From patchwork Mon Dec 13 23:40:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12674943 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9730DC433FE for ; Mon, 13 Dec 2021 23:49:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244279AbhLMXtl (ORCPT ); Mon, 13 Dec 2021 18:49:41 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:37160 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243921AbhLMXtj (ORCPT ); Mon, 13 Dec 2021 18:49:39 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439378; bh=jED1FKxellw4KtQDkWf6Z/5uafpV100mgrllKbb8X90=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=DEIbbkGO6YIqi7gr3KJm9RTXTpuAYmaPK4b2ckhYa9hDnniHq60fPqZHdPWpbIgibhGLXTyI2hnOpvmilltqIqsucKpjOshaGu2e2y9ynhTqOdhr71BeWgVR98KCrpFagjysirbdVY7PjKKvvcIZsjBCgqYjwyb3Bz7WxVxSZATD1KPr/vlPF2xVs5mnb6xuSgE5QnYVtNAqXQQjhlZmWd+PwnF+A+g4T9eCJE0XQ9XjaNn1AQLL8wDIuzKf5eL6iEYHffLuQYJXOzv7Kg0bCS02K8BUc0D4/cMW51vqccoauVVeHT7Hf7X09XlkF6m+GV5RQ+I22U9nj6POuTFKRw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439378; bh=V/ADtwObiPT035hBwB4n02igK7ErvLlMXO92/D5Wt8Z=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=kDB31NVsOWacd5kJumDs9pfT4GG+uPgCxeteU8YZLxLbpohVgT2O5vHy0NO3W7aA0zSPgUbJLDkyCpNlGZPO/q4BAvaCL8WcaK1dvL95aIl5gL+IXcxxz4htcNh8yX2Ap3CZDpY3Z4nnDKTw5F51EJUNAptxuspiJ9UHUgnw9tqWGmYb+cuOAKcTB5Hpsrppe63/9l9Hh4859itgwsBsCJEgrurwICW2W45O6X+2fRjQ3fIJJdrfwf0j5GZIWt1+JXSGe9D2+zUlBykZnv1WMJmmW1dF7M9urmKfpIQvHwNi1bw9CINQiIeHCxgMLTOwMbTH1GA2HGbwicRONGMuJA== X-YMail-OSG: yxJ0gS4VM1mvuKEFInuzdpAPEHoEFSCzPrBQDCOuxRhSVefQ9ewJ5LrKxndhrSM oBKRpVUT2u8VpLCnsA4.hCyQMgXkqPQV5fiU.b_dmo4peXOevUU4j6zbJTdpwCT4giViHf49xtaJ D6x7Rr7ePN5s3cW.13az9qExpQ7m8iwmtwD2.wNteznkx586M..1GYcljFnyNf0e9OXsiJ.s3Rum xrZACBEft800Q0yCPk.WFN0SoEqo06dYfHChE1CIGGFvdPS8aDmLhfHrp7of2o65cJP.dDCfiOFH IdggmbJv0kpCNx6NIb7WYOIGgQ0vMkZ_4wWBi_euiM5alMg1hpC.fQ4YfjgWcQcRhMHpse5OQ1iH vsPPaFQsrixonA9U5fOKOfAuGLZBToLAb0T8UHzjyfzUpJEGnwdIl0axH9WZhObocA3InBAiw_GP .ZygM3Zu2AqwwivqnCLTYEONOgiq1jqY0iTjvnjojehtnOMr9Uufv9Rl0SO371xGPw_epsaB2wb2 NnL.R6.yfV0CYo76IXny046riaPLW9pbgi1IkyO0l0q01uBZurRBd.46VZ8ISYB5tSOuIuc1Z8Cx 6VSHtaRjepIE4BYHTS97O_DG5yTROKJhg_lnYxL37DcGvtw_.HBivAxzgVAh3f5CIhc_ts_XhVoG ndJMrOarleASemNaUjTs991aOYAyb72HuOvWILgIWnKzXz7Rbkcj38a7xmxaaxt0x45bp63Hbmsb 60gz_cPyDH0THVEL3mZs0_anIlmsMRNKUk75Aw6JBpxnO3_2wexH60c_EejnITb2yWRwaT43WGkV cWLep3OGk5R4JyqK64LI4at_qDj3kWr1w9rmnLLNxfqXDxSTa4YpDBYej8Umr82CBnatovbR1GjR oFybsMT9SN5eqc12xGbbXIkbuy3qIOpSHNTG.m.H_s8ZIWBuOeFcRF4ONqexzafKzP8KKuI_5l2p fsDeqTTC_FsGMvudP9Yo9VM4t1Zv1ABp8YCBnra5UbeKQyJ3uiMExgiDTLJDT9ben53rh27jgVhL 4aIF0t_vhltqEDQl4TO6U7WKZHjo80vQdOKCK1pgjS7gbQLSH0w8eoCACMjIQYAe9E448Ynrcfnu ALvznzjnbda4b2SkV.Rsw5X4NTIEAOPZNpLdUo_oajMqQ3AHVCKBQKvB9OImXWKZ8cY1g.nFm9Tx oTH19CM9YhOm2cPHHCOgj8mvpEOsKNwTkcKdSh2DmOjKDo1bkQdd9QsynNAq6SjLdudD09Cl47gW 2c73FejA_PT7kBKmEc_pxjsE49alizY0cJ0QUci9gmlVtvsr9cziedUu4U71XnFWMdTwyvbb0CMP UVQAMWc_TnTTCsYk_BQjpbYR90I5w1Afb0eYXSqNJbT0RQ9Qiqs0gIZmFoibtWEJr0MOLRfY_Yy3 gA9VkW98HkeupgCpaJJTmxLAuoXtI6wf9cVWafpxzDbKRNCYW64MFp7BUW0PGxn3psqxFppLZ7wW 7NOPNjJ7IJE1QXLY1R9JmGlGY0s5dGsd.zxyud0BOdOZEMpA0uLhNaJQC1yyN_fodt0U_baqTjDP bknPzP6UgaP.Lu8wzvXgXi_Fz7s98vkl_otQq.dEiHGRG3ISqgUlE.4kTRtZXnaIAel7n.XFWKmC XGaYoQfWZ1i0KEdLqPtO3QYChwvO2n_K0ObRC0fz2oVXjLsnzmKzlvO6bHepDGjtj_Zjbydllk.s jGpx9fz_4l2o9leW.7FFo7z9NzyiXfxdpM54SPfehZvIgkHp5ajALDE9BYZg_18D0gidt1x0A8XZ uTo8uyjMtifsMtx9JOnbEcJCtJhCp3SSfUmPoiHvXtbM8eUscoyp2AuzNP3epL5xGTd7n97ZBa_k 266rlx09mw0cR75zOQ2xedLJkM0t9RPKdqIGWyCVWGRv0y0qY2gRyT6oDQuVsZXvFzR0mf6TkYIg odpjd4Mm.5Qz7hh301YwiXLvAqfPX8F27XqCIlhsS7QC_5A_L.Zkt4TTuFcHANtW3L_It0acJEKd Vyanji.mORQCXlDgLyRrIto_HcbSxBT6TEVqFcWmeV1n5eaxKDCL7qHdUwh580jX5Cpfzld.d7fV j7EaG2JiuPTksEiVq5Hj5OOlZHKRxu_O8inY3OwVu4FNEroYDALWZLaH5xrugPxofCGg.NPt23b7 dkwb_R02NjP3XdZZNAx2KC0Zdd2mjEu2NS_pdVsfYsHHi.GoYzBgIuVWdoepqoA0EEpQ5qrJLWTN SEeXqfDrUjqdLmenbGXFinvtSdIxKVZMng5iHHR4.oxrzJ7KT4Uqc1cDur1Onw_RCHfqFUSHt_Ae Vf8z14KGi4OL24U_4wUId6luhGjE0zcW37qdvV7sedew- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:49:38 +0000 Received: by kubenode527.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 3c37c5f8f0988af181e864687125ff70; Mon, 13 Dec 2021 23:49:33 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v31 08/28] LSM: Use lsmblob in security_secctx_to_secid Date: Mon, 13 Dec 2021 15:40:14 -0800 Message-Id: <20211213234034.111891-9-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change the security_secctx_to_secid interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change its callers to do the same. The security module hook is unchanged, still passing back a secid. The infrastructure passes the correct entry from the lsmblob. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso --- include/linux/security.h | 26 ++++++++++++++++++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 10 ++++---- net/netfilter/xt_SECMARK.c | 7 +++++- net/netlabel/netlabel_unlabeled.c | 23 +++++++++++------- security/security.c | 40 ++++++++++++++++++++++++++----- 6 files changed, 85 insertions(+), 25 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index aaa63bf5026e..8a547fc4affa 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -198,6 +198,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) extern int lsm_name_to_slot(char *name); extern const char *lsm_slot_to_name(int slot); +/** + * lsmblob_value - find the first non-zero value in an lsmblob structure. + * @blob: Pointer to the data + * + * This needs to be used with extreme caution, as the cases where + * it is appropriate are rare. + * + * Return the first secid value set in the lsmblob. + * There should only be one. + */ +static inline u32 lsmblob_value(const struct lsmblob *blob) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + if (blob->secid[i]) + return blob->secid[i]; + + return 0; +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -530,7 +551,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -1391,7 +1413,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle static inline int security_secctx_to_secid(const char *secdata, u32 seclen, - u32 *secid) + struct lsmblob *blob) { return -EOPNOTSUPP; } diff --git a/kernel/cred.c b/kernel/cred.c index e5e41bd4efc3..a112ea708b6e 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -796,14 +796,12 @@ EXPORT_SYMBOL(set_security_override); int set_security_override_from_ctx(struct cred *new, const char *secctx) { struct lsmblob blob; - u32 secid; int ret; - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); + ret = security_secctx_to_secid(secctx, strlen(secctx), &blob); if (ret < 0) return ret; - lsmblob_init(&blob, secid); return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index fe91ff5f8fbe..c171c9aadb01 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -813,21 +813,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { static int nft_secmark_compute_secid(struct nft_secmark *priv) { - u32 tmp_secid = 0; + struct lsmblob blob; int err; - err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob); if (err) return err; - if (!tmp_secid) + if (!lsmblob_is_set(&blob)) return -ENOENT; - err = security_secmark_relabel_packet(tmp_secid); + err = security_secmark_relabel_packet(lsmblob_value(&blob)); if (err) return err; - priv->secid = tmp_secid; + priv->secid = lsmblob_value(&blob); return 0; } diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 498a0bf6f044..87ca3a537d1c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info) static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) { + struct lsmblob blob; int err; info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; info->secid = 0; err = security_secctx_to_secid(info->secctx, strlen(info->secctx), - &info->secid); + &blob); if (err) { if (err == -EINVAL) pr_info_ratelimited("invalid security context \'%s\'\n", @@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) return err; } + /* xt_secmark_target_info can't be changed to use lsmblobs because + * it is exposed as an API. Use lsmblob_value() to get the one + * value that got set by security_secctx_to_secid(). */ + info->secid = lsmblob_value(&blob); if (!info->secid) { pr_info_ratelimited("unable to map security context \'%s\'\n", info->secctx); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 566ba4397ee4..762561318d78 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -880,7 +880,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -904,13 +904,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * + * instead of a u32 later in this patch set. security_secctx_to_secid() + * will only be setting one entry in the lsmblob struct, so it is + * safe to use lsmblob_value() to get that one value. */ + return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, secid, - &audit_info); + dev_name, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** @@ -931,7 +936,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -953,13 +958,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* security_secctx_to_secid() will only put one secid into the lsmblob + * so it's safe to use lsmblob_value() to get the secid. */ return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, secid, - &audit_info); + NULL, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** diff --git a/security/security.c b/security/security.c index 171e2fe66e5e..7ae68b6ffc7f 100644 --- a/security/security.c +++ b/security/security.c @@ -2195,10 +2195,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct security_hook_list *hp; + int rc; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } EXPORT_SYMBOL(security_secctx_to_secid); @@ -2349,10 +2361,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, optval, optlen, len); } -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + int rc = -ENOPROTOOPT; + + /* + * Only one security module should provide a real hook for + * this. A stub or bypass like is used in BPF should either + * (somehow) leave rc unaltered or return -ENOPROTOOPT. + */ + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid); + if (rc != -ENOPROTOOPT) + break; + } + return rc; } EXPORT_SYMBOL(security_socket_getpeersec_dgram); From patchwork Mon Dec 13 23:40:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12674945 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA38BC433FE for ; Mon, 13 Dec 2021 23:50:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238519AbhLMXup (ORCPT ); Mon, 13 Dec 2021 18:50:45 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:42720 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238940AbhLMXuo (ORCPT ); Mon, 13 Dec 2021 18:50:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439444; bh=4DGh/JM0QhmeTFRLj4qUlvPwzAsptonLJlq2DPQNd6g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=TCZmH7xIgpQBbo+jxRo28BK+loPYFWOrQC+5dQNOUmuMks31yultzW2RY/YRc0qacwfjHt3KSr0BemMpOctoFZCd2/wg43XdKWKsjQIt+XT90EcTIo3xMnWutCE1bz1MNO+UlH3RSj2QkLNsJQYWnmpv5UO31nimmfI7uaedOE4v0sKz+XUuxe1qGtIGajOtmHVArUWneWySalY3jG75sJu9Y1Exwl/h2XE8F34M+ZRcdogTPD8LMRpcK01w6w3uW/ct1NVNI+XVZyfn4xS+1qX1pCgRibsHm0O57pnuqu8yYQEw93ixLcyJ3IxOlwlKubSqQB0gRq0BjSx3dcBmGw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439444; bh=lAw7NxdpvQt21T1uv17BItigZvUklMnHpeY8CDny0z5=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=BPzuj8B7xLj42GC5TwOUYHShWKsfXIh7vdm3i0zVj6KYtGp6F0Iv7X2Ok9APdb68k9nhw30bFw7Ubfp3zYIaCUbz/+KLSvpw5JDVKNxmldpAvX0eKGHBsGXC19JGZC/BPjl7za5qhOhLv1zKYZnP1cEBohLWS9uidzpYPFN51tfVnEL0ygPAoqekt+KbyBlV8gkUHvNJVZMFznDupa38WDkPkxnSCio5m28kGXFB6lrXGsNxL9xQLAhbyU2KGSY2og4CxGZ03i4b72h7NpRA/lEFMk9TdLuuIyxkVz3K1x3jCsj87jebd0TBxj9IdYUmIv6WJJhPtePZi15eOixcvA== X-YMail-OSG: R7I091AVM1nKhsbJkLLpNRrEidQ3CCFDZ1QO3dRgE42V70_beT34NuGz6D.XBHM KHngGSK4I30212WLBgCfsh6Q5CQbv9xRrfW9Ca9vNfmDKXe7l.OkIE_Zd5Yio5urYvYZvHTWrKKQ gb2w7TM_v4hqBNwScPqOKyJcBsi7VZvZQU5LD6F3rUck9EBvXbxSREJHT1d.wk.MhDWMa1V_48vZ 52_kxoEhjEQw_U5iZz11BKF3URmxXQ7MXVz6H9OeaGMEweB_mF3stYgZW3ThF0pzSNVeQsd2y6jZ NqS02rVPzjj0dYHvkfzG67eUKK7NzCKL_zbolRQMzCpzUtVNBp8bu.RRDNA64GIJkMPoiYys9oBX 2qcysRQQC6B6jQdXXV6Bd2GEOERq.7LWVXXh5HW082U9GMFKvXtk9ADmmZzcnaTtU8A41BhstszS z8gaLbZ.1ec5ShB1DC2Fao6kIgSHZYGBPS3cf_Ax2Pwa.OSFGtV9ivGtO7hNspse4sT9sPRuu91u .aKHmVUhqVeLDHidBy1l0B1afczseQeTQahOcBu_qDX.hGi82xq16Oe9KpJh3nExIB_pMpatj8z1 3Gw9JPTIr5kK5Z3ovtFzs9L6l_NZtCKAYfcLs8S51Uzq8QjtrvBVyb79E94OdMEOUTh.lCRZhgBg z9jENebH5ARp95F_GMAws5UQfu8AcFjFI3nvlZrdibnW6oReg5_drFfHTBisl9UGVViBQFO0llDe uAL12jw0xl8HCWd9UDKt_BOd9YThgNuowwbksWDnIj9KHXXRjxrtVGTN9owvN9G0xhxOwDSc90Om LUxYCZ5Q3Bi53GJhwmGhDd8k2pn.t6lH0PdvBw8EJlctl8JH2NoTkrmK_.uTYMQUy4C9vq6fA_iq POR.ywLsDZ4vV17ZgT7re8MzsJRRedRagHokZhFcOpjg3uWR2dIg2mVi3is.gCwkZZhb40sodGE6 K4Tm93CUB0LsqXpMGYb3yiYxP_vnIX4UZnEUpDgbO8fgLKiDkr6OKnazYZ6p4G5dUD_bUBX4z5kJ TSDoovqZE3xJGyqQRvsFZnzhhdlmorF7T4C3AEG9.ZTxJsK01hZPBdK5t0ae6CZ2IL4F.kauflaq 9PTHk9aHdoaQj0ZteYD2OYXtVprpwn96nOTiGqbG92ABr5ctKZfEu8j6e9XI4P8BcDuSTw7f.SK5 G4n7Mx0eP2TC8wFNaa09ujMY_D9odjwavUKLnrX48ajhch9c5SZkExsl278LWdh53toXKcLp0N8d dcvMFU4ON_o1KHlixO39_Ce97eUcEeqwfVGGQYeRriMHLx9rna65LqmC.E2iXiAl6fpB0d76kTa_ gutmaQsNQsWd2WDZ1HmypTvF6m7VW81.DrgPm45AlMH07AFV7IwCYuQ1pspuR_GGOe2jlIo.QHyy 6iMFpb1cfHMhWgR4i.kbHQesQbNOYuDJqD261SW2HCxaZX00l36NQ3oxfG5uaZ407dSss0fD482o eYsHtf_kcMYdG5q6TJXbPYiqVE4PC7YtVTsHKi5Ncl5c7_LjIJiB0d74y5MarzZOFmnIm6FSeiJn byy4Eb8QSUVXPszL_7zyLW9nCqkZM0QKdCiDD6FHKGeGWgXUW_KrtfWdfizHCuLEatnE96DZO8PO nHE5mVip3avsg4CU8Yd_hy4PuS0AW6gpNeInf1T9vB_WlAoCqCwF8lkPHZ9JVK8Gj08ZRiNosrK2 ZcOyeEXhjji78aWSN.rlnwRv4LF47gFjIaWPgkzICXWuw3Y4T_omIfNr4DbQzml3B0umasdL0fWn fSgdquIyBm9vEboAfF1lBIvjvIrl1YnJe36XSniwr5VOX25FnNwhcqHSEt435AcjhwGBtFgIrovI SwMAYk4N9Sx5Xn2dj3hW.yCkXZRy3uORsDRlYswV3txqROvxU2SEjmv7snF5LaiEjBn7_t9e.q7S NyH7YlSFGmz6HRLDuFyC9tGXyC2yhMd_nmIAOHA2oTA21PsxdS.BBprZZxqPkKE5dwhkIE9OxG98 CPAaUbYD_VGLItLzU0AE_moY7Hxw_Qzl_KYMqiWBBVqofmLcxTZ2B_pa7lb6_4iek4HVeiYHYa.e SWp57qQh9OA2xr.HYpU1omJrU_6zA_UtqceUzgsnzhWnmng3tSxvDGQ4nEmgcjq15j0g6ATvQ.2l 4kdOr11q8oZIXE0s5AzkcjMDsK8cQqE8NQu2EH8wbcMbjIiB5FE59fMoMJ3XyOJEKBC0qtMB1TLU BBloHtBuI8AA65NQyg5_ocQuwfvupXr9OWXuaHHUxHLrBsXo6crXM691hzB9iCYIeTKA- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:50:44 +0000 Received: by kubenode527.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 57efa93688f26ab0173e0a80180e1c16; Mon, 13 Dec 2021 23:50:39 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v31 09/28] LSM: Use lsmblob in security_secid_to_secctx Date: Mon, 13 Dec 2021 15:40:15 -0800 Message-Id: <20211213234034.111891-10-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change security_secid_to_secctx() to take a lsmblob as input instead of a u32 secid. It will then call the LSM hooks using the lsmblob element allocated for that module. The callers have been updated as well. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso --- drivers/android/binder.c | 12 +++++++++- include/linux/security.h | 5 +++-- include/net/scm.h | 7 +++++- kernel/audit.c | 20 +++++++++++++++-- kernel/auditsc.c | 27 ++++++++++++++++++---- net/ipv4/ip_sockglue.c | 4 +++- net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++-- net/netfilter/nf_conntrack_standalone.c | 4 +++- net/netfilter/nfnetlink_queue.c | 11 +++++++-- net/netlabel/netlabel_unlabeled.c | 30 +++++++++++++++++++++---- net/netlabel/netlabel_user.c | 6 ++--- security/security.c | 11 +++++---- 12 files changed, 122 insertions(+), 29 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index cffbe57a8e08..7805d08cd1e7 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2719,10 +2719,20 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + struct lsmblob blob; size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + /* + * Later in this patch set security_task_getsecid() will + * provide a lsmblob instead of a secid. lsmblob_init + * is used to ensure that all the secids in the lsmblob + * get the value returned from security_task_getsecid(), + * which means that the one expected by + * security_secid_to_secctx() will be set. + */ + lsmblob_init(&blob, secid); + ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/security.h b/include/linux/security.h index 8a547fc4affa..669eff47737a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -550,7 +550,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); @@ -1406,7 +1406,8 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..23a35ff1b3f2 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmblob lb; char *secdata; u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + /* There can only be one security module using the secid, + * and the infrastructure will know which it is. + */ + lsmblob_init(&lb, scm->secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index 121d37e700a6..22286163e93e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1442,7 +1442,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + struct lsmblob blob; + + /* + * lsmblob_init sets all values in the lsmblob + * to audit_sig_sid. This is temporary until + * audit_sig_sid is converted to a lsmblob, which + * happens later in this patch set. + */ + lsmblob_init(&blob, audit_sig_sid); + err = security_secid_to_secctx(&blob, &ctx, &len); if (err) return err; } @@ -2131,12 +2140,19 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; u32 sid; + struct lsmblob blob; security_task_getsecid_subj(current, &sid); if (!sid) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + /* + * lsmblob_init sets all values in the lsmblob to sid. + * This is temporary until security_task_getsecid is converted + * to use a lsmblob, which happens later in this patch set. + */ + lsmblob_init(&blob, sid); + error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e0c71fe27c2f..b28e2cbcc92c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -670,6 +670,13 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid_subj(tsk, &sid); need_sid = 0; } + /* + * lsmblob_init sets all values in the lsmblob + * to sid. This is temporary until + * security_task_getsecid() is converted to + * provide a lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, @@ -686,6 +693,13 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_str) { /* Find files that match */ if (name) { + /* + * lsmblob_init sets all values in the + * lsmblob to sid. This is temporary + * until name->osid is converted to a + * lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, @@ -1109,6 +1123,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *ctx = NULL; u32 len; int rc = 0; + struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -1118,7 +1133,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + lsmblob_init(&blob, sid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1362,8 +1378,10 @@ static void show_special(struct audit_context *context, int *call_panic) if (osid) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx(osid, &ctx, &len)) { + lsmblob_init(&blob, osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1524,9 +1542,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (n->osid != 0) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { + lsmblob_init(&blob, n->osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 38d29b175ca6..be7073df19a5 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmblob lb; char *secdata; u32 seclen, secid; int err; @@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + lsmblob_init(&lb, secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index c7708bde057c..67b0f3cfc5c7 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -341,8 +341,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return 0; @@ -650,8 +655,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 80f675d884b2..79c280d1efce 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -178,8 +178,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 4acc4b8e9fe5..62c0c5b847c6 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct lsmblob blob; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + /* lsmblob_init() puts ct->secmark into all of the secids in + * blob. security_secid_to_secctx() will know which security + * module to use to create the secctx. */ + lsmblob_init(&blob, skb->secmark); + security_secid_to_secctx(&blob, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 762561318d78..51cb4fce5edf 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, + /* lsmblob_init() puts secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + if (security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); @@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -493,8 +499,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, (dev != NULL ? dev->name : NULL), addr->s_addr, mask->s_addr); dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -536,6 +547,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -553,8 +565,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, (dev != NULL ? dev->name : NULL), addr, mask); dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1080,6 +1097,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, u32 secid; char *secctx; u32 secctx_len; + struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1134,7 +1152,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + /* lsmblob_init() secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..893301ae0131 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct audit_buffer *audit_buf; char *secctx; u32 secctx_len; + struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); + lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/security/security.c b/security/security.c index 7ae68b6ffc7f..a0612afefc24 100644 --- a/security/security.c +++ b/security/security.c @@ -2176,17 +2176,16 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; int rc; - /* - * Currently, only one LSM can implement secid_to_secctx (i.e this - * LSM hook is not "stackable"). - */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], + secdata, seclen); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; } From patchwork Mon Dec 13 23:40:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12674947 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 697A5C433FE for ; Mon, 13 Dec 2021 23:52:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242043AbhLMXwz (ORCPT ); Mon, 13 Dec 2021 18:52:55 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:36086 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239467AbhLMXwy (ORCPT ); Mon, 13 Dec 2021 18:52:54 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439574; bh=nVQjtMtAC70j8vT/pvUy3gBv56B7tT2mEw9lP5LTAR8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=pyGBVqBWb2suFoVZMuSdCJNpAw9mWxZR66aMdfEPMDIm/3i0P2hBDWs6PMsVndw/+qsSgg2jgRofVNGXohM/091uFBVEQ3CMIyUe1ua2v2T9/NzI+gdQV7WLTnGUZzSBTNUEijT4ZUH8IL39oe5bL3bzPTRQhfJ5eJlDFYU2/YOvocrlPECQ45/CaDaA4J2jJL7Dsu9gqE1r7Xfl5GUlDE3pkBVRs2K8TL8wwCcKqnCXX9SGY1iGVeBLeuE6cBVkm5pseDcE7o+JDzRHKK6f1iqcedHVlUkKOJ1WwQGUgsCtboww8z6p6qPThz8zWjqPrq3TDEUKmK2m6MfzQZcjig== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439574; bh=e/6xIKIq9L9DDZobZ5M4IV2S222X7qF6A0QXFnzTFcx=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=GePTuOwb+fy+OsYLj4zHQ9aUMCYquYII+TiTFpBgHUZ6Kizg99YCEyh93nZW3tnhi5WiJXeNjx7yd52g7N32dQpAMRDJzU3txIJY9QvTN200f9j1Pv/g6ITYJqnY4Md0TC7YDQBIECHD/GlVXZPeMf/2WNta2vE8YcFyzUPC5FQDTRaUTMccVxyIsdOgKS7zcGyFNvyg+vqPiSwq9+EMM9DtPsxMriUBVVjaZ7hHakGl5MQvU9h6xRUUQx5gBecoyMrDR5xSKh5xP2QFiHWLVthOD/6ft0w3rhfb+DVeHyqYO4NADsCn5y+AMIf7h11tJl/3SD2At2rfDymAgIYvWA== X-YMail-OSG: nSEMfysVM1mLWoKWMVpifKjqKqDOtANx.pDpfcijV7Y6y2FIhyEZYY.xWZblcMU rG825EVCHtgh4Qqk7BnQGL53WltUH20VEHptICxw.Xr6s6FttJ363PTOqUYIGdu12F6Jw_FeMJcn f_euRD2xpyOdH28umf_2Y.xoM28MLRYUnrR.I9FO88Dprr0cxYbB7t13g3ix7_8xZLN._9DvlG3D STsasO3IZ5bSPCzG.x5INOddqN9J79NN1CBT7B7Mvbn.upq1cmMdQhwjxi6d4jxhxlI3t9fmXJ42 HAKOpyfaERBRYspUxZdINLBu1ddxoCSzxfg_CArSgQha.Ksdp1...sSc1u3NVhCmv.CjolwEKvlY B_fqt60fGXTYcm4lJyGDPZ4QIV4OeXGWBhEJHd7.1mjetGYVv9CU7EgJHOywvpe0yKSwomTsFSi4 V7V_4TiVdbZQUtafJkPUjj11ESNdQEuCqCX23a5ocd07GQlkUUeJmoPPTCBTlMYYlTmRYev7gcer 6xTE1JHKn.mnnuiGXOxSgsdwO1GtfmihB9wRcgeYoc.7g7ZycrwpLywOOgolMGGHI.fH7Lzeyy19 hsGu8lUCMx74AMixj_Kisu49qqRlRQ8eIoDBtYWx_P9tP_SwTTIpmhMFFZyqvfkOxOZpDixKtaMO FnGpr8IDQqRRgb5kxc1lA94QA31XawrjPZIoE_hJUmCpEzu2h01zhCv25oyzwAlnIUmZAamakWBj 7cCvRgPPT8TajWp1A6G1GAwOjk2CJU3c2MVsmARg2209o.zc6CoEYWUoX9r.q6ItoHJCe5YhXMW2 mJIRO0JGSmzPtx7yswg23T5cWvGFWIb1o0kujWRzwtEU7i9FVfc268AwHQXi4kfKTmeW4qoPUElT P7poGSVhdxwrPVm1ts.v46vTkLtARXKvTe9K7i7atlBBL8EEm8FCPBsVPSc1eJx0qA7jDhgAP6ly vRdRMFaxW17YVLmhu.iz_2qgV.K5XMOt6wsptmrdxW3Hb8UjjIxgAO6Z9xKuDe1BJvJlRrxwiUBy UKhPgXr8bqzMMSp_cVVu4KTR8yZj5fl3R4jhJ3jB892bwORIUkRDn8ljjFXb5C8777U85EwCCwcX CsYdisYfuxxaeKbeUqTBdOj2.J23W2t50pk4GJNSY9PoSscFGSDWxa6X7q5d5qLespruKnFCSYdM azgZQ_koAMPp1yg48OGHJd65bD0a614.zw0IMI8dgVd0Urufht67RrzfL4zW8TOMnVpjFRSz52Rz MeSdv.rvHhwjq2mA8v0744gxeuKwWmy5xBbuJBHLp5VziT1SSkI3Prv1wZtb44CJieJs0PNTI1W0 wUdNfpa9E4DcxsR30S9vk2QvHuocZyr638OeYpKFtb_GxVV4AgGC5u__tMhmmf6JE.QAcV553B7b GMPwwIkW_ku9aLUKrvPTo6GWUpkyU39yt.oGVuWYr3pyDYqwPx5_niuOX8gr4jQtpV0UkDLSE08h gOVXg8xpI_ajf1RyC1yAeKuRl83VbytbxUS95qqAZj1fE6bzKzjWtrj_of5yPStGcqVpctq_kQOO yfqF23HF9UaV_3nbVecTtCm3tvJiamYSXy.6YdmsG28amP6AfbauobyeMwyswSkQFjse03v1NwsO GQZoa0MQ17mjSbI3y9Zc38tdTstO6EvgfnIZ8irVxmdDtYCiT8TLNSZVdGbvbB8hNljCL00JGbIB PH4pDxAmOWawbhms2yVf0oRBi1dKzY1OOTKfyj8CZPUbZbaK2zc8meUcXqgc6rU.HctzfZ_envnp PeSy.kuuNHn1vldxjQoxh.wr7vtcHtNCxUDrOvk8srvbhCpSm_pYkKxiKEG3Kc1lJ_Pa2jd66luU yguyUMdn2gM42f17YnsgXydfOSNWnbO5Se1Q6_fPR9IUQDi40YwQDTEDXmGZPHaTlwj6IFo.R2j3 iPYPFia4cMQYwNWx55MqQ5zfgiLPzFASFXlSjCD7h.E0cgvqTNb5eud3NmOwMP_ymmpMjNTmmZWa qMp2eXgggceX8t_zvUlZ7rto5VWmXQovbVZEjaE3zfxiBR9mNembGhJ3zQ8Z7MYlihW3MJF21hj8 76RdH95RKX4_FM3J0H1rztZSMAtI_E.Yr6G4mtuUx5MEIF.0WGn8FyHnSvce3oOGKGBx93WAmbOA RmxTPjMD.2AUx.53dD0TIsS3d5FwjwH8TebIq7VKzpU705Qjei_M4CpJTTHwCQY7BOUT2teLqZQ4 pyCuerxUnafIEs.X5qKElojYFaPrS7DfNbX3VSGbLZk9iZ4T2q8CW3ZmvJkeG8ReftMzLhaVa7zb pSlpTMv4LVd71sLUJ28J_L2.Whwxj.b58y73anTvbXYRXVlQz X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:52:54 +0000 Received: by kubenode500.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID f07ace6e59053715f081c87d7cd69284; Mon, 13 Dec 2021 23:52:49 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley , linux-integrity@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v31 11/28] LSM: Use lsmblob in security_task_getsecid Date: Mon, 13 Dec 2021 15:40:17 -0800 Message-Id: <20211213234034.111891-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change the security_task_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible secids for possible reporting. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Cc: netdev@vger.kernel.org --- drivers/android/binder.c | 6 +-- include/linux/security.h | 14 ++++--- kernel/audit.c | 16 +++----- kernel/auditfilter.c | 4 +- kernel/auditsc.c | 25 ++++++------ net/netlabel/netlabel_unlabeled.c | 5 ++- net/netlabel/netlabel_user.h | 6 ++- security/integrity/ima/ima_appraise.c | 12 +++--- security/integrity/ima/ima_main.c | 55 +++++++++++++++------------ security/security.c | 25 +++++++++--- 10 files changed, 96 insertions(+), 72 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 7805d08cd1e7..916a42c68b58 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2718,16 +2718,16 @@ static void binder_transaction(struct binder_proc *proc, t->priority = task_nice(current); if (target_node && target_node->txn_security_ctx) { - u32 secid; struct lsmblob blob; size_t added_size; + u32 secid; security_cred_getsecid(proc->cred, &secid); /* - * Later in this patch set security_task_getsecid() will + * Later in this patch set security_cred_getsecid() will * provide a lsmblob instead of a secid. lsmblob_init * is used to ensure that all the secids in the lsmblob - * get the value returned from security_task_getsecid(), + * get the value returned from security_cred_getsecid(), * which means that the one expected by * security_secid_to_secctx() will be set. */ diff --git a/include/linux/security.h b/include/linux/security.h index a0b9bf48a60d..bf91ff071ea0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -503,8 +503,8 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_task_getsecid_subj(struct task_struct *p, u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob); +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1206,14 +1206,16 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_subj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 22286163e93e..d92c7b894183 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2139,19 +2139,12 @@ int audit_log_task_context(struct audit_buffer *ab) char *ctx = NULL; unsigned len; int error; - u32 sid; struct lsmblob blob; - security_task_getsecid_subj(current, &sid); - if (!sid) + security_task_getsecid_subj(current, &blob); + if (!lsmblob_is_set(&blob)) return 0; - /* - * lsmblob_init sets all values in the lsmblob to sid. - * This is temporary until security_task_getsecid is converted - * to use a lsmblob, which happens later in this patch set. - */ - lsmblob_init(&blob, sid); error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) @@ -2359,6 +2352,7 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; + struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2369,7 +2363,9 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid_subj(current, &audit_sig_sid); + security_task_getsecid_subj(current, &blob); + /* scaffolding until audit_sig_sid is converted */ + audit_sig_sid = blob.secid[0]; } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 88a8d69d03dd..3054e06cc207 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1339,7 +1339,6 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; struct lsmblob blob; pid_t pid; - u32 sid; switch (f->type) { case AUDIT_PID: @@ -1370,8 +1369,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_str) { security_task_getsecid_subj(current, - &sid); - lsmblob_init(&blob, sid); + &blob); result = security_audit_rule_match( &blob, f->type, f->op, &f->lsm_rules); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c469368818fd..b9a6760f55cc 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -467,7 +467,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob; unsigned int sessionid; @@ -667,17 +666,9 @@ static int audit_filter_rules(struct task_struct *tsk, logged upon error */ if (f->lsm_str) { if (need_sid) { - security_task_getsecid_subj(tsk, &sid); + security_task_getsecid_subj(tsk, &blob); need_sid = 0; } - /* - * lsmblob_init sets all values in the lsmblob - * to sid. This is temporary until - * security_task_getsecid() is converted to - * provide a lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, &f->lsm_rules); @@ -2703,12 +2694,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding - until target_sid is converted */ + context->target_sid = blob.secid[0]; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2724,6 +2718,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2735,7 +2730,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + ctx->target_sid = blob.secid[0]; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2756,7 +2753,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + axp->target_sid[axp->pid_count] = blob.secid[0]; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 51cb4fce5edf..15b53fc4e83f 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1562,11 +1562,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid_subj(current, &audit_info.secid); + security_task_getsecid_subj(current, &blob); + /* scaffolding until audit_info.secid is converted */ + audit_info.secid = blob.secid[0]; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 6190cbf94bf0..aa31f7bf79ee 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_task_getsecid_subj(current, &audit_info->secid); + struct lsmblob blob; + + security_task_getsecid_subj(current, &blob); + /* scaffolding until secid is converted */ + audit_info->secid = blob.secid[0]; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index dbba51583e7c..2fedda131a39 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -71,15 +71,17 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_task_getsecid_subj(current, &secid); - return ima_match_policy(mnt_userns, inode, current_cred(), secid, - func, mask, IMA_APPRAISE | IMA_HASH, NULL, - NULL, NULL, NULL); + security_task_getsecid_subj(current, &blob); + /* scaffolding the .secid[0] */ + return ima_match_policy(mnt_userns, inode, current_cred(), + blob.secid[0], func, mask, + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, + NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 465865412100..c327f93d3962 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -405,12 +405,13 @@ static int process_measurement(struct file *file, const struct cred *cred, */ int ima_file_mmap(struct file *file, unsigned long prot) { - u32 secid; + struct lsmblob blob; if (file && (prot & PROT_EXEC)) { - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + security_task_getsecid_subj(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, MMAP_CHECK); } return 0; @@ -436,9 +437,9 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ @@ -446,11 +447,11 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_task_getsecid_subj(current, &secid); + security_task_getsecid_subj(current, &blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, - &pcr, &template, NULL, NULL); + current_cred(), blob.secid[0], MAY_EXEC, + MMAP_CHECK, &pcr, &template, NULL, NULL); /* Is the mmap'ed file in policy? */ if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) @@ -486,10 +487,12 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob; - security_task_getsecid_subj(current, &secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + ret = process_measurement(bprm->file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; @@ -510,10 +513,11 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -689,7 +693,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the @@ -709,8 +713,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, + security_task_getsecid_subj(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, MAY_READ, func); } @@ -739,7 +744,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -752,9 +757,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func); + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], buf, + size, MAY_READ, func); } /** @@ -882,7 +888,7 @@ int process_buffer_measurement(struct user_namespace *mnt_userns, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; @@ -905,9 +911,10 @@ int process_buffer_measurement(struct user_namespace *mnt_userns, * buffer measurements. */ if (func) { - security_task_getsecid_subj(current, &secid); + security_task_getsecid_subj(current, &blob); + /* scaffolding */ action = ima_get_action(mnt_userns, inode, current_cred(), - secid, 0, func, &pcr, &template, + blob.secid[0], 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/security.c b/security/security.c index f8b5e2fa37a0..ab285557a31f 100644 --- a/security/security.c +++ b/security/security.c @@ -1906,17 +1906,30 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_subj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_subj, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_subj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_subj); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_obj, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_obj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_obj); From patchwork Mon Dec 13 23:40:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12674979 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9AC6CC433FE for ; Mon, 13 Dec 2021 23:57:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244362AbhLMX5Q (ORCPT ); Mon, 13 Dec 2021 18:57:16 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:43897 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244308AbhLMX5O (ORCPT ); Mon, 13 Dec 2021 18:57:14 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439834; bh=Sn5tjjAGSmqW3nsqIgtZNqgzkhGliBqVHotdg9HEefo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=YP84/wT2Xty3MBSNMp7XC4nnHiBV1Se90j+VUuV2H6dw53bcAeXNevBQihCVfBdqpgyPmzltM0md/PKZTXw7T1qtKuHz+mmWvSaeUdVuuofjrp3uaaNGgYAoTnaMJkvpkWrjW1sQuxznSLdve4Sr3iVHY77TCfE7e/Ra8BsSdvsg2/13AyxB02GptdtX491D3HD7SvoB9qTczkEIUFFKWJaGoKzxnsS5FdpwblJ2wVUEAmX+X3SIAiWUwN2q5hrjIgDuYzuT/CgE0WRsoGz1zfDoy7CD8ocbcPKW/vHt/fxgPvOp7EscQIStdGXhAOHYRDr2A4PXJa58bUcRrva1/A== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439834; bh=WWHXYx/YU0+TYu8UNTr5i2Tvia2wLWZDXQiN9WRM7v1=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=aazwde7/k1nIb62hXiFt1TvqqgFMaKRsUQdU6y3Fiy9nHj3HejDoHoP3/M/335opGhPe8pkdD+c9VCE4LkxnhNMEyh0luDq+NzWeaw3d7xYU95WRhW1R0wyqnSnLKe87xooY4ah7xJSR2SQOUrQIrXeU9hyLrZwQtpxDaUd4zmuT4k7Sk3xVQrGS0854ktBd/QS/m9SHnNYJGye84wFJ08Io0sn5/xMIjpZe44GbqUamINER4/xigTqr4rxqf1sb4zRYQ5XEM+2LbXiS9/6G3a+rfun/qWoq77Ll3s2A0E0L5O8a/eTStTJ4vfTM5Uk4vs+RzWdfAyAuM+nFxtit0g== X-YMail-OSG: OEodNHwVM1lLc70lSb3Q7McpeYOUxzSMiC.VqaCS6Wjwe5xTSb59hzGao34qiKu uL32ec_SK00UScL6pFM.sEJltybyuVpFz0imSBdLLTby6G5Z1aIa31nZL0uqwPnXrjFKPKOm4c1m 0k8HLpluKSUjHwYVg.6DebM0joz5sm1qSMzoq5.UMiOPStVKfcSvP4O8tTdwtYVD9e40uFqmvCpG eulXmrurJevY2p4Gk88OT1wMYNg8trNtLHjJf7GQ1S2evO0y2GTzhVoEcnZUvdmgLlyFT7Qjqk1Q zNlzSFt_IKDoAQOgnRE7u5tP4rkaV_6.XTLbHAZ1AM4h4fkIcgi1K57_4BAX7I8d1MNOMEAV.clQ a86dAO_Wxm4W34dgTYmt_oHbDrRPS4DBWFw46aBoA7scOmGuX7vKuqlN1eRNTIepCWP5ZMWG_wyB oGxTpaHUL2WNvw5h5GvA5QFQCPBUiOrutkf6HXL041LUh37bnsbAjiyIxmzCg3I3dLxv2eavksX6 WrCwvWRp4SFJ2lIcxKr44tr9Xi50x4e.qmksfWxX.Rkf2QwvPDB95GERcv.VLdnvqMN1bcuhFQyC zwmwtmk4smmlpkg9ulNz6EAc5olnTgOsw9Asm13D5cUcEnC9ZDnHyQUPp7tY8YftGkR2aqeXv6JR 3r2DmkXUEjz2nADYXpn46LinhDQOWFaIr9vmnjtpgEZ5TMrr3J3RAmkHg.z8xQEJq6KmKR3LSftW h7FEfG8NhrpT.rtWwglNTuIjOMp3Fro0CrkNJL0zuqptgEJsy7dNum2loO2Jp3.yKp3O5fnlxnSy 5rfSz793NsTkiio6OELgPtIiWs2oaa6qB5WJ.GNZdJgBsP67Oey9lRwFZxQUIKSDVxP2xQRMZQG9 zAZGcRjMyE30dlIvsN3wEjLamECq0g9zVETmy1MZ656oF2k564WYY9ee73Fv5emPXtNfTa9J0cEf TaQ9utj2tads_lvTlEDwW9k39M68P.wslaMP0OEez3JHMNPUI1z8CQWHTHgWVVhVmyY8cnU3jA_v JFw3ITbejy11v31Rn4ugdGgfzlSlpx21O.3uHNrykZgD.lL0D7wdAc9Cf2ekGJ4qAuR1L7IFphg. dyWttI6rdXuOAqHGgvPaAx4ulsCULFKE0VC604YEU56ZagnSUikNmofiH0F31HptE1V6gaAcphBF 1mIpIOzJIGghzsQqy3Et9HlBoh1KbYsZPKm9vh8o9_u0sbzPEyuHqBNelagCxg4OpWIZKMjFKV_C PddmWocLOuLPPDckhPmXiEIfxQ0pUB1hPPADvM5F_8Ep56X6nFxQemMKGMBmu.gJekCAX.yHLAPB x_9RHnuz3RDzwkt5aLzwSEFdyVBs1G83wUsDdOy2oPCDc6rEiV8I_0R.4YVVqiODdFnkzdC1u8bS njTsr4DDV7Et3MCDg_zGUdVH_XCClEYReBTs8ja79aGuONvO9Z8rBkYI1Z3EFEYM.Fti11qZYl43 8Q1hvLNX1xLbtMDxwZG07vVM147I1wYw1aVw10FJ7bByi9JuekUBYNifi3558Lfgi25AI2wQwcaB l_xoKZpw4zBbmwL7fMI5jN77dczJMO8XiDOCDmlqQbM8aKHnu.cL1Q_N7DSy_9p6eZ7PplxgDlrO BPqPGzD2LrOySeNgT6tkwIHBy2IajI2r5yi9Wx6GXaVkTX3ue55qDRyTmlWIkydrovWghaqTD.Zb s.rsCxwP4ggHZW293Bwz2H3vCuh2o4l4Abgp_gXy7gzxeCZjHGUOZWLlNnpaaUFgPsr7VnjPMhHm oYrL8EIOZqQkgYBSi7KAviizCmK.LHTyklCMeVToSa9BuRRIDPq3BuFunA4N.r.UjC5LcngeWhcK s6Za3H9R9QTJXpAUd40jzxEEoEfsiqQmCAFMp4IKDzPX.9O_M1vleTEG.0ligq7Eo.d4NFC5Vy0Y 9zmquCiaXzPgyqLIIU5joT8ezreDD9poSZLg2badE9WcuGLIDedmVFG9yRQqcErY1tajoxGkZSTM GrbmEuwuBeoAQYMEXQnutfR0yFMMBRajfysAX44MCONoDd_g191vCGb1wwMeqf2vLopztD6rmqz8 Nd0Szpaje_67ZDhZRTQ9k_aWeJwCABRwKHXZUqle5DE6HJBLaDHdkaA9Z2yXPslJIZ.k9sD.Ctdb 0fCAvibIGdbAXaQs1x8AXe0Xzwruv1NmMt9ypCwJyz_0rTisa61529WBkK81.lXGuQX4sJyJavIc VwyJeczoGDSRAdTpGrj1JwasepWbBVJY_cqTD5VmPsEhcJoapkEYekCLY1DLNI2hC4zmz2B0- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:57:14 +0000 Received: by kubenode527.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 2cfefa36b6f587455d7cc15b16ec7ee3; Mon, 13 Dec 2021 23:57:12 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley , Chuck Lever , linux-integrity@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v31 15/28] LSM: Ensure the correct LSM context releaser Date: Mon, 13 Dec 2021 15:40:21 -0800 Message-Id: <20211213234034.111891-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org --- drivers/android/binder.c | 10 ++++--- fs/ceph/xattr.c | 6 ++++- fs/nfs/nfs4proc.c | 8 ++++-- fs/nfsd/nfs4xdr.c | 7 +++-- include/linux/security.h | 35 +++++++++++++++++++++++-- include/net/scm.h | 5 +++- kernel/audit.c | 14 +++++++--- kernel/auditsc.c | 12 ++++++--- net/ipv4/ip_sockglue.c | 4 ++- net/netfilter/nf_conntrack_netlink.c | 4 ++- net/netfilter/nf_conntrack_standalone.c | 4 ++- net/netfilter/nfnetlink_queue.c | 13 ++++++--- net/netlabel/netlabel_unlabeled.c | 19 +++++++++++--- net/netlabel/netlabel_user.c | 4 ++- security/security.c | 11 ++++---- 15 files changed, 121 insertions(+), 35 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 27b53e5f71a1..32dca5b40e8a 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2469,6 +2469,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2771,7 +2772,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; @@ -3112,8 +3114,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index fcf7dfdecf96..df2b3bf46364 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1374,12 +1374,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index ee3bc79f6ca3..194bb09663e0 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -137,8 +137,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 5a93a5db4fb0..f96da9ac116a 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2841,6 +2841,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -3342,8 +3343,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index 872e543d37dd..e439663c955f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -135,6 +135,37 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules * @@ -570,7 +601,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1440,7 +1471,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 23a35ff1b3f2..f273c4d777ec 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 8ec64e6e8bc0..c17ec23158c4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1192,6 +1192,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1449,15 +1450,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2132,6 +2136,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) @@ -2145,7 +2150,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 930254bca7b5..3c72ff647fd8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1112,6 +1112,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -1129,7 +1130,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); @@ -1342,6 +1344,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1376,7 +1379,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1533,6 +1537,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1541,7 +1546,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index be7073df19a5..dbba700fb151 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen, secid; @@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 67b0f3cfc5c7..40cbb00432d4 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -342,6 +342,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; /* lsmblob_init() puts ct->secmark into all of the secids in blob. * security_secid_to_secctx() will know which security module @@ -362,7 +363,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 79c280d1efce..3fcf44342b14 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -179,6 +179,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -187,7 +188,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 62c0c5b847c6..5961a9b17f66 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; @@ -626,8 +627,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -635,8 +638,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 15b53fc4e83f..7cb6f27c8cb2 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -508,7 +512,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -545,6 +551,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -574,7 +581,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1093,6 +1101,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1163,7 +1172,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index 1d734d9579f1..d14717fe0cb7 100644 --- a/security/security.c +++ b/security/security.c @@ -2363,16 +2363,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + break; } + + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx); From patchwork Mon Dec 13 23:40:22 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12674981 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A1AEC433EF for ; Mon, 13 Dec 2021 23:58:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239232AbhLMX6W (ORCPT ); Mon, 13 Dec 2021 18:58:22 -0500 Received: from sonic301-38.consmr.mail.ne1.yahoo.com ([66.163.184.207]:39582 "EHLO sonic301-38.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239070AbhLMX6V (ORCPT ); Mon, 13 Dec 2021 18:58:21 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439901; bh=PBedEzlKAak40yG894Xfp/LLsmNg/dxYLK2k0ILkdSA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=h4AqiYb9pZGfAS7g9IZfGIuDiSGxxzehsrJ+spAZ5QFiOxeNnlVdBeUNQ5Vr2e13bupg00h3zOOyIfhJj06DOg6p2BTMCVJxjpybqRDL/Oe1qr68Y4UzlSyZ8d0MyBXjimX7LIpcci5+E50UHoaDNhN25iJLh1C/JvcOqQq/G9+wVjYKLvX8fbN+vrG6AvwbMRWFU0gOK0sclDCk/sLsXMAqFC3zhV4cCCyRU153PzmeMoZLJzioMDVQKYb1BjkLsB34vh/pWmG1eJ1I7HYDDH7RrWSxM4Ir2zLS/aS5AK9IVg6lcJJocJvL7iyAxz+xil/NnqpFGYYzKl0ylRtI6g== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439901; bh=8lHTP5kxRVnD3Ao+M8IU6wp6xqsDgQ3d25cUAITR3J0=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=JyW1xLUmZpVX1go82DEkoVT6QNJhcdHpWhEjD0AhS2YsWg9JtHOeV2j1lg4yAOf8s7fl2Mct9Wp+amhTL2pAXCB0XDv3M5rDg4+GnmgGCZSaQl2Rp4GTBkAEPmU6JdvDyK9zXpLZoketm/Dqc8O8Pm3ZYhFV1wpVq5YZKhkfPGxoUYtvlsvgaVMIURiAZacxlP7dnq7MQdbRWPUmomUngROLuiG/uDV8q9VzZVyrqsTEtFSL1s5gc75ICRXom/g6Re/zQ90kh/L9YOh9A3lKxQ80w3+BZKnrFq3sBz2E+XZUUhlnn7/4PaLtxFNviDPf8Ltag4Bp0qeQbQ6opKV3Hw== X-YMail-OSG: 1mVmxF0VM1mufzy0HK7RrvJAFctnMUMSID69e7rsYqLuHf1wj8_BbWb7S08LaxB M8Xw0zz7W3r.OPl0dSGwRU_xr2p1tXRnSGIjJj1rXZd78AQAAA8ATgl4SF70GX05hydy0nAgw.4n P8YhAKdlhPHYRg6Vl_Pv2VxUDm_tSl5OIvewsAUq6zRk80.Tf4dSn6QtGlU2HnT.LOeBp94xAnjx REFHpfoVqavl5.UMPxJapNUp8Qe3EicS4Cl4dlZ.GXYUKK2e4Lweu.Zvac3jiW9G4AaK2V4XPIoZ t451ufQBEpyAT.RQP89VOiyRC2298NTgpdrHhxdonhcTxmtcXnLaK3tpZ78DBA4c1dL1Os6T4YT_ b4HF0Ip3H5FLIqdXbecvGN_5SuLZmNA_Cuj2XatgLyBIvUlpBBwpBtH2xgayRcufMJNQW7GjTrRf _NmyOhUPpDLl3.boryNgRM0Ct3GlF2M1Pa8Zdr_D.imxalALcoko1lESbGTlfMZCN5uRCFNGR4S7 0tXflxXkcQEp_TNiX1dHh_D8Cr6LLbikkfLUst0Hwc8c1rBKmSjskyO6ulAi2c8CT3H_sRelI.1H flaPZC94ckJewTC_.zxFX2tejT708IocHZ0ypnnSiEEIY02X7Fo44vQ_FTB9IbDoDm.PH8AOjgRb kfyRrSotrtaPNlNGprSKH8RXj7H79WSLnuWWQprh12E1Czc60pdtguWUygZqy8QvzXCmfnmkKudx owIJNe6FMVKTqqyiDrlosUeiYvRIifU8q5toGa0YDcifeDIxGF.EUUEQiqVntcKU5uiS4HcKQiQC 75HXKmeBsjFAnVcBaVMQCpY1wz_7QRjvKoFdVKO5ppcmTuCMORgPD_HdSJqw5yDAhESudS55TLUZ iDon3VrqmbZ_uwkpBv1yfvIv85hEe8hodlHV4V.5nJhuGnYcXO7lwGfdTUHZK9jRad_OJQBlN4qT yCYdmTsSTzYlYwTFEnH2wPB.JvanGvBxE1TaVExzpo6.axoMUO7N2Q9huWs76aGyNEgV3RS1KNyV yalvm4_oHrIyrQjuIlGbMYD3LOGfwLDpFsXi.1_O58P4z6qkcxVth41ot7fBm80HoUGVLfFuBiwt .P8TxB4WtbPYOIU5GNxj9_MapVpo5kWCAynfKRx6jBMkexCZtkOiHictBeiZXqCD1c5iojkUjHBq ehz_ZvrvqW0Q1jX.hrBbgugVU29i7ZF3WWUl.9GD46GhyesQ_3FhEWg4VffRKKnP6xHvvXi3UoM5 RydWs4FejpItzR.iNHMSZqePnbx0DE4A_ONaRto2TuXHT6GhiYyNNQxIHQ38KeGClhh7fOomRaen z46fwafiJXFCLuu7xP5Tmpw4lG2CZIGJEzdNVsDTlk8iPXttm8yhwVcich016EpFid3gcKyku7kY YdawH_bsc_qzBvzZDxcB8DMtPQbxmz69F5Ic0Ok2el1eC5Wmep.bimvBZsih.h8PjISbnAQRR7Yg MnC_YVdpkWDwWaf2DKx2AAS7keAg.6iqrbpqNOea.iEKxjeEPEkQrLx.icrL14P8c_nIknOK7.NV EBcdlW8l.QpmVNZgXtwKefoBhJZrZ0xNZQIEjsdJv11LE7VIX0v7bahl7bchUgBSawJ63UZMGx5K zMRgtzipltGMFT4BpNS2_Wxjb5pyq.VujepoJB.glRqnTxC9JPyxG0f.BqTWBsiNqLqHe37IBbsg aJZb72U9B24NnuigYruXa.2EtVWYK2b._tYb6xxbOJSHPQZ4NKNWG.Oq1jrX5dEw6vgvdQxxVDYV .xFZsyTql1cUUywPsey3sbpFO.gtpabCHOPOZRhLHiDQGX4rj.1fseZBka1dlmb0sLiD19Av5HWX fd_BOH1t411oxmvi0aIIzXW4DXCUapq72U4cGoe3eFFg3c_WFE74YPTjMZcrhv5l8ugCSVGdUVB7 VNnaq7LuD7uWj4i.vOTd.R2Kfl3PsrbfUH5DNeWErCOn62LnriM8X1TBCJBjuIHUZnnet5vnPOIz ubFKbsW915clcjH5aX_GqxZJ.rgoIQFgPJcMPM4KRWQPpALDpnt9u82VT.6ICK1k4TlVtVD2mwVK JGvA5X57Wea77OEs0zx5kM6ZwMzZpiZt0OUa603j42JXVfS83CbBwyRhQQgXoEPi.rCEnWK3.9gw TtPBMNlcSu.8lVKqunJGt61KXR2LV5ttAFu3uhrrQvWrxzE8m1_ZZm574sdPaxSbppXhDiJ.RhJk XbgnztS0Mwq2ec_Z7HYjQAfEiKYdNlgOEI.8TYCJI_c7GrOQkPYyFcr6lTgljKs6WzWRhtY597gu cSqY5MV0wl.Qv4x5LS.H60Ha37pFIcelS9oB1hnVME5aevhkr X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic301.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:58:21 +0000 Received: by kubenode529.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 1cbb5caca434fc2d243d7902734cae87; Mon, 13 Dec 2021 23:58:18 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v31 16/28] LSM: Use lsmcontext in security_secid_to_secctx Date: Mon, 13 Dec 2021 15:40:22 -0800 Message-Id: <20211213234034.111891-17-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_secid_to_secctx() will now return the length value if the passed lsmcontext pointer is NULL. Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org --- drivers/android/binder.c | 26 +++++++--------- include/linux/security.h | 4 +-- include/net/scm.h | 9 ++---- kernel/audit.c | 39 +++++++++++------------- kernel/auditsc.c | 31 +++++++------------ net/ipv4/ip_sockglue.c | 8 ++--- net/netfilter/nf_conntrack_netlink.c | 18 ++++------- net/netfilter/nf_conntrack_standalone.c | 7 ++--- net/netfilter/nfnetlink_queue.c | 5 +++- net/netlabel/netlabel_unlabeled.c | 40 ++++++++----------------- net/netlabel/netlabel_user.c | 7 ++--- security/security.c | 29 ++++++++++++++++-- 12 files changed, 98 insertions(+), 125 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 32dca5b40e8a..b9699f7ac603 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2467,9 +2467,7 @@ static void binder_transaction(struct binder_proc *proc, binder_size_t last_fixup_min_off = 0; struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); - char *secctx = NULL; - u32 secctx_sz = 0; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext lsmctx = { }; e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2723,14 +2721,14 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_cred_getsecid(proc->cred, &blob); - ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); + ret = security_secid_to_secctx(&blob, &lsmctx); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { /* integer overflow of extra_buffers_size */ @@ -2757,24 +2755,22 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - secctx = NULL; + security_release_secctx(&lsmctx); } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; @@ -2831,7 +2827,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { @@ -3114,10 +3110,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) { - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - } + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/include/linux/security.h b/include/linux/security.h index e439663c955f..3c66edb31e14 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -598,7 +598,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1459,7 +1459,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index f273c4d777ec..b77a52f93389 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -94,8 +94,6 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { @@ -103,12 +101,11 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc * and the infrastructure will know which it is. */ lsmblob_init(&lb, scm->secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - /*scaffolding*/ - lsmcontext_init(&context, secdata, seclen, 0); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len, + context.context); security_release_secctx(&context); } } diff --git a/kernel/audit.c b/kernel/audit.c index c17ec23158c4..841123390d41 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1190,9 +1190,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; - u32 len; - struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1440,33 +1437,34 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) kfree(new); break; } - case AUDIT_SIGNAL_INFO: - len = 0; + case AUDIT_SIGNAL_INFO: { + struct lsmcontext context = { }; + int len = 0; + if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_secid_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_secid_to_secctx(&audit_sig_lsm, + &context); if (err) return err; } - sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); + sig_data = kmalloc(sizeof(*sig_data) + context.len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) { - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); - } + if (lsmblob_is_set(&audit_sig_lsm)) + security_release_secctx(&context); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + len = context.len; + memcpy(sig_data->ctx, context.context, len); + security_release_secctx(&context); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); kfree(sig_data); break; + } case AUDIT_TTY_GET: { struct audit_tty_status s; unsigned int t; @@ -2132,26 +2130,23 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { - char *ctx = NULL; - unsigned len; int error; struct lsmblob blob; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext context; security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &ctx, &len); + error = security_secid_to_secctx(&blob, &context); if (error) { if (error != -EINVAL) goto error_path; return 0; } - audit_log_format(ab, " subj=%s", ctx); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + audit_log_format(ab, " subj=%s", context.context); + security_release_secctx(&context); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3c72ff647fd8..a3de97beba21 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1112,9 +1112,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmcxt; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1125,13 +1123,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &ctx, &len)) { + if (security_secid_to_secctx(blob, &lsmctx)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } audit_log_format(ab, " ocomm="); @@ -1344,7 +1341,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1369,17 +1365,15 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (osid) { - char *ctx = NULL; - u32 len; + struct lsmcontext lsmcxt; struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmcxt)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); + audit_log_format(ab, " obj=%s", lsmcxt.context); security_release_secctx(&lsmcxt); } } @@ -1534,20 +1528,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (n->osid != 0) { - char *ctx = NULL; - u32 len; struct lsmblob blob; - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmctx)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index dbba700fb151..47d1085e037e 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -132,8 +132,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen, secid; + u32 secid; int err; err = security_socket_getpeersec_dgram(NULL, skb, &secid); @@ -141,12 +140,11 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; lsmblob_init(&lb, secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context); security_release_secctx(&context); } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 40cbb00432d4..e4a0d1c8ac55 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -339,8 +339,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + int ret; struct lsmblob blob; struct lsmcontext context; @@ -348,7 +347,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; @@ -357,13 +356,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, context.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); return ret; } @@ -656,15 +654,11 @@ static inline size_t ctnetlink_acct_size(const struct nf_conn *ct) static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK - int len, ret; + int len; struct lsmblob blob; - /* lsmblob_init() puts ct->secmark into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, NULL, &len); - if (ret) + len = security_secid_to_secctx(&blob, NULL); + if (len <= 0) return 0; return nla_total_size(0) /* CTA_SECCTX */ diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 3fcf44342b14..c8825e89a21e 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -176,19 +176,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { int ret; - u32 len; - char *secctx; struct lsmblob blob; struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", context.context); - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); } #else diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 5961a9b17f66..f19897b3cf39 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; + struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; @@ -317,10 +318,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, secdata, &seclen); + security_secid_to_secctx(&blob, &context); + *secdata = context.context; } read_unlock_bh(&skb->sk->sk_callback_lock); + seclen = context.len; #endif return seclen; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 7cb6f27c8cb2..596a75814fbf 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - char *secctx = NULL; - u32 secctx_len; struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && @@ -444,12 +442,9 @@ int netlbl_unlhsh_add(struct net *net, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + if (security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); @@ -482,8 +477,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -509,11 +502,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -552,8 +543,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -578,10 +567,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -1104,8 +1092,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct lsmcontext context; void *data; u32 secid; - char *secctx; - u32 secctx_len; struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, @@ -1165,15 +1151,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(&blob, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + context.len, + context.context); security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index ef139d8ae7cd..951ba0639d20 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; if (audit_enabled == AUDIT_OFF) @@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " subj=%s", context.context); security_release_secctx(&context); } diff --git a/security/security.c b/security/security.c index d14717fe0cb7..dc0d4ae44a64 100644 --- a/security/security.c +++ b/security/security.c @@ -2327,18 +2327,41 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) +/** + * security_secid_to_secctx - convert secid to secctx + * @blob: set of secids + * @cp: lsm context into which result is put + * + * Translate secid information into a secctx string. + * Return a negative value on error. + * If cp is NULL return the length of the string. + * Otherwise, return 0. + */ +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int ilsm = lsm_task_ilsm(current); + if (cp) + memset(cp, 0, sizeof(*cp)); + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { + if (!cp) { + int len; + int rc; + rc = hp->hook.secid_to_secctx( + blob->secid[hp->lsmid->slot], + NULL, &len); + return rc ? rc : len; + } + cp->slot = hp->lsmid->slot; return hp->hook.secid_to_secctx( blob->secid[hp->lsmid->slot], - secdata, seclen); + &cp->context, &cp->len); + } } return LSM_RET_DEFAULT(secid_to_secctx); From patchwork Mon Dec 13 23:40:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12675015 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15FD0C43217 for ; Tue, 14 Dec 2021 00:00:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244388AbhLNAAg (ORCPT ); Mon, 13 Dec 2021 19:00:36 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:42477 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244382AbhLNAAf (ORCPT ); Mon, 13 Dec 2021 19:00:35 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639440035; bh=IIKa//ZfOf9ldI+2RZhwihcRPJzmFh5O4/PZDXiqrxo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=At4f0v9ZRIeAl1TmpXlWbNAtmLwMyclenQ84AtCqi+1JgsAv+dFNs+KkLTH7qB2RFVc/TlMRNd2wuPXVDdZqKn0pmWbuU/mKSjoLEhn5WosF6zjJd7w1h95NCtc2ns63wFxsXEYdNs0/GdER9gytuhUbeQc9rDTKA0D3JYDOvltiPXallT3OPOS0Mtc73e/yALQu8vGguN7b3aGwdqLU2pIXZa9Kjlj07CuRrOUSOwngrFeSQvrPqmgA4CVoqpPTOA5RNPlP9Tty7o9mi4/gVaG009pwePTIzOI7aDk4mBYZd3VZilzTxel2w7n034d9nwbcy01ov65Q3phIdcdyjQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639440035; bh=CwPoWL/GQUcdxFWZsBGI8L44rlH3jTfPje7Kl4NSJE3=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=rU6SnYCpMTBsfLk7PNtn1y7yEK8+xbithXL1qp4ja/SWW/3H2Q836OVdwiD/bLQz4/Bfrrn193jtI5u+kEZJCMADCYdLnHl7e1OdmfAJNfS4PzkK2KK8GK+37dFiHrMcEr9RnLhTAT93KzY8xklYlg/+U9SnpD5iCD7yuoZyi0YxjpOAhoIUPCM3CovSCLtJNkOcLikcav4F9gElyzq/WFtAgLLS/rgGGdrBo+fY447l9rWKgllqtiTnBA+JAZ5AI8N8AYRIf+cXq+Jj28rF+k1pJfGFSXV5jadcal06HIsK8E2/Do+MgjrmW85JsLeI+Hs4kW2tP5OqQ0rwyxULCQ== X-YMail-OSG: rPKqrxgVM1n1y6qm4CPuvvnOVf0sfan3XVDMFwN.kTgvOzpa9FWkCNIVLgeYCEG FtwLQMWh8g3bXOiaXXiwPB5Y5fDUAycL0zi6wSChz2rLMumeZnpQcI.S99zEqtfgjoo8VGHkHDKS fDFz3yvgmhwxilA7bIPpAEoooo1iT34NZmS88hByExLZkuT1qTOZQQEfH5rwZtz2mQE80zbFHAo9 JCZcMo5pSTVE4.lHuVK75r7Uqh2o.zeTr49hZLuV96A8rEux0WWcxHEvGkLdVeiwpDC3SPwXt3sX B3X_PtcywSxTSWiqgJbsCVS4pUqF2p3WxLMfdYmBQSf_cgLRL0uHP5O2LVGbK92tDXOa35bTgn_N bfAKE.72Li12I4EPPMr16x_NxcXVAdA6c7udIeoa9zSiLzr0rBHzQzHpY0.otklcHyK3w7jPDo4R pFggCihPx_DybzA9ywLAXf.ZZJ_mzTQ6NkqtvIdSmRmtH.oTtrmEHKeo6xEe4.CjO.Cdi65DKqoh qt3WYpzLX7qPJNwPOba4WR1U3jEYK3Nexfjf8fmaktI_BFtx5gbw9de8XCPMaLril4KiZUooCW.n wcVTKTVlWSE47NrNIp4BMca6PP_0dbYBqe7iyypRjWfZ9LpL0Ok5sGYMmi3btJNJi029oM73ssa0 _tbK5nQxrpyPSGzN92kQFzQcYnKqyJA8M7YnD3.WyEwv0izfGbozD0R_xmo0yuoKLrMs6sgKt._B E5P_GoyPj1SarNgF268uT1SxalLQoeKL3xEyEDzv5yNyQZeurVGj4tx8Zo0yQCakpfigSfoOj.za P5D5xw49SYDGNDg9aFyRLvgWxQyWmOCjAiJ.yzgAzPg3m_Qg3SZmGdcQv58LoBjYrFQ8GXeowc2l uLryjYaUrQw.TARsYK6mpVRF.lKYUVwqvsb1Ig6DPGWaLSt9a4zHwI9bsj4eG7oYXiWLi9ZvJLRE BGr6LzCnrBph8Y2x5BMWNxOepov4I04eOvshf_ssPAWJY9GFQXqiSGaUiPD1kv_SXd8SpcabPtAr ON5UNHRETqoRb1i9jWdLrKGhFc7KKLyk0dv5noNqtWfGR4kXHICDNfChFVVvPW0YZi5yLQY90DzB l725TIhxBDnNQNF69mbJsiRFrBohmqsrUFfUO4uUYIhbHbth_m1VSLD2_1zHpSje58DtjZQPvEkb O2Tz045REDfWYoggILcqaOGfMEBDtLko0SRvAjDX3f4YcAg7hhhdFhY225q_EAtPR4nn3B6SSWqz 7RXesQuGL3v6A76QMrY7x.id90b5LVF99YWytqI1yZ6VkOgoEUQaUNNBiZMWUjFGXPDPqYe_exse b7aO0L_ECXJNhRhX7I_TWWisnD.Hd0XkkS1jJO8PZgDtFpWIuFeFXCpQj.5G7lJ0oJzl3bq6hMHq Ik6ANLQbg92yoAvX1S.p2uHzwmUbjskZLql.PUy8O60tqCz8bmZaSTeYIhKpfPbZ7vGudtimqScN 8UrPSQT2_1trBFfJlQL0LSQI0KIQUz4AWJLOd0lfXzkzDVJt6fC_1PUx8kFz_vzCqZAhpiXikOU0 g0_8PEhMXyoVUly5bY8ukLVNcLXyxt8GDTAV_Qny_G1RHtlkp7Nb0C69Y6.trm1bHBqtcjQ6AVfI AQfnkSmOaJuvLeDfsM4idMOMp.Td3oiVWDqhfghguGO8aBLv._Kt0gVgKRTsi7mSgFNZqAajMvM6 m4BN0UwrPtluMTeuLUNDXCl3JS1eAZXcGrPUDH5qg0vlLLe8JTLobnVnq86OaHKhoXSs5slZMh.I hKg2WjHwqh1TMQd_VYQk75cIQi4QI4h2mUHCDU0Wj1mM5jDtfpFCDp5SwPc9WOkVYtTfd5nuk2BJ nR7O3fefbTr35SrD3sqFqr0URG2Y.knWgEAWoIJ12LCeXuYUdFw7o8qULYzYtKgPs3CUO3I9RDfr 1gMEyodS_xjU0SJvoJO6wiAqn4yGalNWraMG7mNg3C0t705b4nNz2bfCuaSxfjUPwGPKhPnNDm4J p_5ZT.mSc.iCqiDNz7DVdBetBnL9TDXKoD6tLWKKZgM3N0AxHDouB.urlhXyNyLtiAICZ_.sJaDK SdEHX1D28vmJCyx4jou_E3aDk77TCaL9V.aeNPii6As5m_YDNtZLqhYVpr8W3FbJhASUHsMVVSGs L3DTKqIqgyrZSkP.a1SMqrq2y6omzEU86kXkqdHXYnCr.GCBqO44BnRnRpNdxiVvZkaid8IYR_Cu mkNh56jOIeA3LLoLASPGxVC4V6hfWf1eLXv_3SIGqPlj3fXSPmmkMElZk9KTdLA5QFUu0cMpRZH1 bIUNCrX7bVNmDYrSw3G55Oc.ZNVmpxyxEUlAZLIwDXiackaI- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Tue, 14 Dec 2021 00:00:35 +0000 Received: by kubenode516.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID d9da30bbc942afdefef6ca173bbb7167; Tue, 14 Dec 2021 00:00:30 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley , Pablo Neira Ayuso , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v31 18/28] LSM: security_secid_to_secctx in netlink netfilter Date: Mon, 13 Dec 2021 15:40:24 -0800 Message-Id: <20211213234034.111891-19-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org --- net/netfilter/nfnetlink_queue.c | 37 +++++++++++++-------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index f19897b3cf39..69343275c54b 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) { - u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; - struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) - return 0; + return; read_lock_bh(&skb->sk->sk_callback_lock); @@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, &context); - *secdata = context.context; + security_secid_to_secctx(&blob, context); } read_unlock_bh(&skb->sk->sk_callback_lock); - seclen = context.len; #endif - return seclen; + return; } static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) @@ -397,12 +393,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, struct net_device *indev; struct net_device *outdev; struct nf_conn *ct = NULL; + struct lsmcontext context = { }; enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; - u32 seclen = 0; size = nlmsg_total_size(sizeof(struct nfgenmsg)) + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr)) @@ -470,9 +464,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) - size += nla_total_size(seclen); + nfqnl_get_sk_secctx(entskb, &context); + if (context.len) + size += nla_total_size(context.len); } skb = alloc_skb(size, GFP_ATOMIC); @@ -602,7 +596,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (context.len && + nla_put(skb, NFQA_SECCTX, context.len, context.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) @@ -630,10 +625,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return skb; nla_put_failure: @@ -641,10 +634,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return NULL; } From patchwork Mon Dec 13 23:40:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12675017 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07AC9C433EF for ; Tue, 14 Dec 2021 00:01:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244007AbhLNABm (ORCPT ); Mon, 13 Dec 2021 19:01:42 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:37844 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244393AbhLNABk (ORCPT ); Mon, 13 Dec 2021 19:01:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639440100; bh=GSurOhVzqUI/nNz8OcXYb0Mj9Kn5l034tUBurXhhR90=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=UD1S1lKq2OpJHcL9VBdK72mwn0QTIX2gdu0FUJ3jYTM8jTfiXQ5//hwUE48cdzzKL4onRo8GyCXfAe1jnJ0uH3OynXu/+AnLTg6g7MdsuY0qODuw0MJs+piedrM9ctoDXcxBE5ebHYUS8kM8ezlnGglYlM2Ql7ob8MAmrqAOzSgPZ4JGpYYCSjfUIlfqZU7zH5ogiGGLbPfBBt0xS/DMFNMHByACXVpolXRxbw+YkR25Cmqlhji59DLkCDJLlcyWT94Pmu+0JfMfB6/a9bLMuXwPLX5OlVk/oQNupatj2O9Z65doUB8iEQDGSbaxEhnCdcUuETDcwTX1KhW/eHRBbg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639440100; bh=r5CHfpI0eoaIWEkwmyLH8njrGMSU6xE379+DpX1Oz/H=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Cp3yMTrEkPJUzYr2k5Fu+qzQX5UxtjAN0bMipepZGh65eDmHI2fuupX6InYpoe6K1TQTPmF4TAqZ9duhpCRHgUwEX5oDNjNPC0d6U7sdg1V2GR4O9PFK7m8RW5WVxOE/Zqb2ugNEQkan7d/NWVr9SkUECchLGAsA8H7I9Dp5LxEG7jD3jIxP/GD9cmDzpq8jKGZ3mkI05iYbeGzF4MGv5z11U2n0vkrbd9BDBuKc+7Vic5g6vIcHDk09b+/LgY7qSG8n6lmEiyaizDF/0d1f1XKlRJPAvYk62DtyImVjYRZTmd/4i+bwZQh9X9ud54LrcbO6b3peL/N19eNTqOswZQ== X-YMail-OSG: zNgAoPgVM1nCfo6fJydlGuyYiazr.ZYj8GJ.8lXpohDXUh_A2bG26kDE6BKGdaU 5fbDZDww4yizg4u8aezHCQd4gEx28mVoALEXZWsWzQeqqnDS9j80v1ZFNajqeZXSqsL5kx8Pf7MS GhZ3D.uExLINjEU0L3Afnpfgz5EFxG0__YdiIhkFa_OrfENcRrpNatqc9obvW3pdQWJ4n0v23qBO k6MjAJjxqcn6UdvOLRHcdL7wRhMEWA07OKTgknEHO1H25ncrUYwKAEm_hh7e5trRsPp_YHzLT3ji uoz3fojLHUfNh03_PyRX_vjsCAXhUwZSXjeEG_W7GH0r7N7Dvg2kgxnUtpY3i1j3hYo.pg3ypYsL Dwo7wbGl5.PIvbXWE5EorEGRTschoJbyQe.tt_OqllUhyoqrRRZMIWlZJCN1ospAQ2cxZlTjgsL2 7fPa5JjKW9WS8bqXCoA4jvGf88XbcTV7cBdFMauiaoZLBQhg1n5Ao3IKAtj1a1N3ZazRP0it3xuf CPEWyhGwEf1_U2Eh4l_JL3qha6JONYmg0ELB2B2rV8MdWjcWRUr2AmHeCBrRVwKVEYToFppASZeo X3ProX3skf4VWLZdR1TwN.i9CKbzVo6pcLUqAGCszkoCfLUJtEeZn4OA4p9YKyI321kj5tPAp1_y 7LQeEeWJySJf_Bw29GFtiXbFdYm2IXPIKqbYUfAktl9Jcbl1fc66RPsPY1usz.HGS97epHqFtKTB BUoMeUmdcmcQUDYZQ3bAg_tcYTXxuX4BG8YO2wC6lhYLeYXYRrq_DuMNVb2V0ZYCpw.zYo9AMeI_ UyyvvM.s1iualwr.wl0WZuVO4d2UmcjhIxsHoyap7q9nu4TcyggEExe2Sj3i1fi.LyZp78AX37mq HiFAqs.TZGEZTULd_p4_c9T1LD1ETBf93Fi3yqVNuvToZl_._5Tm7fg2NycNHqnokmgPrC6oKQ8s xW5mpS84QTmuQga8kleDCFOPwY_f1ykieeg7j4twKPUgSHOnrnJaEPk_4C_v65ba.jadFt.aB1f2 Q8EXPvzHH7KRbvq8D2T3LFvDEpri0smCsshO1FZW7pLyWB2QDLdItPRSlkV2JE9Fv4OdI9JM6HfL FSsA9mYy4ciGqffNCNC0WqQa8wtPVdJb2tfFfm6Kyu6fKbRlIfcWVKoTDy3sFaBDLfNM_S0xvngc zZ9DevBsXnMWc0UWlEDc.yOPZrUASnpWT2O3c5ZsqfE3gB0_zyuZnBggQ_59uKbxMmx7IKZwCkhA e34OI5ZSqcZfCIHcHKb9h_mnp7eE7P1K1x9Rnykyw6hw9_N4IYnzOaQ6vbsbpHFsCZMTi6V_lOGz 8BXPAzd1ZN1_CRm0UJMwmN8oZJotaxXUYKOtYDNS2lCt15n32sZiQDwlsZHHxH7OWiU7JrCkPFTX s26C8XDLIC7Ktaze76Xyb0yWyfHJNB5v9noYIV1oj4CW6202SquG9d3aR4APCe21qaSdydD_FnHR ydEWtjgvFZQe3CJWoPaD3kZE0sDUrKGpyPz4CzUOvChhlFBhHDdShEAs6bq9GnGt_bMWdt8DKcb9 gkkmathHVlmNRVDQjZcHXJPEoEl6EqKjo012EA.2BRjS.63eulHdMdWDhgVLhxMySmFwFWYdcKhf iexBqcc2_KFICPSbcvJEHDbEky_ygxDkyLn6nxi4ck02E..5_hicVtwpmFlFeVxRnWqpi3Xl7YfX Dm3fB5umSlyymwMVQOyDZOrJgqIdadMX3VYzdgwuak.8hqt2ciVnXrATnFo4ynBClQCOHDAClums IvGZTJZh3XCkGO8guJeI3TrcdPUlRXskQySvCXiWsJbD91lVtHfDGd.R_AQlhLWQKY8Sl7G5yz5n MpIjXF93gwznLxgrPmD6gXAVXnTPnAVgtpKaqEz6Q.jfuKZmyIgmoO9Q1ZMtKzgnGZK1gOUOYLGe 7eDGN3UKfZwdksT0lrJOUHbTgGTeXKSH7jDw9Ut1T3M2s6aB8ed6kD0ImUmpU3AEKNIkdOfbjbvt rq8N6o9DG_4FrPyCSbLyaLH5KzQ1AscN64BD_LH5UbDBOFXJERZkl5gegiEqI1BnoplepR9C5L3A DYygX7FK320hm.OY9aqU4OT.7LbS5owiti9YGUIoIQbdwbwr5HUUrkuHMeFOHONjIyyzfDvW9MBo 8ag3QCNQJo7B1jx_EJUGsgYFN9Px.IIVsMFHC7mZ4apOwHO7NNr22bJb_rAN_9k8ouhnHxj.xIlF aOtdVHxtRbWDjeM3C0DYSmJnyXrc9mwa2OEynH9_B_4v9XlKIMp6bAt.iSwoTbwpw51Phi3JeH28 YH0PtXB8EynkXfES.Reqi48c- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Tue, 14 Dec 2021 00:01:40 +0000 Received: by kubenode503.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 0cc56464e1a1cc4f0054ea02a08fc52b; Tue, 14 Dec 2021 00:01:35 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley , netdev@vger.kernel.org Subject: [PATCH v31 19/28] NET: Store LSM netlabel data in a lsmblob Date: Mon, 13 Dec 2021 15:40:25 -0800 Message-Id: <20211213234034.111891-20-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Netlabel uses LSM interfaces requiring an lsmblob and the internal storage is used to pass information between these interfaces, so change the internal data from a secid to a lsmblob. Update the netlabel interfaces and their callers to accommodate the change. This requires that the modules using netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4/cipso_ipv4.c | 26 ++++++---- net/netlabel/netlabel_kapi.c | 6 +-- net/netlabel/netlabel_unlabeled.c | 79 +++++++++-------------------- net/netlabel/netlabel_unlabeled.h | 2 +- security/selinux/hooks.c | 2 +- security/selinux/include/security.h | 1 + security/selinux/netlabel.c | 2 +- security/selinux/ss/services.c | 4 +- security/smack/smack.h | 1 + security/smack/smack_access.c | 2 +- security/smack/smack_lsm.c | 11 ++-- security/smack/smackfs.c | 10 ++-- 13 files changed, 68 insertions(+), 86 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 43ae50337685..73fc25b4042b 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -166,7 +166,7 @@ struct netlbl_lsm_catmap { * @attr.mls: MLS sensitivity label * @attr.mls.cat: MLS category bitmap * @attr.mls.lvl: MLS sensitivity level - * @attr.secid: LSM specific secid token + * @attr.lsmblob: LSM specific data * * Description: * This structure is used to pass security attributes between NetLabel and the @@ -201,7 +201,7 @@ struct netlbl_lsm_secattr { struct netlbl_lsm_catmap *cat; u32 lvl; } mls; - u32 secid; + struct lsmblob lsmblob; } attr; }; @@ -415,7 +415,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, @@ -523,7 +523,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { return -ENOSYS; diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 62d5f99760aa..bb9c900da6b0 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -106,15 +106,17 @@ int cipso_v4_rbm_strictvalid = 1; /* Base length of the local tag (non-standard tag). * Tag definition (may change between kernel versions) * - * 0 8 16 24 32 - * +----------+----------+----------+----------+ - * | 10000000 | 00000110 | 32-bit secid value | - * +----------+----------+----------+----------+ - * | in (host byte order)| - * +----------+----------+ - * + * 0 8 16 16 + sizeof(struct lsmblob) + * +----------+----------+---------------------+ + * | 10000000 | 00000110 | LSM blob data | + * +----------+----------+---------------------+ + * + * All secid and flag fields are in host byte order. + * The lsmblob structure size varies depending on which + * Linux security modules are built in the kernel. + * The data is opaque. */ -#define CIPSO_V4_TAG_LOC_BLEN 6 +#define CIPSO_V4_TAG_LOC_BLEN (2 + sizeof(struct lsmblob)) /* * Helper Functions @@ -1460,7 +1462,11 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def, buffer[0] = CIPSO_V4_TAG_LOCAL; buffer[1] = CIPSO_V4_TAG_LOC_BLEN; - *(u32 *)&buffer[2] = secattr->attr.secid; + /* Ensure that there is sufficient space in the CIPSO header + * for the LSM data. */ + BUILD_BUG_ON(CIPSO_V4_TAG_LOC_BLEN > CIPSO_V4_OPT_LEN_MAX); + memcpy(&buffer[2], &secattr->attr.lsmblob, + sizeof(secattr->attr.lsmblob)); return CIPSO_V4_TAG_LOC_BLEN; } @@ -1480,7 +1486,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { - secattr->attr.secid = *(u32 *)&tag[2]; + memcpy(&secattr->attr.lsmblob, &tag[2], sizeof(secattr->attr.lsmblob)); secattr->flags |= NETLBL_SECATTR_SECID; return 0; diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index beb0e573266d..158bab993e32 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -196,7 +196,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, * @addr: IP address in network byte order (struct in[6]_addr) * @mask: address mask in network byte order (struct in[6]_addr) * @family: address family - * @secid: LSM secid value for the entry + * @lsmblob: LSM data value for the entry * @audit_info: NetLabel audit information * * Description: @@ -210,7 +210,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { u32 addr_len; @@ -230,7 +230,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, - secid, audit_info); + lsmblob, audit_info); } /** diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 596a75814fbf..60e36324568f 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -66,7 +66,7 @@ struct netlbl_unlhsh_tbl { #define netlbl_unlhsh_addr4_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr4, list) struct netlbl_unlhsh_addr4 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af4list list; struct rcu_head rcu; @@ -74,7 +74,7 @@ struct netlbl_unlhsh_addr4 { #define netlbl_unlhsh_addr6_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr6, list) struct netlbl_unlhsh_addr6 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af6list list; struct rcu_head rcu; @@ -220,7 +220,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) * @iface: the associated interface entry * @addr: IPv4 address in network byte order * @mask: IPv4 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the @@ -231,7 +231,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, const struct in_addr *addr, const struct in_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr4 *entry; @@ -243,7 +243,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, entry->list.addr = addr->s_addr & mask->s_addr; entry->list.mask = mask->s_addr; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list); @@ -260,7 +260,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, * @iface: the associated interface entry * @addr: IPv6 address in network byte order * @mask: IPv6 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the @@ -271,7 +271,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, const struct in6_addr *addr, const struct in6_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr6 *entry; @@ -287,7 +287,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; entry->list.mask = *mask; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list); @@ -366,7 +366,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { int ret_val; @@ -375,7 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -408,7 +407,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in_addr *addr4 = addr; const struct in_addr *mask4 = mask; - ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); + ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, lsmblob); if (audit_buf != NULL) netlbl_af4list_audit_addr(audit_buf, 1, dev_name, @@ -421,7 +420,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in6_addr *addr6 = addr; const struct in6_addr *mask6 = mask; - ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); + ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, lsmblob); if (audit_buf != NULL) netlbl_af6list_audit_addr(audit_buf, 1, dev_name, @@ -438,11 +437,7 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - /* lsmblob_init() puts secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -477,7 +472,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -496,13 +490,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, (dev != NULL ? dev->name : NULL), addr->s_addr, mask->s_addr); dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -543,7 +532,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -561,13 +549,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, (dev != NULL ? dev->name : NULL), addr, mask); dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -921,14 +904,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * - * instead of a u32 later in this patch set. security_secctx_to_secid() - * will only be setting one entry in the lsmblob struct, so it is - * safe to use lsmblob_value() to get that one value. */ - - return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, dev_name, addr, mask, addr_len, + &blob, &audit_info); } /** @@ -975,11 +952,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* security_secctx_to_secid() will only put one secid into the lsmblob - * so it's safe to use lsmblob_value() to get the secid. */ - return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, NULL, addr, mask, addr_len, &blob, + &audit_info); } /** @@ -1091,8 +1065,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct net_device *dev; struct lsmcontext context; void *data; - u32 secid; - struct lsmblob blob; + struct lsmblob *lsmb; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1130,7 +1103,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr4->secid; + lsmb = (struct lsmblob *)&addr4->lsmblob; } else { ret_val = nla_put_in6_addr(cb_arg->skb, NLBL_UNLABEL_A_IPV6ADDR, @@ -1144,14 +1117,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr6->secid; + lsmb = (struct lsmblob *)&addr6->lsmblob; } - /* lsmblob_init() secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &context); + ret_val = security_secid_to_secctx(lsmb, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, @@ -1510,7 +1479,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr4_list); if (addr4 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr4_entry(addr4)->lsmblob; break; } #if IS_ENABLED(CONFIG_IPV6) @@ -1523,7 +1492,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr6_list); if (addr6 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr6_entry(addr6)->lsmblob; break; } #endif /* IPv6 */ diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h index 058e3a285d56..168920780994 100644 --- a/net/netlabel/netlabel_unlabeled.h +++ b/net/netlabel/netlabel_unlabeled.h @@ -211,7 +211,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_unlhsh_remove(struct net *net, const char *dev_name, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 824a6e4fb126..6f790d96594d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7056,7 +7056,7 @@ static int selinux_uring_sqpoll(void) } #endif /* CONFIG_IO_URING */ -static struct lsm_id selinux_lsmid __lsm_ro_after_init = { +struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", .slot = LSMBLOB_NEEDED }; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ac0ece01305a..9f856f2cd277 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -73,6 +73,7 @@ struct netlbl_lsm_secattr; extern int selinux_enabled_boot; +extern struct lsm_id selinux_lsmid; /* * type_datum properties diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 800ab4b4239e..0b8f99703462 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -109,7 +109,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( return NULL; if ((secattr->flags & NETLBL_SECATTR_SECID) && - (secattr->attr.secid == sid)) + (secattr->attr.lsmblob.secid[selinux_lsmid.slot] == sid)) return secattr; return NULL; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8e92af7dd284..23a45c9dcf04 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3899,7 +3899,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, if (secattr->flags & NETLBL_SECATTR_CACHE) *sid = *(u32 *)secattr->cache->data; else if (secattr->flags & NETLBL_SECATTR_SECID) - *sid = secattr->attr.secid; + *sid = secattr->attr.lsmblob.secid[selinux_lsmid.slot]; else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { rc = -EIDRM; ctx = sidtab_search(sidtab, SECINITSID_NETMSG); @@ -3977,7 +3977,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, if (secattr->domain == NULL) goto out; - secattr->attr.secid = sid; + secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid; secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; mls_export_netlbl_lvl(policydb, ctx, secattr); rc = mls_export_netlbl_cat(policydb, ctx, secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index 66b813e15196..44fd5bc8ba71 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -303,6 +303,7 @@ int smack_populate_secattr(struct smack_known *skp); * Shared data. */ extern int smack_enabled __initdata; +extern struct lsm_id smack_lsmid; extern int smack_cipso_direct; extern int smack_cipso_mapped; extern struct smack_known *smack_net_ambient; diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index d2186e2757be..c6dcafe18912 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -524,7 +524,7 @@ int smack_populate_secattr(struct smack_known *skp) { int slen; - skp->smk_netlabel.attr.secid = skp->smk_secid; + skp->smk_netlabel.attr.lsmblob.secid[smack_lsmid.slot] = skp->smk_secid; skp->smk_netlabel.domain = skp->smk_known; skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); if (skp->smk_netlabel.cache != NULL) { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1069ba7abf40..9832b5e5c9fd 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3729,11 +3729,12 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) return (struct smack_known *)sap->cache->data; + /* + * Looks like a fallback, which gives us a secid. + */ if ((sap->flags & NETLBL_SECATTR_SECID) != 0) - /* - * Looks like a fallback, which gives us a secid. - */ - return smack_from_secid(sap->attr.secid); + return smack_from_secid( + sap->attr.lsmblob.secid[smack_lsmid.slot]); if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { /* @@ -4752,7 +4753,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; -static struct lsm_id smack_lsmid __lsm_ro_after_init = { +struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", .slot = LSMBLOB_NEEDED }; diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 658eab05599e..13c2fa728054 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -1143,6 +1143,7 @@ static void smk_net4addr_insert(struct smk_net4addr *new) static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { + struct lsmblob lsmblob; struct smk_net4addr *snp; struct sockaddr_in newname; char *smack; @@ -1274,10 +1275,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, * this host so that incoming packets get labeled. * but only if we didn't get the special CIPSO option */ - if (rc == 0 && skp != NULL) + if (rc == 0 && skp != NULL) { + lsmblob_init(&lsmblob, 0); + lsmblob.secid[smack_lsmid.slot] = snp->smk_label->smk_secid; rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, - &snp->smk_host, &snp->smk_mask, PF_INET, - snp->smk_label->smk_secid, &audit_info); + &snp->smk_host, &snp->smk_mask, PF_INET, &lsmblob, + &audit_info); + } if (rc == 0) rc = count;