From patchwork Thu Jul 22 00:47:34 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12392581
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v28 01/25] LSM: Infrastructure management of the sock security Date: Wed, 21 Jul 2021 17:47:34 -0700 Message-Id: <20210722004758.12371-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 6 ++- security/apparmor/lsm.c | 38 ++++----------- security/security.c | 36 +++++++++++++- security/selinux/hooks.c | 78 +++++++++++++++---------------- security/selinux/include/objsec.h | 5 ++ security/selinux/netlabel.c | 23 ++++----- security/smack/smack.h | 5 ++ security/smack/smack_lsm.c | 66 ++++++++++++-------------- security/smack/smack_netfilter.c | 8 ++-- 10 files changed, 145 insertions(+), 121 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 5c4c5c0602cb..afd3b16875b0 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1588,6 +1588,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_sock; int lbs_superblock; int lbs_ipc; int lbs_msg_msg; 
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index aadb4b29fb66..fac8999ba7a3 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,7 +51,11 @@ struct aa_sk_ctx { struct aa_label *peer; }; -#define SK_CTX(X) ((X)->sk_security) +static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) +{ + return sk->sk_security + apparmor_blob_sizes.lbs_sock; +} + #define SOCK_ctx(X) SOCK_INODE(X)->i_security #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ struct lsm_network_audit NAME ## _net = { .sk = (SK), \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index f72406fe1bf2..4113516fb62e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -775,33 +775,15 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo return error; } -/** - * apparmor_sk_alloc_security - allocate and attach the sk_security field - */ -static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) -{ - struct aa_sk_ctx *ctx; - - ctx = kzalloc(sizeof(*ctx), flags); - if (!ctx) - return -ENOMEM; - - SK_CTX(sk) = ctx; - - return 0; -} - /** * apparmor_sk_free_security - free the sk_security field */ static void apparmor_sk_free_security(struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); - SK_CTX(sk) = NULL; aa_put_label(ctx->label); aa_put_label(ctx->peer); - kfree(ctx); } /** @@ -810,8 +792,8 @@ static void apparmor_sk_free_security(struct sock *sk) static void apparmor_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); - struct aa_sk_ctx *new = SK_CTX(newsk); + struct aa_sk_ctx *ctx = aa_sock(sk); + struct aa_sk_ctx *new = aa_sock(newsk); if (new->label) aa_put_label(new->label); 
@@ -867,7 +849,7 @@ static int apparmor_socket_post_create(struct socket *sock, int family, label = aa_get_current_label(); if (sock->sk) { - struct aa_sk_ctx *ctx = SK_CTX(sock->sk); + struct aa_sk_ctx *ctx = aa_sock(sock->sk); aa_put_label(ctx->label); ctx->label = aa_get_label(label); @@ -1052,7 +1034,7 @@ static int apparmor_socket_shutdown(struct socket *sock, int how) */ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!skb->secmark) return 0; @@ -1065,7 +1047,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) static struct aa_label *sk_peer_label(struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (ctx->peer) return ctx->peer; @@ -1149,7 +1131,7 @@ static int apparmor_socket_getpeersec_dgram(struct socket *sock, */ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!ctx->label) ctx->label = aa_get_current_label(); @@ -1159,7 +1141,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!skb->secmark) return 0; @@ -1176,6 +1158,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct aa_task_ctx *), .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), + .lbs_sock = sizeof(struct aa_sk_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 
@@ -1212,7 +1195,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), @@ -1764,7 +1746,7 @@ static unsigned int apparmor_ip_postroute(void *priv, if (sk == NULL) return NF_ACCEPT; - ctx = SK_CTX(sk); + ctx = aa_sock(sk); if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, skb->secmark, sk)) return NF_ACCEPT; diff --git a/security/security.c b/security/security.c index 09533cbb7221..335c313a668d 100644 --- a/security/security.c +++ b/security/security.c @@ -29,6 +29,7 @@ #include #include #include +#include #define MAX_LSM_EVM_XATTR 2 @@ -203,6 +204,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); } @@ -339,6 +341,7 @@ static void __init ordered_lsm_init(void) init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); 
@@ -658,6 +661,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp) return 0; } +/** + * lsm_sock_alloc - allocate a composite sock blob + * @sock: the sock that needs a blob + * @priority: allocation mode + * + * Allocate the sock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +{ + if (blob_sizes.lbs_sock == 0) { + sock->sk_security = NULL; + return 0; + } + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +} + /** * lsm_early_task - during initialization allocate a composite task blob * @task: the task that needs a blob @@ -2258,12 +2283,21 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { - return call_int_hook(sk_alloc_security, 0, sk, family, priority); + int rc = lsm_sock_alloc(sk, priority); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sk_alloc_security, 0, sk, family, priority); + if (unlikely(rc)) + security_sk_free(sk); + return rc; } void security_sk_free(struct sock *sk) { call_void_hook(sk_free_security, sk); + kfree(sk->sk_security); + sk->sk_security = NULL; } void security_sk_clone(const struct sock *sk, struct sock *newsk) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b0032c42333e..e2c4a1fd952f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4642,7 +4642,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec, static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; 
@@ -4699,7 +4699,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, isec->initialized = LABEL_INITIALIZED; if (sock->sk) { - sksec = sock->sk->sk_security; + sksec = selinux_sock(sock->sk); sksec->sclass = sclass; sksec->sid = sid; /* Allows detection of the first association on this socket */ @@ -4715,8 +4715,8 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct sk_security_struct *sksec_a = socka->sk->sk_security; - struct sk_security_struct *sksec_b = sockb->sk->sk_security; + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); sksec_a->peer_sid = sksec_b->sid; sksec_b->peer_sid = sksec_a->sid; @@ -4731,7 +4731,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family; int err; @@ -4866,7 +4866,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; err = sock_has_perm(sk, SOCKET__CONNECT); 
@@ -5045,9 +5045,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; + struct sk_security_struct *sksec_sock = selinux_sock(sock); + struct sk_security_struct *sksec_other = selinux_sock(other); + struct sk_security_struct *sksec_new = selinux_sock(newsk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; int err; @@ -5079,8 +5079,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; + struct sk_security_struct *ssec = selinux_sock(sock->sk); + struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -5122,7 +5122,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { int err = 0; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u32 sk_sid = sksec->sid; struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -5155,7 +5155,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { int err; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family = sk->sk_family; u32 sk_sid = sksec->sid; struct common_audit_data ad; 
@@ -5223,13 +5223,15 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) return err; } -static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) +static int selinux_socket_getpeersec_stream(struct socket *sock, + char __user *optval, + int __user *optlen, + unsigned int len) { int err = 0; char *scontext; u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sock->sk); u32 peer_sid = SECSID_NULL; if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || @@ -5289,34 +5291,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; + struct sk_security_struct *sksec = selinux_sock(sk); sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; return 0; } static void selinux_sk_free_security(struct sock *sk) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); - sk->sk_security = NULL; selinux_netlbl_sk_security_free(sksec); - kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = sksec->sid; newsksec->peer_sid = sksec->peer_sid; 
@@ -5330,7 +5325,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) if (!sk) *secid = SECINITSID_ANY_SOCKET; else { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); *secid = sksec->sid; } @@ -5340,7 +5335,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(parent)); - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || sk->sk_family == PF_UNIX) @@ -5355,7 +5350,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb) { - struct sk_security_struct *sksec = ep->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(ep->base.sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; u8 peerlbl_active; @@ -5506,8 +5501,8 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); /* If policy does not support SECCLASS_SCTP_SOCKET then call * the non-sctp clone version. @@ -5524,7 +5519,7 @@ static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; u16 family = req->rsk_ops->family; u32 connsid; 
@@ -5545,7 +5540,7 @@ static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = req->secid; newsksec->peer_sid = req->peer_secid; @@ -5562,7 +5557,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* handle mapped IPv4 packets arriving via IPv6 sockets */ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) @@ -5646,7 +5641,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { struct tun_security_struct *tunsec = security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it * isn't clear that we would want to do so anyway; while we could apply @@ -5790,7 +5785,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, return NF_ACCEPT; /* standard practice, label using the parent socket */ - sksec = sk->sk_security; + sksec = selinux_sock(sk); sid = sksec->sid; } else sid = SECINITSID_KERNEL; @@ -5829,7 +5824,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, if (sk == NULL) return NF_ACCEPT; - sksec = sk->sk_security; + sksec = selinux_sock(sk); ad.type = LSM_AUDIT_DATA_NET; ad.u.net = &net; 
@@ -5921,7 +5916,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, u32 skb_sid; struct sk_security_struct *sksec; - sksec = sk->sk_security; + sksec = selinux_sock(sk); if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP; /* At this point, if the returned skb peerlbl is SECSID_NULL @@ -5950,7 +5945,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, } else { /* Locally generated packet, fetch the security label from the * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); peer_sid = sksec->sid; secmark_perm = PACKET__SEND; } @@ -6015,7 +6010,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) unsigned int data_len = skb->len; unsigned char *data = skb->data; struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 sclass = sksec->sclass; u32 perm; @@ -7041,6 +7036,7 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 2953132408bf..007d1ae7ee27 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -194,4 +194,9 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +static inline struct sk_security_struct *selinux_sock(const struct sock *sock) +{ + return sock->sk_security + selinux_blob_sizes.lbs_sock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index abaab7683840..6a94b31b5472 100644 
--- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -67,7 +68,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (sksec->nlbl_secattr != NULL) @@ -100,7 +101,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( const struct sock *sk, u32 sid) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; if (secattr == NULL) @@ -235,7 +236,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, * being labeled by it's parent socket, if it is just exit */ sk = skb_to_full_sk(skb); if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB) return 0; @@ -273,7 +274,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, { int rc; struct netlbl_lsm_secattr secattr; - struct sk_security_struct *sksec = ep->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(ep->base.sk); struct sockaddr_in addr4; struct sockaddr_in6 addr6; @@ -352,7 +353,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) */ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (family == PF_INET) sksec->nlbl_state = NLBL_LABELED; 
@@ -370,8 +371,8 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) */ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->nlbl_state = sksec->nlbl_state; } @@ -389,7 +390,7 @@ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (family != PF_INET && family != PF_INET6) @@ -504,7 +505,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, { int rc = 0; struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr secattr; if (selinux_netlbl_option(level, optname) && @@ -542,7 +543,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, struct sockaddr *addr) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; /* connected sockets are allowed to disconnect when the address family @@ -581,7 +582,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, int selinux_netlbl_socket_connect_locked(struct sock *sk, struct sockaddr *addr) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB && sksec->nlbl_state != NLBL_CONNLABELED) diff --git a/security/smack/smack.h b/security/smack/smack.h index c3cfbdf4944a..b5bdf947792f 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h 
@@ -363,6 +363,11 @@ static inline struct superblock_smack *smack_superblock( return superblock->s_security + smack_blob_sizes.lbs_superblock; } +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security + smack_blob_sizes.lbs_sock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 223a6da0e6dc..1ee0bf1493f6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1429,7 +1429,7 @@ static int smack_inode_getsecurity(struct user_namespace *mnt_userns, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1811,7 +1811,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the @@ -2232,11 +2232,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) { struct smack_known *skp = smk_of_current(); - struct socket_smack *ssp; - - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); - if (ssp == NULL) - return -ENOMEM; + struct socket_smack *ssp = smack_sock(sk); /* * Sockets created by kernel threads receive web label. @@ -2250,11 +2246,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) } ssp->smk_packet = NULL; - sk->sk_security = ssp; - return 0; } +#ifdef SMACK_IPV6_PORT_LABELING /** * smack_sk_free_security - Free a socket blob * @sk: the socket 
@@ -2263,7 +2258,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { -#ifdef SMACK_IPV6_PORT_LABELING struct smk_port_label *spp; if (sk->sk_family == PF_INET6) { @@ -2276,9 +2270,8 @@ static void smack_sk_free_security(struct sock *sk) } rcu_read_unlock(); } -#endif - kfree(sk->sk_security); } +#endif /** * smack_ipv4host_label - check host based restrictions @@ -2391,7 +2384,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) */ static int smack_netlbl_add(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = ssp->smk_out; int rc; @@ -2423,7 +2416,7 @@ static int smack_netlbl_add(struct sock *sk) */ static void smack_netlbl_delete(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); /* * Take the label off the socket if one is set. @@ -2455,7 +2448,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) struct smack_known *skp; int rc = 0; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2528,7 +2521,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2617,7 +2610,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; 
@@ -2710,7 +2703,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2758,7 +2751,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } @@ -2783,8 +2776,8 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct socket_smack *asp = socka->sk->sk_security; - struct socket_smack *bsp = sockb->sk->sk_security; + struct socket_smack *asp = smack_sock(socka->sk); + struct socket_smack *bsp = smack_sock(sockb->sk); asp->smk_packet = bsp->smk_out; bsp->smk_packet = asp->smk_out; @@ -2847,7 +2840,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) rsp = smack_ipv6host_label(sip); if (rsp != NULL) { - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); rc = smk_ipv6_check(ssp->smk_out, rsp, sip, SMK_CONNECTING); @@ -3575,9 +3568,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT 
@@ -3623,8 +3616,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; @@ -3661,7 +3654,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -3873,7 +3866,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, netlbl_secattr_init(&secattr); if (sk) - ssp = sk->sk_security; + ssp = smack_sock(sk); if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { skp = smack_from_secattr(&secattr, ssp); @@ -3895,7 +3888,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, */ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -3999,7 +3992,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, int slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; @@ -4048,7 +4041,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: 
@@ -4097,7 +4090,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ @@ -4117,7 +4110,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct sockaddr_in addr; struct iphdr *hdr; struct smack_known *hskp; @@ -4203,7 +4196,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -4697,6 +4690,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), }; @@ -4807,7 +4801,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), +#ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), +#endif LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index fc7399b45373..635e2339579e 100644 --- a/security/smack/smack_netfilter.c 
+++ b/security/smack/smack_netfilter.c @@ -28,8 +28,8 @@ static unsigned int smack_ipv6_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } 
@@ -46,8 +46,8 @@ static unsigned int smack_ipv4_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; }
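Review bot: the new smack_sock() helper in smack.h names its parameter `sock` although it is a `struct sock *`, while every caller in smack_lsm.c uses `sock` for `struct socket *` and passes `sock->sk` or `sk` here; renaming the parameter to `sk` avoids the mismatch. The helper also does arithmetic on the `void *` `sk_security` and returns a non-const pointer from a const argument; that matches the existing smack_cred()/smack_inode() helpers in the same header, but a one-line comment saying the blob lives at offset `smack_blob_sizes.lbs_sock` inside the infrastructure-allocated sock blob would help the next reader.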
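Review bot: smack_sk_alloc_security() no longer allocates anything and can no longer fail, yet it keeps the `int` return and still clears `ssp->smk_packet`; after `struct socket_smack *ssp = smack_sock(sk);` the function silently depends on the infrastructure having allocated and zeroed the sock blob before the hook runs, and nothing in this file says so. Add a comment there stating that allocation and release have moved to the LSM infrastructure, which is also why `kfree(sk->sk_security)` disappears from smack_sk_free_security() and the sk_free_security hook is now registered only under SMACK_IPV6_PORT_LABELING.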
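Review bot: in smack_ipv6_output() and smack_ipv4_output() the guard `if (sk && sk->sk_security)` becomes `if (sk && smack_sock(sk))`, but smack_sock() returns `sk->sk_security + smack_blob_sizes.lbs_sock`, so whenever Smack's offset into the sock blob is non-zero the result is non-NULL even when `sk_security` is NULL, and the following `ssp->smk_out` dereferences a bogus pointer. Keep `sk && sk->sk_security` as the test and use `smack_sock(sk)` only for the assignment `ssp = smack_sock(sk);`.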
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH v28 02/25] LSM: Add the lsmblob data structure.
Date: Wed, 21 Jul 2021 17:47:35 -0700
Message-Id: <20210722004758.12371-3-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

When more than one security module is exporting data to audit and networking sub-systems a single 32 bit integer is no longer sufficient to represent the data. Add a structure to be used instead.

The lsmblob structure is currently an array of u32 "secids". There is an entry for each of the security modules built into the system that would use secids if active. The system assigns the module a "slot" when it registers hooks. If modules are compiled in but not registered there will be unused slots.

A new lsm_id structure, which contains the name of the LSM and its slot number, is created. There is an instance for each LSM, which assigns the name and passes it to the infrastructure to set the slot.

The audit rules data is expanded to use an array of security module data rather than a single instance. Because IMA uses the audit rule functions it is affected as well.

Acked-by: Stephen Smalley
Acked-by: Paul Moore
Acked-by: John Johansen
Signed-off-by: Casey Schaufler
Cc:
Cc: linux-audit@redhat.com
Cc: linux-security-module@vger.kernel.org
Cc: selinux@vger.kernel.org
To: Mimi Zohar
To: Mickaël Salaün
---
 include/linux/audit.h | 4 +-
 include/linux/lsm_hooks.h | 12 ++++-
 include/linux/security.h | 67 ++++++++++++++++++++++++--
 kernel/auditfilter.c | 24 +++++----
 kernel/auditsc.c | 13 +++--
 security/apparmor/lsm.c | 7 ++-
 security/bpf/hooks.c | 12 ++++-
 security/commoncap.c | 7 ++-
 security/integrity/ima/ima_policy.c | 40 +++++++++++-----
 security/landlock/cred.c | 2 +-
 security/landlock/fs.c | 2 +-
 security/landlock/ptrace.c | 2 +-
 security/landlock/setup.c | 5 ++
 security/landlock/setup.h | 1 +
 security/loadpin/loadpin.c | 8 +++-
 security/lockdown/lockdown.c | 7 ++-
 security/safesetid/lsm.c | 8 +++-
 security/security.c | 74 ++++++++++++++++++++++++-----
 security/selinux/hooks.c | 8 +++-
 security/smack/smack_lsm.c | 7 ++-
 security/tomoyo/tomoyo.c | 8 +++-
 security/yama/yama_lsm.c | 7 ++-
 22 files changed, 265 insertions(+), 60 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 82b7c1116a85..418a485af114 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -11,6 +11,7 @@ #include #include +#include #include #include @@ -65,8 +66,9 @@ struct audit_field { kuid_t uid; kgid_t gid; struct { + bool lsm_isset; char *lsm_str; - void *lsm_rule; + void *lsm_rules[LSMBLOB_ENTRIES]; }; }; u32 op; diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index afd3b16875b0..c61a16f0a5bc 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1570,6 +1570,14 @@ struct security_hook_heads { #undef LSM_HOOK } __randomize_layout; +/* + * Information that identifies a security module. + */ +struct lsm_id { + const char *lsm; /* Name of the LSM */ + int slot; /* Slot in lsmblob if one is allocated */ +}; + /* * Security module hook list structure. * For use with generic list macros for common operations.
@@ -1578,7 +1586,7 @@ struct security_hook_list { struct hlist_node list; struct hlist_head *head; union security_list_options hook; - char *lsm; + struct lsm_id *lsmid; } __randomize_layout; /* @@ -1614,7 +1622,7 @@ extern struct security_hook_heads security_hook_heads; extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, - char *lsm); + struct lsm_id *lsmid); #define LSM_FLAG_LEGACY_MAJOR BIT(0) #define LSM_FLAG_EXCLUSIVE BIT(1) diff --git a/include/linux/security.h b/include/linux/security.h index 24eda04221e9..7655bfce4b96 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -133,6 +133,65 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * Data exported by the security modules + * + * Any LSM that provides secid or secctx based hooks must be included. + */ +#define LSMBLOB_ENTRIES ( \ + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0)) + +struct lsmblob { + u32 secid[LSMBLOB_ENTRIES]; +}; + +#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */ +#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ +#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */ + +/** + * lsmblob_init - initialize an lsmblob structure + * @blob: Pointer to the data to initialize + * @secid: The initial secid value + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob, u32 secid) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + blob->secid[i] = secid; +} + +/** + * lsmblob_is_set - report if there is an value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a secid set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + +/** + * lsmblob_equal - report if the two lsmblob's are equal + * @bloba: Pointer to one LSM data + * @blobb: Pointer to the other LSM data + * + * Returns true if all entries in the two are equal, false otherwise + */ +static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) +{ + return !memcmp(bloba, blobb, sizeof(*bloba)); +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); 
@@ -1881,8 +1940,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); -void security_audit_rule_free(void *lsmrule); +int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule); +void security_audit_rule_free(void **lsmrule); #else @@ -1898,12 +1957,12 @@ static inline int security_audit_rule_known(struct audit_krule *krule) } static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) + void **lsmrule) { return 0; } -static inline void security_audit_rule_free(void *lsmrule) +static inline void security_audit_rule_free(void **lsmrule) { } #endif /* CONFIG_SECURITY */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index db2c6b59dfc3..a2340e81cfa7 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -74,7 +74,7 @@ static void audit_free_lsm_field(struct audit_field *f) case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: kfree(f->lsm_str); - security_audit_rule_free(f->lsm_rule); + security_audit_rule_free(f->lsm_rules); } } @@ -519,9 +519,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, goto exit_free; } entry->rule.buflen += f_val; + f->lsm_isset = true; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + f->lsm_rules); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { 
@@ -774,7 +775,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) return 0; } -/* Duplicate LSM field information. The lsm_rule is opaque, so must be +/* Duplicate LSM field information. The lsm_rules is opaque, so must be * re-initialized. */ static inline int audit_dupe_lsm_field(struct audit_field *df, struct audit_field *sf) @@ -788,9 +789,9 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, return -ENOMEM; df->lsm_str = lsm_str; - /* our own (refreshed) copy of lsm_rule */ + /* our own (refreshed) copy of lsm_rules */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + df->lsm_rules); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { @@ -842,7 +843,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) new->tree = old->tree; memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); - /* deep copy this information, updating the lsm_rule fields, because + /* deep copy this information, updating the lsm_rules fields, because * the originals will all be freed when the old rule is freed. */ for (i = 0; i < fcount; i++) { switch (new->fields[i].type) { @@ -1358,11 +1359,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: - if (f->lsm_rule) { + if (f->lsm_isset) { security_task_getsecid_subj(current, &sid); result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + f->type, f->op, + f->lsm_rules); } break; case AUDIT_EXE: @@ -1389,7 +1391,7 @@ int audit_filter(int msgtype, unsigned int listtype) return ret; } -static int update_lsm_rule(struct audit_krule *r) +static int update_lsm_rules(struct audit_krule *r) { struct audit_entry *entry = container_of(r, struct audit_entry, rule); struct audit_entry *nentry; 
@@ -1421,7 +1423,7 @@ static int update_lsm_rule(struct audit_krule *r) return err; } -/* This function will re-initialize the lsm_rule field of all applicable rules. +/* This function will re-initialize the lsm_rules field of all applicable rules. * It will traverse the filter lists serarching for rules that contain LSM * specific filter fields. When such a rule is found, it is copied, the * LSM field is re-initialized, and the old rule is replaced with the @@ -1436,7 +1438,7 @@ int audit_update_lsm_rules(void) for (i = 0; i < AUDIT_NR_FILTERS; i++) { list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { - int res = update_lsm_rule(r); + int res = update_lsm_rules(r); if (!err) err = res; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8dd73a64f921..acbd896f54a5 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -671,14 +671,13 @@ static int audit_filter_rules(struct task_struct *tsk, match for now to avoid losing information that may be wanted. An error message will also be logged upon error */ - if (f->lsm_rule) { + if (f->lsm_isset) { if (need_sid) { security_task_getsecid_subj(tsk, &sid); need_sid = 0; } result = security_audit_rule_match(sid, f->type, - f->op, - f->lsm_rule); + f->op, f->lsm_rules); } break; case AUDIT_OBJ_USER: @@ -688,21 +687,21 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_OBJ_LEV_HIGH: /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR also applies here */ - if (f->lsm_rule) { + if (f->lsm_isset) { /* Find files that match */ if (name) { result = security_audit_rule_match( name->osid, f->type, f->op, - f->lsm_rule); + f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { if (security_audit_rule_match( n->osid, f->type, f->op, - f->lsm_rule)) { + f->lsm_rules)) { ++result; break; } 
@@ -713,7 +712,7 @@ static int audit_filter_rules(struct task_struct *tsk, break; if (security_audit_rule_match(ctx->ipc.osid, f->type, f->op, - f->lsm_rule)) + f->lsm_rules)) ++result; } break; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4113516fb62e..392e25940d1f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1161,6 +1161,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_sock = sizeof(struct aa_sk_ctx), }; +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { + .lsm = "apparmor", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), @@ -1862,7 +1867,7 @@ static int __init apparmor_init(void) goto buffers_out; } security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), - "apparmor"); + &apparmor_lsmid); /* Report that AppArmor successfully initialized */ apparmor_initialized = 1; diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index e5971fa74fd7..7a58fe9ab8c4 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -15,9 +15,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_free, bpf_task_storage_free), }; +/* + * slot has to be LSMBLOB_NEEDED because some of the hooks + * supplied by this module require a slot. + */ +struct lsm_id bpf_lsmid __lsm_ro_after_init = { + .lsm = "bpf", + .slot = LSMBLOB_NEEDED +}; + static int __init bpf_lsm_init(void) { - security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf"); + security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), + &bpf_lsmid); pr_info("LSM support for eBPF active\n"); return 0; } diff --git a/security/commoncap.c b/security/commoncap.c index 3f810d37b71b..628685cf20e3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c 
@@ -1443,6 +1443,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot, #ifdef CONFIG_SECURITY +static struct lsm_id capability_lsmid __lsm_ro_after_init = { + .lsm = "capability", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(capable, cap_capable), LSM_HOOK_INIT(settime, cap_settime), @@ -1467,7 +1472,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), - "capability"); + &capability_lsmid); return 0; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fd5d46e511f1..5c40677e881c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -80,7 +80,7 @@ struct ima_rule_entry { bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ int pcr; struct { - void *rule; /* LSM file metadata specific */ + void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */ char *args_p; /* audit value */ int type; /* audit type */ } lsm[MAX_LSM_RULES]; @@ -90,6 +90,22 @@ struct ima_rule_entry { struct ima_template_desc *template; }; +/** + * ima_lsm_isset - Is a rule set for any of the active security modules + * @rules: The set of IMA rules to check + * + * If a rule is set for any LSM return true, otherwise return false. + */ +static inline bool ima_lsm_isset(void *rules[]) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + if (rules[i]) + return true; + return false; +} + /* * Without LSM specific knowledge, the default policy can only be * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 
@@ -335,9 +351,11 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) static void ima_lsm_free_rule(struct ima_rule_entry *entry) { int i; + int r; for (i = 0; i < MAX_LSM_RULES; i++) { - ima_filter_rule_free(entry->lsm[i].rule); + for (r = 0; r < LSMBLOB_ENTRIES; r++) + ima_filter_rule_free(entry->lsm[i].rules[r]); kfree(entry->lsm[i].args_p); } } @@ -388,8 +406,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); - if (!nentry->lsm[i].rule) + &nentry->lsm[i].rules[0]); + if (!ima_lsm_isset(nentry->lsm[i].rules)) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); } @@ -578,7 +596,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, int rc = 0; u32 osid; - if (!rule->lsm[i].rule) { + if (!ima_lsm_isset(rule->lsm[i].rules)) { if (!rule->lsm[i].args_p) continue; else @@ -591,14 +609,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule, security_inode_getsecid(inode, &osid); rc = ima_filter_rule_match(osid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rule); + rule->lsm[i].rules); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: rc = ima_filter_rule_match(secid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rule); + rule->lsm[i].rules); break; default: break; @@ -994,7 +1012,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, { int result; - if (entry->lsm[lsm_rule].rule) + if (ima_lsm_isset(entry->lsm[lsm_rule].rules)) return -EINVAL; entry->lsm[lsm_rule].args_p = match_strdup(args); 
@@ -1004,8 +1022,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); - if (!entry->lsm[lsm_rule].rule) { + &entry->lsm[lsm_rule].rules[0]); + if (!ima_lsm_isset(entry->lsm[lsm_rule].rules)) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); @@ -1812,7 +1830,7 @@ int ima_policy_show(struct seq_file *m, void *v) } for (i = 0; i < MAX_LSM_RULES; i++) { - if (entry->lsm[i].rule) { + if (ima_lsm_isset(entry->lsm[i].rules)) { switch (i) { case LSM_OBJ_USER: seq_printf(m, pt(Opt_obj_user), diff --git a/security/landlock/cred.c b/security/landlock/cred.c index 6725af24c684..56b121d65436 100644 --- a/security/landlock/cred.c +++ b/security/landlock/cred.c @@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_cred_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 97b8e421f617..319e90e9290c 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -688,5 +688,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_fs_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c index f55b82446de2..54ccf55a077a 100644 --- a/security/landlock/ptrace.c +++ b/security/landlock/ptrace.c @@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_ptrace_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } 
diff --git a/security/landlock/setup.c b/security/landlock/setup.c index f8e8e980454c..759e00b9436c 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -23,6 +23,11 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct landlock_superblock_security), }; +struct lsm_id landlock_lsmid __lsm_ro_after_init = { + .lsm = LANDLOCK_NAME, + .slot = LSMBLOB_NOT_NEEDED, +}; + static int __init landlock_init(void) { landlock_add_cred_hooks(); diff --git a/security/landlock/setup.h b/security/landlock/setup.h index 1daffab1ab4b..38bce5b172dc 100644 --- a/security/landlock/setup.h +++ b/security/landlock/setup.h @@ -14,5 +14,6 @@ extern bool landlock_initialized; extern struct lsm_blob_sizes landlock_blob_sizes; +extern struct lsm_id landlock_lsmid; #endif /* _SECURITY_LANDLOCK_SETUP_H */ diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index b12f7d986b1e..b569f3bc170b 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -192,6 +192,11 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents) return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents); } +static struct lsm_id loadpin_lsmid __lsm_ro_after_init = { + .lsm = "loadpin", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), @@ -239,7 +244,8 @@ static int __init loadpin_init(void) pr_info("ready to pin (currently %senforcing)\n", enforce ? "" : "not "); parse_exclude(); - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), + &loadpin_lsmid); return 0; } diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 87cbdc64d272..4e24ea3f7b7e 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -75,6 +75,11 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), }; +static struct lsm_id lockdown_lsmid __lsm_ro_after_init = { + .lsm = "lockdown", + .slot = LSMBLOB_NOT_NEEDED +}; + static int __init lockdown_lsm_init(void) { #if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) @@ -83,7 +88,7 @@ static int __init lockdown_lsm_init(void) lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); #endif security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), - "lockdown"); + &lockdown_lsmid); return 0; } diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 963f4ad9cb66..0c368950dc14 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -241,6 +241,11 @@ static int safesetid_task_fix_setgid(struct cred *new, return -EACCES; } +static struct lsm_id safesetid_lsmid __lsm_ro_after_init = { + .lsm = "safesetid", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list safesetid_security_hooks[] = { LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid), LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid), @@ -250,7 +255,8 @@ static struct security_hook_list safesetid_security_hooks[] = { static int __init safesetid_security_init(void) { security_add_hooks(safesetid_security_hooks, - ARRAY_SIZE(safesetid_security_hooks), "safesetid"); + ARRAY_SIZE(safesetid_security_hooks), + &safesetid_lsmid); /* Report that SafeSetID successfully initialized */ safesetid_initialized = 1; diff --git a/security/security.c b/security/security.c index 335c313a668d..5f1b281511f2 100644 --- a/security/security.c +++ b/security/security.c 
@@ -344,6 +344,7 @@ static void __init ordered_lsm_init(void) init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("lsmblob size = %zu\n", sizeof(struct lsmblob)); /* * Create any kmem_caches needed for blobs @@ -471,21 +472,38 @@ static int lsm_append(const char *new, char **result) return 0; } +/* + * Current index to use while initializing the lsmblob secid list. + */ +static int lsm_slot __lsm_ro_after_init; + /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add * @count: the number of hooks to add - * @lsm: the name of the security module + * @lsmid: the identification information for the security module * * Each LSM has to register its hooks with the infrastructure. + * If the LSM is using hooks that export secids allocate a slot + * for it in the lsmblob. */ void __init security_add_hooks(struct security_hook_list *hooks, int count, - char *lsm) + struct lsm_id *lsmid) { int i; + WARN_ON(!lsmid->slot || !lsmid->lsm); + + if (lsmid->slot == LSMBLOB_NEEDED) { + if (lsm_slot >= LSMBLOB_ENTRIES) + panic("%s Too many LSMs registered.\n", __func__); + lsmid->slot = lsm_slot++; + init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, + lsmid->slot); + } + for (i = 0; i < count; i++) { - hooks[i].lsm = lsm; + hooks[i].lsmid = lsmid; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } @@ -494,7 +512,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, * and fix this up afterwards. */ if (slab_is_available()) { - if (lsm_append(lsm, &lsm_names) < 0) + if (lsm_append(lsmid->lsm, &lsm_names) < 0) panic("%s - Cannot get early memory.\n", __func__); } } 
@@ -2070,7 +2088,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.getprocattr(p, name, value); } @@ -2083,7 +2101,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.setprocattr(name, value, size); } @@ -2576,7 +2594,24 @@ int security_key_getsecurity(struct key *key, char **_buffer) int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); + struct security_hook_list *hp; + bool one_is_good = false; + int rc = 0; + int trc; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_init, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + trc = hp->hook.audit_rule_init(field, op, rulestr, + &lsmrule[hp->lsmid->slot]); + if (trc == 0) + one_is_good = true; + else + rc = trc; + } + if (one_is_good) + return 0; + return rc; } int security_audit_rule_known(struct audit_krule *krule) 
@@ -2584,14 +2619,31 @@ int security_audit_rule_known(struct audit_krule *krule) return call_int_hook(audit_rule_known, 0, krule); } -void security_audit_rule_free(void *lsmrule) +void security_audit_rule_free(void **lsmrule) { - call_void_hook(audit_rule_free, lsmrule); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_free, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.audit_rule_free(lsmrule[hp->lsmid->slot]); + } } -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.audit_rule_match(secid, field, op, + &lsmrule[hp->lsmid->slot]); + if (rc) + return rc; + } + return 0; } #endif /* CONFIG_AUDIT */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e2c4a1fd952f..f84b6c274a10 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7101,6 +7101,11 @@ static int selinux_perf_event_write(struct perf_event *event) } #endif +static struct lsm_id selinux_lsmid __lsm_ro_after_init = { + .lsm = "selinux", + .slot = LSMBLOB_NEEDED +}; + /* * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: * 1. any hooks that don't belong to (2.) or (3.) below, @@ -7414,7 +7419,8 @@ static __init int selinux_init(void) hashtab_cache_init(); - security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), + &selinux_lsmid); if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1ee0bf1493f6..5c10ad27be37 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4694,6 +4694,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; +static struct lsm_id smack_lsmid __lsm_ro_after_init = { + .lsm = "smack", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), @@ -4893,7 +4898,7 @@ static __init int smack_init(void) /* * Register with LSM */ - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); smack_enabled = 1; pr_info("Smack: Initializing.\n"); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index b6a31901f289..e8f6bb9782c1 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -521,6 +521,11 @@ static void tomoyo_task_free(struct task_struct *task) } } +static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = { + .lsm = "tomoyo", + .slot = LSMBLOB_NOT_NEEDED +}; + /* * tomoyo_security_ops is a "struct security_operations" which is used for * registering TOMOYO. @@ -573,7 +578,8 @@ static int __init tomoyo_init(void) struct tomoyo_task *s = tomoyo_task(current); /* register ourselves with the security framework */ - security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); + security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), + &tomoyo_lsmid); pr_info("TOMOYO Linux initialized\n"); s->domain_info = &tomoyo_kernel_domain; atomic_inc(&tomoyo_kernel_domain.users); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 06e226166aab..a9639ea541f7 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c 
@@ -421,6 +421,11 @@ static int yama_ptrace_traceme(struct task_struct *parent) return rc; } +static struct lsm_id yama_lsmid __lsm_ro_after_init = { + .lsm = "yama", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list yama_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme), 
@@ -477,7 +482,7 @@ static inline void yama_init_sysctl(void) { } static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); - security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); + security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid); yama_init_sysctl(); return 0; } From patchwork Thu Jul 22 00:47:36 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392585
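Review bot: in the security_add_hooks() hunk of security/security.c (02/25), `WARN_ON(!lsmid->slot || !lsmid->lsm)` only catches a zero-initialised slot and then registers the hooks anyway; a stale value that is neither LSMBLOB_NEEDED nor LSMBLOB_NOT_NEEDED passes through unchanged and is later used as an index by the audit_rule_* loops. Consider checking `lsmid->slot != LSMBLOB_NEEDED && lsmid->slot != LSMBLOB_NOT_NEEDED` and refusing to register (panic, as the "Too many LSMs registered" path already does) instead of warning and continuing.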
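Review bot: security_audit_rule_init() (02/25) returns 0 as soon as one LSM accepts the rule (`one_is_good`), so a "successful" call can leave some `lsmrule[slot]` entries untouched; nothing in the loop zeroes the array, so the later free/match loops depend on the caller having passed a zeroed array of LSMBLOB_ENTRIES entries. Please say so in the kernel-doc for @lsmrule, or clear `lsmrule[hp->lsmid->slot]` whenever `trc` is non-zero.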
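Review bot: the level of indirection differs between the two loops in the security_audit_rule_free()/security_audit_rule_match() hunk (02/25): free passes `lsmrule[hp->lsmid->slot]` (the rule) while match passes `&lsmrule[hp->lsmid->slot]` (a `void **`), whereas the removed `call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule)` handed the hook the rule itself. Unless the audit_rule_match hook prototype is changed to `void **` elsewhere in the series, each LSM will treat a pointer-to-pointer as its rule structure; match should pass `lsmrule[hp->lsmid->slot]` the way free does. Neither loop skips a NULL slot entry either, so every LSM's free and match handlers must tolerate NULL; a `continue` on NULL here would make that explicit.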
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v28 03/25] LSM: provide lsm name and id slot mappings Date: Wed, 21 Jul 2021 17:47:36 -0700 Message-Id: <20210722004758.12371-4-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Provide interfaces to map LSM slot numbers and LSM names. Update the LSM registration code to save this information. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- include/linux/security.h | 4 ++++ security/security.c | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 7655bfce4b96..b641b5b96860 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -192,6 +192,10 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) return !memcmp(bloba, blobb, sizeof(*bloba)); } +/* Map lsm names to blob slot numbers */ +extern int lsm_name_to_slot(char *name); +extern const char *lsm_slot_to_name(int slot); + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); diff --git a/security/security.c b/security/security.c index 5f1b281511f2..3da6cb8f9d76 100644 --- a/security/security.c +++ b/security/security.c 
@@ -476,6 +476,50 @@ static int lsm_append(const char *new, char **result) * Current index to use while initializing the lsmblob secid list. */ static int lsm_slot __lsm_ro_after_init; +static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; + +/** + * lsm_name_to_slot - Report the slot number for a security module + * @name: name of the security module + * + * Look up the slot number for the named security module. + * Returns the slot number or LSMBLOB_INVALID if @name is not + * a registered security module name. + */ +int lsm_name_to_slot(char *name) +{ + int i; + + for (i = 0; i < lsm_slot; i++) + if (strcmp(lsm_slotlist[i]->lsm, name) == 0) + return i; + + return LSMBLOB_INVALID; +} + +/** + * lsm_slot_to_name - Get the name of the security module in a slot + * @slot: index into the interface LSM slot list. + * + * Provide the name of the security module associated with + * a interface LSM slot. + * + * If @slot is LSMBLOB_INVALID return the value + * for slot 0 if it has been set, otherwise NULL. + * + * Returns a pointer to the name string or NULL. + */ +const char *lsm_slot_to_name(int slot) +{ + if (slot == LSMBLOB_INVALID) + slot = 0; + else if (slot >= LSMBLOB_ENTRIES || slot < 0) + return NULL; + + if (lsm_slotlist[slot] == NULL) + return NULL; + return lsm_slotlist[slot]->lsm; +} /** * security_add_hooks - Add a modules hooks to the hook lists. 
@@ -497,6 +541,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsmid->slot == LSMBLOB_NEEDED) { if (lsm_slot >= LSMBLOB_ENTRIES) panic("%s Too many LSMs registered.\n", __func__); + lsm_slotlist[lsm_slot] = lsmid; lsmid->slot = lsm_slot++; init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, lsmid->slot); From patchwork Thu Jul 22 00:47:37 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392587
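Review bot: in the security/security.c hunk of 03/25, `lsm_name_to_slot(char *name)` only reads @name through strcmp(), so the parameter (and the extern in include/linux/security.h) should be `const char *`; as declared, callers that hold a `const char *` (boot parameters, parsed policy text) are forced to cast. The kernel-doc for lsm_slot_to_name() documents that LSMBLOB_INVALID maps to slot 0, but that is a surprising default for a lookup helper; if it is only wanted by one caller, consider making that caller pass 0 explicitly and returning NULL for LSMBLOB_INVALID here.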
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v28 04/25] IMA: avoid label collisions with stacked LSMs Date: Wed, 21 Jul 2021 17:47:37 -0700 Message-Id: <20210722004758.12371-5-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Integrity measurement may filter on security module information and needs to be clear in the case of multiple active security modules which applies. Provide a boot option ima_rules_lsm= to allow the user to specify an active security module to apply filters to. If not specified, use the first registered module that supports the audit_rule_match() LSM hook. Allow the user to specify in the IMA policy an lsm= option to specify the security module to use for a particular rule. Reviewed-by: Kees Cook
Signed-off-by: Casey Schaufler To: Mimi Zohar To: linux-integrity@vger.kernel.org --- Documentation/ABI/testing/ima_policy | 8 ++- security/integrity/ima/ima_policy.c | 79 ++++++++++++++++++++-------- 2 files changed, 64 insertions(+), 23 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 070779e8d836..84dd19bc4344 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -25,7 +25,7 @@ Description: base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] [euid=] [fowner=] [fsname=]] lsm: [[subj_user=] [subj_role=] [subj_type=] - [obj_user=] [obj_role=] [obj_type=]] + [obj_user=] [obj_role=] [obj_type=] [lsm=]] option: [[appraise_type=]] [template=] [permit_directio] [appraise_flag=] [keyrings=] base: @@ -117,6 +117,12 @@ Description: measure subj_user=_ func=FILE_CHECK mask=MAY_READ + It is possible to explicitly specify which security + module a rule applies to using lsm=. If the security + modules specified is not active on the system the rule + will be rejected. If lsm= is not specified the first + security module registered on the system will be assumed. + Example of measure rules using alternate PCRs:: measure func=KEXEC_KERNEL_CHECK pcr=4 diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 5c40677e881c..008a043335d4 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -79,8 +79,9 @@ struct ima_rule_entry { bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ int pcr; + int which_lsm; /* which of the rules to use */ struct { - void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */ + void *rule; /* LSM file metadata specific */ char *args_p; /* audit value */ int type; /* audit type */ } lsm[MAX_LSM_RULES]; 
@@ -92,17 +93,17 @@ struct ima_rule_entry { /** * ima_lsm_isset - Is a rule set for any of the active security modules - * @rules: The set of IMA rules to check + * @entry: the rule entry to examine + * @lsm_rule: the specific rule type in question * - * If a rule is set for any LSM return true, otherwise return false. + * If a rule is set return true, otherwise return false. */ -static inline bool ima_lsm_isset(void *rules[]) +static inline bool ima_lsm_isset(struct ima_rule_entry *entry, int lsm_rule) { - int i; - - for (i = 0; i < LSMBLOB_ENTRIES; i++) - if (rules[i]) - return true; + if (lsm_rule < 0 || lsm_rule > MAX_LSM_RULES) + return false; + if (entry->lsm[lsm_rule].rule) + return true; return false; } @@ -282,6 +283,20 @@ static int __init default_appraise_policy_setup(char *str) } __setup("ima_appraise_tcb", default_appraise_policy_setup); +static int ima_rules_lsm __ro_after_init; + +static int __init ima_rules_lsm_init(char *str) +{ + ima_rules_lsm = lsm_name_to_slot(str); + if (ima_rules_lsm < 0) { + ima_rules_lsm = 0; + pr_err("rule lsm \"%s\" not registered", str); + } + + return 1; +} +__setup("ima_rules_lsm=", ima_rules_lsm_init); + static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) { struct ima_rule_opt_list *opt_list; @@ -351,11 +366,10 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) static void ima_lsm_free_rule(struct ima_rule_entry *entry) { int i; - int r; for (i = 0; i < MAX_LSM_RULES; i++) { - for (r = 0; r < LSMBLOB_ENTRIES; r++) - ima_filter_rule_free(entry->lsm[i].rules[r]); + if (entry->lsm[i].rule) + ima_filter_rule_free(entry->lsm[i].rule); kfree(entry->lsm[i].args_p); } } 
@@ -406,8 +420,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rules[0]); - if (!ima_lsm_isset(nentry->lsm[i].rules)) + &nentry->lsm[i].rule); + if (!ima_lsm_isset(nentry, i)) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); } @@ -596,7 +610,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, int rc = 0; u32 osid; - if (!ima_lsm_isset(rule->lsm[i].rules)) { + if (!ima_lsm_isset(rule, i)) { if (!rule->lsm[i].args_p) continue; else @@ -609,14 +623,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule, security_inode_getsecid(inode, &osid); rc = ima_filter_rule_match(osid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rules); + rule->lsm[i].rule); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: rc = ima_filter_rule_match(secid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rules); + rule->lsm[i].rule); break; default: break; @@ -966,7 +980,7 @@ enum { Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_appraise_flag, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_label, Opt_err + Opt_lsm, Opt_label, Opt_err }; static const match_table_t policy_tokens = { @@ -1004,6 +1018,7 @@ static const match_table_t policy_tokens = { {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, {Opt_label, "label=%s"}, + {Opt_lsm, "lsm=%s"}, {Opt_err, NULL} }; @@ -1012,7 +1027,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, { int result; - if (ima_lsm_isset(entry->lsm[lsm_rule].rules)) + if (ima_lsm_isset(entry, lsm_rule)) return -EINVAL; entry->lsm[lsm_rule].args_p = match_strdup(args); 
@@ -1022,8 +1037,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rules[0]); - if (!ima_lsm_isset(entry->lsm[lsm_rule].rules)) { + &entry->lsm[lsm_rule].rule); + if (!ima_lsm_isset(entry, lsm_rule)) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); @@ -1561,6 +1576,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) &(template_desc->num_fields)); entry->template = template_desc; break; + case Opt_lsm: + result = lsm_name_to_slot(args[0].from); + if (result == LSMBLOB_INVALID) { + int i; + + for (i = 0; i < MAX_LSM_RULES; i++) + entry->lsm[i].args_p = NULL; + result = -EINVAL; + break; + } + entry->which_lsm = result; + result = 0; + break; case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; @@ -1597,6 +1625,7 @@ ssize_t ima_parse_add_rule(char *rule) struct ima_rule_entry *entry; ssize_t result, len; int audit_info = 0; + int i; p = strsep(&rule, "\n"); len = strlen(p) + 1; @@ -1614,6 +1643,9 @@ ssize_t ima_parse_add_rule(char *rule) INIT_LIST_HEAD(&entry->list); + for (i = 0; i < MAX_LSM_RULES; i++) + entry->which_lsm = ima_rules_lsm; + result = ima_parse_rule(p, entry); if (result) { ima_free_rule(entry); @@ -1830,7 +1862,7 @@ int ima_policy_show(struct seq_file *m, void *v) } for (i = 0; i < MAX_LSM_RULES; i++) { - if (ima_lsm_isset(entry->lsm[i].rules)) { + if (ima_lsm_isset(entry, i)) { switch (i) { case LSM_OBJ_USER: seq_printf(m, pt(Opt_obj_user), 
@@ -1872,6 +1904,9 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, "appraise_flag=check_blacklist "); if (entry->flags & IMA_PERMIT_DIRECTIO) seq_puts(m, "permit_directio "); + if (entry->which_lsm >= 0) + seq_printf(m, pt(Opt_lsm), + lsm_slot_to_name(entry->which_lsm)); rcu_read_unlock(); seq_puts(m, "\n"); return 0;
From patchwork Thu Jul 22 00:47:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392607
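Review bot: the LSMBLOB_INVALID path in the new Opt_lsm case of ima_parse_rule (ima_policy.c hunk at @@ -1561,6 +1576,19 @@) overwrites every entry->lsm[i].args_p with NULL instead of freeing it, which leaks the strings that ima_lsm_rule_init stored there via `entry->lsm[lsm_rule].args_p = match_strdup(args);` for any subj_*/obj_* conditions parsed earlier in the same rule. ima_parse_add_rule already calls ima_free_rule(entry) when ima_parse_rule fails, so the simplest fix is to drop the for loop and just set `result = -EINVAL; break;`, letting ima_free_rule release args_p; if clearing the pointers is deliberate, a comment explaining why ima_free_rule must not see them is needed.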
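Review bot: in the ima_parse_add_rule hunk (@@ -1614,6 +1643,9 @@), `for (i = 0; i < MAX_LSM_RULES; i++) entry->which_lsm = ima_rules_lsm;` assigns the same scalar field MAX_LSM_RULES times, since which_lsm is not indexed by i. Either a per-slot field was intended, or this should be the single statement `entry->which_lsm = ima_rules_lsm;` with the new `int i` declaration in the preceding hunk removed.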
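Review bot: the new `if (entry->which_lsm >= 0)` test in the ima_policy_show hunk will print `lsm=<name>` for every rule whenever ima_rules_lsm is non-negative, because ima_parse_add_rule now initialises which_lsm to ima_rules_lsm for all entries, not only those that carried an explicit lsm= option. If the intent is to show only what the administrator wrote, track whether lsm= was given (for example with a flag set in the Opt_lsm case); if the explicit output is intended so that the displayed policy round-trips, a sentence in the description saying so would help.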
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v28 05/25] LSM: Use lsmblob in security_audit_rule_match Date: Wed, 21 Jul 2021 17:47:38 -0700 Message-Id: <20210722004758.12371-6-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the secid parameter of security_audit_rule_match to a lsmblob structure pointer. Pass the entry from the lsmblob structure for the appropriate slot to the LSM hook. Change the users of security_audit_rule_match to use the lsmblob instead of a u32. The scaffolding function lsmblob_init() fills the blob with the value of the old secid, ensuring that it is available to the appropriate module hook. The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the blob structure later in the series. At that point the use of lsmblob_init() is dropped. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com Cc: linux-integrity@vger.kernel.org To: Mimi Zohar --- include/linux/security.h | 7 ++++--- kernel/auditfilter.c | 6 ++++-- kernel/auditsc.c | 16 +++++++++++----- security/integrity/ima/ima.h | 4 ++-- security/integrity/ima/ima_policy.c | 7 +++++-- security/security.c | 10 ++++++++-- 6 files changed, 34 insertions(+), 16 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index b641b5b96860..8290f6263b6d 100644 --- a/include/linux/security.h
+++ b/include/linux/security.h @@ -1944,7 +1944,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void **lsmrule); void security_audit_rule_free(void **lsmrule); #else @@ -1960,8 +1961,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void **lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void **lsmrule) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index a2340e81cfa7..6a04d762d272 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1331,6 +1331,7 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; pid_t pid; u32 sid; + struct lsmblob blob; switch (f->type) { case AUDIT_PID: @@ -1362,8 +1363,9 @@ int audit_filter(int msgtype, unsigned int listtype) if (f->lsm_isset) { security_task_getsecid_subj(current, &sid); - result = security_audit_rule_match(sid, - f->type, f->op, + lsmblob_init(&blob, sid); + result = security_audit_rule_match( + &blob, f->type, f->op, f->lsm_rules); } break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index acbd896f54a5..447614b7a50b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -478,6 +478,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob; unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); 
@@ -676,8 +677,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid_subj(tsk, &sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, - f->op, f->lsm_rules); + lsmblob_init(&blob, sid); + result = security_audit_rule_match(&blob, + f->type, f->op, + f->lsm_rules); } break; case AUDIT_OBJ_USER: @@ -690,15 +693,17 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { + lsmblob_init(&blob, name->osid); result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + lsmblob_init(&blob, name->osid); if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rules)) { @@ -710,7 +715,8 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + lsmblob_init(&blob, ctx->ipc.osid); + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rules)) ++result; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f0e448ed1f9f..55f3bd4f0b01 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -433,8 +433,8 @@ static inline void ima_filter_rule_free(void *lsmrule) { } -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 008a043335d4..af612a42eebe 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -609,6 +609,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; u32 osid; + struct lsmblob lsmdata; if (!ima_lsm_isset(rule, i)) { if (!rule->lsm[i].args_p) @@ -621,14 +622,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, rule->lsm[i].type, + lsmblob_init(&lsmdata, osid); + rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, rule->lsm[i].type, + lsmblob_init(&lsmdata, secid); + rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); break; diff --git a/security/security.c b/security/security.c index 3da6cb8f9d76..3c035faa2c37 100644 --- a/security/security.c +++ b/security/security.c @@ -2671,11 +2671,14 @@ void security_audit_rule_free(void **lsmrule) hlist_for_each_entry(hp, &security_hook_heads.audit_rule_free, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; + if (lsmrule[hp->lsmid->slot] == NULL) + continue; hp->hook.audit_rule_free(lsmrule[hp->lsmid->slot]); } } -int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void **lsmrule) { struct security_hook_list *hp; int rc; 
@@ -2683,7 +2686,10 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule) hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.audit_rule_match(secid, field, op, + if (lsmrule[hp->lsmid->slot] == NULL) + continue; + rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot], + field, op, &lsmrule[hp->lsmid->slot]); if (rc) return rc;
From patchwork Thu Jul 22 00:47:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392609
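Review bot: in the kernel/auditsc.c hunk at @@ -690,15 +693,17 @@, the line added inside `list_for_each_entry(n, &ctx->names_list, list)` reads `lsmblob_init(&blob, name->osid);` while the secid it replaces was `n->osid`. That branch is only reached when `name` is NULL (it is the `else if (ctx)` arm following `if (name)`), so the new code dereferences a NULL pointer, and even with a non-NULL name it would test the same object against the rule on every iteration instead of each entry of the list. It should be `lsmblob_init(&blob, n->osid);`.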
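Review bot: the `if (lsmrule[hp->lsmid->slot] == NULL) continue;` checks added in the security/security.c hunks for security_audit_rule_free and security_audit_rule_match are a behaviour change (a module whose slot holds no rule is now skipped rather than called) that the description above does not mention; it only covers the secid-to-lsmblob parameter change. A sentence in the description stating when a slot can legitimately be NULL, plus a short comment at the check, would make the intent reviewable; the free hook previously received the NULL entry as well, so any module that relied on being called with it should be checked.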
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v28 06/25] LSM: Use lsmblob in security_kernel_act_as Date: Wed, 21 Jul 2021 17:47:39 -0700 Message-Id: <20210722004758.12371-7-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_kernel_act_as interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change its only caller, set_security_override, to do the same. Change that one's only caller, set_security_override_from_ctx, to call it with the new parameter type. The security module hook is unchanged, still taking a secid. The infrastructure passes the correct entry from the lsmblob. lsmblob_init() is used to fill the lsmblob structure, however this will be removed later in the series when security_secctx_to_secid() is updated to provide a lsmblob instead of a secid. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler To: David Howells --- include/linux/cred.h | 3 ++- include/linux/security.h | 5 +++-- kernel/cred.c | 10 ++++++---- security/security.c | 14 ++++++++++++-- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/include/linux/cred.h b/include/linux/cred.h index fcbc6885cc09..eb02e8514239 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -18,6 +18,7 @@ struct cred; struct inode; +struct lsmblob; /* * COW Supplementary groups list @@ -165,7 +166,7 @@ extern const struct cred *override_creds(const struct cred *); extern void revert_creds(const struct cred *); extern struct cred *prepare_kernel_cred(struct task_struct *); extern int change_create_files_as(struct cred *, struct inode *); -extern int set_security_override(struct cred *, u32); +extern int set_security_override(struct cred *, struct lsmblob *); extern int set_security_override_from_ctx(struct cred *, const char *); extern int set_create_files_as(struct cred *, struct inode *); extern int cred_fscmp(const struct cred *, const struct cred *); diff --git a/include/linux/security.h b/include/linux/security.h index 8290f6263b6d..332df8a1cd4d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -461,7 +461,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); -int security_kernel_act_as(struct cred *new, u32 secid); +int security_kernel_act_as(struct cred *new, struct lsmblob *blob); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); int security_kernel_load_data(enum kernel_load_data_id id, bool contents); 
@@ -1103,7 +1103,8 @@ static inline void security_transfer_creds(struct cred *new, { } -static inline int security_kernel_act_as(struct cred *cred, u32 secid) +static inline int security_kernel_act_as(struct cred *cred, + struct lsmblob *blob) { return 0; } diff --git a/kernel/cred.c b/kernel/cred.c index e6fd2b3fc31f..ea36ec6e1ad8 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -774,14 +774,14 @@ EXPORT_SYMBOL(prepare_kernel_cred); /** * set_security_override - Set the security ID in a set of credentials * @new: The credentials to alter - * @secid: The LSM security ID to set + * @blob: The LSM security information to set * * Set the LSM security ID in a set of credentials so that the subjective * security is overridden when an alternative set of credentials is used. */ -int set_security_override(struct cred *new, u32 secid) +int set_security_override(struct cred *new, struct lsmblob *blob) { - return security_kernel_act_as(new, secid); + return security_kernel_act_as(new, blob); } EXPORT_SYMBOL(set_security_override); @@ -797,6 +797,7 @@ EXPORT_SYMBOL(set_security_override); */ int set_security_override_from_ctx(struct cred *new, const char *secctx) { + struct lsmblob blob; u32 secid; int ret; @@ -804,7 +805,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx) if (ret < 0) return ret; - return set_security_override(new, secid); + lsmblob_init(&blob, secid); + return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/security/security.c b/security/security.c index 3c035faa2c37..69474918be8b 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1798,9 +1798,19 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); -int security_kernel_act_as(struct cred *new, u32 secid) +int security_kernel_act_as(struct cred *new, struct lsmblob *blob) { - return call_int_hook(kernel_act_as, 0, new, secid); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.kernel_act_as(new, blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } int security_kernel_create_files_as(struct cred *new, struct inode *inode)
From patchwork Thu Jul 22 00:47:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392611
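Review bot: in the kernel/cred.c hunk for set_security_override only the `@blob:` parameter line of the kernel-doc was updated; the summary line "Set the security ID in a set of credentials" and the body "Set the LSM security ID in a set of credentials" still describe a single secid. Reword both to say the credentials' LSM security information is set from the lsmblob so the documentation matches the new `struct lsmblob *` signature.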
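Review bot: style point on the security/security.c hunk: the slot check `if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue;` in the new security_kernel_act_as loop is the third verbatim copy of this test in the series so far (security_audit_rule_free and security_audit_rule_match in the previous patch use the identical line). A small inline helper that validates hp->lsmid->slot would keep the range check in one place, and `if (rc != 0)` could be `if (rc)` to match the surrounding code. The loop otherwise preserves the call_int_hook() semantics it replaces (default 0, return on the first non-zero result).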
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v28 07/25] LSM: Use lsmblob in security_secctx_to_secid Date: Wed, 21 Jul 2021 17:47:40 -0700 Message-Id: <20210722004758.12371-8-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_secctx_to_secid interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change its callers to do the same. The security module hook is unchanged, still passing back a secid. The infrastructure passes the correct entry from the lsmblob. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso --- include/linux/security.h | 26 ++++++++++++++++++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 10 ++++---- net/netfilter/xt_SECMARK.c | 7 +++++- net/netlabel/netlabel_unlabeled.c | 23 +++++++++++------- security/security.c | 40 ++++++++++++++++++++++++++----- 6 files changed, 85 insertions(+), 25 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 332df8a1cd4d..986a8f4bcd54 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) extern int lsm_name_to_slot(char *name); extern const char *lsm_slot_to_name(int slot); +/** + * lsmblob_value - find the first non-zero value in an lsmblob structure. + * @blob: Pointer to the data + * + * This needs to be used with extreme caution, as the cases where + * it is appropriate are rare. + * + * Return the first secid value set in the lsmblob. + * There should only be one. + */ +static inline u32 lsmblob_value(const struct lsmblob *blob) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + if (blob->secid[i]) + return blob->secid[i]; + + return 0; +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -527,7 +548,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -1382,7 +1404,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle static inline int security_secctx_to_secid(const char *secdata, u32 seclen, - u32 *secid) + struct lsmblob *blob) { return -EOPNOTSUPP; } diff --git a/kernel/cred.c b/kernel/cred.c index ea36ec6e1ad8..38b00a1390f4 100644 --- a/kernel/cred.c +++ b/kernel/cred.c 
@@ -798,14 +798,12 @@ EXPORT_SYMBOL(set_security_override); int set_security_override_from_ctx(struct cred *new, const char *secctx) { struct lsmblob blob; - u32 secid; int ret; - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); + ret = security_secctx_to_secid(secctx, strlen(secctx), &blob); if (ret < 0) return ret; - lsmblob_init(&blob, secid); return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index a7e01e9952f1..f9448e81798e 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -809,21 +809,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { static int nft_secmark_compute_secid(struct nft_secmark *priv) { - u32 tmp_secid = 0; + struct lsmblob blob; int err; - err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob); if (err) return err; - if (!tmp_secid) + if (!lsmblob_is_set(&blob)) return -ENOENT; - err = security_secmark_relabel_packet(tmp_secid); + err = security_secmark_relabel_packet(lsmblob_value(&blob)); if (err) return err; - priv->secid = tmp_secid; + priv->secid = lsmblob_value(&blob); return 0; } diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 498a0bf6f044..87ca3a537d1c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info) static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) { + struct lsmblob blob; int err; info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; info->secid = 0; err = security_secctx_to_secid(info->secctx, strlen(info->secctx), - &info->secid); + &blob); if (err) { if (err == -EINVAL) pr_info_ratelimited("invalid security context \'%s\'\n", 
@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) return err; } + /* xt_secmark_target_info can't be changed to use lsmblobs because + * it is exposed as an API. Use lsmblob_value() to get the one + * value that got set by security_secctx_to_secid(). */ + info->secid = lsmblob_value(&blob); if (!info->secid) { pr_info_ratelimited("unable to map security context \'%s\'\n", info->secctx); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 2483df0bbd7c..c29a8d7a7070 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * + * instead of a u32 later in this patch set. security_secctx_to_secid() + * will only be setting one entry in the lsmblob struct, so it is + * safe to use lsmblob_value() to get that one value. */ + return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, secid, - &audit_info); + dev_name, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** @@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a 
@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* security_secctx_to_secid() will only put one secid into the lsmblob + * so it's safe to use lsmblob_value() to get the secid. */ return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, secid, - &audit_info); + NULL, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** diff --git a/security/security.c b/security/security.c index 69474918be8b..1621a28bf9c4 100644 --- a/security/security.c +++ b/security/security.c @@ -2193,10 +2193,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct security_hook_list *hp; + int rc; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } EXPORT_SYMBOL(security_secctx_to_secid); 
@@ -2347,10 +2359,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, optval, optlen, len); } -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + int rc = -ENOPROTOOPT; + + /* + * Only one security module should provide a real hook for + * this. A stub or bypass like is used in BPF should either + * (somehow) leave rc unaltered or return -ENOPROTOOPT. + */ + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid); + if (rc != -ENOPROTOOPT) + break; + } + return rc; } EXPORT_SYMBOL(security_socket_getpeersec_dgram);

From patchwork Thu Jul 22 00:47:41 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12392613
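Review bot: lsmblob_value() in the include/linux/security.h hunk returns the lowest-numbered non-zero slot and gives no indication when more than one slot is set, even though its kernel-doc says "There should only be one." The callers in this patch (nft_meta, xt_SECMARK, netlabel) feed that u32 into code that one module will interpret, so a second set slot means the wrong module's secid is chosen silently; a WARN_ON_ONCE() on a second non-zero entry, or at least a sentence saying that slot order decides, would make that visible. The !CONFIG_SECURITY stub of security_secctx_to_secid() in the same hunk also leaves *blob untouched while the real function starts with lsmblob_init(blob, 0); every caller here checks the return value first, so it is harmless today, but initialising the blob in the stub keeps the two paths equivalent for future callers.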
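Review bot: In the nft_secmark_compute_secid() hunk, lsmblob_value(&blob) is evaluated twice, once as the argument to security_secmark_relabel_packet() and again for priv->secid; read it into a local u32 once so the relabel check and the stored value cannot diverge and the slot walk runs once. lsmblob_is_set() is not defined in this patch, so it presumably comes from an earlier patch in the series; it is worth confirming it rejects an all-zero blob the same way the removed `if (!tmp_secid)` did, since -ENOENT depends on it.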
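Review bot: The comment added in checkentry_lsm() (net/netfilter/xt_SECMARK.c) closes with `*/` on the last text line; net/ code keeps the "/* text" opening but puts the closing `*/` on its own line. Beyond style, the comment says xt_secmark_target_info cannot change because it is uAPI, which is the right reason, but it should also say which module's secid a multi-LSM kernel ends up with in info->secid: with lsmblob_value() that is the module in the lowest slot, and nothing reports it when more than one slot was filled.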
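Review bot: The two netlabel_unlabeled.c hunks (netlbl_unlabel_staticadd() and netlbl_unlabel_staticadddef()) carry the same explanation in two different wordings, one of which ("netlbl_unlhsh_add will be changed to pass a struct lsmblob * instead of a u32 later in this patch set") refers to a later patch and goes stale once the series lands. State the property of the interface instead ("a secctx names a context for exactly one module, so only one slot is set") and use the same text in both places, or drop both comments when the follow-up patch converts netlbl_unlhsh_add(). Same `*/`-on-text-line style point as in xt_SECMARK.c.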
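Review bot: security_secctx_to_secid() in the security/security.c hunk returns the first non-zero rc from any registered hook and leaves the remaining slots at zero, so on a kernel with two modules registered a context string that one module cannot parse fails the whole call even if the other module accepted it, and the nft_meta and xt_SECMARK callers then report the string as invalid. If that is the intended contract, document it at the hook: a module that wants to co-exist must return 0 with secid 0 for a string that is not its own, and a non-zero return means the string is invalid for every module. The `WARN_ON(... slot >= lsm_slot)` followed by `continue` is fine, but note it means a mis-registered module contributes a zero slot without failing the call.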
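Review bot: The security_socket_getpeersec_dgram() change is not mentioned in the commit message, which only describes security_secctx_to_secid(), and its comment still reads "A stub or bypass like is used in BPF should either (somehow) leave rc unaltered or return -ENOPROTOOPT", which is an open question rather than a documented rule. Since the loop takes the first rc != -ENOPROTOOPT and breaks, a stub that returns 0 stops the walk before the real module runs; either move this hunk to its own patch with the requirement on stub hooks stated, or replace "(somehow)" with that requirement and add a line about it to the commit message.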
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v28 08/25] LSM: Use lsmblob in security_secid_to_secctx
Date: Wed, 21 Jul 2021 17:47:41 -0700
Message-Id: <20210722004758.12371-9-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:

Change security_secid_to_secctx() to take a lsmblob as input instead of a u32 secid. It will then call the LSM hooks using the lsmblob element allocated for that module. The callers have been updated as well. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code.

Acked-by: Paul Moore
Reviewed-by: Kees Cook
Signed-off-by: Casey Schaufler
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso
---
 drivers/android/binder.c                | 12 +++++++++-
 include/linux/security.h                |  5 +++--
 include/net/scm.h                       |  7 +++++-
 kernel/audit.c                          | 20 +++++++++++++++--
 kernel/auditsc.c                        | 27 ++++++++++++++++++----
 net/ipv4/ip_sockglue.c                  |  4 +++-
 net/netfilter/nf_conntrack_netlink.c    | 14 ++++++++++--
 net/netfilter/nf_conntrack_standalone.c |  4 +++-
 net/netfilter/nfnetlink_queue.c         | 11 +++++++--
 net/netlabel/netlabel_unlabeled.c       | 30 +++++++++++++++++++++----
 net/netlabel/netlabel_user.c            |  6 ++---
 security/security.c                     | 11 +++++----
 12 files changed, 122 insertions(+), 29 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index bcec598b89f2..3e97a6de5e80 100644
--- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2711,6 +2711,7 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + struct lsmblob blob; size_t added_size; /* @@ -2723,7 +2724,16 @@ static void binder_transaction(struct binder_proc *proc, * case well anyway. */ security_task_getsecid_obj(proc->tsk, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + /* + * Later in this patch set security_task_getsecid() will + * provide a lsmblob instead of a secid. lsmblob_init + * is used to ensure that all the secids in the lsmblob + * get the value returned from security_task_getsecid(), + * which means that the one expected by + * security_secid_to_secctx() will be set. + */ + lsmblob_init(&blob, secid); + ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/security.h b/include/linux/security.h index 986a8f4bcd54..ef33be59998e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -547,7 +547,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); @@ -1397,7 +1397,8 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } 
diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..23a35ff1b3f2 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmblob lb; char *secdata; u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + /* There can only be one security module using the secid, + * and the infrastructure will know which it is. + */ + lsmblob_init(&lb, scm->secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index 121d37e700a6..22286163e93e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1442,7 +1442,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + struct lsmblob blob; + + /* + * lsmblob_init sets all values in the lsmblob + * to audit_sig_sid. This is temporary until + * audit_sig_sid is converted to a lsmblob, which + * happens later in this patch set. + */ + lsmblob_init(&blob, audit_sig_sid); + err = security_secid_to_secctx(&blob, &ctx, &len); if (err) return err; } 
@@ -2131,12 +2140,19 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; u32 sid; + struct lsmblob blob; security_task_getsecid_subj(current, &sid); if (!sid) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + /* + * lsmblob_init sets all values in the lsmblob to sid. + * This is temporary until security_task_getsecid is converted + * to use a lsmblob, which happens later in this patch set. + */ + lsmblob_init(&blob, sid); + error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 447614b7a50b..df8a57c5355d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -677,6 +677,13 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid_subj(tsk, &sid); need_sid = 0; } + /* + * lsmblob_init sets all values in the lsmblob + * to sid. This is temporary until + * security_task_getsecid() is converted to + * provide a lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, @@ -693,6 +700,13 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { + /* + * lsmblob_init sets all values in the + * lsmblob to sid. This is temporary + * until name->osid is converted to a + * lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, @@ -999,6 +1013,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *ctx = NULL; u32 len; int rc = 0; + struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) 
@@ -1008,7 +1023,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + lsmblob_init(&blob, sid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1252,8 +1268,10 @@ static void show_special(struct audit_context *context, int *call_panic) if (osid) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx(osid, &ctx, &len)) { + lsmblob_init(&blob, osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1408,9 +1426,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (n->osid != 0) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { + lsmblob_init(&blob, n->osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index ec6036713e2c..2f089733ada7 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmblob lb; char *secdata; u32 seclen, secid; int err; @@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + lsmblob_init(&lb, secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index e81af33b233b..9bf1f5460681 100644 --- a/net/netfilter/nf_conntrack_netlink.c 
+++ b/net/netfilter/nf_conntrack_netlink.c @@ -341,8 +341,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return 0; @@ -650,8 +655,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 214d9f9e499b..89b6f5ebcfc4 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -175,8 +175,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index f774de0fc24f..a781e757d593 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct lsmblob blob; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + /* lsmblob_init() puts ct->secmark into all of the secids in + * blob. security_secid_to_secctx() will know which security + * module to use to create the secctx. */ + lsmblob_init(&blob, skb->secmark); + security_secid_to_secctx(&blob, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index c29a8d7a7070..5cbbc469ac7c 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, + /* lsmblob_init() puts secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + if (security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); @@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, 
@@ -494,8 +500,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); if (dev != NULL) dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -537,6 +548,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -555,8 +567,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); if (dev != NULL) dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1082,6 +1099,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, u32 secid; char *secctx; u32 secctx_len; + struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, 
@@ -1136,7 +1154,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + /* lsmblob_init() secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..893301ae0131 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct audit_buffer *audit_buf; char *secctx; u32 secctx_len; + struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); + lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/security/security.c b/security/security.c index 1621a28bf9c4..607e54a0e85f 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2174,17 +2174,16 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; int rc; - /* - * Currently, only one LSM can implement secid_to_secctx (i.e this - * LSM hook is not "stackable"). - */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], + secdata, seclen); + if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + return rc; }

From patchwork Thu Jul 22 00:47:42 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12392639
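Review bot: The comment added in binder_transaction() says "Later in this patch set security_task_getsecid() will provide a lsmblob", but the call just above it is security_task_getsecid_obj(proc->tsk, &secid); name the function the code actually calls. The kernel/audit.c and kernel/auditsc.c comments have the same slip, referring to security_task_getsecid() where the code calls security_task_getsecid_subj().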
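Review bot: In the include/linux/security.h hunk the new parameter can be `const struct lsmblob *blob`: security_secid_to_secctx() only reads blob->secid[hp->lsmid->slot] (see the security/security.c hunk), every caller in this patch builds the blob on its own stack, and the const makes it explicit that the call cannot alter the caller's blob. The !CONFIG_SECURITY stub should take the same type.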
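Review bot: The comment in scm_passec() ("There can only be one security module using the secid, and the infrastructure will know which it is") claims more than the code does: lsmblob_init(&lb, scm->secid) copies the same u32 into every slot, and security_secid_to_secctx() (security/security.c hunk) then hands that value to every module that registered secid_to_secctx and returns the first non-default answer. The infrastructure has no way to know which module produced scm->secid; the safety rests on only one module implementing the hook at this point in the series. Say that instead, so the comment stays true when a second module gains the hook.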
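Review bot: kernel/audit.c and kernel/auditsc.c now carry the same "lsmblob_init sets all values in the lsmblob to ... This is temporary until ... converted to a lsmblob" comment four times, and the `lsmblob_init(&blob, sid); security_secid_to_secctx(&blob, ...)` pair appears at five sites. One comment at the first site (audit_log_task_context()) with a one-line reference elsewhere, or a small static helper taking a u32, would cut the churn the later conversion has to undo; the audit_filter_rules() hunks in particular only add comments to lsmblob_init() calls that already existed.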
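Review bot: The comment in nfqnl_get_sk_secctx() (net/netfilter/nfnetlink_queue.c) says "lsmblob_init() puts ct->secmark into all of the secids in blob", but the code is lsmblob_init(&blob, skb->secmark); it was copied from the nf_conntrack hunks, so change ct->secmark to skb->secmark there.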
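Review bot: In netlbl_unlhsh_remove_addr4() and netlbl_unlhsh_remove_addr6() the new `if (entry != NULL) lsmblob_init(&blob, entry->secid);` sits directly before `if (entry != NULL && security_secid_to_secctx(&blob, ...)`, testing entry twice and leaving a window where blob is uninitialised that static checkers will flag; nest the init and the call under one `if (entry != NULL) { ... }`. In the netlbl_unlabel_staticlist_gen() hunk the comment "lsmblob_init() secid into all of the secids in blob." is missing the verb ("puts"). In netlbl_audit_start_common() (net/netlabel/netlabel_user.c) lsmblob_init(&blob, audit_info->secid) now runs before the `audit_info->secid != 0` test, so it is built even when unused; move it inside the branch.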
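Review bot: security_secid_to_secctx() drops the comment that only one LSM can implement secid_to_secctx, but every caller in this patch still builds its argument with lsmblob_init(&blob, secid), which writes the same number into every slot. If two modules register the hook, the first one on the list is handed a secid that may belong to the other and can translate it to a plausible but wrong context string; a mislabelled audit record or SCM_SECURITY cmsg is a silent failure, not an error. Until the callers pass real per-slot blobs, either keep a comment here saying the callers guarantee a single implementer, or add a WARN_ON_ONCE() when more than one hook is registered. The loop also returns the rc of the first hook that yields anything other than LSM_RET_DEFAULT(secid_to_secctx), errors included, so an error from the first module hides a successful translation by the second; state whether that is intended.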
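The two patches above turn a single u32 secid into a per-module slot array, with two helpers that have very different safety properties: lsmblob_value() collapses the array back to one number, and lsmblob_init() broadcasts one number into every slot. The userspace model below is an added example, not kernel code and not part of this series; it keeps the semantics of the hunks above (per-slot dispatch in security_secctx_to_secid(), first-answer-wins in security_secid_to_secctx(), first-non-zero-slot in lsmblob_value()) and uses two constructed modules, "modA" and "modB", whose label tables, error behaviour (modA rejects unknown labels with -EINVAL, modB returns 0 with secid 0) and the `impl_mask` knob saying which modules registered secid_to_secctx are all assumptions made for the demonstration.

```c
/*
 * Userspace model of the lsmblob slot dispatch in patches 07/25 and 08/25.
 * Added example, not kernel code: modA/modB, their label tables, their
 * error behaviour and the impl_mask knob are constructed for illustration.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;
#define LSMBLOB_ENTRIES 2          /* assumption: two stacked modules */

struct lsmblob {
	u32 secid[LSMBLOB_ENTRIES];
};

/* Same semantics as the kernel helpers used by the hunks above. */
static void lsmblob_init(struct lsmblob *blob, u32 secid)
{
	for (int i = 0; i < LSMBLOB_ENTRIES; i++)
		blob->secid[i] = secid;      /* broadcast: every slot gets it */
}

static u32 lsmblob_value(const struct lsmblob *blob)
{
	for (int i = 0; i < LSMBLOB_ENTRIES; i++)
		if (blob->secid[i])
			return blob->secid[i];   /* lowest set slot wins, silently */
	return 0;
}

int lsmblob_set_count(const struct lsmblob *blob)
{
	int n = 0;
	for (int i = 0; i < LSMBLOB_ENTRIES; i++)
		n += blob->secid[i] != 0;
	return n;
}

/* Constructed module: its slot and a label table where secid == index + 1. */
struct lsm_module {
	const char *name;
	int slot;
	const char *labels[4];       /* NULL terminated */
	int strict;                  /* 1: unknown label is -EINVAL; 0: secid 0, rc 0 */
};

static const struct lsm_module modules[] = {
	{ "modA", 0, { "sys_t", "user_t", "shared", NULL }, 1 },
	{ "modB", 1, { "_",     "floor",  "shared", NULL }, 0 },
};
#define NMODULES ((int)(sizeof(modules) / sizeof(modules[0])))

static int hook_secctx_to_secid(const struct lsm_module *m, const char *ctx, u32 *secid)
{
	*secid = 0;
	for (int i = 0; m->labels[i]; i++)
		if (strcmp(m->labels[i], ctx) == 0) {
			*secid = i + 1;
			return 0;
		}
	return m->strict ? -EINVAL : 0;
}

static const char *hook_secid_to_secctx(const struct lsm_module *m, u32 secid)
{
	for (int i = 0; m->labels[i]; i++)
		if ((u32)(i + 1) == secid)
			return m->labels[i];
	return NULL;
}

/* Model of security_secctx_to_secid(): each module fills only its own slot;
 * the first non-zero rc aborts the call, as in the security.c hunk. */
int model_secctx_to_secid(const char *ctx, struct lsmblob *blob)
{
	lsmblob_init(blob, 0);
	for (int i = 0; i < NMODULES; i++) {
		int rc = hook_secctx_to_secid(&modules[i], ctx, &blob->secid[modules[i].slot]);
		if (rc)
			return rc;
	}
	return 0;
}

/* Model of security_secid_to_secctx(): every module that registered the hook
 * (bit i of impl_mask) gets the secid from its own slot; first answer wins. */
const char *model_secid_to_secctx(const struct lsmblob *blob, unsigned int impl_mask)
{
	for (int i = 0; i < NMODULES; i++) {
		if (!(impl_mask & (1u << i)))
			continue;
		const char *ctx = hook_secid_to_secctx(&modules[i], blob->secid[modules[i].slot]);
		if (ctx)
			return ctx;
	}
	return NULL;
}

int main(void)
{
	struct lsmblob blob;

	/* Label only modA knows: slot 0 set, slot 1 stays 0, the value is unambiguous. */
	model_secctx_to_secid("sys_t", &blob);
	printf("sys_t   -> slots {%u,%u}, value %u\n", blob.secid[0], blob.secid[1], lsmblob_value(&blob));
	/* Label only modB knows: strict modA errors first and the whole call fails. */
	printf("floor   -> rc %d\n", model_secctx_to_secid("floor", &blob));
	/* Label both know: two slots set, lsmblob_value() picks slot 0 without a word. */
	model_secctx_to_secid("shared", &blob);
	printf("shared  -> %d slots set, value %u\n", lsmblob_set_count(&blob), lsmblob_value(&blob));
	/* Caller-side broadcast as in patch 08: modA's secid 2 ("user_t") lands in modB's
	 * slot too, and whichever module answers reads it in its own namespace. */
	lsmblob_init(&blob, 2);
	printf("init(2) -> %s (both registered) / %s (only modB)\n",
	       model_secid_to_secctx(&blob, 0x3), model_secid_to_secctx(&blob, 0x2));
	return 0;
}
```

The last two lines of output are the point of the exercise: a blob filled per slot by model_secctx_to_secid() yields no answer from modB for a modA secid (its slot is 0), whereas a broadcast blob from lsmblob_init() lets modB translate modA's number 2 as "floor". That is the hazard the comment in scm_passec() glosses over, and the reason the broadcast pattern in patch 08 is only safe while a single module implements secid_to_secctx.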
From patchwork Thu Jul 22 00:47:42 2021
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v28 09/25] LSM: Use lsmblob in security_ipc_getsecid
Date: Wed, 21 Jul 2021 17:47:42 -0700
Message-Id: <20210722004758.12371-10-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 7 ++++++- security/security.c | 12 +++++++++--- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index ef33be59998e..886128899d5f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -518,7 +518,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1275,9 +1275,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index df8a57c5355d..b4d214b21b97 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -2337,12 +2337,17 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + security_ipc_getsecid(ipcp, &blob); + /* context->ipc.osid will be changed to a lsmblob later in + * the patch series. This will allow auditing of all the object + * labels associated with the ipc object. */ + context->ipc.osid = lsmblob_value(&blob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index 607e54a0e85f..c38816ef9778 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1994,10 +1994,16 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return call_int_hook(ipc_permission, 0, ipcp, flag); } -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.ipc_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.ipc_getsecid(ipcp, &blob->secid[hp->lsmid->slot]); + } } int security_msg_msg_alloc(struct msg_msg *msg)
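Review bot: in the __audit_ipc_obj() hunk of kernel/auditsc.c the blob is collapsed with context->ipc.osid = lsmblob_value(&blob), while every other scaffolding site in this series (audit_sig_sid, target_sid, audit_info->secid and the IMA calls in 10/25 below) reads blob.secid[0] directly. lsmblob_value() is not defined anywhere in this patch, so either the comment should state which slot it selects when more than one LSM has filled the blob, or this site should use the same blob.secid[0] form so the scaffolding is uniform and can be grepped for. The three-line comment also uses the "/* context->ipc.osid will be changed ... * the patch series. ... */" layout rather than the kernel's block-comment style with "/*" alone on the first line; reflow it before this lands.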
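Review bot: in the security_ipc_getsecid() hunk, if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; turns a property that is fixed when the LSM registers its hooks into a check executed on every IPC audit event, and an LSM that registers ipc_getsecid without owning a slot would warn on every call rather than once. The identical line already appears in security_secid_to_secctx() above and is repeated in security_task_getsecid_subj() and security_task_getsecid_obj() later in the series; validate the slot once at hook registration, or at least move the check into a single helper so the copies cannot drift.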
From patchwork Thu Jul 22 00:47:43 2021
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v28 10/25] LSM: Use lsmblob in security_task_getsecid
Date: Wed, 21 Jul 2021 17:47:43 -0700
Message-Id: <20210722004758.12371-11-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Change the security_task_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible secids for possible reporting.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netdev@vger.kernel.org
---
 drivers/android/binder.c              | 12 +-----
 include/linux/security.h              | 14 ++++---
 kernel/audit.c                        | 16 +++-----
 kernel/auditfilter.c                  |  4 +-
 kernel/auditsc.c                      | 25 ++++++------
 net/netlabel/netlabel_unlabeled.c     |  5 ++-
 net/netlabel/netlabel_user.h          |  6 ++-
 security/integrity/ima/ima_appraise.c | 10 +++--
 security/integrity/ima/ima_main.c     | 56 +++++++++++++++------------
 security/security.c                   | 25 +++++++++--
 10 files changed, 94 insertions(+), 79 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3e97a6de5e80..96dd728809ef 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2710,7 +2710,6 @@ static void binder_transaction(struct binder_proc *proc, t->priority = task_nice(current); if (target_node && target_node->txn_security_ctx) { - u32 secid; struct lsmblob blob; size_t added_size; @@ -2723,16 +2722,7 @@ static void binder_transaction(struct binder_proc *proc, * here; however, it isn't clear that binder would handle that * case well anyway. */ - security_task_getsecid_obj(proc->tsk, &secid); - /* - * Later in this patch set security_task_getsecid() will - * provide a lsmblob instead of a secid. lsmblob_init - * is used to ensure that all the secids in the lsmblob - * get the value returned from security_task_getsecid(), - * which means that the one expected by - * security_secid_to_secctx() will be set. - */ - lsmblob_init(&blob, secid); + security_task_getsecid_obj(proc->tsk, &blob); ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; diff --git a/include/linux/security.h b/include/linux/security.h index 886128899d5f..4070cef152f7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -500,8 +500,8 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_task_getsecid_subj(struct task_struct *p, u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob); +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); 
@@ -1197,14 +1197,16 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_subj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 22286163e93e..d92c7b894183 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2139,19 +2139,12 @@ int audit_log_task_context(struct audit_buffer *ab) char *ctx = NULL; unsigned len; int error; - u32 sid; struct lsmblob blob; - security_task_getsecid_subj(current, &sid); - if (!sid) + security_task_getsecid_subj(current, &blob); + if (!lsmblob_is_set(&blob)) return 0; - /* - * lsmblob_init sets all values in the lsmblob to sid. - * This is temporary until security_task_getsecid is converted - * to use a lsmblob, which happens later in this patch set. - */ - lsmblob_init(&blob, sid); error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) @@ -2359,6 +2352,7 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; + struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2369,7 +2363,9 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid_subj(current, &audit_sig_sid); + security_task_getsecid_subj(current, &blob); + /* scaffolding until audit_sig_sid is converted */ + audit_sig_sid = blob.secid[0]; } return audit_signal_info_syscall(t); 
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 6a04d762d272..1ba14a7a38f7 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1330,7 +1330,6 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; pid_t pid; - u32 sid; struct lsmblob blob; switch (f->type) { @@ -1362,8 +1361,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_isset) { security_task_getsecid_subj(current, - &sid); - lsmblob_init(&blob, sid); + &blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rules); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b4d214b21b97..50e3f2f4cb49 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -477,7 +477,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob; unsigned int sessionid; @@ -674,17 +673,9 @@ static int audit_filter_rules(struct task_struct *tsk, logged upon error */ if (f->lsm_isset) { if (need_sid) { - security_task_getsecid_subj(tsk, &sid); + security_task_getsecid_subj(tsk, &blob); need_sid = 0; } - /* - * lsmblob_init sets all values in the lsmblob - * to sid. This is temporary until - * security_task_getsecid() is converted to - * provide a lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, f->lsm_rules); 
@@ -2439,12 +2430,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding - until target_sid is converted */ + context->target_sid = blob.secid[0]; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2460,6 +2454,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2471,7 +2466,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + ctx->target_sid = blob.secid[0]; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2492,7 +2489,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + axp->target_sid[axp->pid_count] = blob.secid[0]; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 5cbbc469ac7c..098d0a1a3330 100644 --- a/net/netlabel/netlabel_unlabeled.c 
+++ b/net/netlabel/netlabel_unlabeled.c @@ -1564,11 +1564,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid_subj(current, &audit_info.secid); + security_task_getsecid_subj(current, &blob); + /* scaffolding until audit_info.secid is converted */ + audit_info.secid = blob.secid[0]; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 6190cbf94bf0..aa31f7bf79ee 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_task_getsecid_subj(current, &audit_info->secid); + struct lsmblob blob; + + security_task_getsecid_subj(current, &blob); + /* scaffolding until secid is converted */ + audit_info->secid = blob.secid[0]; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index ef9dcfce45d4..e3d903d6e5e7 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c 
@@ -71,14 +71,16 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_task_getsecid_subj(current, &secid); - return ima_match_policy(mnt_userns, inode, current_cred(), secid, func, - mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); + security_task_getsecid_subj(current, &blob); + /* scaffolding the .secid[0] */ + return ima_match_policy(mnt_userns, inode, current_cred(), + blob.secid[0], func, mask, + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 287b90509006..29befd24b945 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -388,12 +388,13 @@ static int process_measurement(struct file *file, const struct cred *cred, */ int ima_file_mmap(struct file *file, unsigned long prot) { - u32 secid; + struct lsmblob blob; if (file && (prot & PROT_EXEC)) { - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + security_task_getsecid_subj(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, MMAP_CHECK); } return 0; @@ -419,9 +420,9 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ 
@@ -429,11 +430,12 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_task_getsecid_subj(current, &secid); + security_task_getsecid_subj(current, &blob); inode = file_inode(vma->vm_file); + /* scaffolding */ action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, - &pcr, &template, NULL); + current_cred(), blob.secid[0], MAY_EXEC, + MMAP_CHECK, &pcr, &template, NULL); /* Is the mmap'ed file in policy? */ if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) @@ -469,10 +471,12 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob; - security_task_getsecid_subj(current, &secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + ret = process_measurement(bprm->file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; @@ -493,10 +497,11 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -672,7 +677,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the 
@@ -692,8 +697,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, + security_task_getsecid_subj(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, MAY_READ, func); } @@ -722,7 +728,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -735,9 +741,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func); + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], buf, + size, MAY_READ, func); } /** @@ -859,7 +866,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (!ima_policy_flag) return; @@ -879,9 +886,10 @@ void process_buffer_measurement(struct user_namespace *mnt_userns, * buffer measurements. */ if (func) { - security_task_getsecid_subj(current, &secid); + security_task_getsecid_subj(current, &blob); + /* scaffolding */ action = ima_get_action(mnt_userns, inode, current_cred(), - secid, 0, func, &pcr, &template, + blob.secid[0], 0, func, &pcr, &template, func_data); if (!(action & IMA_MEASURE)) return; diff --git a/security/security.c b/security/security.c index c38816ef9778..458fded340ab 100644 
--- a/security/security.c +++ b/security/security.c 
@@ -1904,17 +1904,30 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_subj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_subj, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_subj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_subj); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_obj, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_obj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_obj);
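Review bot: the scaffolding assignments audit_sig_sid = blob.secid[0], context->target_sid = blob.secid[0], ctx->target_sid = blob.secid[0], axp->target_sid[axp->pid_count] = blob.secid[0] and audit_info->secid = blob.secid[0] in kernel/audit.c, kernel/auditsc.c and the two netlabel files all hard-code slot 0, so until audit_context, audit_sig_sid and struct netlbl_audit are converted only the LSM holding slot 0 is recorded, whatever the other slots contain. That is the interim state the commit message announces, but the markers vary between "scaffolding until ... is converted", "scaffolding - until ..." and bare "scaffolding", which makes the remaining sites hard to locate when the audit structures become lsmblobs; use one fixed token in every such comment so the follow-up conversion can grep for them.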
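Review bot: in the audit_filter_rules() hunk of kernel/auditsc.c the guard is still named need_sid although it now decides whether security_task_getsecid_subj(tsk, &blob) has already filled the lsmblob, and the u32 sid it referred to is removed from the function in the same patch; rename it (need_blob or similar), otherwise the name keeps pointing at a variable that no longer exists.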
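Review bot: the ima_bprm_check() hunk in security/integrity/ima/ima_main.c adds struct lsmblob blob; but keeps the existing u32 secid; declaration while the only use of secid visible in the hunk, security_task_getsecid_subj(current, &secid), is replaced. The remainder of the function is outside the hunk, so confirm secid is still consumed there; if it is not, it is now an unused variable and the declaration should be dropped as it was in ima_file_mmap(), ima_file_check(), ima_read_file() and ima_post_read_file().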
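Review bot: security_task_getsecid_subj() and security_task_getsecid_obj() in security/security.c now carry two copies of the same loop (lsmblob_init(), hlist_for_each_entry(), the slot WARN_ON, the indexed hook call) differing only in the hook head and union member, and the same body already exists in security_ipc_getsecid() in 09/25; the two task hooks share the (struct task_struct *, u32 *) signature, so a small macro parameterised on the hook name, or a static helper, would collapse them and keep the slot check in one place.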
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v28 11/25] LSM: Use lsmblob in security_inode_getsecid Date: Wed, 21 Jul 2021 17:47:44 -0700 Message-Id: <20210722004758.12371-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11 +++++++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 4070cef152f7..aa19fa4a553f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -454,7 +454,7 @@ int security_inode_getsecurity(struct user_namespace *mnt_userns, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -1005,9 +1005,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getsecid(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 50e3f2f4cb49..dcd1b988a2d3 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1975,13 +1975,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getsecid(inode, &blob); + /* scaffolding until osid is updated */ + name->osid = blob.secid[0]; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index af612a42eebe..6d112ec89c1b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -608,7 +608,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; struct lsmblob lsmdata; if (!ima_lsm_isset(rule, i)) { @@ -621,8 +620,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - lsmblob_init(&lsmdata, osid); + security_inode_getsecid(inode, &lsmdata); rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index 458fded340ab..da85932a4d53 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1548,9 +1548,16 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer } EXPORT_SYMBOL(security_inode_listsecurity); -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.inode_getsecid(inode, &blob->secid[hp->lsmid->slot]); + } } int security_inode_copy_up(struct dentry *src, struct cred **new) From patchwork Thu Jul 22 00:47:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392645 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54F9EC6377A for ; Thu, 22 Jul 2021 01:01:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3060061261 for ; Thu, 22 Jul 2021 01:01:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230058AbhGVAUt (ORCPT ); Wed, 21 Jul 2021 20:20:49 -0400 Received: from sonic314-27.consmr.mail.ne1.yahoo.com ([66.163.189.153]:35957 "EHLO sonic314-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230045AbhGVAUs (ORCPT ); Wed, 21 Jul 2021 20:20:48 -0400 
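Review bot: The ima_policy.c hunk changes matching semantics, not just plumbing, and the commit message should say so: the removed `lsmblob_init(&lsmdata, osid)` replicated the single secid into every slot, whereas `security_inode_getsecid(inode, &lsmdata)` now leaves each slot with its own LSM's secid (or 0 for LSMs that do not provide inode_getsecid), so a rule evaluated by an LSM in a non-zero slot now compares against that LSM's own label. Two smaller points: in the auditsc.c hunk `name->osid = blob.secid[0];` means only the slot-0 LSM reaches the audit record until osid is converted, so the "scaffolding until osid is updated" comment should name what replaces it; and in the security.c hunk `lsmblob_init(blob, 0)` now zeroes the result before walking the hooks where the old `call_void_hook(inode_getsecid, ...)` left *secid untouched when no LSM registered the hook, which is a welcome fix worth a line in the changelog.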
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v28 12/25] LSM: Use lsmblob in security_cred_getsecid Date: Wed, 21 Jul 2021 17:47:45 -0700 Message-Id: <20210722004758.12371-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_cred_getsecid() interface to fill in a lsmblob instead of a u32 secid. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Reported-by: kernel test robot --- include/linux/security.h | 2 +- kernel/audit.c | 25 +++++++---------------- kernel/audit.h | 3 ++- kernel/auditsc.c | 33 +++++++++++-------------------- security/integrity/ima/ima_main.c | 8 ++++---- security/security.c | 12 ++++++++--- 6 files changed, 35 insertions(+), 48 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index aa19fa4a553f..cdd8d9122795 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -481,7 +481,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); -void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getsecid(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, struct lsmblob *blob); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); diff --git a/kernel/audit.c b/kernel/audit.c index d92c7b894183..8ec64e6e8bc0 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -125,7 +125,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ static kuid_t audit_sig_uid = INVALID_UID; static pid_t audit_sig_pid = -1; -static u32 audit_sig_sid; +struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] 
@@ -1441,29 +1441,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - struct lsmblob blob; - - /* - * lsmblob_init sets all values in the lsmblob - * to audit_sig_sid. This is temporary until - * audit_sig_sid is converted to a lsmblob, which - * happens later in this patch set. - */ - lsmblob_init(&blob, audit_sig_sid); - err = security_secid_to_secctx(&blob, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_secid_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } @@ -2352,7 +2344,6 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; - struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2363,9 +2354,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid_subj(current, &blob); - /* scaffolding until audit_sig_sid is converted */ - audit_sig_sid = blob.secid[0]; + security_task_getsecid_subj(current, &audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/audit.h b/kernel/audit.h index b565ea16c0a5..b679517a3030 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -9,6 +9,7 @@ #include #include #include +#include #include #include 
@@ -134,7 +135,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_lsm; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index dcd1b988a2d3..b5807b9b8a4d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -111,7 +111,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_lsm[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -997,14 +997,14 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, + struct lsmblob *blob, char *comm) { struct audit_buffer *ab; char *ctx = NULL; u32 len; int rc = 0; - struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -1013,9 +1013,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - lsmblob_init(&blob, sid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_secid_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1590,7 +1589,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_lsm[i], axs->target_comm[i])) call_panic = 1; } 
@@ -1599,7 +1598,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_lsm, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -1775,7 +1774,7 @@ void __audit_syscall_exit(int success, long return_code) context->aux = NULL; context->aux_pids = NULL; context->target_pid = 0; - context->target_sid = 0; + lsmblob_init(&context->target_lsm, 0); context->sockaddr_len = 0; context->type = 0; context->fds[0] = -1; @@ -2434,15 +2433,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &blob); - /* scaffolding - until target_sid is converted */ - context->target_sid = blob.secid[0]; + security_task_getsecid_obj(t, &context->target_lsm); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2458,7 +2454,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2470,9 +2465,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &blob); - /* scaffolding until target_sid is converted */ - ctx->target_sid = blob.secid[0]; + security_task_getsecid_obj(t, &ctx->target_lsm); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } 
@@ -2493,9 +2486,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &blob); - /* scaffolding until target_sid is converted */ - axp->target_sid[axp->pid_count] = blob.secid[0]; + security_task_getsecid_obj(t, &axp->target_lsm[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 29befd24b945..de084954d0b9 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -470,7 +470,6 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; struct lsmblob blob; security_task_getsecid_subj(current, &blob); @@ -480,9 +479,10 @@ int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, - MAY_EXEC, CREDS_CHECK); + security_cred_getsecid(bprm->cred, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(bprm->file, bprm->cred, blob.secid[0], + NULL, 0, MAY_EXEC, CREDS_CHECK); } /** diff --git a/security/security.c b/security/security.c index da85932a4d53..b4a268c1aaec 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1798,10 +1798,16 @@ void security_transfer_creds(struct cred *new, const struct cred *old) call_void_hook(cred_transfer, new, old); } -void security_cred_getsecid(const struct cred *c, u32 *secid) +void security_cred_getsecid(const struct cred *c, struct lsmblob *blob) { - *secid = 0; - call_void_hook(cred_getsecid, c, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.cred_getsecid(c, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_cred_getsecid); From patchwork Thu Jul 22 00:47:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392647 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40C09C6377C for ; Thu, 22 Jul 2021 01:02:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 267BE61283 for ; Thu, 22 Jul 2021 01:02:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230031AbhGVAVy (ORCPT ); Wed, 21 Jul 2021 20:21:54 -0400 Received: from sonic313-16.consmr.mail.ne1.yahoo.com ([66.163.185.39]:41906 "EHLO sonic313-16.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229923AbhGVAVx (ORCPT ); Wed, 21 Jul 2021 20:21:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; 
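Review bot: In the kernel/audit.c hunk `-static u32 audit_sig_sid;` becomes `+struct lsmblob audit_sig_lsm;`, dropping `static`; nothing else in this patch references audit_sig_lsm outside audit.c (the audit.h hunk only adds an include and converts target_sid in struct audit_context), so keep it static rather than exposing a writable global, or add the audit.h declaration if another file really needs it. Separately, the security.c hunk for security_cred_getsecid() is now the fourth copy of the same hlist walk with the WARN_ON slot check (task_getsecid_subj, task_getsecid_obj, inode_getsecid, cred_getsecid); a small static helper or macro taking the hook head and the hook member would keep the slot validation in one place so a future fix does not have to be applied four times. Minor: in ima_bprm_check() the same `blob` local is reused first for the task's subject secid and then for `security_cred_getsecid(bprm->cred, &blob)`; that is correct since the first value is consumed before the second call, but a one-line comment or a second local would make the two different identities obvious.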
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v28 13/25] IMA: Change internal interfaces to use lsmblobs Date: Wed, 21 Jul 2021 17:47:46 -0700 Message-Id: <20210722004758.12371-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: The IMA interfaces ima_get_action() and ima_match_policy() call LSM functions that use lsmblobs. Change the IMA functions to pass the lsmblob to be compatible with the LSM functions. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org To: Mimi Zohar --- security/integrity/ima/ima.h | 6 ++--- security/integrity/ima/ima_api.c | 6 ++--- security/integrity/ima/ima_appraise.c | 5 ++-- security/integrity/ima/ima_main.c | 36 +++++++++++---------------- security/integrity/ima/ima_policy.c | 17 ++++++------- 5 files changed, 31 insertions(+), 39 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 55f3bd4f0b01..a6b59fcaf62a 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -251,7 +251,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data); @@ -282,8 +282,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d8e321cc6936..691f68d478f1 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c 
@@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @mnt_userns: user namespace of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: LSM data of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -185,7 +185,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data) @@ -194,7 +194,7 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(mnt_userns, inode, cred, secid, func, mask, + return ima_match_policy(mnt_userns, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index e3d903d6e5e7..de50ed4df878 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -77,10 +77,9 @@ int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, return 0; security_task_getsecid_subj(current, &blob); - /* scaffolding the .secid[0] */ return ima_match_policy(mnt_userns, inode, current_cred(), - blob.secid[0], func, mask, - IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); + &blob, func, mask, IMA_APPRAISE | IMA_HASH, + NULL, NULL, NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index de084954d0b9..2bcbfb577860 100644 --- a/security/integrity/ima/ima_main.c 
+++ b/security/integrity/ima/ima_main.c @@ -194,8 +194,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -218,7 +218,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid, + action = ima_get_action(file_mnt_user_ns(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); @@ -392,8 +392,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) if (file && (prot & PROT_EXEC)) { security_task_getsecid_subj(current, &blob); - /* scaffolding - until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); } @@ -434,7 +433,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) inode = file_inode(vma->vm_file); /* scaffolding */ action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, - current_cred(), blob.secid[0], MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL); /* Is the mmap'ed file in policy? */ 
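Review bot: the `/* scaffolding */` marker left in ima_file_mprotect() is now stale, because the call right under it already passes `&blob` instead of `blob.secid[0]`; every other call site in this file drops its "scaffolding until process_measurement changes" comment in the same patch, so this one, and the identical `/* scaffolding */` that survives in process_buffer_measurement() further down, should be removed too, otherwise a later reader will go looking for a conversion that has already been done.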
@@ -473,16 +472,14 @@ int ima_bprm_check(struct linux_binprm *bprm) struct lsmblob blob; security_task_getsecid_subj(current, &blob); - /* scaffolding until process_measurement changes */ - ret = process_measurement(bprm->file, current_cred(), blob.secid[0], - NULL, 0, MAY_EXEC, BPRM_CHECK); + ret = process_measurement(bprm->file, current_cred(), &blob, NULL, 0, + MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(bprm->file, bprm->cred, blob.secid[0], - NULL, 0, MAY_EXEC, CREDS_CHECK); + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, + MAY_EXEC, CREDS_CHECK); } /** @@ -500,8 +497,7 @@ int ima_file_check(struct file *file, int mask) struct lsmblob blob; security_task_getsecid_subj(current, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -698,9 +694,8 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid_subj(current, &blob); - /* scaffolding - until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], NULL, - 0, MAY_READ, func); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { 
@@ -742,9 +737,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid_subj(current, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], buf, - size, MAY_READ, func); + return process_measurement(file, current_cred(), &blob, buf, size, + MAY_READ, func); } /** @@ -889,7 +883,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns, security_task_getsecid_subj(current, &blob); /* scaffolding */ action = ima_get_action(mnt_userns, inode, current_cred(), - blob.secid[0], 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data); if (!(action & IMA_MEASURE)) return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 6d112ec89c1b..a2b8c0ad8b74 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -548,7 +548,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @mnt_userns: user namespace of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the lsm data of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -558,8 +558,8 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, - const char *func_data) + struct lsmblob *blob, enum ima_hooks func, + int mask, const char *func_data) { int i; 
@@ -628,8 +628,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - lsmblob_init(&lsmdata, secid); - rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, + rc = ima_filter_rule_match(blob, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); break; @@ -673,7 +672,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM data of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend @@ -688,8 +687,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data) { 
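Review bot: in ima_match_rules() the LSM_SUBJ_* cases now hand `blob` straight to ima_filter_rule_match() and the `lsmblob_init(&lsmdata, secid)` line goes away; please confirm that `lsmdata` is still used by the remaining cases (it is not visible in this hunk) and drop its declaration if it is not, to avoid an unused-variable warning. Also, `blob` is passed through to the filter match for every subject rule but is never checked against NULL in ima_match_rules() or ima_match_policy(); all callers in this patch pass the address of a stack lsmblob, so that is fine today, but a sentence in the `@blob` kernel-doc saying it must not be NULL would pin the contract down.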
@@ -705,7 +704,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, + if (!ima_match_rules(entry, mnt_userns, inode, cred, blob, func, mask, func_data)) continue;

From patchwork Thu Jul 22 00:47:47 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12392677
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley, Greg Kroah-Hartman, linux-api@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v28 14/25] LSM: Specify which LSM to display
Date: Wed, 21 Jul 2021 17:47:47 -0700
Message-Id: <20210722004758.12371-15-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Create a new entry "interface_lsm" in the procfs attr directory for
controlling which LSM security information is displayed for a process.
A process can only read or write its own display value.

The name of an active LSM that supplies hooks for human readable data
may be written to "interface_lsm" to set the value. The name of the LSM
currently in use can be read from "interface_lsm". At this point there
can only be one LSM capable of display active.

A helper function lsm_task_ilsm() is provided to get the interface lsm
slot for a task_struct.

Setting the "interface_lsm" requires that all security modules using
setprocattr hooks allow the action. Each security module is responsible
for defining its policy.

AppArmor hook provided by John Johansen
SELinux hook provided by Stephen Smalley
Signed-off-by: Casey Schaufler Cc: Kees Cook Cc: Stephen Smalley Cc: Paul Moore Cc: John Johansen Cc: Greg Kroah-Hartman Cc: linux-api@vger.kernel.org Cc: linux-doc@vger.kernel.org --- .../ABI/testing/procfs-attr-lsm_display | 22 +++ Documentation/security/lsm.rst | 14 ++ fs/proc/base.c | 1 + include/linux/lsm_hooks.h | 17 ++ security/apparmor/include/apparmor.h | 3 +- security/apparmor/lsm.c | 32 ++++ security/security.c | 166 ++++++++++++++++-- security/selinux/hooks.c | 11 ++ security/selinux/include/classmap.h | 2 +- security/smack/smack_lsm.c | 7 + 10 files changed, 256 insertions(+), 19 deletions(-) create mode 100644 Documentation/ABI/testing/procfs-attr-lsm_display diff --git a/Documentation/ABI/testing/procfs-attr-lsm_display b/Documentation/ABI/testing/procfs-attr-lsm_display new file mode 100644 index 000000000000..0f60005c235c --- /dev/null +++ b/Documentation/ABI/testing/procfs-attr-lsm_display @@ -0,0 +1,22 @@ +What: /proc/*/attr/lsm_display +Contact: linux-security-module@vger.kernel.org, +Description: The name of the Linux security module (LSM) that will + provide information in the /proc/*/attr/current, + /proc/*/attr/prev and /proc/*/attr/exec interfaces. + The details of permissions required to read from + this interface are dependent on the LSMs active on the + system. + A process cannot write to this interface unless it + refers to itself. + The other details of permissions required to write to + this interface are dependent on the LSMs active on the + system. + The format of the data used by this interface is a + text string identifying the name of an LSM. The values + accepted are: + selinux - the SELinux LSM + smack - the Smack LSM + apparmor - The AppArmor LSM + By convention the LSM names are lower case and do not + contain special characters. +Users: LSM user-space diff --git a/Documentation/security/lsm.rst b/Documentation/security/lsm.rst index 6a2a2e973080..b77b4a540391 100644 --- a/Documentation/security/lsm.rst 
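Review bot: the new ABI file is named procfs-attr-lsm_display and its `What:` line documents `/proc/*/attr/lsm_display`, but the entry added to fs/proc/base.c and the text in lsm.rst both create and describe `interface_lsm`; rename the file and the `What:` line to match, or the documented path will not exist on any kernel. The description also says read permission is "dependent on the LSMs active on the system", whereas security_getprocattr() in this patch refuses with -EINVAL whenever `current != p`, so reads are self-only just like writes and the text should say so. Two smaller points: the `Contact:` line ends in a stray comma, and it would help to state that a name not found in the registered list is rejected with -EINVAL (the behaviour of the security_setprocattr() lookup), since "selinux", "smack" and "apparmor" are only valid values when that module is actually built in and active.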
+++ b/Documentation/security/lsm.rst @@ -129,3 +129,17 @@ to identify it as the first security module to be registered. The capabilities security module does not use the general security blobs, unlike other modules. The reasons are historical and are based on overhead, complexity and performance concerns. + +LSM External Interfaces +======================= + +The LSM infrastructure does not generally provide external interfaces. +The individual security modules provide what external interfaces they +require. + +The file ``/sys/kernel/security/lsm`` provides a comma +separated list of the active security modules. + +The file ``/proc/pid/attr/interface_lsm`` contains the name of the security +module for which the ``/proc/pid/attr/current`` interface will +apply. This interface can be written to. diff --git a/fs/proc/base.c b/fs/proc/base.c index e5b5f7709d48..f80ed1c40053 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2820,6 +2820,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", 0666), ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), + ATTR(NULL, "interface_lsm", 0666), #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index c61a16f0a5bc..d2c4bc94d47f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1686,4 +1686,21 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, extern int lsm_inode_alloc(struct inode *inode); +/** + * lsm_task_ilsm - the "interface_lsm" for this task + * @task: The task to report on + * + * Returns the task's interface LSM slot. + */ +static inline int lsm_task_ilsm(struct task_struct *task) +{ +#ifdef CONFIG_SECURITY + int *ilsm = task->security; + + if (ilsm) + return *ilsm; +#endif + return LSMBLOB_INVALID; +} + #endif /* ! __LINUX_LSM_HOOKS_H */ 
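Review bot: the lsm.rst paragraph says interface_lsm selects the module for `/proc/pid/attr/current` only, while the ABI entry in the previous hunk lists current, prev and exec, and the security.c changes in this patch also route secid_to_secctx(), release_secctx() and SO_PEERSEC (socket_getpeersec_stream) through the same slot; list the full set here so readers do not assume the other interfaces are unaffected, and say who may write it ("This interface can be written to" by the process itself only). In lsm_task_ilsm(), the kernel-doc should note that LSMBLOB_INVALID is returned both when the task has no security blob and when no interface LSM has been chosen, and that callers treat both as "use the first registered module"; that equivalence is relied on in security_getprocattr() and security_secid_to_secctx() below but is not written down anywhere.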
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h index 1fbabdb565a8..b1622fcb4394 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h @@ -28,8 +28,9 @@ #define AA_CLASS_SIGNAL 10 #define AA_CLASS_NET 14 #define AA_CLASS_LABEL 16 +#define AA_CLASS_DISPLAY_LSM 17 -#define AA_CLASS_LAST AA_CLASS_LABEL +#define AA_CLASS_LAST AA_CLASS_DISPLAY_LSM /* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 392e25940d1f..4237536106aa 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -621,6 +621,25 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, return error; } + +static int profile_interface_lsm(struct aa_profile *profile, + struct common_audit_data *sa) +{ + struct aa_perms perms = { }; + unsigned int state; + + state = PROFILE_MEDIATES(profile, AA_CLASS_DISPLAY_LSM); + if (state) { + aa_compute_perms(profile->policy.dfa, state, &perms); + aa_apply_modes_to_perms(profile, &perms); + aad(sa)->label = &profile->label; + + return aa_check_perms(profile, &perms, AA_MAY_WRITE, sa, NULL); + } + + return 0; +} + static int apparmor_setprocattr(const char *name, void *value, size_t size) { @@ -632,6 +651,19 @@ static int apparmor_setprocattr(const char *name, void *value, if (size == 0) return -EINVAL; + /* LSM infrastructure does actual setting of interface_lsm if allowed */ + if (!strcmp(name, "interface_lsm")) { + struct aa_profile *profile; + struct aa_label *label; + + aad(&sa)->info = "set interface lsm"; + label = begin_current_label_crit_section(); + error = fn_for_each_confined(label, profile, + profile_interface_lsm(profile, &sa)); + end_current_label_crit_section(label); + return error; + } + /* AppArmor requires that the buffer must be null terminated atm */ if (args[size - 1] != '\0') { /* null terminate */ 
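Review bot: the new class is named AA_CLASS_DISPLAY_LSM and the audit info string reads "set interface lsm", while the SELinux permission added later in this patch is "setdisplay" and the proc file is "interface_lsm"; settle on one vocabulary (display or interface) across the patch so policy authors can find the matching rule. The interface_lsm check is placed before the `args[size - 1] != '\0'` null-termination check; that is correct because the value is never parsed here (security_setprocattr() does the parsing and only asks each module for a yes/no), but a one-line comment saying so would stop someone "fixing" the order later. Note also that only confined profiles are consulted (`fn_for_each_confined`), so an unconfined process is never restricted by this hook; if that is the intended policy, state it in the commit message.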
diff --git a/security/security.c b/security/security.c index b4a268c1aaec..7829b8f5d15f 100644 --- a/security/security.c +++ b/security/security.c @@ -77,7 +77,16 @@ static struct kmem_cache *lsm_file_cache; static struct kmem_cache *lsm_inode_cache; char *lsm_names; -static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init; + +/* + * The task blob includes the "interface_lsm" slot used for + * chosing which module presents contexts. + * Using a long to avoid potential alignment issues with + * module assigned task blobs. + */ +static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init = { + .lbs_task = sizeof(long), +}; /* Boot-time LSM user choice */ static __initdata const char *chosen_lsm_order; @@ -671,6 +680,8 @@ int lsm_inode_alloc(struct inode *inode) */ static int lsm_task_alloc(struct task_struct *task) { + int *ilsm; + if (blob_sizes.lbs_task == 0) { task->security = NULL; return 0; @@ -679,6 +690,15 @@ static int lsm_task_alloc(struct task_struct *task) task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); if (task->security == NULL) return -ENOMEM; + + /* + * The start of the task blob contains the "interface" LSM slot number. + * Start with it set to the invalid slot number, indicating that the + * default first registered LSM be displayed. + */ + ilsm = task->security; + *ilsm = LSMBLOB_INVALID; + return 0; } @@ -1734,14 +1754,26 @@ int security_file_open(struct file *file) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { + int *oilsm = current->security; + int *nilsm; int rc = lsm_task_alloc(task); - if (rc) + if (unlikely(rc)) return rc; + rc = call_int_hook(task_alloc, 0, task, clone_flags); - if (unlikely(rc)) + if (unlikely(rc)) { security_task_free(task); - return rc; + return rc; + } + + if (oilsm) { + nilsm = task->security; + if (nilsm) + *nilsm = *oilsm; + } + + return 0; } void security_task_free(struct task_struct *task) 
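Review bot: typo in the new comment above blob_sizes: "chosing" should be "choosing". On substance, lsm_task_alloc() stores the slot through an `int *` into the `sizeof(long)` word reserved by the initializer, and nothing else documents that the first word of every task blob belongs to the infrastructure; a sentence next to `.lbs_task = sizeof(long)` saying that module blobs begin after it would keep a later cleanup from shrinking `lbs_task` back to 0 and silently breaking lsm_task_ilsm(). In security_task_alloc(), the parent's slot is copied into the child only after the `task_alloc` hooks have run, so a module's hook observes LSMBLOB_INVALID rather than the inherited value; if no module needs it that is fine, but doing the copy right after lsm_task_alloc() (the blob already exists there) would be the less surprising order.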
@@ -2173,23 +2205,110 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + int ilsm = lsm_task_ilsm(current); + int slot = 0; + + if (!strcmp(name, "interface_lsm")) { + /* + * lsm_slot will be 0 if there are no displaying modules. + */ + if (lsm_slot == 0) + return -EINVAL; + + /* + * Only allow getting the current process' interface_lsm. + * There are too few reasons to get another process' + * interface_lsm and too many LSM policy issues. + */ + if (current != p) + return -EINVAL; + + ilsm = lsm_task_ilsm(p); + if (ilsm != LSMBLOB_INVALID) + slot = ilsm; + *value = kstrdup(lsm_slotlist[slot]->lsm, GFP_KERNEL); + if (*value) + return strlen(*value); + return -ENOMEM; + } hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; + if (lsm == NULL && ilsm != LSMBLOB_INVALID && + ilsm != hp->lsmid->slot) + continue; return hp->hook.getprocattr(p, name, value); } return LSM_RET_DEFAULT(getprocattr); } +/** + * security_setprocattr - Set process attributes via /proc + * @lsm: name of module involved, or NULL + * @name: name of the attribute + * @value: value to set the attribute to + * @size: size of the value + * + * Set the process attribute for the specified security module + * to the specified value. Note that this can only be used to set + * the process attributes for the current, or "self" process. + * The /proc code has already done this check. + * + * Returns 0 on success, an appropriate code otherwise. + */ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size) { struct security_hook_list *hp; + char *termed; + char *copy; + int *ilsm = current->security; + int rc = -EINVAL; + int slot = 0; + + if (!strcmp(name, "interface_lsm")) { + /* + * Change the "interface_lsm" value only if all the security + * modules that support setting a procattr allow it. 
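Review bot: in the `interface_lsm` branch of security_getprocattr(), `ilsm` was already initialised from `lsm_task_ilsm(current)` at the top of the function and `current != p` has just been enforced, so the second `ilsm = lsm_task_ilsm(p)` is redundant and can go. Returning -EINVAL for both "no displaying modules" (`lsm_slot == 0`) and "not my own process" conflates a configuration state with a refusal; -EPERM for the latter would let userspace tell them apart, and whichever code is kept should be recorded in the ABI file. The `int slot = 0` default means that when the task's value is LSMBLOB_INVALID the name of slot 0 is reported, which is the "first registered LSM" default described in lsm_task_alloc(); a short comment tying the two together would help the next reader.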
+ * It is assumed that all such security modules will be + * cooperative. + */ + if (size == 0) + return -EINVAL; + + hlist_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + rc = hp->hook.setprocattr(name, value, size); + if (rc < 0) + return rc; + } + + rc = -EINVAL; + + copy = kmemdup_nul(value, size, GFP_KERNEL); + if (copy == NULL) + return -ENOMEM; + + termed = strsep(©, " \n"); + + for (slot = 0; slot < lsm_slot; slot++) + if (!strcmp(termed, lsm_slotlist[slot]->lsm)) { + *ilsm = lsm_slotlist[slot]->slot; + rc = size; + break; + } + + kfree(termed); + return rc; + } hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; + if (lsm == NULL && *ilsm != LSMBLOB_INVALID && + *ilsm != hp->lsmid->slot) + continue; return hp->hook.setprocattr(name, value, size); } return LSM_RET_DEFAULT(setprocattr); @@ -2209,15 +2328,15 @@ EXPORT_SYMBOL(security_ismaclabel); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; - int rc; + int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], - secdata, seclen); - if (rc != LSM_RET_DEFAULT(secid_to_secctx)) - return rc; + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + return hp->hook.secid_to_secctx( + blob->secid[hp->lsmid->slot], + secdata, seclen); } return LSM_RET_DEFAULT(secid_to_secctx); 
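Review bot: security_setprocattr() dereferences `*ilsm` (`int *ilsm = current->security`) both in the interface_lsm branch and in the per-module loop without a NULL check, while the lsm_task_ilsm() helper added in lsm_hooks.h guards the same pointer; use the helper for the read in the loop and check before the write (or document why the task blob can never be NULL here) so the two paths agree. In the lookup, `termed = strsep(&copy, " \n")` followed by `kfree(termed)` is correct only because strsep returns the start of the original allocation while advancing `copy`; that deserves a comment, since freeing `termed` rather than `copy` looks like a leak at first glance. The comparison is also exact, so "selinux\n" is accepted (newline is a separator) but "SELinux" is not; either fold case or state in the ABI text that the name is case-sensitive.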
@@ -2228,16 +2347,15 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob) { struct security_hook_list *hp; - int rc; + int ilsm = lsm_task_ilsm(current); lsmblob_init(blob, 0); hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.secctx_to_secid(secdata, seclen, - &blob->secid[hp->lsmid->slot]); - if (rc != 0) - return rc; + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + return hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); } return 0; } @@ -2245,7 +2363,14 @@ EXPORT_SYMBOL(security_secctx_to_secid); void security_release_secctx(char *secdata, u32 seclen) { - call_void_hook(release_secctx, secdata, seclen); + struct security_hook_list *hp; + int ilsm = lsm_task_ilsm(current); + + hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { + hp->hook.release_secctx(secdata, seclen); + return; + } } EXPORT_SYMBOL(security_release_secctx); @@ -2386,8 +2511,15 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int __user *optlen, unsigned len) { - return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, - optval, optlen, len); + int ilsm = lsm_task_ilsm(current); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream, + list) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + return hp->hook.socket_getpeersec_stream(sock, optval, + optlen, len); + return -ENOPROTOOPT; } int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f84b6c274a10..3b95eb39a3bf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
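Review bot: security_secctx_to_secid() changes semantics: the old loop called every module and filled each module's slot of `blob`, stopping only on error, whereas the new loop returns after the single module selected by `ilsm` (or the first registered one when it is LSMBLOB_INVALID), so every other slot keeps the 0 written by `lsmblob_init(blob, 0)`. Callers that later compare or match on the whole blob need to be checked against that, and the commit message should spell out that a context string is now interpreted by one module only. security_release_secctx() has the same property with a twist: the module that frees `secdata` is chosen by the *current* task's interface_lsm at release time, not by the module that produced the buffer in secid_to_secctx(); a buffer released from a different task, or after the owning task has rewritten interface_lsm in between, reaches the wrong release hook. Tying the choice to the buffer (for example by having secid_to_secctx() report which slot produced it) would remove that dependency.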
@@ -6500,6 +6500,17 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) /* * Basic control over ability to set these attributes at all. */ + + /* + * For setting interface_lsm, we only perform a permission check; + * the actual update to the interface_lsm value is handled by the + * LSM framework. + */ + if (!strcmp(name, "interface_lsm")) + return avc_has_perm(&selinux_state, + mysid, mysid, SECCLASS_PROCESS2, + PROCESS2__SETDISPLAY, NULL); + if (!strcmp(name, "exec")) error = avc_has_perm(&selinux_state, mysid, mysid, SECCLASS_PROCESS, diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 62d19bccf3de..8f4b0dd6dd78 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -53,7 +53,7 @@ struct security_class_mapping secclass_map[] = { "execmem", "execstack", "execheap", "setkeycreate", "setsockcreate", "getrlimit", NULL } }, { "process2", - { "nnp_transition", "nosuid_transition", NULL } }, + { "nnp_transition", "nosuid_transition", "setdisplay", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5c10ad27be37..7aa7ea38f627 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
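Review bot: the SELinux check names the permission `setdisplay` in class process2 while the proc file, the AppArmor class (AA_CLASS_DISPLAY_LSM) and the audit string each use a different spelling of the same concept; classmap.h is ABI for policy writers, so pick one name now (something matching "interface_lsm") because renaming later breaks existing policy. The early `return avc_has_perm(...)` deliberately skips the remainder of selinux_setprocattr(), as the comment says, which makes the decision purely "may this subject change its own display"; that is consistent with the framework doing the actual update. For contrast, the Smack hook in the next hunk returns 0 before its CAP_MAC_ADMIN / smk_relabel check, so Smack imposes no restriction at all; both choices are defensible, but the commit message should state them so the asymmetry between modules is visible to reviewers rather than discovered in the code.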
@@ -3508,6 +3508,13 @@ static int smack_setprocattr(const char *name, void *value, size_t size) struct smack_known_list_elem *sklep; int rc; + /* + * Allow the /proc/.../attr/current and SO_PEERSEC "interface_lsm" + * to be reset at will. + */ + if (strcmp(name, "interface_lsm") == 0) + return 0; + if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) return -EPERM;
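Review bot: in the security_secctx_to_secid() hunk the loop now returns from the first hook whose slot matches, so with ilsm == LSMBLOB_INVALID only the first registered LSM's secid is filled in, where the replaced loop filled every slot; and when no hook matches at all (the task's interface LSM has no secctx_to_secid hook) the function falls through to `return 0;` with the blob still at its lsmblob_init(blob, 0) value, reporting success for an empty secid. Consider returning -EOPNOTSUPP on the no-match path, matching the !CONFIG_SECURITY stub in security.h, and spell out in a comment that LSMBLOB_INVALID means "first LSM answers", not "all LSMs answer".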
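Review bot: the security_release_secctx() hunk chooses the releasing module from lsm_task_ilsm(current) at release time rather than from whichever module produced the string, so a context obtained from one LSM and released after the task's interface_lsm changed (which the selinux and smack hunks in this patch permit) is handed to the wrong module; since SELinux frees per use and Smack hands out list entries that are never freed (see the 15/25 description), that is either a leak or a release of memory the module never allocated. The loop also ends silently when no slot matches. Carrying the slot alongside the string, as the lsmcontext in the following patch does, is the right fix; until then a WARN_ON_ONCE() on the no-match path would make the gap visible.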
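Review bot: the selinux_setprocattr() hunk gates the "interface_lsm" attribute with PROCESS2__SETDISPLAY, which the classmap.h hunk adds as "setdisplay"; the attribute and permission names no longer match, so a policy writer looking for the permission that controls interface_lsm will not find it by name. Either rename the permission or add a one-line comment next to "setdisplay" in classmap.h saying it governs the interface_lsm attribute. Note also that this branch returns avc_has_perm() directly instead of assigning `error` as the "exec" branch does, which bypasses whatever follows the permission checks in this function; the comment should say that is intended.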
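Review bot: the "interface_lsm" early return in smack_setprocattr() sits before the smack_privileged(CAP_MAC_ADMIN) / smk_relabel check, so Smack places no restriction on the attribute at all, while the SELinux hunk in the same patch gates it with a permission. The asymmetry is defensible, since the value only changes which LSM's labels the calling task itself sees (the socket_getpeersec_stream hunk keys on lsm_task_ilsm(current)), but the comment should say so and should state that the value itself is validated by the framework rather than by Smack; "reset at will" on its own reads like a missing check.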
From patchwork Thu Jul 22 00:47:48 2021
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Chuck Lever, linux-integrity@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v28 15/25] LSM: Ensure the correct LSM context releaser
Date: Wed, 21 Jul 2021 17:47:48 -0700
Message-Id: <20210722004758.12371-16-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Paul Moore
Acked-by: Stephen Smalley
Acked-by: Chuck Lever
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org --- drivers/android/binder.c | 10 ++++--- fs/ceph/xattr.c | 6 ++++- fs/nfs/nfs4proc.c | 8 ++++-- fs/nfsd/nfs4xdr.c | 7 +++-- include/linux/security.h | 35 +++++++++++++++++++++++-- include/net/scm.h | 5 +++- kernel/audit.c | 14 +++++++--- kernel/auditsc.c | 12 ++++++--- net/ipv4/ip_sockglue.c | 4 ++- net/netfilter/nf_conntrack_netlink.c | 4 ++- net/netfilter/nf_conntrack_standalone.c | 4 ++- net/netfilter/nfnetlink_queue.c | 13 ++++++--- net/netlabel/netlabel_unlabeled.c | 19 +++++++++++--- net/netlabel/netlabel_user.c | 4 ++- security/security.c | 11 ++++---- 15 files changed, 121 insertions(+), 35 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 96dd728809ef..8976ac6a5adb 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2461,6 +2461,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2772,7 +2773,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; 
@@ -3114,8 +3116,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index 1242db8d3444..b867089e1aa4 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1356,12 +1356,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index e1214bb6b7ee..71004670455b 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -136,8 +136,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 7abeccb975b2..089ec4b61ef1 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c 
@@ -2844,6 +2844,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -3345,8 +3346,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index cdd8d9122795..041e87f3fe4e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -133,6 +133,37 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules * 
@@ -550,7 +581,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1414,7 +1445,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 23a35ff1b3f2..f273c4d777ec 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 8ec64e6e8bc0..c17ec23158c4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1192,6 +1192,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) 
@@ -1449,15 +1450,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2132,6 +2136,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) @@ -2145,7 +2150,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b5807b9b8a4d..1b1ddd62de6c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1002,6 +1002,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -1019,7 +1020,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); 
@@ -1232,6 +1234,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1266,7 +1269,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1417,6 +1421,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1425,7 +1430,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 2f089733ada7..a7e4c1b34b6c 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen, secid; @@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 9bf1f5460681..89be957f26bd 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -342,6 +342,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; /* lsmblob_init() puts ct->secmark into all of the secids in blob. * security_secid_to_secctx() will know which security module @@ -362,7 +363,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 89b6f5ebcfc4..ca2ae290d6ee 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a781e757d593..005900a0c397 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; @@ -626,8 +627,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -635,8 +638,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 098d0a1a3330..61346aaa2898 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); 
@@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -509,7 +513,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -546,6 +552,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -576,7 +583,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1095,6 +1103,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1165,7 +1174,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 
--- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index 7829b8f5d15f..4cb540d93ab8 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2361,16 +2361,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + break; } + + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx);
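Review bot: the struct lsmcontext comment in the security.h hunk describes slot as "which LSM it is useful for", but the property the rest of the patch depends on is ownership: slot names the LSM that allocated context and is therefore the only one that may release it. Suggest wording the comment that way and documenting what slot holds when no LSM produced the string (the callers pass 0, the release path compares it against hp->lsmid->slot, and nothing says whether LSMBLOB_INVALID is a legal value). The !CONFIG_SECURITY stub `static inline void security_release_secctx(struct lsmcontext *cp) { }` should also clear *cp as the real implementation does, so a caller testing cp->context afterwards behaves the same in both configurations.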
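Review bot: every converted caller in this patch (binder, ceph, nfs, nfsd, scm, audit, auditsc, ip_sockglue, conntrack, nfnetlink_queue, netlabel) passes a hard-coded slot of 0 to lsmcontext_init(), and the new security_release_secctx() releases only through the hook whose lsmid->slot equals that value. With more than one LSM providing secctx hooks, a string produced by the LSM in any slot other than 0 is never released, where before this patch the release followed lsm_task_ilsm(current). The /* scaffolding */ markers make the intent clear, but the commit message should say outright that the series is temporarily incorrect at this point and that 16/25, which has security_secid_to_secctx() return the LSM identifier with the string, is what restores correctness.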
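Review bot: in the security_release_secctx() hunk the loop falls through silently when no hook's slot matches cp->slot, and the memset() then wipes the pointer, so an allocation nobody released is lost without a trace; a WARN_ON_ONCE() on the no-match case would catch both the scaffolding slot-0 mismatch above and any future caller that forgets to set the slot. The memset itself is a good choice (a second release becomes a no-op and callers can test cp->context), but since callers will come to rely on it, the function's kernel-doc should state that *cp is cleared on return.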
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v28 16/25] LSM: Use lsmcontext in security_secid_to_secctx
Date: Wed, 21 Jul 2021 17:47:49 -0700
Message-Id: <20210722004758.12371-17-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Replace the (secctx,seclen) pointer pair with a single lsmcontext
pointer to allow return of the LSM identifier along with the
context and context length. This allows security_release_secctx()
to know how to release the context. Callers have been modified
to use or save the returned data from the new structure.

Reviewed-by: Kees Cook
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
---
 drivers/android/binder.c                | 26 +++++++---------
 include/linux/security.h                |  4 +--
 include/net/scm.h                       |  9 ++----
 kernel/audit.c                          | 39 +++++++++++-------------
 kernel/auditsc.c                        | 31 +++++++------------
 net/ipv4/ip_sockglue.c                  |  8 ++---
 net/netfilter/nf_conntrack_netlink.c    | 18 +++++------
 net/netfilter/nf_conntrack_standalone.c |  7 ++---
 net/netfilter/nfnetlink_queue.c         |  5 +++-
 net/netlabel/netlabel_unlabeled.c       | 40 ++++++++-----------------
 net/netlabel/netlabel_user.c            |  7 ++---
 security/security.c                     | 10 +++++--
 12 files changed, 81 insertions(+), 123 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 8976ac6a5adb..2c3a2348a144 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c @@ -2459,9 +2459,7 @@ static void binder_transaction(struct binder_proc *proc, binder_size_t last_fixup_min_off = 0; struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); - char *secctx = NULL; - u32 secctx_sz = 0; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext lsmctx = { }; e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2724,14 +2722,14 @@ static void binder_transaction(struct binder_proc *proc, * case well anyway. */ security_task_getsecid_obj(proc->tsk, &blob); - ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); + ret = security_secid_to_secctx(&blob, &lsmctx); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { /* integer overflow of extra_buffers_size */ @@ -2758,24 +2756,22 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - secctx = NULL; + security_release_secctx(&lsmctx); } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; 
@@ -2832,7 +2828,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { @@ -3116,10 +3112,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) { - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - } + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/include/linux/security.h b/include/linux/security.h index 041e87f3fe4e..b19bd9e1d583 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -578,7 +578,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1433,7 +1433,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index f273c4d777ec..b77a52f93389 100644 --- a/include/net/scm.h +++ b/include/net/scm.h 
@@ -94,8 +94,6 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { @@ -103,12 +101,11 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc * and the infrastructure will know which it is. */ lsmblob_init(&lb, scm->secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - /*scaffolding*/ - lsmcontext_init(&context, secdata, seclen, 0); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len, + context.context); security_release_secctx(&context); } } diff --git a/kernel/audit.c b/kernel/audit.c index c17ec23158c4..841123390d41 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1190,9 +1190,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; - u32 len; - struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) 
@@ -1440,33 +1437,34 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) kfree(new); break; } - case AUDIT_SIGNAL_INFO: - len = 0; + case AUDIT_SIGNAL_INFO: { + struct lsmcontext context = { }; + int len = 0; + if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_secid_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_secid_to_secctx(&audit_sig_lsm, + &context); if (err) return err; } - sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); + sig_data = kmalloc(sizeof(*sig_data) + context.len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) { - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); - } + if (lsmblob_is_set(&audit_sig_lsm)) + security_release_secctx(&context); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + len = context.len; + memcpy(sig_data->ctx, context.context, len); + security_release_secctx(&context); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); kfree(sig_data); break; + } case AUDIT_TTY_GET: { struct audit_tty_status s; unsigned int t; 
@@ -2132,26 +2130,23 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { - char *ctx = NULL; - unsigned len; int error; struct lsmblob blob; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext context; security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &ctx, &len); + error = security_secid_to_secctx(&blob, &context); if (error) { if (error != -EINVAL) goto error_path; return 0; } - audit_log_format(ab, " subj=%s", ctx); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + audit_log_format(ab, " subj=%s", context.context); + security_release_secctx(&context); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1b1ddd62de6c..d198f307a4d8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1002,9 +1002,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmcxt; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1015,13 +1013,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &ctx, &len)) { + if (security_secid_to_secctx(blob, &lsmctx)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } audit_log_format(ab, " ocomm="); 
@@ -1234,7 +1231,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1259,17 +1255,15 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (osid) { - char *ctx = NULL; - u32 len; + struct lsmcontext lsmcxt; struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmcxt)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); + audit_log_format(ab, " obj=%s", lsmcxt.context); security_release_secctx(&lsmcxt); } } @@ -1418,20 +1412,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (n->osid != 0) { - char *ctx = NULL; - u32 len; struct lsmblob blob; - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmctx)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index a7e4c1b34b6c..ae073b642fa7 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -132,8 +132,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen, secid; + u32 secid; int err; err = security_socket_getpeersec_dgram(NULL, skb, &secid); 
@@ -141,12 +140,11 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; lsmblob_init(&lb, secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context); security_release_secctx(&context); } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 89be957f26bd..668b31ecd638 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -339,8 +339,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + int ret; struct lsmblob blob; struct lsmcontext context; @@ -348,7 +347,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; @@ -357,13 +356,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, context.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); return ret; } 
@@ -658,15 +656,15 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; struct lsmblob blob; + struct lsmcontext context; - /* lsmblob_init() puts ct->secmark into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, NULL, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; + len = context.len; + security_release_secctx(&context); + return nla_total_size(0) /* CTA_SECCTX */ + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index ca2ae290d6ee..b5796a8e5e90 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -173,19 +173,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { int ret; - u32 len; - char *secctx; struct lsmblob blob; struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", context.context); - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); } #else diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 005900a0c397..d5cff4559237 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; + struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; 
@@ -317,10 +318,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, secdata, &seclen); + security_secid_to_secctx(&blob, &context); + *secdata = context.context; } read_unlock_bh(&skb->sk->sk_callback_lock); + seclen = context.len; #endif return seclen; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 61346aaa2898..9910d3e9d287 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - char *secctx = NULL; - u32 secctx_len; struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && @@ -444,12 +442,9 @@ int netlbl_unlhsh_add(struct net *net, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + if (security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); @@ -482,8 +477,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); 
@@ -510,11 +503,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -553,8 +544,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -580,10 +569,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -1106,8 +1094,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct lsmcontext context; void *data; u32 secid; - char *secctx; - u32 secctx_len; struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, 
@@ -1167,15 +1153,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(&blob, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + context.len, + context.context); security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index ef139d8ae7cd..951ba0639d20 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; if (audit_enabled == AUDIT_OFF) @@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " subj=%s", context.context); security_release_secctx(&context); } diff --git a/security/security.c b/security/security.c index 4cb540d93ab8..713e0340a0d4 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2325,18 +2325,22 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int ilsm = lsm_task_ilsm(current); + memset(cp, 0, sizeof(*cp)); + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { + cp->slot = hp->lsmid->slot; return hp->hook.secid_to_secctx( blob->secid[hp->lsmid->slot], - secdata, seclen); + &cp->context, &cp->len); + } } return LSM_RET_DEFAULT(secid_to_secctx);
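Review bot: the drivers/android/binder.c hunk at @@ -2758 drops the `secctx = NULL;` that followed the successful release, so the cleanup at @@ -3116 (`if (lsmctx.context) security_release_secctx(&lsmctx);`) now depends on security_release_secctx() clearing `lsmctx.context` for it. The later error labels fall through to that cleanup (the hunk context shows binder_alloc_free_buf() immediately above `err_binder_alloc_buf_failed:`), so if the release helper does not zero the structure it is handed, a failure after the context has been copied into the buffer releases it a second time. Either confirm the helper zeroes *cp or keep an explicit `lsmctx.context = NULL;` after the first release.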
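Review bot: in the kernel/audit.c AUDIT_SIGNAL_INFO hunk (@@ -1440) the kmalloc() size uses `context.len` while audit_send_reply() uses `len`, which is only assigned inside the `lsmblob_is_set()` branch; the two agree today only because both are zero otherwise. Assigning `len = context.len;` right after the conversion, or using context.len in both places, keeps the allocation and the reply length visibly the same. The local also changes from `u32 len` to `int len` here; u32 matches the type of context.len.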
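Review bot: naming in kernel/auditsc.c is inconsistent after this change: audit_log_pid_context() and audit_log_name() rename the local to `lsmctx`, but the show_special() hunk (@@ -1259) declares `struct lsmcontext lsmcxt;`. Pick one spelling across the file, since a later grep for lsmctx will miss this call site.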
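Review bot: the ctnetlink_secctx_size() hunk in net/netfilter/nf_conntrack_netlink.c (@@ -658) removes `lsmblob_init(&blob, ct->secmark);` together with its comment but does not add it back, so `blob` is passed to `security_secid_to_secctx(&blob, &context)` uninitialized and the size is derived from whatever is on the stack; the lsmblob_init() line needs to stay. It is also worth a comment that the old `NULL` secdata form was a length-only query: the size is now obtained by a full conversion followed by a release, so every conntrack dump converts each context twice (here and again in ctnetlink_dump_secctx()).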
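Review bot: in nfqnl_get_sk_secctx() (net/netfilter/nfnetlink_queue.c, @@ -317) `*secdata = context.context;` hands the context out through the old (char **, len) interface, so the `context.slot` that security_secid_to_secctx() just recorded is discarded and the caller must rebuild a lsmcontext for security_release_secctx() without knowing which LSM produced the string; returning the lsmcontext itself (or at least its slot) would avoid that. The return value of security_secid_to_secctx() is still ignored, which is safe only because `context = { };` leaves context.len at 0 on failure; a one-line comment saying so would help.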
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Chuck Lever, linux-nfs@vger.kernel.org
Subject: [PATCH v28 17/25] LSM: Use lsmcontext in security_inode_getsecctx
Date: Wed, 21 Jul 2021 17:47:50 -0700
Message-Id: <20210722004758.12371-18-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Change the security_inode_getsecctx() interface to fill a lsmcontext
structure instead of data and length pointers. This provides
the information about which LSM created the context so that
security_release_secctx() can use the correct hook.

Acked-by: Stephen Smalley
Acked-by: Paul Moore
Acked-by: Chuck Lever
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Signed-off-by: Casey Schaufler
Cc: linux-nfs@vger.kernel.org
---
 fs/nfsd/nfs4xdr.c        | 23 +++++++++--------------
 include/linux/security.h |  5 +++--
 security/security.c      | 13 +++++++++++--
 3 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 089ec4b61ef1..fc7ba114c298 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2727,11 +2727,11 @@ nfsd4_encode_layout_types(struct xdr_stream *xdr, u32 layout_types) #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { __be32 *p; - p = xdr_reserve_space(xdr, len + 4 + 4 + 4); + p = xdr_reserve_space(xdr, context->len + 4 + 4 + 4); if (!p) return nfserr_resource;
@@ -2741,13 +2741,13 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, */ *p++ = cpu_to_be32(0); /* lfs */ *p++ = cpu_to_be32(0); /* pi */ - p = xdr_encode_opaque(p, context, len); + p = xdr_encode_opaque(p, context->context, context->len); return 0; } #else static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { return 0; } #endif @@ -2844,9 +2844,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - struct lsmcontext scaff; /* scaffolding */ - void *context = NULL; - int contextlen; + struct lsmcontext context = { }; #endif bool contextsupport = false; struct nfsd4_compoundres *resp = rqstp->rq_resp; @@ -2904,7 +2902,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) { if (exp->ex_flags & NFSEXP_SECURITY_LABEL) err = security_inode_getsecctx(d_inode(dentry), - &context, &contextlen); + &context); else err = -EOPNOTSUPP; contextsupport = (err == 0); @@ -3324,8 +3322,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, #ifdef CONFIG_NFSD_V4_SECURITY_LABEL if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) { - status = nfsd4_encode_security_label(xdr, rqstp, context, - contextlen); + status = nfsd4_encode_security_label(xdr, rqstp, &context); if (status) goto out; } @@ -3346,10 +3343,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) { - lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ - security_release_secctx(&scaff); - } + if (context.context) + security_release_secctx(&context); #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index b19bd9e1d583..3e9743118fb9 100644 --- a/include/linux/security.h 
+++ b/include/linux/security.h @@ -585,7 +585,7 @@ void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp); int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ @@ -1461,7 +1461,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 { return -EOPNOTSUPP; } -static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static inline int security_inode_getsecctx(struct inode *inode, + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index 713e0340a0d4..13ded9c55344 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2397,9 +2397,18 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) } EXPORT_SYMBOL(security_inode_setsecctx); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); + struct security_hook_list *hp; + + memset(cp, 0, sizeof(*cp)); + + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) { + cp->slot = hp->lsmid->slot; + return hp->hook.inode_getsecctx(inode, (void **)&cp->context, + &cp->len); + } + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_inode_getsecctx); From patchwork Thu Jul 22 00:47:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392685 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY, URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EAC05C6377A for ; Thu, 22 Jul 2021 01:08:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C9ECD6124C for ; Thu, 22 Jul 2021 01:08:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230117AbhGVA13 (ORCPT ); Wed, 21 Jul 2021 20:27:29 -0400 Received: from sonic313-16.consmr.mail.ne1.yahoo.com ([66.163.185.39]:43834 "EHLO sonic313-16.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229974AbhGVA13 (ORCPT ); Wed, 21 Jul 2021 20:27:29 
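Review bot: in the security_inode_getsecctx() hunk the hlist_for_each_entry() body returns unconditionally, so the loop runs at most once and the first registered inode_getsecctx hook wins silently; either add a comment stating that only one module is expected to provide this hook (and that cp->slot records which one), or replace the loop with an explicit first-entry lookup so it does not read like an accidental early exit. The memset(cp, 0, sizeof(*cp)) before the loop is also what the nfsd caller's `if (context.context)` release check in the earlier hunk depends on when the result is -EOPNOTSUPP, so the two should be kept in step if either changes.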
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Pablo Neira Ayuso , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v28 18/25] LSM: security_secid_to_secctx in netlink netfilter Date: Wed, 21 Jul 2021 17:47:51 -0700 Message-Id: <20210722004758.12371-19-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org --- net/netfilter/nfnetlink_queue.c | 37 +++++++++++++-------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index d5cff4559237..cffb04baf7b8 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) { - u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; - struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) - return 0; + return; read_lock_bh(&skb->sk->sk_callback_lock); 
@@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, &context); - *secdata = context.context; + security_secid_to_secctx(&blob, context); } read_unlock_bh(&skb->sk->sk_callback_lock); - seclen = context.len; #endif - return seclen; + return; } static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) @@ -397,12 +393,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, struct net_device *indev; struct net_device *outdev; struct nf_conn *ct = NULL; + struct lsmcontext context = { }; enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; - u32 seclen = 0; size = nlmsg_total_size(sizeof(struct nfgenmsg)) + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr)) @@ -470,9 +464,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) - size += nla_total_size(seclen); + nfqnl_get_sk_secctx(entskb, &context); + if (context.len) + size += nla_total_size(context.len); } skb = alloc_skb(size, GFP_ATOMIC); @@ -602,7 +596,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (context.len && + nla_put(skb, NFQA_SECCTX, context.len, context.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) 
@@ -630,10 +625,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return skb; nla_put_failure: 
@@ -641,10 +634,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return NULL; } From patchwork Thu Jul 22 00:47:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392717 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E321C6377C for ; Thu, 22 Jul 2021 01:09:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8CD4E6124C for ; Thu, 22 Jul 2021 01:09:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230211AbhGVA2c (ORCPT ); Wed, 21 Jul 2021 20:28:32 -0400 Received: from sonic309-28.consmr.mail.ne1.yahoo.com ([66.163.184.154]:35504 "EHLO sonic309-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230209AbhGVA2b (ORCPT ); Wed, 21 Jul 2021 20:28:31 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1626916147; bh=oqfX25qubJ2925xsa3Sc6greV54XIyLEb930Xqz2DRc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
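Review bot: the `+ return;` left as the last statement of the now-void nfqnl_get_sk_secctx() is redundant and can be dropped together with the blank line before it. Two smaller points in the same patch: the function relies on the caller's `struct lsmcontext context = { };` initialiser on every path that does not fill the context (no skb, no full socket, CONFIG_NETWORK_SECMARK disabled), which is correct but deserves a one-line comment at the function head; and the release condition here is `if (context.len)` while the nfsd side of this series tests `if (context.context)`, so two callers check different fields of the same structure for the same purpose and one convention should be picked.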
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v28 19/25] NET: Store LSM netlabel data in a lsmblob
Date: Wed, 21 Jul 2021 17:47:52 -0700
Message-Id: <20210722004758.12371-20-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Netlabel uses LSM interfaces requiring an lsmblob and the internal storage is used to pass information between these interfaces, so change the internal data from a secid to a lsmblob. Update the netlabel interfaces and their callers to accommodate the change. This requires that the modules using netlabel use the lsm_id.slot to access the correct secid when using netlabel.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4/cipso_ipv4.c | 26 ++++++---- net/netlabel/netlabel_kapi.c | 6 +-- net/netlabel/netlabel_unlabeled.c | 79 +++++++++-------------------- net/netlabel/netlabel_unlabeled.h | 2 +- security/selinux/hooks.c | 2 +- security/selinux/include/security.h | 1 + security/selinux/netlabel.c | 2 +- security/selinux/ss/services.c | 4 +- security/smack/smack.h | 1 + security/smack/smack_access.c | 2 +- security/smack/smack_lsm.c | 11 ++-- security/smack/smackfs.c | 10 ++-- 13 files changed, 68 insertions(+), 86 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 43ae50337685..73fc25b4042b 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -166,7 +166,7 @@ struct netlbl_lsm_catmap { * @attr.mls: MLS sensitivity label * @attr.mls.cat: MLS category bitmap * @attr.mls.lvl: MLS sensitivity level - * @attr.secid: LSM specific secid token + * @attr.lsmblob: LSM specific data * * Description: * This structure is used to pass security attributes between NetLabel and the @@ -201,7 +201,7 @@ struct netlbl_lsm_secattr { struct netlbl_lsm_catmap *cat; u32 lvl; } mls; - u32 secid; + struct lsmblob lsmblob; } attr; }; @@ -415,7 +415,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, @@ -523,7 +523,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { return -ENOSYS; diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 099259fc826a..9bd72ec01785 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c 
@@ -106,15 +106,17 @@ int cipso_v4_rbm_strictvalid = 1; /* Base length of the local tag (non-standard tag). * Tag definition (may change between kernel versions) * - * 0 8 16 24 32 - * +----------+----------+----------+----------+ - * | 10000000 | 00000110 | 32-bit secid value | - * +----------+----------+----------+----------+ - * | in (host byte order)| - * +----------+----------+ - * + * 0 8 16 16 + sizeof(struct lsmblob) + * +----------+----------+---------------------+ + * | 10000000 | 00000110 | LSM blob data | + * +----------+----------+---------------------+ + * + * All secid and flag fields are in host byte order. + * The lsmblob structure size varies depending on which + * Linux security modules are built in the kernel. + * The data is opaque. */ -#define CIPSO_V4_TAG_LOC_BLEN 6 +#define CIPSO_V4_TAG_LOC_BLEN (2 + sizeof(struct lsmblob)) /* * Helper Functions @@ -1460,7 +1462,11 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def, buffer[0] = CIPSO_V4_TAG_LOCAL; buffer[1] = CIPSO_V4_TAG_LOC_BLEN; - *(u32 *)&buffer[2] = secattr->attr.secid; + /* Ensure that there is sufficient space in the CIPSO header + * for the LSM data. */ + BUILD_BUG_ON(CIPSO_V4_TAG_LOC_BLEN > CIPSO_V4_OPT_LEN_MAX); + memcpy(&buffer[2], &secattr->attr.lsmblob, + sizeof(secattr->attr.lsmblob)); return CIPSO_V4_TAG_LOC_BLEN; } @@ -1480,7 +1486,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { - secattr->attr.secid = *(u32 *)&tag[2]; + memcpy(&secattr->attr.lsmblob, &tag[2], sizeof(secattr->attr.lsmblob)); secattr->flags |= NETLBL_SECATTR_SECID; return 0; diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index beb0e573266d..158bab993e32 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c 
@@ -196,7 +196,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, * @addr: IP address in network byte order (struct in[6]_addr) * @mask: address mask in network byte order (struct in[6]_addr) * @family: address family - * @secid: LSM secid value for the entry + * @lsmblob: LSM data value for the entry * @audit_info: NetLabel audit information * * Description: @@ -210,7 +210,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { u32 addr_len; @@ -230,7 +230,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, - secid, audit_info); + lsmblob, audit_info); } /** diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 9910d3e9d287..289602835b75 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -66,7 +66,7 @@ struct netlbl_unlhsh_tbl { #define netlbl_unlhsh_addr4_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr4, list) struct netlbl_unlhsh_addr4 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af4list list; struct rcu_head rcu; @@ -74,7 +74,7 @@ struct netlbl_unlhsh_addr4 { #define netlbl_unlhsh_addr6_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr6, list) struct netlbl_unlhsh_addr6 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af6list list; struct rcu_head rcu; @@ -220,7 +220,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) * @iface: the associated interface entry * @addr: IPv4 address in network byte order * @mask: IPv4 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the 
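Review bot: in the cipso_v4_gentag_loc()/cipso_v4_parsetag_loc() hunks the local tag now carries a raw memcpy of struct lsmblob in host byte order, so its length and layout change with the set of LSMs built into the kernel; the BUILD_BUG_ON against CIPSO_V4_OPT_LEN_MAX bounds the outgoing size, but the parse side copies sizeof(secattr->attr.lsmblob) bytes from tag[2] with no length check visible in the hunk, so confirm that the existing tag validation still rejects a local tag whose length differs from the new CIPSO_V4_TAG_LOC_BLEN. `buffer[1] = CIPSO_V4_TAG_LOC_BLEN` also now stores a sizeof()-derived value into a single byte, which is only safe because of that BUILD_BUG_ON; a short comment saying so next to the assignment would help the next reader.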
@@ -231,7 +231,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, const struct in_addr *addr, const struct in_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr4 *entry; @@ -243,7 +243,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, entry->list.addr = addr->s_addr & mask->s_addr; entry->list.mask = mask->s_addr; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list); @@ -260,7 +260,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, * @iface: the associated interface entry * @addr: IPv6 address in network byte order * @mask: IPv6 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the @@ -271,7 +271,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, const struct in6_addr *addr, const struct in6_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr6 *entry; @@ -287,7 +287,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; entry->list.mask = *mask; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list); @@ -366,7 +366,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { int ret_val; 
@@ -375,7 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -408,7 +407,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in_addr *addr4 = addr; const struct in_addr *mask4 = mask; - ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); + ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, lsmblob); if (audit_buf != NULL) netlbl_af4list_audit_addr(audit_buf, 1, dev_name, @@ -421,7 +420,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in6_addr *addr6 = addr; const struct in6_addr *mask6 = mask; - ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); + ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, lsmblob); if (audit_buf != NULL) netlbl_af6list_audit_addr(audit_buf, 1, dev_name, @@ -438,11 +437,7 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - /* lsmblob_init() puts secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -477,7 +472,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, 
@@ -497,13 +491,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); if (dev != NULL) dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -544,7 +533,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -563,13 +551,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); if (dev != NULL) dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); 
@@ -923,14 +906,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * - * instead of a u32 later in this patch set. security_secctx_to_secid() - * will only be setting one entry in the lsmblob struct, so it is - * safe to use lsmblob_value() to get that one value. */ - - return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, dev_name, addr, mask, addr_len, + &blob, &audit_info); } /** @@ -977,11 +954,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* security_secctx_to_secid() will only put one secid into the lsmblob - * so it's safe to use lsmblob_value() to get the secid. */ - return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, NULL, addr, mask, addr_len, &blob, + &audit_info); } /** @@ -1093,8 +1067,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct net_device *dev; struct lsmcontext context; void *data; - u32 secid; - struct lsmblob blob; + struct lsmblob *lsmb; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1132,7 +1105,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr4->secid; + lsmb = (struct lsmblob *)&addr4->lsmblob; } else { ret_val = nla_put_in6_addr(cb_arg->skb, NLBL_UNLABEL_A_IPV6ADDR, 
@@ -1146,14 +1119,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr6->secid; + lsmb = (struct lsmblob *)&addr6->lsmblob; } - /* lsmblob_init() secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &context); + ret_val = security_secid_to_secctx(lsmb, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, @@ -1512,7 +1481,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr4_list); if (addr4 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr4_entry(addr4)->lsmblob; break; } #if IS_ENABLED(CONFIG_IPV6) @@ -1525,7 +1494,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr6_list); if (addr6 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr6_entry(addr6)->lsmblob; break; } #endif /* IPv6 */ diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h index 058e3a285d56..168920780994 100644 --- a/net/netlabel/netlabel_unlabeled.h +++ b/net/netlabel/netlabel_unlabeled.h @@ -211,7 +211,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_unlhsh_remove(struct net *net, const char *dev_name, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3b95eb39a3bf..12ae311b7275 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7112,7 +7112,7 @@ static int selinux_perf_event_write(struct perf_event *event) } #endif -static struct lsm_id selinux_lsmid __lsm_ro_after_init = { +struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", .slot = LSMBLOB_NEEDED }; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ac0ece01305a..9f856f2cd277 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -73,6 +73,7 @@ struct netlbl_lsm_secattr; extern int selinux_enabled_boot; +extern struct lsm_id selinux_lsmid; /* * type_datum properties diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 6a94b31b5472..d8d7603ab14e 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -108,7 +108,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( return NULL; if ((secattr->flags & NETLBL_SECATTR_SECID) && - (secattr->attr.secid == sid)) + (secattr->attr.lsmblob.secid[selinux_lsmid.slot] == sid)) return secattr; return NULL; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index d84c77f370dc..f6be8cd7666b 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3899,7 +3899,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, if (secattr->flags & NETLBL_SECATTR_CACHE) *sid = *(u32 *)secattr->cache->data; else if (secattr->flags & NETLBL_SECATTR_SECID) - *sid = secattr->attr.secid; + *sid = secattr->attr.lsmblob.secid[selinux_lsmid.slot]; else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { rc = -EIDRM; ctx = sidtab_search(sidtab, SECINITSID_NETMSG); 
@@ -3977,7 +3977,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, if (secattr->domain == NULL) goto out; - secattr->attr.secid = sid; + secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid; secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; mls_export_netlbl_lvl(policydb, ctx, secattr); rc = mls_export_netlbl_cat(policydb, ctx, secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index b5bdf947792f..0eaae6b3f935 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -303,6 +303,7 @@ int smack_populate_secattr(struct smack_known *skp); * Shared data. */ extern int smack_enabled; +extern struct lsm_id smack_lsmid; extern int smack_cipso_direct; extern int smack_cipso_mapped; extern struct smack_known *smack_net_ambient; diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 1f391f6a3d47..ceea74bbaedc 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -525,7 +525,7 @@ int smack_populate_secattr(struct smack_known *skp) { int slen; - skp->smk_netlabel.attr.secid = skp->smk_secid; + skp->smk_netlabel.attr.lsmblob.secid[smack_lsmid.slot] = skp->smk_secid; skp->smk_netlabel.domain = skp->smk_known; skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); if (skp->smk_netlabel.cache != NULL) { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7aa7ea38f627..e65497a5c095 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -3720,11 +3720,12 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) return (struct smack_known *)sap->cache->data; + /* + * Looks like a fallback, which gives us a secid. + */ if ((sap->flags & NETLBL_SECATTR_SECID) != 0) - /* - * Looks like a fallback, which gives us a secid. - */ - return smack_from_secid(sap->attr.secid); + return smack_from_secid( + sap->attr.lsmblob.secid[smack_lsmid.slot]); if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { /* @@ -4701,7 +4702,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; -static struct lsm_id smack_lsmid __lsm_ro_after_init = { +struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", .slot = LSMBLOB_NEEDED }; diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 3a75d2a8f517..9cda52f2ec31 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -1142,6 +1142,7 @@ static void smk_net4addr_insert(struct smk_net4addr *new) static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { + struct lsmblob lsmblob; struct smk_net4addr *snp; struct sockaddr_in newname; char *smack; 
@@ -1273,10 +1274,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, * this host so that incoming packets get labeled. * but only if we didn't get the special CIPSO option */ - if (rc == 0 && skp != NULL) + if (rc == 0 && skp != NULL) { + lsmblob_init(&lsmblob, 0); + lsmblob.secid[smack_lsmid.slot] = snp->smk_label->smk_secid; rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, - &snp->smk_host, &snp->smk_mask, PF_INET, - snp->smk_label->smk_secid, &audit_info); + &snp->smk_host, &snp->smk_mask, PF_INET, &lsmblob, + &audit_info); + } if (rc == 0) rc = count;
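Review bot: the `lsmb = (struct lsmblob *)&addr4->lsmblob;` and `lsmb = (struct lsmblob *)&addr6->lsmblob;` assignments in netlbl_unlabel_staticlist_gen cast the address of a struct member to its own pointer type, which is only needed if `addr4`/`addr6` are const-qualified; in that case the cast silently drops const so that `security_secid_to_secctx(lsmb, &context)` will accept the pointer. If the hook only reads the blob, give it a `const struct lsmblob *` parameter instead, or copy the blob into a local `struct lsmblob`; if the pointers are not const, the cast is redundant and should be removed.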
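Review bot: every `secid[selinux_lsmid.slot]` and `secid[smack_lsmid.slot]` access added in netlabel.c, services.c, smack_access.c, smack_lsm.c and smackfs.c indexes the blob with a slot that the `struct lsm_id` definitions initialise to `LSMBLOB_NEEDED`, a negative value that presumably becomes a real index only when the module is registered, and none of the sites guard against it still being negative. Dropping `static` from `selinux_lsmid`/`smack_lsmid` to reach the slot from other files is fine, but a comment at each definition stating that `.slot` is valid only after registration, or a small shared inline accessor with `WARN_ON_ONCE(slot < 0)`, would make the invariant explicit; the `lsmblob_init(&lsmblob, 0); lsmblob.secid[smack_lsmid.slot] = snp->smk_label->smk_secid;` pair in smk_write_net4addr is the same pattern and could use such a helper.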
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v28 20/25] LSM: Verify LSM display sanity in binder
Date: Wed, 21 Jul 2021 17:47:53 -0700
Message-Id: <20210722004758.12371-21-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Verify that the tasks on the ends of a binder transaction use the same "interface_lsm" security module. This prevents confusion of security "contexts".

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
---
 security/security.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/security/security.c b/security/security.c index 13ded9c55344..cb359e185d1a 100644 --- a/security/security.c +++ b/security/security.c
@@ -859,9 +859,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr) return call_int_hook(binder_set_context_mgr, 0, mgr); } +/** + * security_binder_transaction - Binder driver transaction check + * @from: source of the transaction + * @to: destination of the transaction + * + * Verify that the tasks have the same LSM "display", then + * call the security module hooks. + * + * Returns -EINVAL if the displays don't match, or the + * result of the security module checks. + */ int security_binder_transaction(struct task_struct *from, struct task_struct *to) { + int from_ilsm = lsm_task_ilsm(from); + int to_ilsm = lsm_task_ilsm(to); + + /* + * If the ilsm is LSMBLOB_INVALID the first module that has + * an entry is used. This will be in the 0 slot. + * + * This is currently only required if the server has requested + * peer contexts, but it would be unwieldly to have too much of + * the binder driver detail here. + */ + if (from_ilsm == LSMBLOB_INVALID) + from_ilsm = 0; + if (to_ilsm == LSMBLOB_INVALID) + to_ilsm = 0; + if (from_ilsm != to_ilsm) + return -EINVAL; + return call_int_hook(binder_transaction, 0, from, to); }
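Review bot: the `if (from_ilsm != to_ilsm) return -EINVAL;` test in security_binder_transaction refuses the transaction before any module hook runs, so a mismatch is neither logged nor seen by the security modules, and the code comment itself says the restriction "is currently only required if the server has requested peer contexts". Either make the check conditional on that, or extend the kerneldoc above the function to say that a transaction between tasks whose interface LSMs differ is refused unconditionally, and state why -EINVAL rather than a permission error is the intended result. Style: "unwieldly" in the comment should be "unwieldy".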
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Richard Guy Briggs
Subject: [PATCH v28 21/25] audit: support non-syscall auxiliary records
Date: Wed, 21 Jul 2021 17:47:54 -0700
Message-Id: <20210722004758.12371-22-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Standalone audit records have the timestamp and serial number generated on the fly and as such are unique, making them standalone. This new function audit_alloc_local() generates a local audit context that will be used only for a standalone record and its auxiliary record(s). The context is discarded immediately after the local associated records are produced.

Acked-by: Paul Moore
Signed-off-by: Richard Guy Briggs
Signed-off-by: Casey Schaufler
Cc: linux-audit@redhat.com
To: Richard Guy Briggs
Reported-by: kernel test robot
---
 include/linux/audit.h | 8 ++++++++
 kernel/audit.h | 1 +
 kernel/auditsc.c | 33 ++++++++++++++++++++++++++++-----
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 418a485af114..97cd7471e572 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct task_struct *t) /* Public API */ extern int audit_alloc(struct task_struct *task); extern void __audit_free(struct task_struct *task); +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); +extern void audit_free_context(struct audit_context *context); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af, extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) +{ + return NULL; +} +static inline void audit_free_context(struct audit_context *context) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/kernel/audit.h b/kernel/audit.h index b679517a3030..ddc1a69edc79 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,7 @@ struct audit_proctitle { struct audit_context { int dummy; /* must be the first element */ int in_syscall; /* 1 if task is in a syscall */ + bool local; /* local context needed */ enum audit_state state, current_state; unsigned int serial; /* serial number for record */ int major; /* syscall number */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d198f307a4d8..0e58a3ab56f5 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -931,11 +931,13 @@ static inline void audit_free_aux(struct audit_context *context) } } -static inline struct audit_context *audit_alloc_context(enum audit_state state) +static inline struct audit_context *audit_alloc_context(enum audit_state state, + gfp_t gfpflags) { struct audit_context *context; - context = kzalloc(sizeof(*context), GFP_KERNEL); + /* We can be called in atomic context via audit_tg() */ + context = kzalloc(sizeof(*context), gfpflags); if (!context) return NULL; context->state = state; @@ -971,7 +973,8 @@ int audit_alloc(struct task_struct *tsk) return 0; } - if (!(context = audit_alloc_context(state))) { + context = audit_alloc_context(state, GFP_KERNEL); + if (!context) { kfree(key); audit_log_lost("out of memory in audit_alloc"); return -ENOMEM; @@ -983,8 +986,27 @@ int audit_alloc(struct task_struct *tsk) return 0; } -static inline void audit_free_context(struct audit_context *context) +struct audit_context *audit_alloc_local(gfp_t gfpflags) { + struct audit_context *context = NULL; + + context = audit_alloc_context(AUDIT_STATE_BUILD, gfpflags); + if (!context) { + audit_log_lost("out of memory in audit_alloc_local"); + goto out; + } + context->serial = audit_serial(); + ktime_get_coarse_real_ts64(&context->ctime); + context->local = true; +out: + return context; +} +EXPORT_SYMBOL(audit_alloc_local); + +void audit_free_context(struct audit_context *context) +{ + if (!context) + return; audit_free_module(context); audit_free_names(context); unroll_tree_refs(context, NULL, 0); @@ -995,6 +1017,7 @@ static inline void audit_free_context(struct audit_context *context) audit_proctitle_free(context); kfree(context); } +EXPORT_SYMBOL(audit_free_context); static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, 
@@ -2223,7 +2246,7 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); int auditsc_get_stamp(struct audit_context *ctx, struct timespec64 *t, unsigned int *serial) { - if (!ctx->in_syscall) + if (!ctx->in_syscall && !ctx->local) return 0; if (!ctx->serial) ctx->serial = audit_serial();
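Review bot: in the `#else /* CONFIG_AUDITSYSCALL */` hunk of include/linux/audit.h the added stub reads `++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)`, with two leading `+`; if the second `+` is really part of the added line rather than a quoting artefact, the header will not compile with CONFIG_AUDITSYSCALL disabled, which is precisely the configuration the stub exists for. Please confirm that the applied patch carries `+static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)` with a single `+`.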
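Review bot: `audit_alloc_local()` and `audit_free_context()` in kernel/auditsc.c are exported with `EXPORT_SYMBOL`, while the neighbouring export in the same file is `EXPORT_SYMBOL_GPL(__audit_inode_child)` (visible in the next hunk's context); use `EXPORT_SYMBOL_GPL` for consistency unless a non-GPL user is intended, and say so in the commit message if it is. Minor: `struct audit_context *context = NULL;` in audit_alloc_local() is overwritten on the very next statement, so the initialiser can go.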
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes
Date: Wed, 21 Jul 2021 17:47:55 -0700
Message-Id: <20210722004758.12371-23-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Create a new audit record type to contain the subject information when there are multiple security modules that require such data. This record is linked with the same timestamp and serial number using the audit_alloc_local() mechanism.

The record is produced only in cases where there is more than one security module with a process "context". In cases where this record is produced the subj= fields of other records in the audit event will be set to "subj=?".

An example of the MAC_TASK_CONTEXTS (1420) record is:

type=UNKNOWN[1420] msg=audit(1600880931.832:113) subj_apparmor="=unconfined" subj_smack="_"

There will be a subj_$LSM= entry for each security module LSM that supports the secid_to_secctx and secctx_to_secid hooks. The BPF security module implements secid/secctx translation hooks, so it has to be considered to provide a secctx even though it may not actually do so.
Signed-off-by: Casey Schaufler To: paul@paul-moore.com To: linux-audit@redhat.com To: rgb@redhat.com Cc: netdev@vger.kernel.org --- drivers/android/binder.c | 2 +- include/linux/audit.h | 16 +++++ include/linux/security.h | 16 ++++- include/net/netlabel.h | 2 +- include/net/scm.h | 2 +- include/net/xfrm.h | 13 +++- include/uapi/linux/audit.h | 1 + kernel/audit.c | 90 +++++++++++++++++++------ kernel/auditfilter.c | 5 +- kernel/auditsc.c | 27 ++++++-- net/ipv4/ip_sockglue.c | 2 +- net/netfilter/nf_conntrack_netlink.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nfnetlink_queue.c | 2 +- net/netlabel/netlabel_unlabeled.c | 21 +++--- net/netlabel/netlabel_user.c | 14 ++-- net/netlabel/netlabel_user.h | 6 +- net/xfrm/xfrm_policy.c | 8 ++- net/xfrm/xfrm_state.c | 18 +++-- security/integrity/ima/ima_api.c | 6 +- security/integrity/integrity_audit.c | 5 +- security/security.c | 46 ++++++++----- security/smack/smackfs.c | 3 +- 23 files changed, 221 insertions(+), 90 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 2c3a2348a144..3520caa0260c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2722,7 +2722,7 @@ static void binder_transaction(struct binder_proc *proc, * case well anyway. */ security_task_getsecid_obj(proc->tsk, &blob); - ret = security_secid_to_secctx(&blob, &lsmctx); + ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/audit.h b/include/linux/audit.h index 97cd7471e572..85eb87f6f92d 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h 
@@ -291,6 +291,7 @@ extern int audit_alloc(struct task_struct *task); extern void __audit_free(struct task_struct *task); extern struct audit_context *audit_alloc_local(gfp_t gfpflags); extern void audit_free_context(struct audit_context *context); +extern void audit_free_local(struct audit_context *context); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -386,6 +387,19 @@ static inline void audit_ptrace(struct task_struct *t) __audit_ptrace(t); } +static inline struct audit_context *audit_alloc_for_lsm(gfp_t gfp) +{ + struct audit_context *context = audit_context(); + + if (context) + return context; + + if (lsm_multiple_contexts()) + return audit_alloc_local(gfp); + + return NULL; +} + /* Private API (for audit.c only) */ extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); @@ -560,6 +574,8 @@ extern int audit_signals; } static inline void audit_free_context(struct audit_context *context) { } +static inline void audit_free_local(struct audit_context *context) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/include/linux/security.h b/include/linux/security.h index 3e9743118fb9..b3cf68cf2bd6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -182,6 +182,8 @@ struct lsmblob { #define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */ #define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ #define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */ +#define LSMBLOB_DISPLAY -4 /* Use the "display" slot */ +#define LSMBLOB_FIRST -5 /* Use the default "display" slot */ /** * lsmblob_init - initialize an lsmblob structure 
@@ -248,6 +250,15 @@ static inline u32 lsmblob_value(const struct lsmblob *blob) return 0; } +static inline bool lsm_multiple_contexts(void) +{ +#ifdef CONFIG_SECURITY + return lsm_slot_to_name(1) != NULL; +#else + return false; +#endif +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -578,7 +589,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int display); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1433,7 +1445,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - struct lsmcontext *cp) + struct lsmcontext *cp, int display) { return -EOPNOTSUPP; } diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 73fc25b4042b..216cb1ffc8f0 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -97,7 +97,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct lsmblob lsmdata; kuid_t loginuid; unsigned int sessionid; }; diff --git a/include/net/scm.h b/include/net/scm.h index b77a52f93389..f4d567d4885e 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -101,7 +101,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc * and the infrastructure will know which it is. */ lsmblob_init(&lb, scm->secid); - err = security_secid_to_secctx(&lb, &context); + err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len, 
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index cbff7c2a9724..a10fa01f7bf4 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -660,13 +660,22 @@ struct xfrm_spi_skb_cb { #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0])) #ifdef CONFIG_AUDITSYSCALL -static inline struct audit_buffer *xfrm_audit_start(const char *op) +static inline struct audit_buffer *xfrm_audit_start(const char *op, + struct audit_context **lac) { + struct audit_context *context; struct audit_buffer *audit_buf = NULL; if (audit_enabled == AUDIT_OFF) return NULL; - audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, + context = audit_context(); + if (lac != NULL) { + if (lsm_multiple_contexts() && context == NULL) + context = audit_alloc_local(GFP_ATOMIC); + *lac = context; + } + + audit_buf = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_IPSEC_EVENT); if (audit_buf == NULL) return NULL; diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index daa481729e9b..4432a8bed8e0 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -139,6 +139,7 @@ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 841123390d41..cba63789a164 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -386,10 +386,12 @@ void audit_log_lost(const char *message) static int audit_log_config_change(char *function_name, u32 new, u32 old, int allow_changes) { + struct audit_context *context; struct audit_buffer *ab; int rc = 0; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return rc; audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old); @@ -399,6 +401,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, allow_changes = 0; /* Something weird, deny request */ audit_log_format(ab, " res=%d", allow_changes); audit_log_end(ab); + audit_free_local(context); return rc; } @@ -1072,12 +1075,6 @@ static void audit_log_common_recv_msg(struct audit_context *context, audit_log_task_context(*ab); } -static inline void audit_log_user_recv_msg(struct audit_buffer **ab, - u16 msg_type) -{ - audit_log_common_recv_msg(NULL, ab, msg_type); -} - int is_audit_feature_set(int i) { return af.features & AUDIT_FEATURE_TO_MASK(i); @@ -1190,6 +1187,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; + struct audit_context *lcontext; err = audit_netlink_ok(skb, msg_type); if (err) @@ -1357,7 +1355,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (err) break; } - audit_log_user_recv_msg(&ab, msg_type); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, msg_type); if (msg_type != AUDIT_USER_TTY) { /* ensure NULL termination */ str[data_len - 1] = '\0'; @@ -1371,6 +1370,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_log_n_untrustedstring(ab, str, data_len); } audit_log_end(ab); + audit_free_local(lcontext); } break; case AUDIT_ADD_RULE: 
@@ -1378,13 +1378,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (data_len < sizeof(struct audit_rule_data)) return -EINVAL; if (audit_enabled == AUDIT_LOCKED) { - audit_log_common_recv_msg(audit_context(), &ab, + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=%s audit_enabled=%d res=0", msg_type == AUDIT_ADD_RULE ? "add_rule" : "remove_rule", audit_enabled); audit_log_end(ab); + audit_free_local(lcontext); return -EPERM; } err = audit_rule_change(msg_type, seq, data, data_len); @@ -1394,10 +1396,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) break; case AUDIT_TRIM: audit_trim_trees(); - audit_log_common_recv_msg(audit_context(), &ab, - AUDIT_CONFIG_CHANGE); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=trim res=1"); audit_log_end(ab); + audit_free_local(lcontext); break; case AUDIT_MAKE_EQUIV: { void *bufp = data; @@ -1425,14 +1428,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) /* OK, here comes... */ err = audit_tag_tree(old, new); - audit_log_common_recv_msg(audit_context(), &ab, - AUDIT_CONFIG_CHANGE); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=make_equiv old="); audit_log_untrustedstring(ab, old); audit_log_format(ab, " new="); audit_log_untrustedstring(ab, new); audit_log_format(ab, " res=%d", !err); audit_log_end(ab); + audit_free_local(lcontext); kfree(old); kfree(new); break; @@ -1443,7 +1447,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (lsmblob_is_set(&audit_sig_lsm)) { err = security_secid_to_secctx(&audit_sig_lsm, - &context); + &context, LSMBLOB_FIRST); if (err) return err; } 
@@ -1498,13 +1502,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) old.enabled = t & AUDIT_TTY_ENABLE; old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); - audit_log_common_recv_msg(audit_context(), &ab, - AUDIT_CONFIG_CHANGE); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" " old-log_passwd=%d new-log_passwd=%d res=%d", old.enabled, s.enabled, old.log_passwd, s.log_passwd, !err); audit_log_end(ab); + audit_free_local(lcontext); break; } default: @@ -1550,6 +1555,7 @@ static void audit_receive(struct sk_buff *skb) /* Log information about who is connecting to the audit multicast socket */ static void audit_log_multicast(int group, const char *op, int err) { + struct audit_context *context; const struct cred *cred; struct tty_struct *tty; char comm[sizeof(current->comm)]; @@ -1558,7 +1564,8 @@ static void audit_log_multicast(int group, const char *op, int err) if (!audit_enabled) return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_EVENT_LISTENER); if (!ab) return; @@ -1577,6 +1584,7 @@ static void audit_log_multicast(int group, const char *op, int err) audit_log_d_path_exe(ab, current->mm); /* exe= */ audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err); audit_log_end(ab); + audit_free_local(context); } /* Run custom bind function on netlink socket group connect or bind requests. */ 
@@ -2128,6 +2136,36 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +static void audit_log_lsm(struct audit_context *context, struct lsmblob *blob) +{ + struct audit_buffer *ab; + struct lsmcontext lsmdata; + bool sep = false; + int error; + int i; + + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_TASK_CONTEXTS); + if (!ab) + return; /* audit_panic or being filtered */ + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (blob->secid[i] == 0) + continue; + error = security_secid_to_secctx(blob, &lsmdata, i); + if (error && error != -EINVAL) { + audit_panic("error in audit_log_lsm"); + return; + } + + audit_log_format(ab, "%ssubj_%s=\"%s\"", sep ? " " : "", + lsm_slot_to_name(i), lsmdata.context); + sep = true; + + security_release_secctx(&lsmdata); + } + audit_log_end(ab); +} + int audit_log_task_context(struct audit_buffer *ab) { int error; @@ -2138,7 +2176,18 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &context); + /* + * If there is more than one security module that has a + * subject "context" it's necessary to put the subject data + * into a separate record to maintain compatibility. + */ + if (lsm_multiple_contexts()) { + audit_log_format(ab, " subj=?"); + audit_log_lsm(ab->ctx, &blob); + return 0; + } + + error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST); if (error) { if (error != -EINVAL) goto error_path; @@ -2274,6 +2323,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, unsigned int oldsessionid, unsigned int sessionid, int rc) { + struct audit_context *context; struct audit_buffer *ab; uid_t uid, oldloginuid, loginuid; struct tty_struct *tty; 
@@ -2281,7 +2331,8 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, if (!audit_enabled) return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_LOGIN); if (!ab) return; @@ -2297,6 +2348,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, oldsessionid, sessionid, !rc); audit_put_tty(tty); audit_log_end(ab); + audit_free_local(context); } /** diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 1ba14a7a38f7..fd71c6bac200 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1098,12 +1098,14 @@ static void audit_list_rules(int seq, struct sk_buff_head *q) /* Log rule additions and removals */ static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) { + struct audit_context *context; struct audit_buffer *ab; if (!audit_enabled) return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (!ab) return; audit_log_session_info(ab); @@ -1112,6 +1114,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re audit_log_key(ab, rule->filterkey); audit_log_format(ab, " list=%d res=%d", rule->listnr, res); audit_log_end(ab); + audit_free_local(context); } /** diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 0e58a3ab56f5..01fdcbf468c0 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -993,12 +993,11 @@ struct audit_context *audit_alloc_local(gfp_t gfpflags) context = audit_alloc_context(AUDIT_STATE_BUILD, gfpflags); if (!context) { audit_log_lost("out of memory in audit_alloc_local"); - goto out; + return NULL; } context->serial = audit_serial(); ktime_get_coarse_real_ts64(&context->ctime); context->local = true; -out: return context; } EXPORT_SYMBOL(audit_alloc_local); 
@@ -1019,6 +1018,13 @@ void audit_free_context(struct audit_context *context) } EXPORT_SYMBOL(audit_free_context); +void audit_free_local(struct audit_context *context) +{ + if (context && context->local) + audit_free_context(context); +} +EXPORT_SYMBOL(audit_free_local); + static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, @@ -1036,7 +1042,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx)) { + if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1282,7 +1288,8 @@ static void show_special(struct audit_context *context, int *call_panic) struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt)) { + if (security_secid_to_secctx(&blob, &lsmcxt, + LSMBLOB_FIRST)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1439,7 +1446,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx)) { + if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; @@ -2637,10 +2644,12 @@ void __audit_ntp_log(const struct audit_ntp_data *ad) void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op, gfp_t gfp) { + struct audit_context *context; struct audit_buffer *ab; char comm[sizeof(current->comm)]; - ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, gfp, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", 
@@ -2651,6 +2660,7 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, audit_log_format(ab, " comm="); audit_log_untrustedstring(ab, get_task_comm(comm, current)); audit_log_end(ab); + audit_free_local(context); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); @@ -2685,6 +2695,7 @@ static void audit_log_task(struct audit_buffer *ab) */ void audit_core_dumps(long signr) { + struct audit_context *context; struct audit_buffer *ab; if (!audit_enabled) @@ -2693,12 +2704,14 @@ void audit_core_dumps(long signr) if (signr == SIGQUIT) /* don't care for those */ return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_ANOM_ABEND); if (unlikely(!ab)) return; audit_log_task(ab); audit_log_format(ab, " sig=%ld res=1", signr); audit_log_end(ab); + audit_free_local(context); } /** diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index ae073b642fa7..5c0029a3a595 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -140,7 +140,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; lsmblob_init(&lb, secid); - err = security_secid_to_secctx(&lb, &context); + err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 668b31ecd638..05bdbb942499 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -347,7 +347,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return 0; 
@@ -658,7 +658,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) struct lsmblob blob; struct lsmcontext context; - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index b5796a8e5e90..3da3770e9739 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -177,7 +177,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index cffb04baf7b8..9bef0bddf7d6 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -316,7 +316,7 @@ static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, context); + security_secid_to_secctx(&blob, context, LSMBLOB_DISPLAY); } read_unlock_bh(&skb->sk->sk_callback_lock); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 289602835b75..245f63f5773a 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -437,7 +437,8 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(lsmblob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); 
@@ -492,7 +493,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(&entry->lsmblob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -552,7 +554,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(&entry->lsmblob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -738,11 +741,10 @@ static void netlbl_unlabel_acceptflg_set(u8 value, netlabel_unlabel_acceptflg = value; audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, audit_info); - if (audit_buf != NULL) { + if (audit_buf != NULL) audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); - audit_log_end(audit_buf); - } + audit_log_end(audit_buf); } /** @@ -1122,7 +1124,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, lsmb = (struct lsmblob *)&addr6->lsmblob; } - ret_val = security_secid_to_secctx(lsmb, &context); + ret_val = security_secid_to_secctx(lsmb, &context, LSMBLOB_FIRST); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, 
@@ -1528,14 +1530,11 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; - struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid_subj(current, &blob); - /* scaffolding until audit_info.secid is converted */ - audit_info.secid = blob.secid[0]; + security_task_getsecid_subj(current, &audit_info.lsmdata); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 951ba0639d20..9c43c3cb2088 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,7 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,11 +97,14 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - lsmblob_init(&blob, audit_info->secid); - if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &context) == 0) { - audit_log_format(audit_buf, " subj=%s", context.context); - security_release_secctx(&context); + if (lsmblob_is_set(&audit_info->lsmdata)) { + if (!lsm_multiple_contexts() && + security_secid_to_secctx(&audit_info->lsmdata, &context, + LSMBLOB_FIRST) == 0) { + audit_log_format(audit_buf, " subj=%s", + context.context); + security_release_secctx(&context); + } } return audit_buf; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index aa31f7bf79ee..e5b15ad41df7 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h 
@@ -32,11 +32,7 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - struct lsmblob blob; - - security_task_getsecid_subj(current, &blob); - /* scaffolding until secid is converted */ - audit_info->secid = blob.secid[0]; + security_task_getsecid_subj(current, &audit_info->lsmdata); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 827d84255021..2152e319951d 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -4178,30 +4178,34 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SPD-add"); + audit_buf = xfrm_audit_start("SPD-add", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); audit_log_format(audit_buf, " res=%u", result); xfrm_audit_common_policyinfo(xp, audit_buf); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SPD-delete"); + audit_buf = xfrm_audit_start("SPD-delete", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); audit_log_format(audit_buf, " res=%u", result); xfrm_audit_common_policyinfo(xp, audit_buf); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete); #endif diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index a2f4001221d1..4d174f42eb60 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c 
@@ -2796,29 +2796,33 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SAD-add"); + audit_buf = xfrm_audit_start("SAD-add", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); xfrm_audit_helper_sainfo(x, audit_buf); audit_log_format(audit_buf, " res=%u", result); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_state_add); void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SAD-delete"); + audit_buf = xfrm_audit_start("SAD-delete", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); xfrm_audit_helper_sainfo(x, audit_buf); audit_log_format(audit_buf, " res=%u", result); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); @@ -2828,7 +2832,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x, struct audit_buffer *audit_buf; u32 spi; - audit_buf = xfrm_audit_start("SA-replay-overflow"); + audit_buf = xfrm_audit_start("SA-replay-overflow", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); @@ -2846,7 +2850,7 @@ void xfrm_audit_state_replay(struct xfrm_state *x, struct audit_buffer *audit_buf; u32 spi; - audit_buf = xfrm_audit_start("SA-replayed-pkt"); + audit_buf = xfrm_audit_start("SA-replayed-pkt", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 
@@ -2861,7 +2865,7 @@ void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) { struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SA-notfound"); + audit_buf = xfrm_audit_start("SA-notfound", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, family, audit_buf); @@ -2875,7 +2879,7 @@ void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, struct audit_buffer *audit_buf; u32 spi; - audit_buf = xfrm_audit_start("SA-notfound"); + audit_buf = xfrm_audit_start("SA-notfound", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, family, audit_buf); @@ -2893,7 +2897,7 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x, __be32 net_spi; __be32 net_seq; - audit_buf = xfrm_audit_start("SA-icv-failure"); + audit_buf = xfrm_audit_start("SA-icv-failure", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 691f68d478f1..3481990a25a6 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -342,6 +342,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename) { + struct audit_context *context; struct audit_buffer *ab; char *hash; const char *algo_name = hash_algo_name[iint->ima_hash->algo]; @@ -358,8 +359,8 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); hash[i * 2] = '\0'; - ab = audit_log_start(audit_context(), GFP_KERNEL, - AUDIT_INTEGRITY_RULE); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_INTEGRITY_RULE); if (!ab) goto out; @@ -369,6 +370,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, audit_log_task_info(ab); audit_log_end(ab); + audit_free_local(context); iint->flags |= IMA_AUDITED; out: 
diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c index 29220056207f..c3b313886e15 100644 --- a/security/integrity/integrity_audit.c +++ b/security/integrity/integrity_audit.c @@ -38,13 +38,15 @@ void integrity_audit_message(int audit_msgno, struct inode *inode, const char *cause, int result, int audit_info, int errno) { + struct audit_context *context; struct audit_buffer *ab; char name[TASK_COMM_LEN]; if (!integrity_audit_info && audit_info == 1) /* Skip info messages */ return; - ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, audit_msgno); audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", task_pid_nr(current), from_kuid(&init_user_ns, current_uid()), @@ -64,4 +66,5 @@ void integrity_audit_message(int audit_msgno, struct inode *inode, } audit_log_format(ab, " res=%d errno=%d", !result, errno); audit_log_end(ab); + audit_free_local(context); } diff --git a/security/security.c b/security/security.c index cb359e185d1a..5d7fd982f84a 100644 --- a/security/security.c +++ b/security/security.c @@ -2309,7 +2309,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { rc = hp->hook.setprocattr(name, value, size); - if (rc < 0) + if (rc < 0 && rc != -EINVAL) return rc; } 
@@ -2354,13 +2354,31 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int ilsm) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); memset(cp, 0, sizeof(*cp)); + /* + * ilsm either is the slot number use for formatting + * or an instruction on which relative slot to use. + */ + if (ilsm == LSMBLOB_DISPLAY) + ilsm = lsm_task_ilsm(current); + else if (ilsm == LSMBLOB_FIRST) + ilsm = LSMBLOB_INVALID; + else if (ilsm < 0) { + WARN_ONCE(true, + "LSM: %s unknown interface LSM\n", __func__); + ilsm = LSMBLOB_INVALID; + } else if (ilsm >= lsm_slot) { + WARN_ONCE(true, + "LSM: %s invalid interface LSM\n", __func__); + ilsm = LSMBLOB_INVALID; + } + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; @@ -2390,7 +2408,7 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, return hp->hook.secctx_to_secid(secdata, seclen, &blob->secid[hp->lsmid->slot]); } - return 0; + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_secctx_to_secid); 
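Review bot: in the security_secid_to_secctx() hunk both WARN_ONCE() branches degrade an unknown or out-of-range `ilsm` to LSMBLOB_INVALID and carry on, so a caller bug yields a context from whichever slot the loop then picks rather than an error; returning -EINVAL would be safer, and audit_log_object_context() in 23/25 already treats -EINVAL as "no context for this slot". Also, "slot number use for formatting" in the new comment should read "used".

Review bot: changing the fall-through `return 0` to `return -EOPNOTSUPP` in security_secctx_to_secid() is a behaviour change for every existing caller: a system whose active modules implement no secctx_to_secid hook used to get success with an untouched blob and now gets an error. The commit message should list the callers that were checked for this, and the hunk should say whether `blob` is left initialised on the error path.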
@@ -2884,23 +2902,17 @@ int security_key_getsecurity(struct key *key, char **_buffer) int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { struct security_hook_list *hp; - bool one_is_good = false; - int rc = 0; - int trc; + int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.audit_rule_init, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - trc = hp->hook.audit_rule_init(field, op, rulestr, - &lsmrule[hp->lsmid->slot]); - if (trc == 0) - one_is_good = true; - else - rc = trc; + if (ilsm != LSMBLOB_INVALID && ilsm != hp->lsmid->slot) + continue; + return hp->hook.audit_rule_init(field, op, rulestr, + &lsmrule[hp->lsmid->slot]); } - if (one_is_good) - return 0; - return rc; + return 0; } int security_audit_rule_known(struct audit_krule *krule) @@ -2932,6 +2944,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, continue; if (lsmrule[hp->lsmid->slot] == NULL) continue; + if (lsmrule[hp->lsmid->slot] == NULL) + continue; rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot], field, op, &lsmrule[hp->lsmid->slot]); diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 9cda52f2ec31..2f0f412fc403 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c 
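Review bot: the rewritten loop in security_audit_rule_init() ends in `return 0` even when no hook matched the task's interface LSM, so an audit rule carrying an LSM field is accepted as installed while no module will ever evaluate it and lsmrule[] stays untouched; the previous code at least returned the last hook's error. Return an error (the old rc, or -EINVAL) when the loop falls through, so auditctl reports the rule as unsupported instead of silently installing a no-op filter.

Review bot: the two added lines in the security_audit_rule_match() hunk duplicate the `if (lsmrule[hp->lsmid->slot] == NULL) continue;` check that is already the preceding context line; drop the added copy.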
@@ -185,7 +185,8 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap) nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + lsmblob_init(&nap->lsmdata, 0); + nap->lsmdata.secid[smack_lsmid.slot] = skp->smk_secid; } /*
From patchwork Thu Jul 22 00:47:56 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392747
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v28 23/25] Audit: Add record for multiple object LSM attributes
Date: Wed, 21 Jul 2021 17:47:56 -0700
Message-Id: <20210722004758.12371-24-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Create a new audit record type to contain the object information when there are multiple security modules that may require such data. This record is linked with the same timestamp and serial number. An example of the MAC_OBJ_CONTEXTS (1421) record is:

type=UNKNOWN[1421] msg=audit(1601152467.009:1050): obj_selinux="unconfined_u:object_r:user_home_t:s0"

Not all security modules that can provide object information do so in all cases. It is possible that a security module won't apply an object attribute in all cases.
Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com To: Paul Moore --- include/linux/audit.h | 7 ++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 54 ++++++++++++++++++++++++++++ kernel/audit.h | 4 +-- kernel/auditsc.c | 73 +++++++------------------------------- 5 files changed, 76 insertions(+), 63 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 85eb87f6f92d..6bf0c86fcbc9 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -187,6 +187,8 @@ extern void audit_log_path_denied(int type, extern void audit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); +extern int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); extern void audit_log_task_info(struct audit_buffer *ab); extern int audit_update_lsm_rules(void); @@ -250,6 +252,11 @@ static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; } +static inline int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + return 0; +} static inline void audit_log_task_info(struct audit_buffer *ab) { } diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 4432a8bed8e0..4efed1abcd54 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -140,6 +140,7 @@ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM object contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index cba63789a164..c500b303e39f 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
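Review bot: the new AUDIT_MAC_OBJ_CONTEXTS (1421) number in the include/uapi/linux/audit.h hunk also needs a matching entry in the audit user-space record-name table, otherwise records print as `type=UNKNOWN[1421]` exactly as in the commit message example; the companion audit-userspace change should be mentioned in the commit message or cover letter. The !CONFIG_AUDIT stub in include/linux/audit.h returning 0 is consistent with audit_log_task_context() beside it.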
@@ -2204,6 +2204,60 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + int i; + int error; + bool sep = false; + struct lsmcontext lsmdata; + struct audit_buffer *lsmab = NULL; + struct audit_context *context = NULL; + + /* + * If there is more than one security module that has a + * object "context" it's necessary to put the object data + * into a separate record to maintain compatibility. + */ + if (lsm_multiple_contexts()) { + audit_log_format(ab, " obj=?"); + context = ab->ctx; + if (context) + lsmab = audit_log_start(context, GFP_KERNEL, + AUDIT_MAC_OBJ_CONTEXTS); + WARN_ONCE(!context, "Context not set for object\n"); + } + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (blob->secid[i] == 0) + continue; + error = security_secid_to_secctx(blob, &lsmdata, i); + if (error && error != -EINVAL) { + audit_panic("error in audit_log_object_context"); + return error; + } + + if (context) { + audit_log_format(lsmab, "%sobj_%s=\"%s\"", + sep ? " " : "", + lsm_slot_to_name(i), + lsmdata.context); + sep = true; + } else + audit_log_format(ab, " obj=%s", lsmdata.context); + + security_release_secctx(&lsmdata); + if (!context) + break; + } + + if (context) + audit_log_end(lsmab); + + return 0; +} +EXPORT_SYMBOL(audit_log_object_context); + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/audit.h b/kernel/audit.h index ddc1a69edc79..d62f3cb09278 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -78,7 +78,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -153,7 +153,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; 
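Review bot: three problems in the new audit_log_object_context() hunk. First, when security_secid_to_secctx() returns -EINVAL the loop does not `continue`, so lsmdata.context (zeroed by the memset in security_secid_to_secctx(), i.e. NULL) is formatted into the record and security_release_secctx() is called on it. Second, on the audit_panic() error return the already-started `lsmab` record is never passed to audit_log_end(). Third, when lsm_multiple_contexts() is true but ab->ctx is NULL, " obj=?" has already been written and the fallback then appends " obj=<ctx>" to the same record, giving two obj= keys. Suggest `continue` on -EINVAL, `audit_log_end(lsmab)` before the error return, and emitting obj=? only once lsmab has actually been started.

Review bot: replacing `u32 osid` with `struct lsmblob oblob` in audit_names and audit_context (the two kernel/audit.h hunks) makes lsmblob_is_set() the "has a label" test, so both structures must start zeroed and audit_context, which is reused across syscalls, must have ipc.oblob cleared between events; otherwise a stale blob from a previous event is reported as the object's label. A sentence in the commit message on where that zeroing happens would help.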
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 01fdcbf468c0..5261a69a050a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -691,14 +691,6 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { - /* - * lsmblob_init sets all values in the - * lsmblob to sid. This is temporary - * until name->osid is converted to a - * lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, f->type, @@ -706,7 +698,6 @@ static int audit_filter_rules(struct task_struct *tsk, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - lsmblob_init(&blob, name->osid); if (security_audit_rule_match( &blob, f->type, @@ -720,8 +711,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - lsmblob_init(&blob, ctx->ipc.osid); - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rules)) ++result; @@ -1031,7 +1021,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1041,15 +1030,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(blob)) + rc = audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); 
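Review bot: the first audit_filter_rules() hunk removes `lsmblob_init(&blob, name->osid)` but leaves `security_audit_rule_match(&blob, ...)` reading the local `blob`, which is now never initialised in this branch; it should pass `&name->oblob`, the field introduced by this patch, as the AUDIT_IPC hunk below does with `&ctx->ipc.oblob`.

Review bot: the same problem in the names_list loop hunk: `lsmblob_init(&blob, name->osid)` is deleted but the match still uses `&blob`. This should be `&n->oblob`, which also fixes the pre-existing use of `name` instead of the loop variable `n` inside `list_for_each_entry(n, &ctx->names_list, list)`.

Review bot: the audit_log_pid_context() hunk changes the failure contract: the old code logged ` obj=(none)` and set rc = 1, the new code returns whatever audit_log_object_context() returns (a negative errno, after it has already called audit_panic()) and logs no object field at all. Check what the caller does with rc, and consider keeping the `obj=(none)` marker so a record whose label could not be rendered is distinguishable from one for an unlabelled object.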
@@ -1277,26 +1259,15 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct lsmblob *oblob = &context->ipc.oblob; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { - struct lsmcontext lsmcxt; - struct lsmblob blob; - - lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } - } + if (lsmblob_is_set(oblob) && + audit_log_object_context(ab, oblob)) + *call_panic = 1; if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1441,20 +1412,9 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { - struct lsmblob blob; - struct lsmcontext lsmctx; - - lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", n->osid); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(&n->oblob) && + audit_log_object_context(ab, &n->oblob) && call_panic) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { 
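Review bot: in the AUDIT_IPC hunk of show_special() the `osid=%u` fallback on conversion failure is dropped, so a record for which the LSM cannot render the label now carries no object field and only *call_panic notes the problem; since audit_log_object_context() calls audit_panic() on that path, the record may be the only trace left, so either keep a numeric fallback or state the lost fallback in the commit message.

Review bot: the audit_log_name() hunk relies on short-circuit order, `lsmblob_is_set(&n->oblob) && audit_log_object_context(...) && call_panic`, so the object context is still logged when call_panic is NULL, which is right; but as in show_special() the `osid=%u` fallback is gone, so a failed conversion leaves the PATH record with no object field.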
@@ -2001,17 +1961,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &blob); - /* scaffolding until osid is updated */ - name->osid = blob.secid[0]; + security_inode_getsecid(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; 
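Review bot: security_inode_getsecid() now fills name->oblob directly and the scaffolding comment is gone; unless the hook is guaranteed to lsmblob_init() the blob for every active module, a module that provides no inode secid leaves its slot with whatever the audit_names allocation contained. Either add `lsmblob_init(&name->oblob, 0)` before the call or confirm in the commit message that audit_names entries are allocated zeroed, so that lsmblob_is_set() can be trusted in audit_log_name().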
@@ -2358,17 +2314,12 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &blob); - /* context->ipc.osid will be changed to a lsmblob later in - * the patch series. This will allow auditing of all the object - * labels associated with the ipc object. */ - context->ipc.osid = lsmblob_value(&blob); + security_ipc_getsecid(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; }
From patchwork Thu Jul 22 00:47:57 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12392749
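Review bot: on the __audit_ipc_obj() hunk of patch 23/25 above: context->ipc.oblob lives in the per-task audit_context, which is reused from one syscall to the next, so the hunk should clear it with `lsmblob_init(&context->ipc.oblob, 0)` before security_ipc_getsecid() unless that hook is documented to overwrite every slot; otherwise an IPC object handled by a module that sets no secid could inherit the label recorded for the previous IPC event.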
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v28 24/25] LSM: Add /proc attr entry for full LSM context
Date: Wed, 21 Jul 2021 17:47:57 -0700
Message-Id: <20210722004758.12371-25-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

Add an entry /proc/.../attr/context which displays the full process security "context" in compound format: lsm1\0value\0lsm2\0value\0... This entry is not writable. A security module may decide that its policy does not allow this information to be displayed. In this case none of the information will be displayed.

Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: linux-api@vger.kernel.org Cc: linux-doc@vger.kernel.org --- Documentation/ABI/testing/procfs-attr-context | 14 ++++ Documentation/security/lsm.rst | 14 ++++ fs/proc/base.c | 1 + include/linux/lsm_hooks.h | 6 ++ security/apparmor/include/procattr.h | 2 +- security/apparmor/lsm.c | 8 +- security/apparmor/procattr.c | 22 +++--- security/security.c | 79 +++++++++++++++++++ security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- 10 files changed, 135 insertions(+), 15 deletions(-) create mode 100644 Documentation/ABI/testing/procfs-attr-context diff --git a/Documentation/ABI/testing/procfs-attr-context b/Documentation/ABI/testing/procfs-attr-context new file mode 100644 index 000000000000..40da1c397c30 --- /dev/null +++ b/Documentation/ABI/testing/procfs-attr-context
@@ -0,0 +1,14 @@ +What: /proc/*/attr/context +Contact: linux-security-module@vger.kernel.org, +Description: The current security information used by all Linux + security module (LSMs) that are active on the system. + The details of permissions required to read from + this interface and hence obtain the security state + of the task identified is dependent on the LSMs that + are active on the system. + A process cannot write to this interface. + The data provided by this interface will have the form: + lsm_name\0lsm_data\0[lsm_name\0lsm_data\0]... + where lsm_name is the name of the LSM and the following + lsm_data is the process data for that LSM. +Users: LSM user-space diff --git a/Documentation/security/lsm.rst b/Documentation/security/lsm.rst index b77b4a540391..070225ae6ceb 100644 --- a/Documentation/security/lsm.rst +++ b/Documentation/security/lsm.rst @@ -143,3 +143,17 @@ separated list of the active security modules. The file ``/proc/pid/attr/interface_lsm`` contains the name of the security module for which the ``/proc/pid/attr/current`` interface will apply. This interface can be written to. + +The infrastructure does provide an interface for the special +case where multiple security modules provide a process context. +This is provided in compound context format. + +- `lsm\0value\0lsm\0value\0` + +The `lsm` and `value` fields are NUL-terminated bytestrings. +Each field may contain whitespace or non-printable characters. +The NUL bytes are included in the size of a compound context. +The context ``Bell\0Secret\0Biba\0Loose\0`` has a size of 23. + +The file ``/proc/pid/attr/context`` provides the security +context of the identified process. diff --git a/fs/proc/base.c b/fs/proc/base.c index f80ed1c40053..387627fd8313 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c 
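Review bot: in the procfs-attr-context hunk "all Linux security module (LSMs)" should be "security modules (LSMs)", and the Contact: line ends with a stray comma. The description leaves the read-permission rules to "the LSMs that are active", which is accurate, but it should also say what a reader sees when one module refuses (the commit message says none of the information is shown); that all-or-nothing behaviour is what an administrator granting access to this file needs to know.

Review bot: the lsm.rst hunk's size example checks out (Bell\0, Secret\0, Biba\0, Loose\0 is 5+7+5+6 = 23 bytes), but "The infrastructure does provide an interface" reads oddly, and the `lsm\0value\0lsm\0value\0` bullet should say there is exactly one lsm/value pair per module that answers. Since the security_getprocattr() hunk in this patch accepts a zero-length value from a module, the text should also state that an empty value (two adjacent NULs) is legal, because consumers splitting the buffer on NUL need to handle it.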
@@ -2821,6 +2821,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), ATTR(NULL, "interface_lsm", 0666), + ATTR(NULL, "context", 0444), #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index d2c4bc94d47f..f6ffe8b069e2 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1397,6 +1397,12 @@ * @pages contains the number of pages. * Return 0 if permission is granted. * + * @getprocattr: + * Provide the named process attribute for display in special files in + * the /proc/.../attr directory. Attribute naming and the data displayed + * is at the discretion of the security modules. The exception is the + * "context" attribute, which will contain the security context of the + * task as a nul terminated text string without trailing whitespace. * @ismaclabel: * Check if the extended attribute specified by @name * represents a MAC label. Returns 1 if name is a MAC diff --git a/security/apparmor/include/procattr.h b/security/apparmor/include/procattr.h index 31689437e0e1..03dbfdb2f2c0 100644 --- a/security/apparmor/include/procattr.h +++ b/security/apparmor/include/procattr.h @@ -11,7 +11,7 @@ #ifndef __AA_PROCATTR_H #define __AA_PROCATTR_H -int aa_getprocattr(struct aa_label *label, char **string); +int aa_getprocattr(struct aa_label *label, char **string, bool newline); int aa_setprocattr_changehat(char *args, size_t size, int flags); #endif /* __AA_PROCATTR_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4237536106aa..65a004597e53 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
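Review bot: the new @getprocattr text in the lsm_hooks.h hunk says the "context" attribute is "a nul terminated text string without trailing whitespace", but append_ctx() in security/security.c in this same patch explains that modules may or may not nul-terminate, and aa_getprocattr() returns a length that excludes any terminator. Pick one contract and state it here: either modules must nul-terminate (then append_ctx() need not use strnlen()) or the returned length is authoritative and the terminator is optional.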
@@ -602,6 +602,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, const struct cred *cred = get_task_cred(task); struct aa_task_ctx *ctx = task_ctx(current); struct aa_label *label = NULL; + bool newline = true; if (strcmp(name, "current") == 0) label = aa_get_newest_label(cred_label(cred)); @@ -609,11 +610,14 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, label = aa_get_newest_label(ctx->previous); else if (strcmp(name, "exec") == 0 && ctx->onexec) label = aa_get_newest_label(ctx->onexec); - else + else if (strcmp(name, "context") == 0) { + label = aa_get_newest_label(cred_label(cred)); + newline = false; + } else error = -EINVAL; if (label) - error = aa_getprocattr(label, value); + error = aa_getprocattr(label, value, newline); aa_put_label(label); put_cred(cred); diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c index c929bf4a3df1..be3b083d9b74 100644 --- a/security/apparmor/procattr.c +++ b/security/apparmor/procattr.c @@ -20,6 +20,7 @@ * aa_getprocattr - Return the profile information for @profile * @profile: the profile to print profile info about (NOT NULL) * @string: Returns - string containing the profile info (NOT NULL) + * @newline: Should a newline be added to @string. * * Returns: length of @string on success else error on failure * 
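Review bot: the new "context" branch in the second apparmor_getprocattr() hunk duplicates the "current" lookup with newline = false; folding the two string compares into one branch that derives `newline` from the name would avoid the duplicated aa_get_newest_label(cred_label(cred)) call. Behaviour is otherwise correct: the label reference is still dropped by aa_put_label() on every path.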
@@ -30,20 +31,21 @@ * * Returns: size of string placed in @string else error code on failure */ -int aa_getprocattr(struct aa_label *label, char **string) +int aa_getprocattr(struct aa_label *label, char **string, bool newline) { struct aa_ns *ns = labels_ns(label); struct aa_ns *current_ns = aa_get_current_ns(); + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED; int len; if (!aa_ns_visible(current_ns, ns, true)) { aa_put_ns(current_ns); return -EACCES; } + if (newline) + flags |= FLAG_SHOW_MODE; - len = aa_label_snxprint(NULL, 0, current_ns, label, - FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | - FLAG_HIDDEN_UNCONFINED); + len = aa_label_snxprint(NULL, 0, current_ns, label, flags); AA_BUG(len < 0); *string = kmalloc(len + 2, GFP_KERNEL); @@ -52,19 +54,19 @@ int aa_getprocattr(struct aa_label *label, char **string) return -ENOMEM; } - len = aa_label_snxprint(*string, len + 2, current_ns, label, - FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | - FLAG_HIDDEN_UNCONFINED); + len = aa_label_snxprint(*string, len + 2, current_ns, label, flags); if (len < 0) { aa_put_ns(current_ns); return len; } - (*string)[len] = '\n'; - (*string)[len + 1] = 0; + if (newline) { + (*string)[len] = '\n'; + (*string)[++len] = 0; + } aa_put_ns(current_ns); - return len + 1; + return len; } /** diff --git a/security/security.c b/security/security.c index 5d7fd982f84a..4572da4e27f7 100644 --- a/security/security.c +++ b/security/security.c 
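Review bot: in the aa_getprocattr() hunks FLAG_SHOW_MODE is now only set when `newline` is true, so the mode suffix (enforce/complain) is dropped from the compound "context" form but kept in /proc/pid/attr/current; that asymmetry should be stated in the commit message, since tools parsing the compound form will not see the mode. The return value is consistent (with a newline, `++len` then `return len` equals the old `len + 1`; without one, the terminator written by aa_label_snxprint() is excluded), though kmalloc(len + 2) over-allocates by one byte in the no-newline case, which is harmless.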
@@ -801,6 +801,57 @@ static int lsm_superblock_alloc(struct super_block *sb) return 0; } +/** + * append_ctx - append a lsm/context pair to a compound context + * @ctx: the existing compound context + * @ctxlen: size of the old context, including terminating nul byte + * @lsm: new lsm name, nul terminated + * @new: new context, possibly nul terminated + * @newlen: maximum size of @new + * + * replace @ctx with a new compound context, appending @newlsm and @new + * to @ctx. On exit the new data replaces the old, which is freed. + * @ctxlen is set to the new size, which includes a trailing nul byte. + * + * Returns 0 on success, -ENOMEM if no memory is available. + */ +static int append_ctx(char **ctx, int *ctxlen, const char *lsm, char *new, + int newlen) +{ + char *final; + size_t llen; + size_t nlen; + size_t flen; + + llen = strlen(lsm) + 1; + /* + * A security module may or may not provide a trailing nul on + * when returning a security context. There is no definition + * of which it should be, and there are modules that do it + * each way. + */ + nlen = strnlen(new, newlen); + + flen = *ctxlen + llen + nlen + 1; + final = kzalloc(flen, GFP_KERNEL); + + if (final == NULL) + return -ENOMEM; + + if (*ctxlen) + memcpy(final, *ctx, *ctxlen); + + memcpy(final + *ctxlen, lsm, llen); + memcpy(final + *ctxlen + llen, new, nlen); + + kfree(*ctx); + + *ctx = final; + *ctxlen = flen; + + return 0; +} + /* * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and * can be accessed with: @@ -2234,6 +2285,10 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + char *final = NULL; + char *cp; + int rc = 0; + int finallen = 0; int ilsm = lsm_task_ilsm(current); int slot = 0; 
@@ -2261,6 +2316,30 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, return -ENOMEM; } + if (!strcmp(name, "context")) { + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, + list) { + rc = hp->hook.getprocattr(p, "context", &cp); + if (rc == -EINVAL) + continue; + if (rc < 0) { + kfree(final); + return rc; + } + rc = append_ctx(&final, &finallen, hp->lsmid->lsm, + cp, rc); + kfree(cp); + if (rc < 0) { + kfree(final); + return rc; + } + } + if (final == NULL) + return -EINVAL; + *value = final; + return finallen; + } + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 12ae311b7275..046570556e5a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6458,7 +6458,7 @@ static int selinux_getprocattr(struct task_struct *p, goto bad; } - if (!strcmp(name, "current")) + if (!strcmp(name, "current") || !strcmp(name, "context")) sid = __tsec->sid; else if (!strcmp(name, "prev")) sid = __tsec->osid; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e65497a5c095..1618d7d6154b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -3477,7 +3477,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) char *cp; int slen; - if (strcmp(name, "current") != 0) + if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0) return -EINVAL; cp = kstrdup(skp->smk_known, GFP_KERNEL);
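Review bot: in the security/apparmor/procattr.c hunks of this patch, the new `newline` parameter of aa_getprocattr() does two jobs at once: it decides whether FLAG_SHOW_MODE is OR'd into `flags` and whether the trailing '\n' is appended, yet the kernel-doc only says "@newline: Should a newline be added to @string." Either document that newline=false also drops the mode suffix, so the "context" output differs from "current" in more than the newline, or pass the mode flag separately. Minor: `*string = kmalloc(len + 2, GFP_KERNEL);` still reserves the newline byte when newline is false; `len + (newline ? 2 : 1)` would match the actual use.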
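Review bot: the kernel-doc for append_ctx() in the security/security.c hunk describes "appending @newlsm and @new to @ctx", but the parameter is named @lsm; rename one or the other so the doc matches the prototype. The same function takes `int *ctxlen` and `int newlen` while the sizes are computed as size_t (`llen`, `nlen`, `flen`) and written back with `*ctxlen = flen;`; using size_t for both length parameters avoids the implicit narrowing. The layout also relies on the previous context's trailing nul being copied along with it (`flen = *ctxlen + llen + nlen + 1;` where @ctxlen "includes terminating nul byte"), which yields lsm\0ctx\0lsm\0ctx\0; a one-line comment stating that format would help whoever parses the "context" attribute.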
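Review bot: the new "context" branch in security_getprocattr() never looks at the `lsm` argument, whereas the existing loop below it skips modules with `if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue;`. A caller that passes a specific lsm together with name "context" therefore gets the compound context of every module rather than that module's. Either apply the same filter inside the new loop or state in a comment that `lsm` is intentionally ignored for "context". Treating -EINVAL as "module does not implement context" is reasonable, but any other negative rc aborts the whole read after kfree(final), so one module's transient error hides every other module's context; that deserves a comment at the `if (rc < 0)` check.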
From patchwork Thu Jul 22 00:47:58 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12392751
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v28 25/25] AppArmor: Remove the exclusive flag
Date: Wed, 21 Jul 2021 17:47:58 -0700
Message-Id: <20210722004758.12371-26-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>

With the inclusion of the interface LSM process attribute mechanism
AppArmor no longer needs to be treated as an "exclusive" security
module. Remove the flag that indicates it is exclusive.

Remove the stub getpeersec_dgram AppArmor hook as it has no effect
in the single LSM case and interferes in the multiple LSM case.

Acked-by: Stephen Smalley
Acked-by: John Johansen
Reviewed-by: Kees Cook
Signed-off-by: Casey Schaufler
---
 security/apparmor/lsm.c | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 65a004597e53..15af5a5cb0c0 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -1928,7 +1910,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init,
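Review bot: for the hunk that deletes apparmor_socket_getpeersec_dgram(), the commit message says the stub "interferes in the multiple LSM case" but not how; since the removed body only did `return -ENOPROTOOPT;`, spell out in the message what callers of the hook receive once AppArmor no longer registers it, so the behaviour change can be checked for both AppArmor-only and stacked configurations. The deleted kernel-doc ("Sets the netlabel socket state on sk from parent") never described the stub anyway, so nothing is lost there. The DEFINE_LSM hunk that drops LSM_FLAG_EXCLUSIVE while keeping LSM_FLAG_LEGACY_MAJOR is straightforward.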