_struct(otp); char acc[SMK_NUM_ACCESS_TYPE + 1]; @@ -165,7 +165,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc) #ifdef CONFIG_SECURITY_SMACK_BRINGUP static int smk_bu_inode(struct inode *inode, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct inode_smack *isp = inode->i_security; char acc[SMK_NUM_ACCESS_TYPE + 1]; 
@@ -195,7 +195,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc) #ifdef CONFIG_SECURITY_SMACK_BRINGUP static int smk_bu_file(struct file *file, int mode, int rc) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); struct inode_smack *isp = inode->i_security; @@ -225,7 +225,7 @@ static int smk_bu_file(struct file *file, int mode, int rc) static int smk_bu_credfile(const struct cred *cred, struct file *file, int mode, int rc) { - struct task_smack *tsp = cred->security; + struct task_smack *tsp = smack_cred(cred); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); struct inode_smack *isp = inode->i_security; @@ -431,7 +431,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, rcu_read_lock(); tracercred = __task_cred(tracer); - tsp = tracercred->security; + tsp = smack_cred(tracercred); tracer_known = smk_of_task(tsp); if ((mode & PTRACE_MODE_ATTACH) && @@ -498,7 +498,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) int rc; struct smack_known *skp; - skp = smk_of_task(current_security()); + skp = smk_of_task(smack_cred(current_cred())); rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); return rc; @@ -915,7 +915,7 @@ static int smack_sb_statfs(struct dentry *dentry) static int smack_bprm_set_creds(struct linux_binprm *bprm) { struct inode *inode = file_inode(bprm->file); - struct task_smack *bsp = bprm->cred->security; + struct task_smack *bsp = smack_cred(bprm->cred); struct inode_smack *isp; struct superblock_smack *sbsp; int rc; @@ -1746,7 +1746,7 @@ static int smack_mmap_file(struct file *file, return -EACCES; mkp = isp->smk_mmap; - tsp = current_security(); + tsp = smack_cred(current_cred()); skp = smk_of_current(); rc = 0; 
@@ -1842,7 +1842,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { struct smack_known *skp; - struct smack_known *tkp = smk_of_task(tsk->cred->security); + struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); const struct cred *tcred; struct file *file; int rc; @@ -1895,7 +1895,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); ssp = sock->sk->sk_security; - tsp = current_security(); + tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the * passed socket or if the passed socket can't @@ -1937,7 +1937,7 @@ static int smack_file_receive(struct file *file) */ static int smack_file_open(struct file *file) { - struct task_smack *tsp = file->f_cred->security; + struct task_smack *tsp = smack_cred(file->f_cred); struct inode *inode = file_inode(file); struct smk_audit_info ad; int rc; @@ -1984,7 +1984,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) */ static void smack_cred_free(struct cred *cred) { - struct task_smack *tsp = cred->security; + struct task_smack *tsp = smack_cred(cred); struct smack_rule *rp; struct list_head *l; struct list_head *n; @@ -2014,7 +2014,7 @@ static void smack_cred_free(struct cred *cred) static int smack_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - struct task_smack *old_tsp = old->security; + struct task_smack *old_tsp = smack_cred(old); struct task_smack *new_tsp; int rc; 
@@ -2045,15 +2045,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, */ static void smack_cred_transfer(struct cred *new, const struct cred *old) { - struct task_smack *old_tsp = old->security; - struct task_smack *new_tsp = new->security; + struct task_smack *old_tsp = smack_cred(old); + struct task_smack *new_tsp = smack_cred(new); new_tsp->smk_task = old_tsp->smk_task; new_tsp->smk_forked = old_tsp->smk_task; mutex_init(&new_tsp->smk_rules_lock); INIT_LIST_HEAD(&new_tsp->smk_rules); - /* cbs copy rule list */ } @@ -2064,12 +2063,12 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) * * Sets the secid to contain a u32 version of the smack label. */ -static void smack_cred_getsecid(const struct cred *c, u32 *secid) +static void smack_cred_getsecid(const struct cred *cred, u32 *secid) { struct smack_known *skp; rcu_read_lock(); - skp = smk_of_task(c->security); + skp = smk_of_task(smack_cred(cred)); *secid = skp->smk_secid; rcu_read_unlock(); } @@ -2083,7 +2082,7 @@ static void smack_cred_getsecid(const struct cred *c, u32 *secid) */ static int smack_kernel_act_as(struct cred *new, u32 secid) { - struct task_smack *new_tsp = new->security; + struct task_smack *new_tsp = smack_cred(new); new_tsp->smk_task = smack_from_secid(secid); return 0; @@ -2101,7 +2100,7 @@ static int smack_kernel_create_files_as(struct cred *new, struct inode *inode) { struct inode_smack *isp = inode->i_security; - struct task_smack *tsp = new->security; + struct task_smack *tsp = smack_cred(new); tsp->smk_forked = isp->smk_inode; tsp->smk_task = tsp->smk_forked; 
@@ -2285,7 +2284,7 @@ static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, * specific behavior. This is not clean. For one thing * we can't take privilege into account. */ - skp = smk_of_task(cred->security); + skp = smk_of_task(smack_cred(cred)); rc = smk_access(skp, tkp, MAY_DELIVER, &ad); rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); return rc; @@ -3612,7 +3611,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) */ static int smack_setprocattr(const char *name, void *value, size_t size) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); struct cred *new; struct smack_known *skp; struct smack_known_list_elem *sklep; @@ -3653,7 +3652,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size) if (new == NULL) return -ENOMEM; - tsp = new->security; + tsp = smack_cred(new); tsp->smk_task = skp; /* * process can change its label only once @@ -4298,7 +4297,7 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - struct smack_known *skp = smk_of_task(cred->security); + struct smack_known *skp = smk_of_task(smack_cred(cred)); key->security = skp; return 0; @@ -4329,7 +4328,7 @@ static int smack_key_permission(key_ref_t key_ref, { struct key *keyp; struct smk_audit_info ad; - struct smack_known *tkp = smk_of_task(cred->security); + struct smack_known *tkp = smk_of_task(smack_cred(cred)); int request = 0; int rc; @@ -4598,7 +4597,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) return -ENOMEM; } - tsp = new_creds->security; + tsp = smack_cred(new_creds); /* * Get label from overlay inode and set it in create_sid 
@@ -4626,8 +4625,8 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, const struct cred *old, struct cred *new) { - struct task_smack *otsp = old->security; - struct task_smack *ntsp = new->security; + struct task_smack *otsp = smack_cred(old); + struct task_smack *ntsp = smack_cred(new); struct inode_smack *isp; int may; diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 06b517075ec0..faf2ea3968b3 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = { static void *load_self_seq_start(struct seq_file *s, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_start(s, pos, &tsp->smk_rules); } static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_next(s, v, pos, &tsp->smk_rules); } @@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file) static ssize_t smk_write_load_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, &tsp->smk_rules_lock, SMK_FIXED24_FMT); @@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = { static void *load_self2_seq_start(struct seq_file *s, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_start(s, pos, &tsp->smk_rules); } static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_next(s, v, pos, &tsp->smk_rules); } 
@@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file) static ssize_t smk_write_load_self2(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, &tsp->smk_rules_lock, SMK_LONG_FMT); @@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = { static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_start(s, pos, &tsp->smk_relabel); } static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); return smk_seq_next(s, v, pos, &tsp->smk_relabel); } 
@@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = smack_cred(current_cred()); char *data; int rc; LIST_HEAD(list_tmp); From patchwork Mon Nov 26 23:43:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699437 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 052FF1869 for ; Mon, 26 Nov 2018 23:43:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E53F9286AC for ; Mon, 26 Nov 2018 23:43:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D97A228711; Mon, 26 Nov 2018 23:43:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 28157286E2 for ; Mon, 26 Nov 2018 23:43:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727536AbeK0Kj1 (ORCPT ); Tue, 27 Nov 2018 05:39:27 -0500 Received: from sonic302-28.consmr.mail.ne1.yahoo.com ([66.163.186.154]:33953 "EHLO sonic302-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727725AbeK0Kj0 (ORCPT ); Tue, 27 Nov 2018 05:39:26 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543275814; bh=2uARvLb1q2zznR0LcReH3B1TK7Gvxnoz0sP/IEti4Co=; 
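Review bot: In the smack_file_send_sigiotask() hunk of security/smack/smack_lsm.c, the converted initializer `smk_of_task(smack_cred(tsk->cred))` still dereferences tsk->cred directly in the declaration, before any rcu_read_lock() can have been taken, whereas smk_of_task_struct() in smack.h reads another task's credentials through __task_cred() inside an RCU read-side section. Since this line is being rewritten anyway, use smk_of_task_struct(tsk) here so the lookup follows the same locking as the helper.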
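Review bot: In the security/smack/smack.h hunk, smack_cred() is added without a comment and returns a writable `struct task_smack *` from a `const struct cred *`. Add a one-line comment stating that all access to the Smack cred blob goes through this helper and that the returned blob is writable even when the cred is const, so later changes to where the blob lives have a single documented place to touch. The blank lines added inside smk_of_task_struct() around the RCU section are unrelated whitespace and can be dropped.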
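Review bot: In the smack_cred_getsecid() hunk of security/smack/smack_lsm.c, the parameter is renamed from `c` to `cred`, which is not needed to introduce the helper and is not mentioned in the commit message. If the rename stays, check that the kernel-doc block above the function names the same parameter; otherwise keep `c` and change only the `->security` access.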
h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:43:34 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp404.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 9e458e4f214f6e0156b0d8fc322fb9a6; Mon, 26 Nov 2018 23:43:33 +0000 (UTC) Subject: [PATCH v5 22/38] 
SELinux: Abstract use of cred security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <01fc2b8c-d924-4752-9974-e08527e31b47@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:43:30 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- security/selinux/hooks.c | 54 +++++++++++++++++++-------------------- security/selinux/include/objsec.h | 5 ++++ security/selinux/xfrm.c | 4 +-- 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index edd5b8dd3e56..24b6b459fa2a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -225,7 +225,7 @@ static inline u32 cred_sid(const struct cred *cred) { const struct task_security_struct *tsec; - tsec = cred->security; + tsec = selinux_cred(cred); return tsec->sid; } @@ -461,7 +461,7 @@ static int may_context_mount_sb_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = selinux_cred(cred); int rc; rc = avc_has_perm(&selinux_state, 
@@ -480,7 +480,7 @@ static int may_context_mount_inode_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct task_security_struct *tsec = cred->security; + const struct task_security_struct *tsec = selinux_cred(cred); int rc; rc = avc_has_perm(&selinux_state, tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, @@ -1951,7 +1951,7 @@ static int may_create(struct inode *dir, struct dentry *dentry, u16 tclass) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; u32 sid, newsid; @@ -1973,7 +1973,7 @@ static int may_create(struct inode *dir, if (rc) return rc; - rc = selinux_determine_inode_label(current_security(), dir, + rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir, &dentry->d_name, tclass, &newsid); if (rc) return rc; @@ -2480,8 +2480,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) if (bprm->called_set_creds) return 0; - old_tsec = current_security(); - new_tsec = bprm->cred->security; + old_tsec = selinux_cred(current_cred()); + new_tsec = selinux_cred(bprm->cred); isec = inode_security(inode); /* Default to the current task SID. */ @@ -2645,7 +2645,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) struct rlimit *rlim, *initrlim; int rc, i; - new_tsec = bprm->cred->security; + new_tsec = selinux_cred(bprm->cred); if (new_tsec->sid == new_tsec->osid) return; @@ -2688,7 +2688,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) */ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct itimerval itimer; u32 osid, sid; int rc, i; 
@@ -2991,7 +2991,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, u32 newsid; int rc; - rc = selinux_determine_inode_label(current_security(), + rc = selinux_determine_inode_label(selinux_cred(current_cred()), d_inode(dentry->d_parent), name, inode_mode_to_security_class(mode), &newsid); @@ -3011,14 +3011,14 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, int rc; struct task_security_struct *tsec; - rc = selinux_determine_inode_label(old->security, + rc = selinux_determine_inode_label(selinux_cred(old), d_inode(dentry->d_parent), name, inode_mode_to_security_class(mode), &newsid); if (rc) return rc; - tsec = new->security; + tsec = selinux_cred(new); tsec->create_sid = newsid; return 0; } @@ -3028,7 +3028,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, const char **name, void **value, size_t *len) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct superblock_security_struct *sbsec; u32 newsid, clen; int rc; @@ -3038,7 +3038,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, newsid = tsec->create_sid; - rc = selinux_determine_inode_label(current_security(), + rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir, qstr, inode_mode_to_security_class(inode->i_mode), &newsid); @@ -3500,7 +3500,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) return -ENOMEM; } - tsec = new_creds->security; + tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ selinux_inode_getsecid(d_inode(src), &sid); tsec->create_sid = sid; 
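Review bot: selinux_inode_init_security() fetches the blob twice (hunks @@ -3028 and @@ -3038): `tsec` is already initialised from selinux_cred(current_cred()), yet the selinux_determine_inode_label() call repeats selinux_cred(current_cred()) as its first argument. Passing `tsec` there keeps both uses on one lookup and shortens the line; may_create() has the same pair of calls.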
@@ -3920,7 +3920,7 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) */ static void selinux_cred_free(struct cred *cred) { - struct task_security_struct *tsec = cred->security; + struct task_security_struct *tsec = selinux_cred(cred); /* * cred->security == NULL if security_cred_alloc_blank() or @@ -3940,7 +3940,7 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, const struct task_security_struct *old_tsec; struct task_security_struct *tsec; - old_tsec = old->security; + old_tsec = selinux_cred(old); tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); if (!tsec) @@ -3955,8 +3955,8 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, */ static void selinux_cred_transfer(struct cred *new, const struct cred *old) { - const struct task_security_struct *old_tsec = old->security; - struct task_security_struct *tsec = new->security; + const struct task_security_struct *old_tsec = selinux_cred(old); + struct task_security_struct *tsec = selinux_cred(new); *tsec = *old_tsec; } @@ -3972,7 +3972,7 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) */ static int selinux_kernel_act_as(struct cred *new, u32 secid) { - struct task_security_struct *tsec = new->security; + struct task_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; @@ -3997,7 +3997,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) { struct inode_security_struct *isec = inode_security(inode); - struct task_security_struct *tsec = new->security; + struct task_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; 
@@ -4546,7 +4546,7 @@ static int sock_has_perm(struct sock *sk, u32 perms) static int selinux_socket_create(int family, int type, int protocol, int kern) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); u32 newsid; u16 secclass; int rc; @@ -4566,7 +4566,7 @@ static int selinux_socket_create(int family, int type, static int selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); struct sk_security_struct *sksec; u16 sclass = socket_type_to_security_class(family, type, protocol); @@ -5444,7 +5444,7 @@ static int selinux_secmark_relabel_packet(u32 sid) const struct task_security_struct *__tsec; u32 tsid; - __tsec = current_security(); + __tsec = selinux_cred(current_cred()); tsid = __tsec->sid; return avc_has_perm(&selinux_state, @@ -6381,7 +6381,7 @@ static int selinux_getprocattr(struct task_struct *p, unsigned len; rcu_read_lock(); - __tsec = __task_cred(p)->security; + __tsec = selinux_cred(__task_cred(p)); if (current != p) { error = avc_has_perm(&selinux_state, @@ -6504,7 +6504,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) operation. See selinux_bprm_set_creds for the execve checks and may_create for the file creation checks. The operation will then fail if the context is not permitted. */ - tsec = new->security; + tsec = selinux_cred(new); if (!strcmp(name, "exec")) { tsec->exec_sid = sid; } else if (!strcmp(name, "fscreate")) { @@ -6633,7 +6633,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, if (!ksec) return -ENOMEM; - tsec = cred->security; + tsec = selinux_cred(cred); if (tsec->keycreate_sid) ksec->sid = tsec->keycreate_sid; else 
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index cc5e26b0161b..734b6833bdff 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -158,4 +158,9 @@ struct bpf_security_struct { u32 sid; /*SID of bpf obj creater*/ }; +static inline struct task_security_struct *selinux_cred(const struct cred *cred) +{ + return cred->security; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 91dc3783ed94..8ffe7e1053c4 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -79,7 +79,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, gfp_t gfp) { int rc; - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); struct xfrm_sec_ctx *ctx = NULL; u32 str_len; 
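Review bot: selinux_cred() in the objsec.h hunk drops constness without saying so: it takes a const struct cred * and returns a non-const struct task_security_struct *, so callers that only hold a const cred, such as cred_sid() and selinux_key_alloc(), get a writable blob. The helper also has no comment at all. Please add a short comment above it stating that it is the only sanctioned way to reach the blob and that writers must own the cred, as selinux_cred_transfer() and selinux_setprocattr() do.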
@@ -138,7 +138,7 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) */ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = selinux_cred(current_cred()); if (!ctx) return 0; From patchwork Mon Nov 26 23:44:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699441 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4B3A81869 for ; Mon, 26 Nov 2018 23:44:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 39A0829860 for ; Mon, 26 Nov 2018 23:44:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2D4512A1A4; Mon, 26 Nov 2018 23:44:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CABA22A660 for ; Mon, 26 Nov 2018 23:44:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726448AbeK0KkL (ORCPT ); Tue, 27 Nov 2018 05:40:11 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:38095 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726888AbeK0KkL (ORCPT ); Tue, 27 Nov 2018 05:40:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543275860; bh=yzS41n1rCVRHChOBSSjNfES4FV7tKjQHrZu9+D9erQU=; 
h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:44:20 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp402.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 20db7ce71dffaa24efe91d4689b48987; Mon, 26 Nov 2018 23:44:19 +0000 (UTC) Subject: [PATCH v5 23/38] 
SELinux: Remove cred security blob poisoning To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <80666d37-ea25-1b25-5108-426ebbc384ce@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:44:17 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The SELinux specific credential poisoning only makes sense if SELinux is managing the credentials. As the intent of this patch set is to move the blob management out of the modules and into the infrastructure, the SELinux specific code has to go. The poisoning could be introduced into the infrastructure at some later date. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- kernel/cred.c | 13 ------------- security/selinux/hooks.c | 6 ------ 2 files changed, 19 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index ecf03657e71c..fa2061ee4955 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred) { if (cred->magic != CRED_MAGIC) return true; -#ifdef CONFIG_SECURITY_SELINUX - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - if (selinux_is_enabled() && cred->security) { - if ((unsigned long) cred->security < PAGE_SIZE) - return true; - if ((*(u32 *)cred->security & 0xffffff00) == - (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)) - return true; - } -#endif return false; } EXPORT_SYMBOL(creds_are_invalid); 
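Review bot: creds_are_invalid() loses its only detection of a freed or bogus security blob in this hunk (the cred->security < PAGE_SIZE test and the POISON_FREE pattern check on its first word), and nothing in this patch replaces it; what remains is the cred->magic comparison. The commit message defers a generic check to "some later date". Please name the patch in the series that is expected to carry it, or add the infrastructure-level check together with the infrastructure-managed blob so the debugging coverage does not lapse in between.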
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 24b6b459fa2a..41b230d459a6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3922,12 +3922,6 @@ static void selinux_cred_free(struct cred *cred) { struct task_security_struct *tsec = selinux_cred(cred); - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); - cred->security = (void *) 0x7UL; kfree(tsec); } From patchwork Mon Nov 26 23:45:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699463 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 744B01869 for ; Mon, 26 Nov 2018 23:49:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6516C2A579 for ; Mon, 26 Nov 2018 23:49:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 596012A66E; Mon, 26 Nov 2018 23:49:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB1E02A667 for ; Mon, 26 Nov 2018 23:49:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727974AbeK0KpB (ORCPT ); Tue, 27 Nov 2018 05:45:01 -0500 Received: from sonic309-48.consmr.mail.ne1.yahoo.com ([66.163.184.174]:33705 "EHLO sonic309-48.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727958AbeK0KpB (ORCPT ); Tue, 27 Nov 2018 05:45:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276149; 
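Review bot: selinux_cred_free() now leaves cred->security pointing at freed memory. With `cred->security = (void *) 0x7UL;` removed, the function body is reduced to the selinux_cred(cred) lookup followed by kfree(tsec), and nothing resets the pointer. Dropping the BUG_ON and the 0x7 poison value is consistent with the commit message, but unless the caller clears the field after the hook returns, please set cred->security to NULL after the kfree() so a later selinux_cred() on this cred cannot return the released task_security_struct.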
bh=mOH1jMGSjEQ/xFrT6GtLpC/r3huR+zGxEWp8FnuIDGw=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:49:09 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp405.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 5288dd96c25f63a0964f292e22c42e02; Mon, 26 Nov 2018 23:45:08 +0000 (UTC) Subject: [PATCH v5 24/38] SELinux: Remove unused selinux_is_enabled To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <8b7b3c7e-acd1-cd0f-95a3-02f09bfbfc96@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:45:05 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP There are no longer users of selinux_is_enabled(). Remove it. As selinux_is_enabled() is the only reason for include/linux/selinux.h remove that as well. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook 
Signed-off-by: Kees Cook --- include/linux/cred.h | 1 - include/linux/selinux.h | 35 ----------------------------------- security/selinux/Makefile | 2 +- security/selinux/exports.c | 23 ----------------------- security/selinux/hooks.c | 1 - security/selinux/include/audit.h | 3 --- security/selinux/ss/services.c | 1 - 7 files changed, 1 insertion(+), 65 deletions(-) delete mode 100644 include/linux/selinux.h delete mode 100644 security/selinux/exports.c diff --git a/include/linux/cred.h b/include/linux/cred.h index 7eed6101c791..2e715e202e6a 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include diff --git a/include/linux/selinux.h b/include/linux/selinux.h deleted file mode 100644 index 44f459612690..000000000000 --- a/include/linux/selinux.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * SELinux services exported to the rest of the kernel. - * - * Author: James Morris - * - * Copyright (C) 2005 Red Hat, Inc., James Morris - * Copyright (C) 2006 Trusted Computer Solutions, Inc. - * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#ifndef _LINUX_SELINUX_H -#define _LINUX_SELINUX_H - -struct selinux_audit_rule; -struct audit_context; -struct kern_ipc_perm; - -#ifdef CONFIG_SECURITY_SELINUX - -/** - * selinux_is_enabled - is SELinux enabled? - */ -bool selinux_is_enabled(void); -#else - -static inline bool selinux_is_enabled(void) -{ - return false; -} -#endif /* CONFIG_SECURITY_SELINUX */ - -#endif /* _LINUX_SELINUX_H */ diff --git a/security/selinux/Makefile b/security/selinux/Makefile index c7161f8792b2..ccf950409384 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile 
@@ -6,7 +6,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ - netnode.o netport.o ibpkey.o exports.o \ + netnode.o netport.o ibpkey.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o diff --git a/security/selinux/exports.c b/security/selinux/exports.c deleted file mode 100644 index e75dd94e2d2b..000000000000 --- a/security/selinux/exports.c +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SELinux services exported to the rest of the kernel. - * - * Author: James Morris - * - * Copyright (C) 2005 Red Hat, Inc., James Morris - * Copyright (C) 2006 Trusted Computer Solutions, Inc. - * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include -#include - -#include "security.h" - -bool selinux_is_enabled(void) -{ - return selinux_enabled; -} -EXPORT_SYMBOL_GPL(selinux_is_enabled); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 41b230d459a6..c82f11270de6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -79,7 +79,6 @@ #include #include #include -#include #include #include #include diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 1bdf973433cc..36e1d44c0209 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -1,9 +1,6 @@ /* * SELinux support for the Audit LSM hooks * - * Most of below header was moved from include/linux/selinux.h which - * is released under below copyrights: - * * Author: James Morris * * Copyright (C) 2005 Red Hat, Inc., James Morris diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 12e414394530..1a745e2f49a9 100644 --- a/security/selinux/ss/services.c 
+++ b/security/selinux/ss/services.c 
@@ -49,7 +49,6 @@ #include #include #include -#include #include #include #include From patchwork Mon Nov 26 23:45:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699445 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 420411869 for ; Mon, 26 Nov 2018 23:46:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 32CAC2A660 for ; Mon, 26 Nov 2018 23:46:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 26E412A665; Mon, 26 Nov 2018 23:46:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A534C2A661 for ; Mon, 26 Nov 2018 23:45:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727637AbeK0Klr (ORCPT ); Tue, 27 Nov 2018 05:41:47 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:39412 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727647AbeK0Klq (ORCPT ); Tue, 27 Nov 2018 05:41:46 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543275955; bh=OVmMPLMFIEQe7/xmXls0TKHgNoRAVpp7J85y53TwffI=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; 
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:45:55 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp428.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 80261e733d22cdb6cef6e5fb85907676; Mon, 26 Nov 2018 23:45:53 +0000 (UTC) Subject: [PATCH v5 25/38] AppArmor: Abstract use of cred security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <4292905c-9e49-adb7-9bda-4aa739163d7b@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:45:51 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] 
Signed-off-by: Kees Cook --- security/apparmor/domain.c | 2 +- security/apparmor/include/cred.h | 16 +++++++++++++++- security/apparmor/lsm.c | 10 +++++----- security/apparmor/task.c | 6 +++--- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 08c88de0ffda..726910bba84b 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -975,7 +975,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) } aa_put_label(cred_label(bprm->cred)); /* transfer reference, released when cred is freed */ - cred_label(bprm->cred) = new; + set_cred_label(bprm->cred, new); done: aa_put_label(label); diff --git a/security/apparmor/include/cred.h b/security/apparmor/include/cred.h index 265ae6641a06..a757370f2a0c 100644 --- a/security/apparmor/include/cred.h +++ b/security/apparmor/include/cred.h @@ -23,8 +23,22 @@ #include "policy_ns.h" #include "task.h" -#define cred_label(X) ((X)->security) +static inline struct aa_label *cred_label(const struct cred *cred) +{ + struct aa_label **blob = cred->security; + + AA_BUG(!blob); + return *blob; +} +static inline void set_cred_label(const struct cred *cred, + struct aa_label *label) +{ + struct aa_label **blob = cred->security; + + AA_BUG(!blob); + *blob = label; +} /** * aa_cred_raw_label - obtain cred's label diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e8b40008d58c..803ec0a63d87 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -59,7 +59,7 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers); static void apparmor_cred_free(struct cred *cred) { aa_put_label(cred_label(cred)); - cred_label(cred) = NULL; + set_cred_label(cred, NULL); } /* @@ -67,7 +67,7 @@ static void apparmor_cred_free(struct cred *cred) */ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) { - cred_label(cred) = NULL; + set_cred_label(cred, NULL); return 0; } 
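Review bot: No hunk in this patch allocates the storage that the new cred_label() and set_cred_label() dereference. The cred.h hunk changes cred->security from being the label pointer itself (the old `#define cred_label(X) ((X)->security)`) to being a pointer to a slot that holds the label, so apparmor_cred_alloc_blank() and set_init_ctx() now either trip AA_BUG(!blob) or write through whatever cred->security currently contains. Please confirm that an earlier patch in the series already provides that slot; otherwise this patch does not stand on its own for bisection. Separately, set_cred_label() takes a const struct cred * yet stores through the blob, which deserves a comment explaining why that is acceptable.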
@@ -77,7 +77,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) static int apparmor_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - cred_label(new) = aa_get_newest_label(cred_label(old)); + set_cred_label(new, aa_get_newest_label(cred_label(old))); return 0; } @@ -86,7 +86,7 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old, */ static void apparmor_cred_transfer(struct cred *new, const struct cred *old) { - cred_label(new) = aa_get_newest_label(cred_label(old)); + set_cred_label(new, aa_get_newest_label(cred_label(old))); } static void apparmor_task_free(struct task_struct *task) @@ -1484,7 +1484,7 @@ static int __init set_init_ctx(void) if (!ctx) return -ENOMEM; - cred_label(cred) = aa_get_label(ns_unconfined(root_ns)); + set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); task_ctx(current) = ctx; return 0; diff --git a/security/apparmor/task.c b/security/apparmor/task.c index c6b78a14da91..4551110f0496 100644 --- a/security/apparmor/task.c +++ b/security/apparmor/task.c @@ -81,7 +81,7 @@ int aa_replace_current_label(struct aa_label *label) */ aa_get_label(label); aa_put_label(cred_label(new)); - cred_label(new) = label; + set_cred_label(new, label); commit_creds(new); return 0; @@ -138,7 +138,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token) return -EACCES; } - cred_label(new) = aa_get_newest_label(label); + set_cred_label(new, aa_get_newest_label(label)); /* clear exec on switching context */ aa_put_label(ctx->onexec); ctx->onexec = NULL; 
@@ -172,7 +172,7 @@ int aa_restore_previous_label(u64 token) return -ENOMEM; aa_put_label(cred_label(new)); - cred_label(new) = aa_get_newest_label(ctx->previous); + set_cred_label(new, aa_get_newest_label(ctx->previous)); AA_BUG(!cred_label(new)); /* clear exec && prev information when restoring to previous context */ aa_clear_task_ctx_trans(ctx); From patchwork Mon Nov 26 23:46:41 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699447 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 455EA17D5 for ; Mon, 26 Nov 2018 23:46:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 302CE2A660 for ; Mon, 26 Nov 2018 23:46:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2024C2A665; Mon, 26 Nov 2018 23:46:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 401052A660 for ; Mon, 26 Nov 2018 23:46:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727773AbeK0Kmh (ORCPT ); Tue, 27 Nov 2018 05:42:37 -0500 Received: from sonic304-28.consmr.mail.ne1.yahoo.com ([66.163.191.154]:35182 "EHLO sonic304-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727615AbeK0Kmh (ORCPT ); Tue, 27 Nov 2018 05:42:37 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276005; bh=qNf9MfBwO3Sxe+oX3dUWwfB5aAArEZsPKtpkBR2iPAk=; 
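Review bot: In the security/apparmor/include/cred.h hunk of [PATCH v5 25/38], cred_label() and set_cred_label() assign cred->security to a "struct aa_label **blob" and dereference it, but nothing in this patch allocates storage for cred->security to point at, so the set_cred_label(cred, NULL) call in apparmor_cred_alloc_blank() runs into AA_BUG(!blob) on a cred whose security field is still NULL. The macro being removed kept the label in the field itself. To stay behaviour-preserving and bisectable until 27/38 adds lsm_cred_alloc(), take the address of the field here, the way the TOMOYO patch (26/38) does with "(struct tomoyo_domain_info **)&cred->security". A one-line comment on set_cred_label() explaining that it writes the blob and not the const cred would also help.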
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:46:45 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp404.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 5bad0e564cced4e88587d425b3fcea34; Mon, 26 Nov 2018 23:46:43 +0000 (UTC) Subject: [PATCH v5 26/38] 
TOMOYO: Abstract use of cred security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <2ba69559-bb0a-a87a-d829-1e43012074b6@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:46:41 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the cred->security pointer directly. Provide helper functions that provide the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- security/tomoyo/common.h | 21 +++++++++++++++++++-- security/tomoyo/domain.c | 4 +++- security/tomoyo/securityfs_if.c | 15 +++++++++++---- security/tomoyo/tomoyo.c | 40 +++++++++++++++++++++++++++++++--------- 4 files changed, 64 insertions(+), 16 deletions(-) diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 539bcdd30bb8..41898613d93b 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -1062,6 +1063,7 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, /********** External variable definitions. **********/ extern bool tomoyo_policy_loaded; +extern int tomoyo_enabled; extern const char * const tomoyo_condition_keyword [TOMOYO_MAX_CONDITION_KEYWORD]; extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; 
@@ -1196,6 +1198,17 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) atomic_dec(&group->head.users); } +/** + * tomoyo_cred - Get a pointer to the tomoyo cred security blob + * @cred - the relevant cred + * + * Returns pointer to the tomoyo cred blob. + */ +static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred) +{ + return (struct tomoyo_domain_info **)&cred->security; +} + /** * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread. * @@ -1203,7 +1216,9 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) */ static inline struct tomoyo_domain_info *tomoyo_domain(void) { - return current_cred()->security; + struct tomoyo_domain_info **blob = tomoyo_cred(current_cred()); + + return *blob; } /** @@ -1216,7 +1231,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void) static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct *task) { - return task_cred_xxx(task, security); + struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task)); + + return *blob; } /** diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index f6758dad981f..b7469fdbff01 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -678,6 +678,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee) */ int tomoyo_find_next_domain(struct linux_binprm *bprm) { + struct tomoyo_domain_info **blob; struct tomoyo_domain_info *old_domain = tomoyo_domain(); struct tomoyo_domain_info *domain = NULL; const char *original_name = bprm->filename; @@ -843,7 +844,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) domain = old_domain; /* Update reference count on "struct tomoyo_domain_info". */ atomic_inc(&domain->users); - bprm->cred->security = domain; + blob = tomoyo_cred(bprm->cred); + *blob = domain; kfree(exename.name); if (!retval) { ee->r.domain = domain; 
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c index 1d3d7e7a1f05..768dff9608b1 100644 --- a/security/tomoyo/securityfs_if.c +++ b/security/tomoyo/securityfs_if.c @@ -71,9 +71,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf, if (!cred) { error = -ENOMEM; } else { - struct tomoyo_domain_info *old_domain = - cred->security; - cred->security = new_domain; + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *old_domain; + + blob = tomoyo_cred(cred); + old_domain = *blob; + *blob = new_domain; atomic_inc(&new_domain->users); atomic_dec(&old_domain->users); commit_creds(cred); @@ -234,10 +237,14 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode, */ static int __init tomoyo_initerface_init(void) { + struct tomoyo_domain_info *domain; struct dentry *tomoyo_dir; + if (!tomoyo_enabled) + return 0; + domain = tomoyo_domain(); /* Don't create securityfs entries unless registered. */ - if (current_cred()->security != &tomoyo_kernel_domain) + if (domain != &tomoyo_kernel_domain) return 0; tomoyo_dir = securityfs_create_dir("tomoyo", NULL); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index daff7d7897ad..15864307925d 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -18,7 +18,9 @@ */ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) { - new->security = NULL; + struct tomoyo_domain_info **blob = tomoyo_cred(new); + + *blob = NULL; return 0; } 
@@ -34,8 +36,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - struct tomoyo_domain_info *domain = old->security; - new->security = domain; + struct tomoyo_domain_info **old_blob = tomoyo_cred(old); + struct tomoyo_domain_info **new_blob = tomoyo_cred(new); + struct tomoyo_domain_info *domain; + + domain = *old_blob; + *new_blob = domain; + if (domain) atomic_inc(&domain->users); return 0; @@ -59,7 +66,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old) */ static void tomoyo_cred_free(struct cred *cred) { - struct tomoyo_domain_info *domain = cred->security; + struct tomoyo_domain_info **blob = tomoyo_cred(cred); + struct tomoyo_domain_info *domain = *blob; + if (domain) atomic_dec(&domain->users); } @@ -73,6 +82,9 @@ static void tomoyo_cred_free(struct cred *cred) */ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) { + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *domain; + /* * Do only if this function is called for the first time of an execve * operation. @@ -93,13 +105,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) * stored inside "bprm->cred->security" will be acquired later inside * tomoyo_find_next_domain(). */ - atomic_dec(&((struct tomoyo_domain_info *) - bprm->cred->security)->users); + blob = tomoyo_cred(bprm->cred); + domain = *blob; + atomic_dec(&domain->users); /* * Tell tomoyo_bprm_check_security() is called for the first time of an * execve operation. */ - bprm->cred->security = NULL; + *blob = NULL; return 0; } 
@@ -112,8 +125,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) */ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) { - struct tomoyo_domain_info *domain = bprm->cred->security; + struct tomoyo_domain_info **blob; + struct tomoyo_domain_info *domain; + blob = tomoyo_cred(bprm->cred); + domain = *blob; /* * Execute permission is checked against pathname passed to do_execve() * using current domain. @@ -531,6 +547,8 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { /* Lock for GC. */ DEFINE_SRCU(tomoyo_ss); +int tomoyo_enabled __lsm_ro_after_init = 1; + /** * tomoyo_init - Register TOMOYO Linux as a LSM module. * 
@@ -539,17 +557,21 @@ DEFINE_SRCU(tomoyo_ss); static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); + struct tomoyo_domain_info **blob; /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); - cred->security = &tomoyo_kernel_domain; + blob = tomoyo_cred(cred); + *blob = &tomoyo_kernel_domain; tomoyo_mm_init(); + return 0; } DEFINE_LSM(tomoyo) = { .name = "tomoyo", + .enabled = &tomoyo_enabled, .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = tomoyo_init, }; From patchwork Mon Nov 26 23:47:40 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699453 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B1D31181D for ; Mon, 26 Nov 2018 23:47:52 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9CC032A660 for ; Mon, 26 Nov 2018 23:47:52 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8FA152A667; Mon, 26 Nov 2018 23:47:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3C2DC2A660 for ; Mon, 26 Nov 2018 23:47:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728029AbeK0Kni (ORCPT ); Tue, 27 Nov 2018 05:43:38 -0500 Received: from sonic304-28.consmr.mail.ne1.yahoo.com ([66.163.191.154]:46339 "EHLO 
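Review bot: In the tomoyo_real_domain() hunk of security/tomoyo/common.h ([PATCH v5 26/38]), "tomoyo_cred(get_task_cred(task))" takes a reference on the task's cred that is never dropped: the cred pointer is not kept and there is no put_cred(). The replaced "task_cred_xxx(task, security)" took no reference. Keep the cred in a local and call put_cred() after reading *blob, or read the blob under rcu_read_lock() via __task_cred(task).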
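Review bot: The changelog of [PATCH v5 26/38] describes only the accessor change, but the security/tomoyo/tomoyo.c and security/tomoyo/securityfs_if.c hunks also add a new global tomoyo_enabled, wire it to .enabled in DEFINE_LSM(tomoyo), and make tomoyo_initerface_init() return early when it is clear. Mention this in the commit message or split it into its own patch, and say why the existing "domain != &tomoyo_kernel_domain" test is no longer enough by itself.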
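Review bot: The kernel-doc comment added for tomoyo_cred() in security/tomoyo/common.h ([PATCH v5 26/38]) writes the parameter as "@cred - the relevant cred"; kernel-doc expects "@cred: the relevant cred", matching the "@name:" form used by the other comments in this series.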
sonic304-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727834AbeK0Knh (ORCPT ); Tue, 27 Nov 2018 05:43:37 -0500 Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; 
Mon, 26 Nov 2018 23:47:45 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp412.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 93cf834a3d70aa0e70e26f9d4fe0aca4; Mon, 26 Nov 2018 23:47:43 +0000 (UTC) Subject: [PATCH v5 27/38] Infrastructure management of the cred security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <87205fe6-18d2-a7ea-334f-24b7c27fcb42@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:47:40 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Move management of the cred security blob out of the security modules and into the security infrastructure. Instead of allocating and freeing space the security modules tell the infrastructure how much space they require. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 12 ++++++ security/apparmor/include/cred.h | 4 +- security/apparmor/include/lib.h | 4 ++ security/apparmor/lsm.c | 9 ++++ security/security.c | 89 ++++++++++++++++++++++++++++++++++++++- security/selinux/hooks.c | 51 +++++----------------- security/selinux/include/objsec.h | 4 +- security/smack/smack.h | 3 +- security/smack/smack_lsm.c | 79 +++++++++++----------------------- security/tomoyo/common.h | 3 +- security/tomoyo/tomoyo.c | 6 +++ 11 files changed, 162 insertions(+), 102 deletions(-) 
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 15fc49ee41a1..c9458280214e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2024,6 +2024,13 @@ struct security_hook_list { char *lsm; } __randomize_layout; +/* + * Security blob size or offset data. + */ +struct lsm_blob_sizes { + int lbs_cred; +}; + /* * Initializing a security_hook_list structure takes * up a lot of space in a source file. This macro takes @@ -2053,6 +2060,7 @@ struct lsm_info { unsigned long flags; /* Optional: flags describing LSM */ int *enabled; /* Optional: controlled by CONFIG_LSM */ int (*init)(void); /* Required. */ + struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */ }; extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; @@ -2092,4 +2100,8 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ +#ifdef CONFIG_SECURITY +void __init lsm_early_cred(struct cred *cred); +#endif + #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/apparmor/include/cred.h b/security/apparmor/include/cred.h index a757370f2a0c..b9504a05fddc 100644 --- a/security/apparmor/include/cred.h +++ b/security/apparmor/include/cred.h @@ -25,7 +25,7 @@ static inline struct aa_label *cred_label(const struct cred *cred) { - struct aa_label **blob = cred->security; + struct aa_label **blob = cred->security + apparmor_blob_sizes.lbs_cred; AA_BUG(!blob); return *blob; @@ -34,7 +34,7 @@ static inline struct aa_label *cred_label(const struct cred *cred) static inline void set_cred_label(const struct cred *cred, struct aa_label *label) { - struct aa_label **blob = cred->security; + struct aa_label **blob = cred->security + apparmor_blob_sizes.lbs_cred; AA_BUG(!blob); *blob = label; diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h index 6505e1ad9e23..bbe9b384d71d 100644 --- a/security/apparmor/include/lib.h 
+++ b/security/apparmor/include/lib.h @@ -16,6 +16,7 @@ #include #include +#include #include "match.h" @@ -55,6 +56,9 @@ const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name, size_t *ns_len); void aa_info_message(const char *str); +/* Security blob offsets */ +extern struct lsm_blob_sizes apparmor_blob_sizes; + /** * aa_strneq - compare null terminated @str to a non null terminated substring * @str: a null terminated string diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 803ec0a63d87..70669e676212 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1150,6 +1150,13 @@ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, } #endif +/* + * The cred blob is a pointer to, not an instance of, an aa_task_ctx. + */ +struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { + .lbs_cred = sizeof(struct aa_task_ctx *), +}; + static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), @@ -1484,6 +1491,7 @@ static int __init set_init_ctx(void) if (!ctx) return -ENOMEM; + lsm_early_cred(cred); set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); task_ctx(current) = ctx; @@ -1724,5 +1732,6 @@ DEFINE_LSM(apparmor) = { .name = "apparmor", .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &apparmor_enabled, + .blobs = &apparmor_blob_sizes, .init = apparmor_init, }; diff --git a/security/security.c b/security/security.c index 81ff6a71e78e..c49d4a18c75f 100644 --- a/security/security.c +++ b/security/security.c 
@@ -41,6 +41,8 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); char *lsm_names; +static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init; + /* Boot-time LSM user choice */ static __initdata const char *chosen_lsm_order; static __initdata const char *chosen_major_lsm; @@ -139,6 +141,25 @@ static bool __init lsm_allowed(struct lsm_info *lsm) return true; } +static void __init lsm_set_blob_size(int *need, int *lbs) +{ + int offset; + + if (*need > 0) { + offset = *lbs; + *lbs += *need; + *need = offset; + } +} + +static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) +{ + if (!needed) + return; + + lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); +} + /* Prepare LSM for initialization. */ static void __init prepare_lsm(struct lsm_info *lsm) { @@ -153,6 +174,8 @@ static void __init prepare_lsm(struct lsm_info *lsm) exclusive = lsm; init_debug("exclusive chosen: %s\n", lsm->name); } + + lsm_set_blob_sizes(lsm->blobs); } } @@ -255,6 +278,8 @@ static void __init ordered_lsm_init(void) for (lsm = ordered_lsms; *lsm; lsm++) prepare_lsm(*lsm); + init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); + for (lsm = ordered_lsms; *lsm; lsm++) initialize_lsm(*lsm); 
@@ -382,6 +407,47 @@ int unregister_lsm_notifier(struct notifier_block *nb) } EXPORT_SYMBOL(unregister_lsm_notifier); +/** + * lsm_cred_alloc - allocate a composite cred blob + * @cred: the cred that needs a blob + * @gfp: allocation type + * + * Allocate the cred blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_cred_alloc(struct cred *cred, gfp_t gfp) +{ + if (blob_sizes.lbs_cred == 0) { + cred->security = NULL; + return 0; + } + + cred->security = kzalloc(blob_sizes.lbs_cred, gfp); + if (cred->security == NULL) + return -ENOMEM; + return 0; +} + +/** + * lsm_early_cred - during initialization allocate a composite cred blob + * @cred: the cred that needs a blob + * + * Allocate the cred blob for all the modules if it's not already there + */ +void __init lsm_early_cred(struct cred *cred) +{ + int rc; + + if (cred == NULL) + panic("%s: NULL cred.\n", __func__); + if (cred->security != NULL) + return; + rc = lsm_cred_alloc(cred, GFP_KERNEL); + if (rc) + panic("%s: Early cred alloc failed.\n", __func__); +} + /* * Hook list operation macros. * @@ -1182,17 +1248,36 @@ void security_task_free(struct task_struct *task) int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) { - return call_int_hook(cred_alloc_blank, 0, cred, gfp); + int rc = lsm_cred_alloc(cred, gfp); + + if (rc) + return rc; + + rc = call_int_hook(cred_alloc_blank, 0, cred, gfp); + if (rc) + security_cred_free(cred); + return rc; } void security_cred_free(struct cred *cred) { call_void_hook(cred_free, cred); + + kfree(cred->security); + cred->security = NULL; } int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp) { - return call_int_hook(cred_prepare, 0, new, old, gfp); + int rc = lsm_cred_alloc(new, gfp); + + if (rc) + return rc; + + rc = call_int_hook(cred_prepare, 0, new, old, gfp); + if (rc) + security_cred_free(new); + return rc; } void security_transfer_creds(struct cred *new, const struct cred *old) 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c82f11270de6..ac6d8a2d00f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -209,12 +209,9 @@ static void cred_init_security(void) struct cred *cred = (struct cred *) current->real_cred; struct task_security_struct *tsec; - tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); - if (!tsec) - panic("SELinux: Failed to initialize initial task.\n"); - + lsm_early_cred(cred); + tsec = selinux_cred(cred); tsec->osid = tsec->sid = SECINITSID_KERNEL; - cred->security = tsec; } /* @@ -3899,47 +3896,16 @@ static int selinux_task_alloc(struct task_struct *task, sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); } -/* - * allocate the SELinux part of blank credentials - */ -static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) -{ - struct task_security_struct *tsec; - - tsec = kzalloc(sizeof(struct task_security_struct), gfp); - if (!tsec) - return -ENOMEM; - - cred->security = tsec; - return 0; -} - -/* - * detach and free the LSM part of a set of credentials - */ -static void selinux_cred_free(struct cred *cred) -{ - struct task_security_struct *tsec = selinux_cred(cred); - - kfree(tsec); -} - /* * prepare a new set of credentials for modification */ static int selinux_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - const struct task_security_struct *old_tsec; - struct task_security_struct *tsec; - - old_tsec = selinux_cred(old); - - tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); - if (!tsec) - return -ENOMEM; + const struct task_security_struct *old_tsec = selinux_cred(old); + struct task_security_struct *tsec = selinux_cred(new); - new->security = tsec; + *tsec = *old_tsec; return 0; } 
@@ -6889,6 +6855,10 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) } #endif +struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { + .lbs_cred = sizeof(struct task_security_struct), +}; + static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), @@ -6971,8 +6941,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(file_open, selinux_file_open), LSM_HOOK_INIT(task_alloc, selinux_task_alloc), - LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), - LSM_HOOK_INIT(cred_free, selinux_cred_free), LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), @@ -7191,6 +7159,7 @@ DEFINE_LSM(selinux) = { .name = "selinux", .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &selinux_enabled, + .blobs = &selinux_blob_sizes, .init = selinux_init, }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 734b6833bdff..c2974b031d05 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -25,6 +25,7 @@ #include #include #include +#include #include #include "flask.h" #include "avc.h" @@ -158,9 +159,10 @@ struct bpf_security_struct { u32 sid; /*SID of bpf obj creater*/ }; +extern struct lsm_blob_sizes selinux_blob_sizes; static inline struct task_security_struct *selinux_cred(const struct cred *cred) { - return cred->security; + return cred->security + selinux_blob_sizes.lbs_cred; } #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/smack/smack.h b/security/smack/smack.h index 01a922856eba..b27eb252e953 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h 
@@ -336,6 +336,7 @@ extern struct smack_known *smack_syslog_label; extern struct smack_known *smack_unconfined; #endif extern int smack_ptrace_rule; +extern struct lsm_blob_sizes smack_blob_sizes; extern struct smack_known smack_known_floor; extern struct smack_known smack_known_hat; @@ -358,7 +359,7 @@ extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; static inline struct task_smack *smack_cred(const struct cred *cred) { - return cred->security; + return cred->security + smack_blob_sizes.lbs_cred; } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f34117b8c3be..459f7d523ca6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -309,29 +309,20 @@ static struct inode_smack *new_inode_smack(struct smack_known *skp) } /** - * new_task_smack - allocate a task security blob + * init_task_smack - initialize a task security blob + * @tsp: blob to initialize * @task: a pointer to the Smack label for the running task * @forked: a pointer to the Smack label for the forked task - * @gfp: type of the memory for the allocation * - * Returns the new blob or NULL if there's no memory available */ -static struct task_smack *new_task_smack(struct smack_known *task, - struct smack_known *forked, gfp_t gfp) +static void init_task_smack(struct task_smack *tsp, struct smack_known *task, + struct smack_known *forked) { - struct task_smack *tsp; - - tsp = kzalloc(sizeof(struct task_smack), gfp); - if (tsp == NULL) - return NULL; - tsp->smk_task = task; tsp->smk_forked = forked; INIT_LIST_HEAD(&tsp->smk_rules); INIT_LIST_HEAD(&tsp->smk_relabel); mutex_init(&tsp->smk_rules_lock); - - return tsp; } /** @@ -1965,14 +1956,7 @@ static int smack_file_open(struct file *file) */ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) { - struct task_smack *tsp; - - tsp = new_task_smack(NULL, NULL, gfp); - if (tsp == NULL) - return -ENOMEM; - - cred->security = tsp; - + init_task_smack(smack_cred(cred), NULL, NULL); return 0; } 
@@ -1989,10 +1973,6 @@ static void smack_cred_free(struct cred *cred) struct list_head *l; struct list_head *n; - if (tsp == NULL) - return; - cred->security = NULL; - smk_destroy_label_list(&tsp->smk_relabel); list_for_each_safe(l, n, &tsp->smk_rules) { @@ -2000,7 +1980,6 @@ static void smack_cred_free(struct cred *cred) list_del(&rp->list); kfree(rp); } - kfree(tsp); } /** @@ -2015,14 +1994,10 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { struct task_smack *old_tsp = smack_cred(old); - struct task_smack *new_tsp; + struct task_smack *new_tsp = smack_cred(new); int rc; - new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); - if (new_tsp == NULL) - return -ENOMEM; - - new->security = new_tsp; + init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); if (rc != 0) @@ -2030,10 +2005,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, gfp); - if (rc != 0) - return rc; - - return 0; + return rc; } /** @@ -4659,6 +4631,10 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, return 0; } +struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { + .lbs_cred = sizeof(struct task_smack), +}; + static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 
@@ -4837,20 +4813,25 @@ static __init void init_smack_known_list(void) */ static __init int smack_init(void) { - struct cred *cred; + struct cred *cred = (struct cred *) current->cred; struct task_smack *tsp; smack_inode_cache = KMEM_CACHE(inode_smack, 0); if (!smack_inode_cache) return -ENOMEM; - tsp = new_task_smack(&smack_known_floor, &smack_known_floor, - GFP_KERNEL); - if (tsp == NULL) { - kmem_cache_destroy(smack_inode_cache); - return -ENOMEM; - } + lsm_early_cred(cred); + /* + * Set the security state for the initial task. + */ + tsp = smack_cred(cred); + init_task_smack(tsp, &smack_known_floor, &smack_known_floor); + + /* + * Register with LSM + */ + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); smack_enabled = 1; pr_info("Smack: Initializing.\n"); @@ -4864,20 +4845,9 @@ static __init int smack_init(void) pr_info("Smack: IPv6 Netfilter enabled.\n"); #endif - /* - * Set the security state for the initial task. - */ - cred = (struct cred *) current->cred; - cred->security = tsp; - /* initialize the smack_known_list */ init_smack_known_list(); - /* - * Register with LSM - */ - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); - return 0; } @@ -4888,5 +4858,6 @@ static __init int smack_init(void) DEFINE_LSM(smack) = { .name = "smack", .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .blobs = &smack_blob_sizes, .init = smack_init, }; diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 41898613d93b..4fc17294a12d 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -1087,6 +1087,7 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain; extern struct tomoyo_policy_namespace tomoyo_kernel_namespace; extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT]; extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT]; +extern struct lsm_blob_sizes tomoyo_blob_sizes; /********** Inlined functions. **********/ 
@@ -1206,7 +1207,7 @@ static inline void tomoyo_put_group(struct tomoyo_group *group) */ static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred) { - return (struct tomoyo_domain_info **)&cred->security; + return cred->security + tomoyo_blob_sizes.lbs_cred; } /** diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 15864307925d..9094cf41a247 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -509,6 +509,10 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg, return tomoyo_socket_sendmsg_permission(sock, msg, size); } +struct lsm_blob_sizes tomoyo_blob_sizes __lsm_ro_after_init = { + .lbs_cred = sizeof(struct tomoyo_domain_info *), +}; + /* * tomoyo_security_ops is a "struct security_operations" which is used for * registering TOMOYO. @@ -562,6 +566,7 @@ static int __init tomoyo_init(void) /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); + lsm_early_cred(cred); blob = tomoyo_cred(cred); *blob = &tomoyo_kernel_domain; tomoyo_mm_init(); 
@@ -573,5 +578,6 @@ DEFINE_LSM(tomoyo) = { .name = "tomoyo", .enabled = &tomoyo_enabled, .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .blobs = &tomoyo_blob_sizes, .init = tomoyo_init, }; From patchwork Mon Nov 26 23:48:42 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699459 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 961FA1869 for ; Mon, 26 Nov 2018 23:48:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7E0492A01F for ; Mon, 26 Nov 2018 23:48:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 720532A3C5; Mon, 26 Nov 2018 23:48:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id ECF062A1F4 for ; Mon, 26 Nov 2018 23:48:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727601AbeK0Koi (ORCPT ); Tue, 27 Nov 2018 05:44:38 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:36292 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727688AbeK0Koi (ORCPT ); Tue, 27 Nov 2018 05:44:38 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276126; bh=qbpXcajJrA98ZZWDlgqmt0cbStnF49zKm903egriuBg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; 
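Review bot: in smack_cred_free() (security/smack/smack_lsm.c) the `if (tsp == NULL) return;` guard is removed while tsp now comes from smack_cred(), which returns cred->security + smack_blob_sizes.lbs_cred. If the infrastructure can invoke the cred_free hook for a cred whose ->security was never allocated, the walks over tsp->smk_relabel and tsp->smk_rules dereference a bogus pointer. Either have the caller return early when cred->security is NULL or keep a check on cred->security in the hook; the caller is not shown in these hunks, so please state which side owns that guarantee.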
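Review bot: the init ordering differs between the two modules and neither choice is explained: smack_init() calls lsm_early_cred(cred) and init_task_smack() before security_add_hooks(), while tomoyo_init() calls security_add_hooks() first and only then lsm_early_cred(cred). smack_init() also moves security_add_hooks() ahead of init_smack_known_list(), where it used to be the last step. Registering hooks before the initial cred blob and the known-label list are set up widens the window in which a hook can see uninitialised state; suggest doing lsm_early_cred() and the blob setup first in both modules and keeping security_add_hooks() last, or adding a comment on why the new order is safe.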
Subject: [PATCH v5 28/38] SELinux: Abstract use of file security blob To: James Morris , LSM ,
LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:48:42 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the file->f_security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- security/selinux/hooks.c | 18 +++++++++--------- security/selinux/include/objsec.h | 5 +++++ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ac6d8a2d00f1..ce1d37378eb5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -393,7 +393,7 @@ static int file_alloc_security(struct file *file) static void file_free_security(struct file *file) { - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); file->f_security = NULL; kmem_cache_free(file_security_cache, fsec); } @@ -1881,7 +1881,7 @@ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct inode *inode = file_inode(file); struct common_audit_data ad; u32 sid = cred_sid(cred); 
@@ -2225,7 +2225,7 @@ static int selinux_binder_transfer_file(struct task_struct *from, struct file *file) { u32 sid = task_sid(to); - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct dentry *dentry = file->f_path.dentry; struct inode_security_struct *isec; struct common_audit_data ad; @@ -3537,7 +3537,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) static int selinux_file_permission(struct file *file, int mask) { struct inode *inode = file_inode(file); - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct inode_security_struct *isec; u32 sid = current_sid(); @@ -3572,7 +3572,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file, u32 requested, u16 cmd) { struct common_audit_data ad; - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct inode *inode = file_inode(file); struct inode_security_struct *isec; struct lsm_ioctlop_audit ioctl; @@ -3824,7 +3824,7 @@ static void selinux_file_set_fowner(struct file *file) { struct file_security_struct *fsec; - fsec = file->f_security; + fsec = selinux_file(file); fsec->fown_sid = current_sid(); } @@ -3839,7 +3839,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, /* struct fown_struct is never outside the context of a struct file */ file = container_of(fown, struct file, f_owner); - fsec = file->f_security; + fsec = selinux_file(file); if (!signum) perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ @@ -3863,7 +3863,7 @@ static int selinux_file_open(struct file *file) struct file_security_struct *fsec; struct inode_security_struct *isec; - fsec = file->f_security; + fsec = selinux_file(file); isec = inode_security(file_inode(file)); /* * Save inode label and policy sequence number 
@@ -4002,7 +4002,7 @@ static int selinux_kernel_module_from_file(struct file *file) ad.type = LSM_AUDIT_DATA_FILE; ad.u.file = file; - fsec = file->f_security; + fsec = selinux_file(file); if (sid != fsec->sid) { rc = avc_has_perm(&selinux_state, sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index c2974b031d05..e0ac2992e059 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h 
@@ -165,4 +165,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred) return cred->security + selinux_blob_sizes.lbs_cred; } +static inline struct file_security_struct *selinux_file(const struct file *file) +{ + return file->f_security; +} + #endif /* _SELINUX_OBJSEC_H_ */ From patchwork Mon Nov 26 23:49:23 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699467 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BFE641869 for ; Mon, 26 Nov 2018 23:49:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B10DE2A50C for ; Mon, 26 Nov 2018 23:49:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A54362A579; Mon, 26 Nov 2018 23:49:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 53F242A66E for ; Mon, 26 Nov 2018 23:49:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727662AbeK0KpV (ORCPT ); Tue, 27 Nov 2018 05:45:21 -0500 Received: from sonic302-28.consmr.mail.ne1.yahoo.com ([66.163.186.154]:42460 "EHLO sonic302-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727750AbeK0KpU (ORCPT ); Tue, 27 Nov 2018 05:45:20 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276168; bh=lKw+YFFirAcuaGMfYgMV+U5QfYDFlilvNclUnUdmOyY=; 
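Review bot: file_free_security() (first hunk of security/selinux/hooks.c) now fetches fsec through selinux_file() but still clears file->f_security directly and hands fsec to kmem_cache_free(), so the free path depends on selinux_file() returning exactly the allocated pointer. That holds for the helper as added in objsec.h here, but it stops holding as soon as the helper returns an offset into a shared blob. Please say in the commit message that allocation and free still use file->f_security on purpose and are converted by a later patch, or add a comment on selinux_file() to that effect.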
Subject: [PATCH v5 29/38]
Smack: Abstract use of file security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:49:23 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the file->f_security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- security/smack/smack.h | 5 +++++ security/smack/smack_lsm.c | 12 ++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index b27eb252e953..50854969a391 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -362,6 +362,11 @@ static inline struct task_smack *smack_cred(const struct cred *cred) return cred->security + smack_blob_sizes.lbs_cred; } +static inline struct smack_known **smack_file(const struct file *file) +{ + return (struct smack_known **)&file->f_security; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 459f7d523ca6..3e11be8cce7e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -1573,9 +1573,9 @@ static void smack_inode_getsecid(struct inode *inode, u32 *secid) */ static int smack_file_alloc_security(struct file *file) { - struct smack_known *skp = smk_of_current(); + struct smack_known **blob = smack_file(file); - file->f_security = skp; + *blob = smk_of_current(); return 0; } @@ -1815,7 +1815,9 @@ static int smack_mmap_file(struct file *file, */ static void smack_file_set_fowner(struct file *file) { - file->f_security = smk_of_current(); + struct smack_known **blob = smack_file(file); + + *blob = smk_of_current(); } /** @@ -1832,6 +1834,7 @@ static void smack_file_set_fowner(struct file *file) static int smack_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { + struct smack_known **blob; struct smack_known *skp; struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); const struct cred *tcred; 
@@ -1845,7 +1848,8 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, file = container_of(fown, struct file, f_owner); /* we don't log here as rc can be overriden */ - skp = file->f_security; + blob = smack_file(file); + skp = *blob; rc = smk_access(skp, tkp, MAY_DELIVER, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); From patchwork Mon Nov 26 23:50:10 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699469 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 58C6F17D5 for ; Mon, 26 Nov 2018 23:50:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 465A72A50C for ; Mon, 26 Nov 2018 23:50:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3A9242A66E; Mon, 26 Nov 2018 23:50:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5E1552A50C for ; Mon, 26 Nov 2018 23:50:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727694AbeK0KqH (ORCPT ); Tue, 27 Nov 2018 05:46:07 -0500 Received: from sonic302-28.consmr.mail.ne1.yahoo.com ([66.163.186.154]:34115 "EHLO sonic302-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727596AbeK0KqG (ORCPT ); Tue, 27 Nov 2018 05:46:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276213; bh=LLC+kO5vVrGkpb8+XiusWEcN5YP2bfPWb69cQmSh7Xk=; 
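Review bot: smack_file() in security/smack/smack.h takes `const struct file *file` and returns `(struct smack_known **)&file->f_security`, and smack_file_alloc_security() and smack_file_set_fowner() then store through that pointer with `*blob = smk_of_current();`. The cast silently drops the const qualifier, so the prototype promises callers a read-only file while the helper exists to let them write to it. Suggest taking a plain `struct file *`, or providing a separate read-only accessor for smack_file_send_sigiotask(), which only reads `*blob`.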
Subject: [PATCH v5 30/38] LSM: Infrastructure management of the file security To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , Mickaël Salaün , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <06c9ef23-2846-c588-2f0a-95c6d2613bd4@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:50:10 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Move management of the file->f_security blob out of the individual security modules and into the infrastructure. The modules no longer allocate or free the data, instead they tell the infrastructure how much space they require. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/file.h | 5 +++- security/apparmor/lsm.c | 19 +++++++------- security/security.c | 54 ++++++++++++++++++++++++++++++++++++--- security/selinux/hooks.c | 25 ++---------------- security/selinux/include/objsec.h | 2 +- security/smack/smack.h | 3 ++- security/smack/smack_lsm.c | 14 +--------- 8 files changed, 72 insertions(+), 51 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index c9458280214e..64499c2d44cd 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2029,6 +2029,7 @@ struct security_hook_list { */ struct lsm_blob_sizes { int lbs_cred; + int lbs_file; }; /* diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index 4c2c8ac8842f..8be09208cf7c 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h @@ -32,7 +32,10 @@ struct path; AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \ AA_EXEC_MMAP | AA_MAY_LINK) -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security) +static inline struct aa_file_ctx *file_ctx(struct file *file) +{ + return file->f_security + apparmor_blob_sizes.lbs_file; +} /* struct aa_file_ctx - the AppArmor context the file was opened in * @lock: lock to update the ctx diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 70669e676212..3ae8c902d740 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -433,21 +433,21 @@ static int apparmor_file_open(struct file *file) static int apparmor_file_alloc_security(struct file *file) { - int error = 0; - - /* freed by apparmor_file_free_security */ + struct aa_file_ctx *ctx = file_ctx(file); struct aa_label *label = begin_current_label_crit_section(); - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); - if (!file_ctx(file)) - error = -ENOMEM; - end_current_label_crit_section(label); - return error; + spin_lock_init(&ctx->lock); + rcu_assign_pointer(ctx->label, aa_get_label(label)); + end_current_label_crit_section(label); + return 0; } static void apparmor_file_free_security(struct file *file) { - aa_free_file_ctx(file_ctx(file)); + struct aa_file_ctx *ctx = file_ctx(file); + + if (ctx) + aa_put_label(rcu_access_pointer(ctx->label)); } static int common_file_perm(const char *op, struct file *file, u32 mask) 
@@ -1155,6 +1155,7 @@ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, */ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct aa_task_ctx *), + .lbs_file = sizeof(struct aa_file_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { diff --git a/security/security.c b/security/security.c index c49d4a18c75f..499842ece0fb 100644 --- a/security/security.c +++ b/security/security.c @@ -40,6 +40,8 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); +static struct kmem_cache *lsm_file_cache; + char *lsm_names; static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init; @@ -158,6 +160,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) return; lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); + lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); } /* Prepare LSM for initialization. */ @@ -279,6 +282,15 @@ static void __init ordered_lsm_init(void) prepare_lsm(*lsm); init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); + init_debug("file blob size = %d\n", blob_sizes.lbs_file); + + /* + * Create any kmem_caches needed for blobs + */ + if (blob_sizes.lbs_file) + lsm_file_cache = kmem_cache_create("lsm_file_cache", + blob_sizes.lbs_file, 0, + SLAB_PANIC, NULL); for (lsm = ordered_lsms; *lsm; lsm++) initialize_lsm(*lsm); 
@@ -448,6 +460,27 @@ void __init lsm_early_cred(struct cred *cred) panic("%s: Early cred alloc failed.\n", __func__); } +/** + * lsm_file_alloc - allocate a composite file blob + * @file: the file that needs a blob + * + * Allocate the file blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_file_alloc(struct file *file) +{ + if (!lsm_file_cache) { + file->f_security = NULL; + return 0; + } + + file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL); + if (file->f_security == NULL) + return -ENOMEM; + return 0; +} + /* * Hook list operation macros. * @@ -1131,12 +1164,27 @@ int security_file_permission(struct file *file, int mask) int security_file_alloc(struct file *file) { - return call_int_hook(file_alloc_security, 0, file); + int rc = lsm_file_alloc(file); + + if (rc) + return rc; + rc = call_int_hook(file_alloc_security, 0, file); + if (unlikely(rc)) + security_file_free(file); + return rc; } void security_file_free(struct file *file) { + void *blob; + call_void_hook(file_free_security, file); + + blob = file->f_security; + if (blob) { + file->f_security = NULL; + kmem_cache_free(lsm_file_cache, blob); + } } int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) @@ -1254,7 +1302,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) return rc; rc = call_int_hook(cred_alloc_blank, 0, cred, gfp); - if (rc) + if (unlikely(rc)) security_cred_free(cred); return rc; } @@ -1275,7 +1323,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp) return rc; rc = call_int_hook(cred_prepare, 0, new, old, gfp); - if (rc) + if (unlikely(rc)) security_cred_free(new); return rc; } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ce1d37378eb5..9669a059ce0f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -145,7 +145,6 @@ static int __init checkreqprot_setup(char *str) __setup("checkreqprot=", checkreqprot_setup); static struct kmem_cache *sel_inode_cache; -static struct kmem_cache *file_security_cache; /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled @@ -377,27 +376,15 @@ static void inode_free_security(struct inode *inode) static int file_alloc_security(struct file *file) { - struct file_security_struct *fsec; + struct file_security_struct *fsec = selinux_file(file); u32 sid = current_sid(); - fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); - if (!fsec) - return -ENOMEM; - fsec->sid = sid; fsec->fown_sid = sid; - file->f_security = fsec; return 0; } -static void file_free_security(struct file *file) -{ - struct file_security_struct *fsec = selinux_file(file); - file->f_security = NULL; - kmem_cache_free(file_security_cache, fsec); -} - static int superblock_alloc_security(struct super_block *sb) { struct superblock_security_struct *sbsec; @@ -3559,11 +3546,6 @@ static int selinux_file_alloc_security(struct file *file) return file_alloc_security(file); } -static void selinux_file_free_security(struct file *file) -{ - file_free_security(file); -} - /* * Check whether a task has the ioctl permission and cmd * operation to an inode. @@ -6857,6 +6839,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_security_struct), + .lbs_file = sizeof(struct file_security_struct), }; static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 
@@ -6927,7 +6910,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), - LSM_HOOK_INIT(file_free_security, selinux_file_free_security), LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), LSM_HOOK_INIT(mmap_file, selinux_mmap_file), LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), @@ -7112,9 +7094,6 @@ static __init int selinux_init(void) sel_inode_cache = kmem_cache_create("selinux_inode_security", sizeof(struct inode_security_struct), 0, SLAB_PANIC, NULL); - file_security_cache = kmem_cache_create("selinux_file_security", - sizeof(struct file_security_struct), - 0, SLAB_PANIC, NULL); avc_init(); avtab_cache_init(); diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index e0ac2992e059..96374dbf4ace 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -167,7 +167,7 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred) static inline struct file_security_struct *selinux_file(const struct file *file) { - return file->f_security; + return file->f_security + selinux_blob_sizes.lbs_file; } #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/smack/smack.h b/security/smack/smack.h index 50854969a391..2007d38d0e46 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -364,7 +364,8 @@ static inline struct task_smack *smack_cred(const struct cred *cred) static inline struct smack_known **smack_file(const struct file *file) { - return (struct smack_known **)&file->f_security; + return (struct smack_known **)(file->f_security + + smack_blob_sizes.lbs_file); } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 3e11be8cce7e..c560cb8e155c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -1579,18 +1579,6 @@ static int smack_file_alloc_security(struct file *file) return 0; } -/** - * smack_file_free_security - clear a file security blob - * @file: the object - * - * The security blob for a file is a pointer to the master - * label list, so no memory is freed. - */ -static void smack_file_free_security(struct file *file) -{ - file->f_security = NULL; -} - /** * smack_file_ioctl - Smack check on ioctls * @file: the object @@ -4637,6 +4625,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_smack), + .lbs_file = sizeof(struct smack_known *), }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 
@@ -4674,7 +4663,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), - LSM_HOOK_INIT(file_free_security, smack_file_free_security), LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), LSM_HOOK_INIT(file_lock, smack_file_lock), LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), From patchwork Mon Nov 26 23:51:35 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699473 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 33E9B17D5 for ; Mon, 26 Nov 2018 23:51:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 227422A66E for ; Mon, 26 Nov 2018 23:51:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 13FF02A50C; Mon, 26 Nov 2018 23:51:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 580D02A50C for ; Mon, 26 Nov 2018 23:51:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727951AbeK0Kre (ORCPT ); Tue, 27 Nov 2018 05:47:34 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:42208 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727584AbeK0Kre (ORCPT ); Tue, 27 Nov 2018 05:47:34 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276301; 
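Review bot: in the security/selinux/include/objsec.h hunk of the file-blob patch above, selinux_file() now returns `file->f_security + selinux_blob_sizes.lbs_file`, while hooks.c initialises that same field with `.lbs_file = sizeof(struct file_security_struct)`. Read together, those two lines only work if the infrastructure rewrites lbs_file from a requested size into an offset before the first file is allocated, and nothing in the visible hunks says so. A comment on selinux_blob_sizes (and on smack_blob_sizes, where smack_file() follows the same pattern) stating that the field holds a size at registration and an offset afterwards would keep a later reader from treating it as a size.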
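Review bot: in the file_alloc_security() hunk in security/selinux/hooks.c, `fsec = selinux_file(file)` is dereferenced on the following lines (`fsec->sid = sid;`) with no check, where the removed code returned -ENOMEM when its own allocation failed. The hook is now only safe if the caller has already allocated f_security and stops on failure before calling into the module, and that ordering is not visible in this hunk. Say so in a comment above the function, or in the documentation for the file_alloc_security hook, so a new call site cannot invoke the hook on a file without a blob.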
23:51:38 +0000 (UTC) Subject: [PATCH v5 31/38] SELinux: Abstract use of inode security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <2a48377d-caeb-c126-3044-b74b58693185@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:51:35 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the inode->i_security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- security/selinux/hooks.c | 26 +++++++++++++------------- security/selinux/include/objsec.h | 6 ++++++ security/selinux/selinuxfs.c | 4 ++-- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9669a059ce0f..3069e95d86e6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -272,7 +272,7 @@ static int __inode_security_revalidate(struct inode *inode, struct dentry *dentry, bool may_sleep) { - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); might_sleep_if(may_sleep); @@ -293,7 +293,7 @@ static int __inode_security_revalidate(struct inode *inode, static struct inode_security_struct *inode_security_novalidate(struct inode *inode) { - return inode->i_security; + return selinux_inode(inode); } static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 
@@ -303,7 +303,7 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo error = __inode_security_revalidate(inode, NULL, !rcu); if (error) return ERR_PTR(error); - return inode->i_security; + return selinux_inode(inode); } /* @@ -312,14 +312,14 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo static struct inode_security_struct *inode_security(struct inode *inode) { __inode_security_revalidate(inode, NULL, true); - return inode->i_security; + return selinux_inode(inode); } static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) { struct inode *inode = d_backing_inode(dentry); - return inode->i_security; + return selinux_inode(inode); } /* @@ -330,7 +330,7 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr struct inode *inode = d_backing_inode(dentry); __inode_security_revalidate(inode, dentry, true); - return inode->i_security; + return selinux_inode(inode); } static void inode_free_rcu(struct rcu_head *head) @@ -343,7 +343,7 @@ static void inode_free_rcu(struct rcu_head *head) static void inode_free_security(struct inode *inode) { - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); struct superblock_security_struct *sbsec = inode->i_sb->s_security; /* @@ -1502,7 +1502,7 @@ static int selinux_genfs_get_sid(struct dentry *dentry, static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) { struct superblock_security_struct *sbsec = NULL; - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); u32 task_sid, sid = 0; u16 sclass; struct dentry *dentry; 
@@ -1802,7 +1802,7 @@ static int inode_has_perm(const struct cred *cred, return 0; sid = cred_sid(cred); - isec = inode->i_security; + isec = selinux_inode(inode); return avc_has_perm(&selinux_state, sid, isec->sid, isec->sclass, perms, adp); @@ -3030,7 +3030,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, /* Possibly defer initialization to selinux_complete_init. */ if (sbsec->flags & SE_SBINITIALIZED) { - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); isec->sclass = inode_mode_to_security_class(inode->i_mode); isec->sid = newsid; isec->initialized = LABEL_INITIALIZED; @@ -3130,7 +3130,7 @@ static noinline int audit_inode_permission(struct inode *inode, unsigned flags) { struct common_audit_data ad; - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); int rc; ad.type = LSM_AUDIT_DATA_INODE; @@ -4150,7 +4150,7 @@ static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, static void selinux_task_to_inode(struct task_struct *p, struct inode *inode) { - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); u32 sid = task_sid(p); spin_lock(&isec->lock); @@ -6529,7 +6529,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen) static void selinux_inode_invalidate_secctx(struct inode *inode) { - struct inode_security_struct *isec = inode->i_security; + struct inode_security_struct *isec = selinux_inode(inode); spin_lock(&isec->lock); isec->initialized = LABEL_INVALID; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 96374dbf4ace..26b4ff6b4d81 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h 
@@ -170,4 +170,10 @@ static inline struct file_security_struct *selinux_file(const struct file *file) return file->f_security + selinux_blob_sizes.lbs_file; } +static inline struct inode_security_struct *selinux_inode( + const struct inode *inode) +{ + return inode->i_security; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index f3a5a138a096..145ee62f205a 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1378,7 +1378,7 @@ static int sel_make_bools(struct selinux_fs_info *fsi) goto out; } - isec = (struct inode_security_struct *)inode->i_security; + isec = selinux_inode(inode); ret = security_genfs_sid(fsi->state, "selinuxfs", page, SECCLASS_FILE, &sid); if (ret) { 
@@ -1953,7 +1953,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent) } inode->i_ino = ++fsi->last_ino; - isec = (struct inode_security_struct *)inode->i_security; + isec = selinux_inode(inode); isec->sid = SECINITSID_DEVNULL; isec->sclass = SECCLASS_CHR_FILE; isec->initialized = LABEL_INITIALIZED; From patchwork Mon Nov 26 23:52:23 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699483 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 242211869 for ; Mon, 26 Nov 2018 23:52:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 124CD2A676 for ; Mon, 26 Nov 2018 23:52:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 061C62A67A; Mon, 26 Nov 2018 23:52:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 651FC2A677 for ; Mon, 26 Nov 2018 23:52:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727946AbeK0KsX (ORCPT ); Tue, 27 Nov 2018 05:48:23 -0500 Received: from sonic302-28.consmr.mail.ne1.yahoo.com ([66.163.186.154]:37047 "EHLO sonic302-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727783AbeK0KsX (ORCPT ); Tue, 27 Nov 2018 05:48:23 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276350; bh=yMQklFwhAM+SkyFA3GlpZ7nPGFc0LOqkP3jCwe0SRVI=; 
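Review bot: the new selinux_inode() helper added to security/selinux/include/objsec.h in 31/38 takes `const struct inode *inode` but hands back a writable `struct inode_security_struct *`, and converted callers in this patch write through it (selinux_task_to_inode() takes `isec->lock`, selinux_inode_invalidate_secctx() sets `isec->initialized = LABEL_INVALID`). If the const is there only so that read-only callers can use the helper, a one-line comment saying the blob is deliberately mutable through a const inode would help; otherwise drop the const. The helper also carries no comment at all, and since every i_security access in hooks.c and selinuxfs.c now goes through it, this is the place to document what it is allowed to return.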
Subject: [PATCH v5 32/38]
Smack: Abstract use of inode security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <1195d035-fc2d-487b-148c-218716f9507d@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:52:23 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the inode->i_security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- security/smack/smack.h | 9 +++++++-- security/smack/smack_lsm.c | 32 ++++++++++++++++---------------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 2007d38d0e46..436231dfae33 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -368,12 +368,17 @@ static inline struct smack_known **smack_file(const struct file *file) smack_blob_sizes.lbs_file); } +static inline struct inode_smack *smack_inode(const struct inode *inode) +{ + return inode->i_security; +} + /* * Is the directory transmuting? */ static inline int smk_inode_transmutable(const struct inode *isp) { - struct inode_smack *sip = isp->i_security; + struct inode_smack *sip = smack_inode(isp); return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; } 
@@ -382,7 +387,7 @@ static inline int smk_inode_transmutable(const struct inode *isp) */ static inline struct smack_known *smk_of_inode(const struct inode *isp) { - struct inode_smack *sip = isp->i_security; + struct inode_smack *sip = smack_inode(isp); return sip->smk_inode; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c560cb8e155c..c086110cba80 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -166,7 +166,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc) static int smk_bu_inode(struct inode *inode, int mode, int rc) { struct task_smack *tsp = smack_cred(current_cred()); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -198,7 +198,7 @@ static int smk_bu_file(struct file *file, int mode, int rc) struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -228,7 +228,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file, struct task_smack *tsp = smack_cred(cred); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -826,7 +826,7 @@ static int smack_set_mnt_opts(struct super_block *sb, /* * Initialize the root inode. */ - isp = inode->i_security; + isp = smack_inode(inode); if (isp == NULL) { isp = new_inode_smack(sp->smk_root); if (isp == NULL) 
@@ -914,7 +914,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (bprm->called_set_creds) return 0; - isp = inode->i_security; + isp = smack_inode(inode); if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; @@ -994,7 +994,7 @@ static void smack_inode_free_rcu(struct rcu_head *head) */ static void smack_inode_free_security(struct inode *inode) { - struct inode_smack *issp = inode->i_security; + struct inode_smack *issp = smack_inode(inode); /* * The inode may still be referenced in a path walk and @@ -1022,7 +1022,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, const char **name, void **value, size_t *len) { - struct inode_smack *issp = inode->i_security; + struct inode_smack *issp = smack_inode(inode); struct smack_known *skp = smk_of_current(); struct smack_known *isp = smk_of_inode(inode); struct smack_known *dsp = smk_of_inode(dir); @@ -1360,7 +1360,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { struct smack_known *skp; - struct inode_smack *isp = d_backing_inode(dentry)->i_security; + struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { isp->smk_flags |= SMK_INODE_TRANSMUTE; @@ -1441,7 +1441,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) if (rc != 0) return rc; - isp = d_backing_inode(dentry)->i_security; + isp = smack_inode(d_backing_inode(dentry)); /* * Don't do anything special for these. * XATTR_NAME_SMACKIPIN @@ -1716,7 +1716,7 @@ static int smack_mmap_file(struct file *file, if (unlikely(IS_PRIVATE(file_inode(file)))) return 0; - isp = file_inode(file)->i_security; + isp = smack_inode(file_inode(file)); if (isp->smk_mmap == NULL) return 0; sbsp = file_inode(file)->i_sb->s_security; 
@@ -2063,7 +2063,7 @@ static int smack_kernel_act_as(struct cred *new, u32 secid) static int smack_kernel_create_files_as(struct cred *new, struct inode *inode) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); struct task_smack *tsp = smack_cred(new); tsp->smk_forked = isp->smk_inode; @@ -2263,7 +2263,7 @@ static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, */ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); struct smack_known *skp = smk_of_task_struct(p); isp->smk_inode = skp; @@ -2726,7 +2726,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { struct smack_known *skp; - struct inode_smack *nsp = inode->i_security; + struct inode_smack *nsp = smack_inode(inode); struct socket_smack *ssp; struct socket *sock; int rc = 0; @@ -3334,7 +3334,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (inode == NULL) return; - isp = inode->i_security; + isp = smack_inode(inode); mutex_lock(&isp->smk_lock); /* @@ -4566,7 +4566,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) /* * Get label from overlay inode and set it in create_sid */ - isp = d_inode(dentry->d_parent)->i_security; + isp = smack_inode(d_inode(dentry->d_parent)); skp = isp->smk_inode; tsp->smk_task = skp; *new = new_creds; 
@@ -4603,7 +4603,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, /* * the attribute of the containing directory */ - isp = d_inode(dentry->d_parent)->i_security; + isp = smack_inode(d_inode(dentry->d_parent)); if (isp->smk_flags & SMK_INODE_TRANSMUTE) { rcu_read_lock(); From patchwork Mon Nov 26 23:53:09 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699487 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B701F17D5 for ; Mon, 26 Nov 2018 23:53:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A83B32A4FC for ; Mon, 26 Nov 2018 23:53:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9C3ED2A67C; Mon, 26 Nov 2018 23:53:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9BA6F2A4FC for ; Mon, 26 Nov 2018 23:53:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728013AbeK0KtH (ORCPT ); Tue, 27 Nov 2018 05:49:07 -0500 Received: from sonic304-28.consmr.mail.ne1.yahoo.com ([66.163.191.154]:39828 "EHLO sonic304-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727778AbeK0KtH (ORCPT ); Tue, 27 Nov 2018 05:49:07 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276392; bh=MiP39d63uWalPr3Rc655IR8mZb4u4EGEgth5ub7YGA4=; 
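Review bot: in the smack_set_mnt_opts() hunk of 32/38 in security/smack/smack_lsm.c, the converted line `isp = smack_inode(inode);` is followed by the unchanged `if (isp == NULL) {` branch that calls new_inode_smack(). That test is only meaningful while smack_inode() returns the raw i_security pointer. The neighbouring smack_file() helper in smack.h already returns `file->f_security + smack_blob_sizes.lbs_file`, and a helper of that form need not return NULL for an object without a blob. Either test inode->i_security explicitly here, or note in the commit message that this branch is reworked when the helper gains an offset.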
Subject: [PATCH v5 33/38] LSM:
Infrastructure management of the inode security To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <8e99bbd6-6bea-2323-df1d-64e97c85d87e@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:53:09 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Move management of the inode->i_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 3 ++ security/security.c | 64 +++++++++++++++++++++++++++++++-- security/selinux/hooks.c | 37 ++++--------------- security/selinux/include/objsec.h | 9 +++-- security/smack/smack.h | 2 +- security/smack/smack_lsm.c | 76 +++++++++------------------------------ 6 files changed, 93 insertions(+), 98 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 64499c2d44cd..65440005ec92 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2030,6 +2030,7 @@ struct security_hook_list { struct lsm_blob_sizes { int lbs_cred; int lbs_file; + int lbs_inode; }; /* 
@@ -2101,6 +2102,8 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ +extern int lsm_inode_alloc(struct inode *inode); + #ifdef CONFIG_SECURITY void __init lsm_early_cred(struct cred *cred); #endif diff --git a/security/security.c b/security/security.c index 499842ece0fb..0cc48072eb3b 100644 --- a/security/security.c +++ b/security/security.c @@ -41,6 +41,7 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); static struct kmem_cache *lsm_file_cache; +static struct kmem_cache *lsm_inode_cache; char *lsm_names; static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init; @@ -161,6 +162,13 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); + /* + * The inode blob gets an rcu_head in addition to + * what the modules might need. + */ + if (needed->lbs_inode && blob_sizes.lbs_inode == 0) + blob_sizes.lbs_inode = sizeof(struct rcu_head); + lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); } /* Prepare LSM for initialization. */ @@ -283,6 +291,7 @@ static void __init ordered_lsm_init(void) init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); init_debug("file blob size = %d\n", blob_sizes.lbs_file); + init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); /* * Create any kmem_caches needed for blobs @@ -291,6 +300,10 @@ static void __init ordered_lsm_init(void) lsm_file_cache = kmem_cache_create("lsm_file_cache", blob_sizes.lbs_file, 0, SLAB_PANIC, NULL); + if (blob_sizes.lbs_inode) + lsm_inode_cache = kmem_cache_create("lsm_inode_cache", + blob_sizes.lbs_inode, 0, + SLAB_PANIC, NULL); for (lsm = ordered_lsms; *lsm; lsm++) initialize_lsm(*lsm); 
@@ -481,6 +494,27 @@ static int lsm_file_alloc(struct file *file) return 0; } +/** + * lsm_inode_alloc - allocate a composite inode blob + * @inode: the inode that needs a blob + * + * Allocate the inode blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_inode_alloc(struct inode *inode) +{ + if (!lsm_inode_cache) { + inode->i_security = NULL; + return 0; + } + + inode->i_security = kmem_cache_zalloc(lsm_inode_cache, GFP_NOFS); + if (inode->i_security == NULL) + return -ENOMEM; + return 0; +} + /* * Hook list operation macros. * @@ -727,14 +761,40 @@ EXPORT_SYMBOL(security_sb_parse_opts_str); int security_inode_alloc(struct inode *inode) { - inode->i_security = NULL; - return call_int_hook(inode_alloc_security, 0, inode); + int rc = lsm_inode_alloc(inode); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(inode_alloc_security, 0, inode); + if (unlikely(rc)) + security_inode_free(inode); + return rc; +} + +static void inode_free_by_rcu(struct rcu_head *head) +{ + /* + * The rcu head is at the start of the inode blob + */ + kmem_cache_free(lsm_inode_cache, head); } void security_inode_free(struct inode *inode) { integrity_inode_free(inode); call_void_hook(inode_free_security, inode); + /* + * The inode may still be referenced in a path walk and + * a call to security_inode_permission() can be made + * after inode_free_security() is called. Ideally, the VFS + * wouldn't do this, but fixing that is a much harder + * job. For now, simply free the i_security via RCU, and + * leave the current inode->i_security pointer intact. + * The inode will be freed after the RCU grace period too. + */ + if (inode->i_security) + call_rcu((struct rcu_head *)inode->i_security, + inode_free_by_rcu); } int security_dentry_init_security(struct dentry *dentry, int mode, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3069e95d86e6..f0e7ac26f3a9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -144,8 +144,6 @@ static int __init checkreqprot_setup(char *str) } __setup("checkreqprot=", checkreqprot_setup); -static struct kmem_cache *sel_inode_cache; - /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled * @@ -241,13 +239,9 @@ static inline u32 task_sid(const struct task_struct *task) static int inode_alloc_security(struct inode *inode) { - struct inode_security_struct *isec; + struct inode_security_struct *isec = selinux_inode(inode); u32 sid = current_sid(); - isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); - if (!isec) - return -ENOMEM; - spin_lock_init(&isec->lock); INIT_LIST_HEAD(&isec->list); isec->inode = inode; @@ -255,7 +249,6 @@ static int inode_alloc_security(struct inode *inode) isec->sclass = SECCLASS_FILE; isec->task_sid = sid; isec->initialized = LABEL_INVALID; - inode->i_security = isec; return 0; } @@ -333,19 +326,14 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr return selinux_inode(inode); } -static void inode_free_rcu(struct rcu_head *head) -{ - struct inode_security_struct *isec; - - isec = container_of(head, struct inode_security_struct, rcu); - kmem_cache_free(sel_inode_cache, isec); -} - static void inode_free_security(struct inode *inode) { struct inode_security_struct *isec = selinux_inode(inode); - struct superblock_security_struct *sbsec = inode->i_sb->s_security; + struct superblock_security_struct *sbsec; + if (!isec) + return; + sbsec = inode->i_sb->s_security; /* * As not all inode security structures are in a list, we check for * empty list outside of the lock to make sure that we won't waste 
@@ -361,17 +349,6 @@ static void inode_free_security(struct inode *inode) list_del_init(&isec->list); spin_unlock(&sbsec->isec_lock); } - - /* - * The inode may still be referenced in a path walk and - * a call to selinux_inode_permission() can be made - * after inode_free_security() is called. Ideally, the VFS - * wouldn't do this, but fixing that is a much harder - * job. For now, simply free the i_security via RCU, and - * leave the current inode->i_security pointer intact. - * The inode will be freed after the RCU grace period too. - */ - call_rcu(&isec->rcu, inode_free_rcu); } static int file_alloc_security(struct file *file) @@ -6840,6 +6817,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_security_struct), .lbs_file = sizeof(struct file_security_struct), + .lbs_inode = sizeof(struct inode_security_struct), }; static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { @@ -7091,9 +7069,6 @@ static __init int selinux_init(void) default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); - sel_inode_cache = kmem_cache_create("selinux_inode_security", - sizeof(struct inode_security_struct), - 0, SLAB_PANIC, NULL); avc_init(); avtab_cache_init(); diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 26b4ff6b4d81..562fad58c56b 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -57,10 +57,7 @@ enum label_initialized { struct inode_security_struct { struct inode *inode; /* back pointer to inode object */ - union { - struct list_head list; /* list of inode_security_struct */ - struct rcu_head rcu; /* for freeing the inode_security_struct */ - }; + struct list_head list; /* list of inode_security_struct */ u32 task_sid; /* SID of creating task */ u32 sid; /* SID of this object */ u16 sclass; /* security class of this object */ 
@@ -173,7 +170,9 @@ static inline struct file_security_struct *selinux_file(const struct file *file) static inline struct inode_security_struct *selinux_inode( const struct inode *inode) { - return inode->i_security; + if (unlikely(!inode->i_security)) + return NULL; + return inode->i_security + selinux_blob_sizes.lbs_inode; } #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/smack/smack.h b/security/smack/smack.h index 436231dfae33..bf0abc35ca1c 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -370,7 +370,7 @@ static inline struct smack_known **smack_file(const struct file *file) static inline struct inode_smack *smack_inode(const struct inode *inode) { - return inode->i_security; + return inode->i_security + smack_blob_sizes.lbs_inode; } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c086110cba80..9ff185af378a 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -288,24 +288,18 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, } /** - * new_inode_smack - allocate an inode security blob + * init_inode_smack - initialize an inode security blob + * @isp: the blob to initialize * @skp: a pointer to the Smack label entry to use in the blob * - * Returns the new blob or NULL if there's no memory available */ -static struct inode_smack *new_inode_smack(struct smack_known *skp) +static void init_inode_smack(struct inode *inode, struct smack_known *skp) { - struct inode_smack *isp; - - isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); - if (isp == NULL) - return NULL; + struct inode_smack *isp = smack_inode(inode); isp->smk_inode = skp; isp->smk_flags = 0; mutex_init(&isp->smk_lock); - - return isp; } /** 
@@ -758,6 +752,13 @@ static int smack_set_mnt_opts(struct super_block *sb, if (sp->smk_flags & SMK_SB_INITIALIZED) return 0; + if (inode->i_security == NULL) { + int rc = lsm_inode_alloc(inode); + + if (rc) + return rc; + } + if (!smack_privileged(CAP_MAC_ADMIN)) { /* * Unprivileged mounts don't get to specify Smack values. @@ -826,17 +827,12 @@ static int smack_set_mnt_opts(struct super_block *sb, /* * Initialize the root inode. */ - isp = smack_inode(inode); - if (isp == NULL) { - isp = new_inode_smack(sp->smk_root); - if (isp == NULL) - return -ENOMEM; - inode->i_security = isp; - } else - isp->smk_inode = sp->smk_root; + init_inode_smack(inode, sp->smk_root); - if (transmute) + if (transmute) { + isp = smack_inode(inode); isp->smk_flags |= SMK_INODE_TRANSMUTE; + } return 0; } 
@@ -965,48 +961,10 @@ static int smack_inode_alloc_security(struct inode *inode) { struct smack_known *skp = smk_of_current(); - inode->i_security = new_inode_smack(skp); - if (inode->i_security == NULL) - return -ENOMEM; + init_inode_smack(inode, skp); return 0; } -/** - * smack_inode_free_rcu - Free inode_smack blob from cache - * @head: the rcu_head for getting inode_smack pointer - * - * Call back function called from call_rcu() to free - * the i_security blob pointer in inode - */ -static void smack_inode_free_rcu(struct rcu_head *head) -{ - struct inode_smack *issp; - - issp = container_of(head, struct inode_smack, smk_rcu); - kmem_cache_free(smack_inode_cache, issp); -} - -/** - * smack_inode_free_security - free an inode blob using call_rcu() - * @inode: the inode with a blob - * - * Clears the blob pointer in inode using RCU - */ -static void smack_inode_free_security(struct inode *inode) -{ - struct inode_smack *issp = smack_inode(inode); - - /* - * The inode may still be referenced in a path walk and - * a call to smack_inode_permission() can be made - * after smack_inode_free_security() is called. - * To avoid race condition free the i_security via RCU - * and leave the current inode->i_security pointer intact. - * The inode will be freed after the RCU grace period too. - */ - call_rcu(&issp->smk_rcu, smack_inode_free_rcu); -} - /** * smack_inode_init_security - copy out the smack from an inode * @inode: the newly created inode @@ -4626,6 +4584,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_smack), .lbs_file = sizeof(struct smack_known *), + .lbs_inode = sizeof(struct inode_smack), }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 
@@ -4644,7 +4603,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), - LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), LSM_HOOK_INIT(inode_link, smack_inode_link), LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), From patchwork Mon Nov 26 23:53:50 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699491 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 28D93181D for ; Mon, 26 Nov 2018 23:54:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1A8D42849B for ; Mon, 26 Nov 2018 23:54:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0E6CC2A4FC; Mon, 26 Nov 2018 23:54:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 737A22849B for ; Mon, 26 Nov 2018 23:54:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727649AbeK0Ktx (ORCPT ); Tue, 27 Nov 2018 05:49:53 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:46133 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727688AbeK0Ktu (ORCPT ); Tue, 27 Nov 2018 05:49:50 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
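Review bot: in security_inode_alloc() (security/security.c, hunk at -727,14), the error path calls security_inode_free() when call_int_hook(inode_alloc_security, ...) fails, and that runs integrity_inode_free() plus every module's inode_free_security hook, including modules whose alloc hook may not have run and whose part of the blob is only zero-filled by kmem_cache_zalloc(). A zeroed list head or lock is not an initialised one, so each inode_free_security implementation now has to tolerate that state; please document the requirement next to the hook or free the blob directly on this path. In the same hunk, the (struct rcu_head *)inode->i_security cast only holds while the infrastructure keeps the rcu_head at offset 0 of the composite blob, and a named accessor for that slot would make the dependency explicit instead of leaving it to the comment in inode_free_by_rcu().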
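Review bot: smack_inode() in security/smack/smack.h (hunk at -370,7) now returns inode->i_security + smack_blob_sizes.lbs_inode with no NULL check, while selinux_inode() in objsec.h returns NULL when i_security is unset. With a NULL i_security the Smack accessor yields a small non-NULL pointer equal to the offset, so a caller's isp == NULL test can no longer catch a missing blob. Suggest giving smack_inode() the same guard as selinux_inode(), or stating why every Smack caller is guaranteed an allocated blob. A short comment that lbs_inode in the per-module lsm_blob_sizes is initialised as a size but read here as the module's offset into the composite blob would also help readers.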
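Review bot: the kernel-doc for init_inode_smack() in security/smack/smack_lsm.c (hunk at -288,24) documents "@isp: the blob to initialize", but the function takes struct inode *inode and looks the blob up itself with smack_inode(inode). Rename the tag to @inode and describe it as the inode whose blob is initialised, so the comment matches the signature.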
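Review bot: in the root-inode block of smack_set_mnt_opts() (hunk at -826,17), the old code only assigned isp->smk_inode = sp->smk_root when a blob already existed, whereas init_inode_smack(inode, sp->smk_root) also sets smk_flags to 0 and runs mutex_init(&isp->smk_lock) again on that blob. If the root inode can reach this point with flags already set or with smk_lock in use, that is a behaviour change; please confirm it cannot, or keep the plain smk_inode assignment for the already-initialised case.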
Subject: [PATCH v5 34/38] LSM: Infrastructure management of the task security To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:53:50 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Move management of the task_struct->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. The only user of this blob is AppArmor. The AppArmor use is abstracted to avoid future conflict. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 2 ++ security/apparmor/include/task.h | 18 +++----------- security/apparmor/lsm.c | 15 +++-------- security/security.c | 54 +++++++++++++++++++++++++++++++++++++++- 4 files changed, 62 insertions(+), 27 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 65440005ec92..243c7c6e181d 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2031,6 +2031,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_task; }; /* 
@@ -2106,6 +2107,7 @@ extern int lsm_inode_alloc(struct inode *inode); #ifdef CONFIG_SECURITY void __init lsm_early_cred(struct cred *cred); +void __init lsm_early_task(struct task_struct *task); #endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h index 55edaa1d83f8..039c1e60887a 100644 --- a/security/apparmor/include/task.h +++ b/security/apparmor/include/task.h @@ -14,7 +14,10 @@ #ifndef __AA_TASK_H #define __AA_TASK_H -#define task_ctx(X) ((X)->security) +static inline struct aa_task_ctx *task_ctx(struct task_struct *task) +{ + return task->security; +} /* * struct aa_task_ctx - information for current task label change @@ -36,17 +39,6 @@ int aa_set_current_hat(struct aa_label *label, u64 token); int aa_restore_previous_label(u64 cookie); struct aa_label *aa_get_task_label(struct task_struct *task); -/** - * aa_alloc_task_ctx - allocate a new task_ctx - * @flags: gfp flags for allocation - * - * Returns: allocated buffer or NULL on failure - */ -static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags) -{ - return kzalloc(sizeof(struct aa_task_ctx), flags); -} - /** * aa_free_task_ctx - free a task_ctx * @ctx: task_ctx to free (MAYBE NULL) @@ -57,8 +49,6 @@ static inline void aa_free_task_ctx(struct aa_task_ctx *ctx) aa_put_label(ctx->nnp); aa_put_label(ctx->previous); aa_put_label(ctx->onexec); - - kzfree(ctx); } } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 3ae8c902d740..83dc23f33a29 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -93,19 +93,14 @@ static void apparmor_task_free(struct task_struct *task) { aa_free_task_ctx(task_ctx(task)); - task_ctx(task) = NULL; } static int apparmor_task_alloc(struct task_struct *task, unsigned long clone_flags) { - struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL); - - if (!new) - return -ENOMEM; + struct aa_task_ctx *new = task_ctx(task); aa_dup_task_ctx(new, task_ctx(current)); - task_ctx(task) = new; return 0; } @@ -1156,6 +1151,7 @@ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct aa_task_ctx *), .lbs_file = sizeof(struct aa_file_ctx), + .lbs_task = sizeof(struct aa_task_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { @@ -1486,15 +1482,10 @@ static int param_set_mode(const char *val, const struct kernel_param *kp) static int __init set_init_ctx(void) { struct cred *cred = (struct cred *)current->real_cred; - struct aa_task_ctx *ctx; - - ctx = aa_alloc_task_ctx(GFP_KERNEL); - if (!ctx) - return -ENOMEM; lsm_early_cred(cred); + lsm_early_task(current); set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); - task_ctx(current) = ctx; return 0; } diff --git a/security/security.c b/security/security.c index 0cc48072eb3b..d3d3963d7914 100644 --- a/security/security.c +++ b/security/security.c @@ -169,6 +169,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) if (needed->lbs_inode && blob_sizes.lbs_inode == 0) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); + lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); } /* Prepare LSM for initialization. */ 
@@ -292,6 +293,7 @@ static void __init ordered_lsm_init(void) init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); + init_debug("task blob size = %d\n", blob_sizes.lbs_task); /* * Create any kmem_caches needed for blobs @@ -515,6 +517,46 @@ int lsm_inode_alloc(struct inode *inode) return 0; } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ + if (blob_sizes.lbs_task == 0) { + task->security = NULL; + return 0; + } + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + +/** + * lsm_early_task - during initialization allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules if it's not already there + */ +void __init lsm_early_task(struct task_struct *task) +{ + int rc; + + if (task == NULL) + panic("%s: task cred.\n", __func__); + if (task->security != NULL) + return; + rc = lsm_task_alloc(task); + if (rc) + panic("%s: Early task alloc failed.\n", __func__); +} + /* * Hook list operation macros. * 
@@ -1346,12 +1388,22 @@ int security_file_open(struct file *file) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { - return call_int_hook(task_alloc, 0, task, clone_flags); + int rc = lsm_task_alloc(task); + + if (rc) + return rc; + rc = call_int_hook(task_alloc, 0, task, clone_flags); + if (unlikely(rc)) + security_task_free(task); + return rc; } void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) From patchwork Mon Nov 26 23:54:31 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 23EFE17D5 for ; Mon, 26 Nov 2018 23:54:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 133002849B for ; Mon, 26 Nov 2018 23:54:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 06C932A4FC; Mon, 26 Nov 2018 23:54:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8681E2849B for ; Mon, 26 Nov 2018 23:54:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728080AbeK0Kub (ORCPT ); Tue, 27 Nov 2018 05:50:31 -0500 Received: from sonic304-28.consmr.mail.ne1.yahoo.com ([66.163.191.154]:36328 "EHLO sonic304-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by 
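Review bot: task_ctx() in security/apparmor/include/task.h (hunk at -14,7) still returns task->security unchanged and does not add apparmor_blob_sizes.lbs_task the way the inode accessors add their lbs_inode (inode->i_security + selinux_blob_sizes.lbs_inode). That is only correct while AppArmor's task data sits at offset 0 of the composite blob, and the commit message says the AppArmor use is abstracted to avoid future conflict. Please add the offset in the accessor, or note in the comment above it that the offset is applied by a later patch.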
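Review bot: lsm_task_alloc() is added to security/security.c (hunk at -515,6) with external linkage, but the lsm_hooks.h hunk only declares lsm_early_task(). Unless another file needs it, make it static; otherwise add the prototype beside lsm_inode_alloc(). In lsm_early_task() in the same hunk, panic("%s: task cred.\n", __func__) mentions cred although the function handles a task and does not say what went wrong; a message that names the NULL task would be clearer.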
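Review bot: security_task_free() (security/security.c, hunk at -1346,12) releases the blob with kfree(task->security), while the AppArmor code it replaces used kzfree(ctx) in aa_free_task_ctx(), so the task context is no longer zeroed before the memory returns to the allocator. If the scrubbing was intentional, use kzfree() here; if not, say so in the commit message. Also note that the error path in security_task_alloc() calls security_task_free(), so task_free hooks can run on a blob whose task_alloc hook did not complete, and aa_free_task_ctx() keeps a name and kernel-doc ("free a task_ctx") that no longer match what it does.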
Subject: [PATCH v5 35/38] SELinux: Abstract use of ipc security blobs To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <2b9fa6ed-c7b9-49a3-c4e2-957ef1d31243@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:54:31 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the ipc->security pointer directly. Don't use the msg_msg->security pointer directly. Provide helper functions that provide the security blob pointers. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- security/selinux/hooks.c | 18 +++++++++--------- security/selinux/include/objsec.h | 13 +++++++++++++ 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f0e7ac26f3a9..1e56b036018a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5889,7 +5889,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, struct common_audit_data ad; u32 sid = current_sid(); - isec = ipc_perms->security; + isec = selinux_ipc(ipc_perms); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = ipc_perms->key; 
@@ -5946,7 +5946,7 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) struct common_audit_data ad; u32 sid = current_sid(); - isec = msq->security; + isec = selinux_ipc(msq); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = msq->key; @@ -5995,8 +5995,8 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m u32 sid = current_sid(); int rc; - isec = msq->security; - msec = msg->security; + isec = selinux_ipc(msq); + msec = selinux_msg_msg(msg); /* * First time through, need to assign label to the message @@ -6043,8 +6043,8 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m u32 sid = task_sid(target); int rc; - isec = msq->security; - msec = msg->security; + isec = selinux_ipc(msq); + msec = selinux_msg_msg(msg); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = msq->key; @@ -6097,7 +6097,7 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) struct common_audit_data ad; u32 sid = current_sid(); - isec = shp->security; + isec = selinux_ipc(shp); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = shp->key; @@ -6194,7 +6194,7 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) struct common_audit_data ad; u32 sid = current_sid(); - isec = sma->security; + isec = selinux_ipc(sma); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = sma->key; @@ -6280,7 +6280,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) { - struct ipc_security_struct *isec = ipcp->security; + struct ipc_security_struct *isec = selinux_ipc(ipcp); *secid = isec->sid; } diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 562fad58c56b..539cacf4a572 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -26,6 +26,7 @@ #include #include #include +#include #include #include "flask.h" #include "avc.h" 
@@ -175,4 +176,16 @@ static inline struct inode_security_struct *selinux_inode( return inode->i_security + selinux_blob_sizes.lbs_inode; } +static inline struct msg_security_struct *selinux_msg_msg( + const struct msg_msg *msg_msg) +{ + return msg_msg->security; +} + +static inline struct ipc_security_struct *selinux_ipc( + const struct kern_ipc_perm *ipc) +{ + return ipc->security; +} + #endif /* _SELINUX_OBJSEC_H_ */ From patchwork Mon Nov 26 23:55:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699497 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4742817D5 for ; Mon, 26 Nov 2018 23:55:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 363E32A4FC for ; Mon, 26 Nov 2018 23:55:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2A8FC2A629; Mon, 26 Nov 2018 23:55:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BCFCA2A4FC for ; Mon, 26 Nov 2018 23:55:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727656AbeK0KvQ (ORCPT ); Tue, 27 Nov 2018 05:51:16 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:35984 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727950AbeK0KvQ (ORCPT ); Tue, 27 Nov 2018 05:51:16 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; 
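Review bot: every replacement in security/selinux/hooks.c is a read of ->security, and the nine changed lines in the diffstat are all accounted for by the hunks shown, so any code that allocates, assigns or frees the ipc and msg_msg blobs is not converted by this patch. The commit message says "Don't use the ipc->security pointer directly" without qualification; either convert those sites here or state that they are left for the infrastructure patch that follows. The new selinux_msg_msg() and selinux_ipc() helpers in objsec.h (hunk at -175,4) would also benefit from a one-line comment saying they are the intended way to reach these blobs.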
Subject: [PATCH v5 36/38] Smack: Abstract use of ipc security blobs To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: <36cc3a88-0982-2b42-be5d-1944fe954c30@schaufler-ca.com> Date: Mon, 26 Nov 2018 15:55:17 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Don't use the ipc->security pointer directly. Don't use the msg_msg->security pointer directly. Provide helper functions that provide the security blob pointers. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- security/smack/smack.h | 11 +++++++++++ security/smack/smack_lsm.c | 14 +++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index bf0abc35ca1c..0adddbeecc62 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h 
@@ -24,6 +24,7 @@ #include #include #include +#include /* * Use IPv6 port labeling if IPv6 is enabled and secmarks @@ -373,6 +374,16 @@ static inline struct inode_smack *smack_inode(const struct inode *inode) return inode->i_security + smack_blob_sizes.lbs_inode; } +static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg) +{ + return (struct smack_known **)&msg->security; +} + +static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc) +{ + return (struct smack_known **)&ipc->security; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9ff185af378a..ceda326a6e47 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2918,7 +2918,9 @@ static void smack_msg_msg_free_security(struct msg_msg *msg) */ static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) { - return (struct smack_known *)isp->security; + struct smack_known **blob = smack_ipc(isp); + + return *blob; } /** @@ -2929,9 +2931,9 @@ static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) */ static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) { - struct smack_known *skp = smk_of_current(); + struct smack_known **blob = smack_ipc(isp); - isp->security = skp; + *blob = smk_of_current(); return 0; } @@ -3243,7 +3245,8 @@ static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg */ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) { - struct smack_known *iskp = ipp->security; + struct smack_known **blob = smack_ipc(ipp); + struct smack_known *iskp = *blob; int may = smack_flags_to_may(flag); struct smk_audit_info ad; int rc; 
@@ -3264,7 +3267,8 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) */ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) { - struct smack_known *iskp = ipp->security; + struct smack_known **blob = smack_ipc(ipp); + struct smack_known *iskp = *blob; *secid = iskp->smk_secid; } From patchwork Mon Nov 26 23:56:02 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10699503 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 676B41869 for ; Mon, 26 Nov 2018 23:56:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5725C2A4FC for ; Mon, 26 Nov 2018 23:56:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4B20A2A629; Mon, 26 Nov 2018 23:56:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 552D52A563 for ; Mon, 26 Nov 2018 23:56:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727647AbeK0KwD (ORCPT ); Tue, 27 Nov 2018 05:52:03 -0500 Received: from sonic304-28.consmr.mail.ne1.yahoo.com ([66.163.191.154]:42288 "EHLO sonic304-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727690AbeK0KwD (ORCPT ); Tue, 27 Nov 2018 05:52:03 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276568; bh=NEVQq6fYLlth36xT/2dWjaLbh9KjtCaEpz5d/7QnsZU=; 
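Review bot: smack_msg_msg() and smack_ipc() in security/smack/smack.h (hunk at -373,6) take a const pointer but return (struct smack_known **)&msg->security and (struct smack_known **)&ipc->security, so the cast silently drops const and hands back a writable pointer into the object. smack_ipc_alloc_security() then stores through it with *blob = smk_of_current(). Either drop const from the helper parameters or provide a separate read-only accessor, so the prototype does not promise something the callers break.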
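Review bot: the security/smack/smack_lsm.c hunks only convert kern_ipc_perm users (smack_of_ipc(), smack_ipc_alloc_security(), smack_ipc_permission(), smack_ipc_getsecid()), and their nine insertions and five deletions account for the whole diffstat, so smack_msg_msg() is added without a caller and no msg_msg site is converted. The commit message says "Don't use the msg_msg->security pointer directly"; please convert the msg_msg hooks in this patch as well, or reword the message and introduce smack_msg_msg() in the patch that first uses it.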
h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=rPWebpJJImy8jpTqHF4PrdOrW7gocsi7A5HAYGEzE7u+Ti4SnAm6w1/YeiFVgv1Dm959wwROFYbgowVUMnBb8VwygwsxSnGkLNc0zv2OAxeTTTDQ4yWrEPWGJ4GW9lShpHaQPzJupBlwukrm1P4Jsvdb/o7pXVhgdPgzPDUneCP3gHZ/FYIs4k2+qSyo7Q8xCdeCUywyeazzDKjTT05W0tqsKeMf09ViNkh8dIe4ZQ1jdz2tqDAb3XnG1DJgJYllvMg+NrnNKRfD7YlMehxi2DFWPQvyAQiZDHVNrAT07/WpHoVzGFCY6trbNZkwOTiBSemSFhQ9FkjapleA8t8yHA== X-YMail-OSG: phw6D.8VM1l1lJFbAE270cfDqn57FYt.9v7by7pqjv4h1OOXj4JGVJDgz1itbyC xHD3TnS0fThH32fHFDRgwJ3EQdxFgsEpUzgoBA5RsYNKLa_3j5cXub9IuimP3afYxytY49EYLkSr xY5HU1hqqx5hNzShlixi7hC5vFXGtV3xDSIJwCRpqrjCUNJFbVjOvMDgpIgLulfqKCBfa8GWk6sA 6UtbrX5HR0b8qz3ANj07aSV0hXhsTj2kMTKRRUEPdm5pqq3AFTj62PSVo_rG_is6BDyZUTekyMjK PIjWFas.yJQO.jz3mX1UPtc78XLMaq9W5AMjpj_mCC52fz3Ek5HNw4frEtFN8.8Fz92BeXeStjbL 4PvNEgaPpwnmZWCZwZF5UG4K1Dk..x8gDgB2EN54wZ8AvVDUV2BxNx84QL_.a3ep8_iq6Vjf6jWZ 0zgzGG8dMQ0mVa62bbhy9xJt7A6rpdnc3WEydfhr6V0v_xEA_uAviT5iWStKheWITyW2.FIy6xiI l.m..T.Enwm92m8IQSoh1uGbTq78OaI7M2KKleVv2BlLL9Rj2NFolPlZMSgXXg9a4JqFTZ0o1GMA c85P5KyumT5Mg5uhOPRCaIuA63ovEL_O1d5efk.HnQU6C5_YFsTPmqUWn8yx._4CgPqKbJs511F. 
p7Y0JTjPp3_OUqQxc4AziMsdi6TwX9yiTsPkAhFCHhuF0quKorhkFfjPxQ4A4ja7R16Q5fC7Dpq_ 4wCeJVfzw5S45EqRPDnRu5heRyZGM0AWkvu_np.N5mMCEHw2ZEPWF_56vg1BU.OEwWjPGL5HLmuB XiSeXV4qnhAHlOnoSMrorCZax9kg0ChJyFTLcuj2oIdKljzL51GIc7JCZvQ8pBtVOOBtcrbuAf89 hSJWCk.RifpNoGB0EBHKM7cO_5NQ1WZigr3GLBLYVPwajlEkd7ihBvM9J8Rx6umOLHBMIoqJXqpe 7drUYX11AzV5Z6qv5_QGW0EXO80BMzUurcGd.2kEjTxS_7tS5QaMvEeBEfhxGVQDQb87BUwSmV3M 9uhCtvS8w9ND901d1.VArGjuxbH0hyPQAmqRfq3asv3iEmwQwOKTCTnaLfIb0PFmuoPWOCC.8aQ4 AX3YezrHUAP7QRZsQruRAIyvV4NDgvc0LI8z5JjtbT2s- Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:56:08 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp430.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 3abe28b9fe090cb57724518ae24986af; Mon, 26 Nov 2018 23:56:05 +0000 (UTC) Subject: [PATCH v5 37/38] LSM: Infrastructure management of the ipc security blob To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:56:02 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Move management of the kern_ipc_perm->security and msg_msg->security blobs out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. 
Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 2 + security/security.c | 91 ++++++++++++++++++++++++++++++++++-- security/selinux/hooks.c | 98 ++++++--------------------------------- security/selinux/include/objsec.h | 4 +- security/smack/smack.h | 4 +- security/smack/smack_lsm.c | 32 ++----------- 6 files changed, 110 insertions(+), 121 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 243c7c6e181d..f2cc950e6172 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2031,6 +2031,8 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_ipc; + int lbs_msg_msg; int lbs_task; }; diff --git a/security/security.c b/security/security.c index d3d3963d7914..60ae6b470a0b 100644 --- a/security/security.c +++ b/security/security.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #define MAX_LSM_EVM_XATTR 2 @@ -169,6 +170,8 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) if (needed->lbs_inode && blob_sizes.lbs_inode == 0) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); + lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); + lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); } @@ -293,6 +296,8 @@ static void __init ordered_lsm_init(void) init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); + init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); + init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("task blob size = %d\n", blob_sizes.lbs_task); /* 
@@ -538,6 +543,48 @@ int lsm_task_alloc(struct task_struct *task) return 0; } +/** + * lsm_ipc_alloc - allocate a composite ipc blob + * @kip: the ipc that needs a blob + * + * Allocate the ipc blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_ipc_alloc(struct kern_ipc_perm *kip) +{ + if (blob_sizes.lbs_ipc == 0) { + kip->security = NULL; + return 0; + } + + kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL); + if (kip->security == NULL) + return -ENOMEM; + return 0; +} + +/** + * lsm_msg_msg_alloc - allocate a composite msg_msg blob + * @mp: the msg_msg that needs a blob + * + * Allocate the ipc blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_msg_msg_alloc(struct msg_msg *mp) +{ + if (blob_sizes.lbs_msg_msg == 0) { + mp->security = NULL; + return 0; + } + + mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL); + if (mp->security == NULL) + return -ENOMEM; + return 0; +} + /** * lsm_early_task - during initialization allocate a composite task blob * @task: the task that needs a blob 
@@ -1618,22 +1665,40 @@ void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) int security_msg_msg_alloc(struct msg_msg *msg) { - return call_int_hook(msg_msg_alloc_security, 0, msg); + int rc = lsm_msg_msg_alloc(msg); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(msg_msg_alloc_security, 0, msg); + if (unlikely(rc)) + security_msg_msg_free(msg); + return rc; } void security_msg_msg_free(struct msg_msg *msg) { call_void_hook(msg_msg_free_security, msg); + kfree(msg->security); + msg->security = NULL; } int security_msg_queue_alloc(struct kern_ipc_perm *msq) { - return call_int_hook(msg_queue_alloc_security, 0, msq); + int rc = lsm_ipc_alloc(msq); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(msg_queue_alloc_security, 0, msq); + if (unlikely(rc)) + security_msg_queue_free(msq); + return rc; } void security_msg_queue_free(struct kern_ipc_perm *msq) { call_void_hook(msg_queue_free_security, msq); + kfree(msq->security); + msq->security = NULL; } int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) @@ -1660,12 +1725,21 @@ int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, int security_shm_alloc(struct kern_ipc_perm *shp) { - return call_int_hook(shm_alloc_security, 0, shp); + int rc = lsm_ipc_alloc(shp); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(shm_alloc_security, 0, shp); + if (unlikely(rc)) + security_shm_free(shp); + return rc; } void security_shm_free(struct kern_ipc_perm *shp) { call_void_hook(shm_free_security, shp); + kfree(shp->security); + shp->security = NULL; } int security_shm_associate(struct kern_ipc_perm *shp, int shmflg) 
@@ -1685,12 +1759,21 @@ int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmf int security_sem_alloc(struct kern_ipc_perm *sma) { - return call_int_hook(sem_alloc_security, 0, sma); + int rc = lsm_ipc_alloc(sma); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sem_alloc_security, 0, sma); + if (unlikely(rc)) + security_sem_free(sma); + return rc; } void security_sem_free(struct kern_ipc_perm *sma) { call_void_hook(sem_free_security, sma); + kfree(sma->security); + sma->security = NULL; } int security_sem_associate(struct kern_ipc_perm *sma, int semflg) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1e56b036018a..d4337aa7bb59 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5837,51 +5837,22 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) return selinux_nlmsg_perm(sk, skb); } -static int ipc_alloc_security(struct kern_ipc_perm *perm, - u16 sclass) +static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) { - struct ipc_security_struct *isec; - - isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); - if (!isec) - return -ENOMEM; - isec->sclass = sclass; isec->sid = current_sid(); - perm->security = isec; - - return 0; -} - -static void ipc_free_security(struct kern_ipc_perm *perm) -{ - struct ipc_security_struct *isec = perm->security; - perm->security = NULL; - kfree(isec); } static int msg_msg_alloc_security(struct msg_msg *msg) { struct msg_security_struct *msec; - msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); - if (!msec) - return -ENOMEM; - + msec = selinux_msg_msg(msg); msec->sid = SECINITSID_UNLABELED; - msg->security = msec; return 0; } -static void msg_msg_free_security(struct msg_msg *msg) -{ - struct msg_security_struct *msec = msg->security; - - msg->security = NULL; - kfree(msec); -} - static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, u32 perms) { 
@@ -5903,11 +5874,6 @@ static int selinux_msg_msg_alloc_security(struct msg_msg *msg) return msg_msg_alloc_security(msg); } -static void selinux_msg_msg_free_security(struct msg_msg *msg) -{ - msg_msg_free_security(msg); -} - /* message queue security operations */ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) { @@ -5916,11 +5882,8 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) u32 sid = current_sid(); int rc; - rc = ipc_alloc_security(msq, SECCLASS_MSGQ); - if (rc) - return rc; - - isec = msq->security; + isec = selinux_ipc(msq); + ipc_init_security(isec, SECCLASS_MSGQ); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = msq->key; @@ -5928,16 +5891,7 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) rc = avc_has_perm(&selinux_state, sid, isec->sid, SECCLASS_MSGQ, MSGQ__CREATE, &ad); - if (rc) { - ipc_free_security(msq); - return rc; - } - return 0; -} - -static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) -{ - ipc_free_security(msq); + return rc; } static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) @@ -6067,11 +6021,8 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) u32 sid = current_sid(); int rc; - rc = ipc_alloc_security(shp, SECCLASS_SHM); - if (rc) - return rc; - - isec = shp->security; + isec = selinux_ipc(shp); + ipc_init_security(isec, SECCLASS_SHM); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = shp->key; @@ -6079,16 +6030,7 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) rc = avc_has_perm(&selinux_state, sid, isec->sid, SECCLASS_SHM, SHM__CREATE, &ad); - if (rc) { - ipc_free_security(shp); - return rc; - } - return 0; -} - -static void selinux_shm_free_security(struct kern_ipc_perm *shp) -{ - ipc_free_security(shp); + return rc; } static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 
@@ -6164,11 +6106,8 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) u32 sid = current_sid(); int rc; - rc = ipc_alloc_security(sma, SECCLASS_SEM); - if (rc) - return rc; - - isec = sma->security; + isec = selinux_ipc(sma); + ipc_init_security(isec, SECCLASS_SEM); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = sma->key; @@ -6176,16 +6115,7 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) rc = avc_has_perm(&selinux_state, sid, isec->sid, SECCLASS_SEM, SEM__CREATE, &ad); - if (rc) { - ipc_free_security(sma); - return rc; - } - return 0; -} - -static void selinux_sem_free_security(struct kern_ipc_perm *sma) -{ - ipc_free_security(sma); + return rc; } static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) @@ -6818,6 +6748,8 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_security_struct), .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), + .lbs_ipc = sizeof(struct ipc_security_struct), + .lbs_msg_msg = sizeof(struct msg_security_struct), }; static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 
@@ -6928,24 +6860,20 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), - LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), LSM_HOOK_INIT(msg_queue_alloc_security, selinux_msg_queue_alloc_security), - LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), - LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), LSM_HOOK_INIT(shm_associate, selinux_shm_associate), LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), - LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), LSM_HOOK_INIT(sem_associate, selinux_sem_associate), LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), LSM_HOOK_INIT(sem_semop, selinux_sem_semop), diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 539cacf4a572..231262d8eac9 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -179,13 +179,13 @@ static inline struct inode_security_struct *selinux_inode( static inline struct msg_security_struct *selinux_msg_msg( const struct msg_msg *msg_msg) { - return msg_msg->security; + return msg_msg->security + selinux_blob_sizes.lbs_msg_msg; } static inline struct ipc_security_struct *selinux_ipc( const struct kern_ipc_perm *ipc) { - return ipc->security; + return ipc->security + selinux_blob_sizes.lbs_ipc; } #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/smack/smack.h b/security/smack/smack.h index 0adddbeecc62..9c7c95a5c497 100644 
--- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -376,12 +376,12 @@ static inline struct inode_smack *smack_inode(const struct inode *inode) static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg) { - return (struct smack_known **)&msg->security; + return msg->security + smack_blob_sizes.lbs_msg_msg; } static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc) { - return (struct smack_known **)&ipc->security; + return ipc->security + smack_blob_sizes.lbs_ipc; } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index ceda326a6e47..4dcdea45e785 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2893,23 +2893,12 @@ static int smack_flags_to_may(int flags) */ static int smack_msg_msg_alloc_security(struct msg_msg *msg) { - struct smack_known *skp = smk_of_current(); + struct smack_known **blob = smack_msg_msg(msg); - msg->security = skp; + *blob = smk_of_current(); return 0; } -/** - * smack_msg_msg_free_security - Clear the security blob for msg_msg - * @msg: the object - * - * Clears the blob pointer - */ -static void smack_msg_msg_free_security(struct msg_msg *msg) -{ - msg->security = NULL; -} - /** * smack_of_ipc - the smack pointer for the ipc * @isp: the object @@ -2937,17 +2926,6 @@ static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) return 0; } -/** - * smack_ipc_free_security - Clear the security blob for ipc - * @isp: the object - * - * Clears the blob pointer - */ -static void smack_ipc_free_security(struct kern_ipc_perm *isp) -{ - isp->security = NULL; -} - /** * smk_curacc_shm : check if current has access on shm * @isp : the object 
@@ -4589,6 +4567,8 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_smack), .lbs_file = sizeof(struct smack_known *), .lbs_inode = sizeof(struct inode_smack), + .lbs_ipc = sizeof(struct smack_known *), + .lbs_msg_msg = sizeof(struct smack_known *), }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 
@@ -4660,23 +4640,19 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), - LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), - LSM_HOOK_INIT(msg_queue_free_security, smack_ipc_free_security), LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), - LSM_HOOK_INIT(shm_free_security, smack_ipc_free_security), LSM_HOOK_INIT(shm_associate, smack_shm_associate), LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), - LSM_HOOK_INIT(sem_free_security, smack_ipc_free_security), LSM_HOOK_INIT(sem_associate, smack_sem_associate), LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), LSM_HOOK_INIT(sem_semop, smack_sem_semop),

From patchwork Mon Nov 26 23:57:01 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699507
Subject: [PATCH v5 38/38] TOMOYO: Update LSM flags to no longer be exclusive
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <02dd3038-09e8-34e8-ed57-8888788d17d2@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:57:01 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
Sender: owner-linux-security-module@vger.kernel.org

With blob sharing in place, TOMOYO is no longer an exclusive LSM, so it can operate separately now. Mark it as such.

Signed-off-by: Kees Cook
---
 security/tomoyo/tomoyo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9094cf41a247..066c0daf0efc 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -577,7 +577,7 @@ static int __init tomoyo_init(void) DEFINE_LSM(tomoyo) = { .name = "tomoyo", .enabled = &tomoyo_enabled, - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .blobs = &tomoyo_blob_sizes, .init = tomoyo_init, };
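
Review bot: in patch 37/38, security/security.c, the kernel-doc body of lsm_msg_msg_alloc() is copied from lsm_ipc_alloc() and still reads "Allocate the ipc blob for all the modules"; it should say msg_msg blob. Both new helpers are also defined without static, yet the only callers visible in this patch are the security_*_alloc() wrappers in the same file and the lsm_hooks.h hunk adds no prototype for them, so they should be static unless another patch in the series declares them.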
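
Review bot: in patch 37/38, security/security.c, the failure path added to security_msg_msg_alloc(), security_msg_queue_alloc(), security_shm_alloc() and security_sem_alloc() calls the matching security_*_free(), which runs call_void_hook() for every registered free hook, including modules whose alloc hook failed or was never reached. That works only because the blob comes from kzalloc() and a free hook therefore sees zero-filled state; the requirement that *_free_security hooks tolerate a zeroed or partly initialised blob should be written into the hook documentation in lsm_hooks.h, since this patch removes the SELinux and Smack free hooks and leaves no in-tree example of the expected behaviour.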
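
Review bot: in patch 37/38, selinux_ipc() and selinux_msg_msg() in objsec.h, and smack_ipc() and smack_msg_msg() in smack.h, add lbs_ipc or lbs_msg_msg to the ->security base while the same fields are initialised with sizeof(...) in selinux_blob_sizes and smack_blob_sizes. Read on its own, "ipc->security + selinux_blob_sizes.lbs_ipc" points past the module's structure; it is only correct if lsm_set_blob_size() rewrites the module's field into an offset during init. Please add a comment on struct lsm_blob_sizes or on these accessors saying so. The accessors also do pointer arithmetic on ->security with no NULL check, which depends on lsm_ipc_alloc() or lsm_msg_msg_alloc() having succeeded before any hook runs; that ordering deserves a line in the same comment.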
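
Review bot: in patch 38/38, dropping LSM_FLAG_EXCLUSIVE from .flags in DEFINE_LSM(tomoyo) is only safe if every blob TOMOYO touches is reached through the offsets in tomoyo_blob_sizes, and the changelog's "with blob sharing in place" does not name the patch in the series that made that conversion; please reference it in the commit message so the dependency is reviewable. The mail is sent From: Casey Schaufler but the body carries only "Signed-off-by: Kees Cook", so it also needs an in-body From: line for the author and the sender's own Signed-off-by.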