From patchwork Tue Jun 28 00:55:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897399 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E6F7C43334 for ; Tue, 28 Jun 2022 01:03:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242893AbiF1BDT (ORCPT ); Mon, 27 Jun 2022 21:03:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58100 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242849AbiF1BCd (ORCPT ); Mon, 27 Jun 2022 21:02:33 -0400 Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D24C722B31 for ; Mon, 27 Jun 2022 18:02:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378151; bh=z3jiL2tCAI8K9XeufR5jyTcN598SmLsZZztorcUuBNM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=XIUprzOOn613dOmiS1XbrYT4yPlc6d55MhS5QawvlPhdb4CoW5J06pi2WPHJHVwTyGZdR50J7qT5hgA/2VAQ6ZdgfZQWTTFItITg1QK5iywfcJNCAJOZ1t/krOXN1hTJGoVgjS+0KhA9zM0eTxI5XkWaiVVPWA4sthY1c0/dR61a33YWWT16FRZRTq29x5eITTADTr3YC4E4PVIzFiC0gxvSEGZMZoXAfC8YqMAGn53V9P9EqHMiXd65Msxf06fbBl7jkbtk3aLgM447/w2iQb8xBTYmcR4okVRXVH0VXADk7eYnwdQbB/qvVu9J2SQuAv/U2pCePhf1YGQQEYvudA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378151; bh=NNZ8jDM4uDDZqf6115zwAN06m2X+w/j043teU3HyfDP=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=cJm2kcoyOEhHvzjH6mAsyAYE7ar/ZswJXp6ZkW/t+OIDk06L2SggO4AYLORlTMmHvskNTMQUXjfh/DlcBY9RRobuQ2hvnIt1GEjXkof78kQzLstidJdU5taGFnBrMmP0v4SJInGNXhoN9FZm3KDG5NmbLgg0aiOSFKH+rJidQEVYbwETSxKhmJXdNn3QhLU55GAzxI/8jRIZfsKlVc9iynT0GPfr7r/HK3NHaZ+qcsVgi4up7T/mlE0UiuxMNfjocMe48VoU9eWk+NqMoZU0Xcwh5ZVI7a9tFa1Cn8vevc7vPEncUtzNL9PL6dViyDqGMDz+E2IwOvOOuNlQLbop1g== X-YMail-OSG: 6AvIDGcVM1kGIjMnTaPeAbSRNjUbhRHB0lUa7MF.sbYvlB45vlC6b0F5oyMxRtu 6gujOHQPCcfKq1Qf0B72_ZucWzWi.48cI69nuG.6LuZ9TOiVzSMIXgdbKnV2wVCNRgT8Br_2.GoV giuODmTQMjGksOTQgK2AxhhrB9e5Qhj9aAr_GbDbqnTDB3LR9xzMRuj3WHFPicgJYfO7v8NaW5gf zMCmZWEioDf0FJimiUBAdKhex2SWvJK7LWRa.qM5IGst8OSvwsUh.zbE5gv8pmXYN22niYvIFQ4. cxX45dpPpRwNeVGoo0lzDXGoDdm4zMexhhHwV02SwgtyJOa6pp0WOyoKbMB5Gt4jqAstGIEUeVij 6yCw9TwTSmxuLnABOj_.25PAn8X.dvHmocGDbK.12fqGaF9Szf.63hDea5.to9P2m8VS94P.BkjF aDJAid.jmOAUjrgDCztCXCk.ykemTpKQHJ5IoBY46kYu9J2LnX1m02VkgGtUuSPKAcHr4OYOEq5u yNv.RjpSV2QoSUSSy20ZLhwAEo8.iegZ6odZ4X_qzPOq_sqgRW9INhhIZKBnuHSoaGFc2XfBK9Qp QTBHe0t22iHcQn6KhzawX8tvEODfUI8C5lCw2A88DUL4GIEDy6Sh9HjWUy7crqzrAfSCU0YVIizj SlWSvUmgAD8SS8.o76UPuKFbUo9wl0rITZNI5e15l7tQY74J6IfPHFBuD4mtLt0asTdYRwSrFwfJ iLdhyhQjhoTZDFBotbunksFe3pigpmUahDTVXZ4u82h.r8tOB282cIYWI0klcN8Ws9YkPWklpu8U fHqkoVLksOosTEwz5nYe1u6aU40h0o2kFpdrGrrfcMWnhk6fHd6WFMwufKo.3n1xNyNlCShFavmc 3LUF.klGnEuD74kZl6nC7OPFoUv73RsOILQX4gbi2tkPwr.mjDFsjne2qKvOn55Xkve9_RnDJUGs MFWbBkw4pn9odrZGnTFbkxIZaN1p_h4.s_PTlKvOekqPvPs.aUkFRk1ENPGrEwRWlj4lp.Yu6m_p MOua9gilxjMynHGV9sU.fXzT837SL1i2E3J_YD1H.fHQ6RfILTUQgx0apgxCwZ0KC2qkwRjpJ2Zl bcYQDk4eM.ebwA5BElA630Trvj5Ucbzl5ifvHoycaEPP6Dex23GhxV6G5Plt17J1yXmnNmV9vo7T rkEH7qasEHRyLxxKF3CJSLuMEVMXN5JP7PKUWnqF2Tk2Z.5.El6upeOuq9minSpCzqGy4gF1a7iW HTMY6kbbLFj7O9oDw0uOPMqfMMjdgw0.pVbGdFp8QU9nBIuPoJiCSe1t2oYPk_oUxTxhd6yDlJH. bFQFhtZlcp1DjgzlWHil40uG8TUOGe9sECTMDwsdEBn2eu4AhpMFNKmUSjTKEbpJCh1oz70ZHDSB uGApgIfiPYKy1V7buBUFkyAMLhj8LVgeByd25ZZf7oM3AUDbCqy4e8ivxgD9VUm6HdXDaOlfET.B 2RU1fvxmZ2bq2rCjmwZPQB2SokdsBkLZHdPR._.B5kF8FDN53bP_qq34gxMmo_qAbvypyNdbFuKZ BYjkiShaUBH2rrT56eb3o24E78CiqI7sZQznxLlHIF4LklxUpPncpFM4bWxhD_QZalR0ChHfzOZt hcARMEsjRmJ8gtgSdPBVBDa3XZmGVhhFk6LId1aB_4GF7_Y4KkkED49MB6zMdXrjoeSppUA2fLre RTytQ8E2jbyczVWBBgCKINIrxXOzzhUXXeGkYVxhMiWwJ5DIiCqVqN04hCg0lU.m_o6wN9PCWUAL E5KviX5dG1sITPnz8WV27h8zWy_lNTBKbzX0vHNXt4xKMccbAq25fkhZaXK_B4.exQ1gBNC9hMXQ FuDQ.3lxy56rqSc8cgrpRndv2nVPl2cwTKP8AVrGXin14pg30dVXWYpXPOtHW5TnoZrT884O1Rqh RhUWdefwyyOdVbat_Z0obfQju7Uuq9rnfdt5ADnqFvy0__LdxoUL1IR64O.cgz9xERBeeBfhaq5H ZpOxXSeHK5HtbMqhTgsoGFunEngAi5VjQDFdlniMZEuZ9DCVt0LrBz31hzTBK_sTZujuyU8zR6TN yozckMq1TVeOwJS.KqcjiehH.nHpxXJmSPhOWuHivdZuAWUlf3bvFsjhu7qgZBQwEFDgboyB81l2 lZnj.w9JCHFw.PGvp36CAadNixwU76TOffauHQcVwrwQypHGiDiJ7hl3PyyDjNKbig4U5ruTPQ5w Q27rUC7vIsLkZmJH_AAJNVCs3M_rDqTeseAZVajD7S53AtDpN.4pdG.3ZbkGNGHpcAVdDj7uWum2 qicBMEKiR.4mIzN5mBRIyWdu8kGjKrkH9S9j_74vreI9VXEPSskqF2DXLdc4A1Fs- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:02:31 +0000 Received: by hermes--production-bf1-7f5f59bd5b-wm5tz (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID dbf52cafe43ef47006ff0c558ab03737; Tue, 28 Jun 2022 01:02:23 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v37 08/33] LSM: Use lsmblob in security_secctx_to_secid Date: Mon, 27 Jun 2022 17:55:46 -0700 Message-Id: <20220628005611.13106-9-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change the security_secctx_to_secid interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change its callers to do the same. The security module hook is unchanged, still passing back a secid. The infrastructure passes the correct entry from the lsmblob. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso --- include/linux/security.h | 26 ++++++++++++++++++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 10 ++++---- net/netfilter/xt_SECMARK.c | 7 +++++- net/netlabel/netlabel_unlabeled.c | 23 +++++++++++------- security/security.c | 40 ++++++++++++++++++++++++++----- 6 files changed, 85 insertions(+), 25 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 823880ba613e..8e09302bded7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -201,6 +201,27 @@ static inline bool lsmblob_equal(const struct lsmblob *bloba, extern int lsm_name_to_slot(char *name); extern const char *lsm_slot_to_name(int slot); +/** + * lsmblob_value - find the first non-zero value in an lsmblob structure. + * @blob: Pointer to the data + * + * This needs to be used with extreme caution, as the cases where + * it is appropriate are rare. + * + * Return the first secid value set in the lsmblob. + * There should only be one. + */ +static inline u32 lsmblob_value(const struct lsmblob *blob) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + if (blob->secid[i]) + return blob->secid[i]; + + return 0; +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -531,7 +552,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -1386,7 +1408,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle static inline int security_secctx_to_secid(const char *secdata, u32 seclen, - u32 *secid) + struct lsmblob *blob) { return -EOPNOTSUPP; } diff --git a/kernel/cred.c b/kernel/cred.c index 3925d38f49f4..adea727744f4 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -791,14 +791,12 @@ EXPORT_SYMBOL(set_security_override); int set_security_override_from_ctx(struct cred *new, const char *secctx) { struct lsmblob blob; - u32 secid; int ret; - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); + ret = security_secctx_to_secid(secctx, strlen(secctx), &blob); if (ret < 0) return ret; - lsmblob_init(&blob, secid); return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index ac4859241e17..fc0028c9e33d 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -860,21 +860,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { static int nft_secmark_compute_secid(struct nft_secmark *priv) { - u32 tmp_secid = 0; + struct lsmblob blob; int err; - err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob); if (err) return err; - if (!tmp_secid) + if (!lsmblob_is_set(&blob)) return -ENOENT; - err = security_secmark_relabel_packet(tmp_secid); + err = security_secmark_relabel_packet(lsmblob_value(&blob)); if (err) return err; - priv->secid = tmp_secid; + priv->secid = lsmblob_value(&blob); return 0; } diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 498a0bf6f044..87ca3a537d1c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info) static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) { + struct lsmblob blob; int err; info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; info->secid = 0; err = security_secctx_to_secid(info->secctx, strlen(info->secctx), - &info->secid); + &blob); if (err) { if (err == -EINVAL) pr_info_ratelimited("invalid security context \'%s\'\n", @@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) return err; } + /* xt_secmark_target_info can't be changed to use lsmblobs because + * it is exposed as an API. Use lsmblob_value() to get the one + * value that got set by security_secctx_to_secid(). */ + info->secid = lsmblob_value(&blob); if (!info->secid) { pr_info_ratelimited("unable to map security context \'%s\'\n", info->secctx); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 8490e46359ae..f3e2cde76919 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -880,7 +880,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -904,13 +904,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * + * instead of a u32 later in this patch set. security_secctx_to_secid() + * will only be setting one entry in the lsmblob struct, so it is + * safe to use lsmblob_value() to get that one value. */ + return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, secid, - &audit_info); + dev_name, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** @@ -931,7 +936,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -953,13 +958,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* security_secctx_to_secid() will only put one secid into the lsmblob + * so it's safe to use lsmblob_value() to get the secid. */ return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, secid, - &audit_info); + NULL, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** diff --git a/security/security.c b/security/security.c index d3b28a6b9248..08ed7acf4205 100644 --- a/security/security.c +++ b/security/security.c @@ -2205,10 +2205,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct security_hook_list *hp; + int rc; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } EXPORT_SYMBOL(security_secctx_to_secid); @@ -2359,10 +2371,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, optval, optlen, len); } -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + int rc = -ENOPROTOOPT; + + /* + * Only one security module should provide a real hook for + * this. A stub or bypass like is used in BPF should either + * (somehow) leave rc unaltered or return -ENOPROTOOPT. + */ + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid); + if (rc != -ENOPROTOOPT) + break; + } + return rc; } EXPORT_SYMBOL(security_socket_getpeersec_dgram); From patchwork Tue Jun 28 00:55:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897403 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49DC7CCA480 for ; Tue, 28 Jun 2022 01:04:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242929AbiF1BE3 (ORCPT ); Mon, 27 Jun 2022 21:04:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242881AbiF1BEQ (ORCPT ); Mon, 27 Jun 2022 21:04:16 -0400 Received: from sonic304-28.consmr.mail.ne1.yahoo.com (sonic304-28.consmr.mail.ne1.yahoo.com [66.163.191.154]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BDF4E22B31 for ; Mon, 27 Jun 2022 18:04:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378244; bh=SEDujFIIf9a7F3wg8aOHzGN1rhozmxWwcgf1f6Nw8pc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=bXPDlz+w3V/JKxuIRD5s7Q1jtS/6lnTLVPrMzkhahsqFsIGyCYj4ldSiHbz6yTO9uKKKepYM8K4obZNY9AoYhRkbmUe9coRFIzDhxSsFeQN5n5SytjGCuJgk5Tq61l/A1/inwha4Idk+I/T3h3fhhz1ZmA9j1hoCcqTjpKRi+4PS4npM4k1t5Zj7+diAaM1ncpcMglbIuj8sZ+Fap9fIUtKCpObAiHIeuAjfBC3IXHsovS4QJECQ7jeRpSPtOc5DWF0VT+LJYezAnUldjaM4z3RWpgpM0+iGV5/uB72OMHt6QZQGiJq4HQtIMqaMkQFz7WgpS5vPWaWxSrMBU9419g== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378244; bh=L67yYUQwK6wU1ow7uhiFWRYMVl3bxhnv9kSLuMHcpwD=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=N4zt5wwgjnA/mqT1RawwkCT2IU1SZUHRLXucCVktTswvmLElfFBC27V/yrcf26LNWNvKok6lVzJ2YOMshDnuCV3X4nYoklD89aR2CkL4L+RrBwxi7eYNgwcll/K7SllJTrJ9cVdQ3LqleMra927N0gaFIbMMDNQvCegyWtpNMzWj0ZK3/0T7CAcdHOS3uiXLjxmfeJgD9sCeYSt1Tzny9TdPevDcHsUQMxlcQnI6riw6aQKsIWhBqTw8XPX8WR+vnF1qUB08Hpq+vJuZrpDdWDShA17QyTOg+sFb3+HE009HQq19LPfKy/rEsXPSu6y4h5gPHd9QnzH8bH8T3+Czuw== X-YMail-OSG: X6JkT.YVM1lG75mSc8_fcWmpY_w4IBznuLFq7dgxHrVdJQitnBCmGR9BnvWJYYu U6mRIjBCZKq3e5_HTyOgKKbTmmvFLzZ8VXg9fAOpBAwvXGAQFupUSM5bLTyqlt2jManY4aINasNP aVfClf3hgozv18NiHcdkIoEPE3rivqNSuRV4ax72xe14YBudZsK4VeuFwhHCpDMxnqrLovE4WTHs lLi4U7HbBEEUSwxB4I8O561zWbHtfgB9kxNeEnnzUQC8T4sq0i2VTAaoKJZYQCDvo_wD8VabzA5b cJvdpFVTGJs_ZQuvKm4bKIeJOf1VpefVhwtCbFO4G.ZTHX1Yc47D.6rcaj1uHfp3opA1hS1T7ixZ mHSk9SybnskzTOwq9Q2gjaBSJbuxC3wTRFcjrtD8GWqqS_bq_qQlQY1axNiR3JIqRSbdqXIMCiLg JHQNd3r7xdymj1d8i4aQR9UdiCuZfJoPagrPdvj_AefuZ9u.HDnle4qE3L341tnn8Cc2gqQfhZTv nZkrXMmgEVQxXywgkZPTGRXt7h6nwQzb.04NU1uU.YQF.fBEvE7hqeFbwwNXsoaXFORP7JzUjXl1 EXbKAVnBAvpKA.6mQqGjt4d1r3LBd3JChCLXkAJQ177pOGKFyAStU_0zYp6JdLEEBSjVxUnC7SKb hjx6xfMMyYbT7c6cP.hHjh4o5dUkGKmYHB5Z2E96d0fsHBDeBlzfAaO5qZ_xA_ebuEqITncGesht HDI1bRFiT4LaYAVcYSv.KqrThVcQN30tJ477G67YN.nE31ZYB1KFxzn7DUFqqq9Kd_T7JhEfw1ln nR0F6zGm5Q1YykQsatTgnsxlenXgrbkafuTzT6oak5pEXbReYYinjUBQvG1IvrWNJ8U9O7pAGhwr C8oiTuEjj1ElJEsaYxjbYfjPb4Bfp_wYGcXFZJWzAmKBWE7FPhgubxM3mnS6zwnMBsjErqzwkPVA .DFyvrF3xS5U18_W7e3uUnX9fIpKpoBC8J3jOjVguVniksxEd2zVZisN7q61kICxX6n2VFBb98aC AZxdyFMKhiv0bjKkIpLw1xG_PP9tWl2qY410mnddHxjxRkxQzHbJ1wGMC_KAI7IOse3B2Cp4tb5z Eek4wdAelOWihE0sc7sl.VN9wTSqF_MNjsFnLysSn4gHUurlhO6HJ8EdG7utoqBgttz5EDZCM9ou tftXR12nj2eVQYloUUq6sTXOVnqk9n1sUbBUyIfXxCm5Z2Pt7mhpHPuMFu9TAKV3vVpwoDOM4yXO Px_uz8Z.c2yRuErSMgvo0cU9yMCyfcbI616aCaxEp5tMIwM.ZRB1SiVOcdJC0BVrU285OIng6Z8O x94wmOvYA0L8onR7EXkIiyekov73bOIpk6xPQOimr4O8pdg7mKnaBzBZunIb7xZoHBShFHRovkkl RwXj8FK3D8cgn6x6EEcoHw.ymz_devPUv0.kXmtuk0vZHWPk.u4j3NNNERPyGotB3QyATSIHllpk l7jYpJdY2symeR_YloGMoVL5QhUZu8YYjHPytUZzE8EiYb5t8uDzvgu8MzMbqeriOUTprGTV6X_u fK9WP0eMDh5v3OTVRong7kdE3DHVS.ftu1PFribcHPozrs3ihdFjpaGc_fNRnt4syNhkvnUcZwUr EhVHsYpTSrsfetnhLu6Hooel9LDAtUpIdavjQffoIQomAKGMqi2AaySK7usCKg4LY9d0VV1stTWR M98gDeu7ObaEavW396ucz9UQmz6ZsuYx1XLttfa8k4JXZlBAPd38vHQzvXhCRY_PVAbQAbz80iF0 n.ui4OGbqsOp1AM.Pnh8jUSzq1GG2MNicFQ9hOswfdjx.gJbTVor3fys7iXLWCypdeP1PqaPccOt NcXdC6srhNAkvr4LAyhqXHRahCYBYifJB5lClMoKQPKCsS4fSL0xDwPmYzwO5mYuyMmaKw_89Yhs THP6XzKPJBnFI0YxC1V3c3g_DUQCpD_njDqEvkwB9kBXnjDwo_9GU2iB_6Wz3KJahzqUagAq6WBx W3_bbST_rILH4T.PMIdAu7RUNahpqWkpdDQxJ6omXpRe604jut7pBx939d6fx82ubmlMFf25oL3Z mPLQrONvfTW06GrJZ1PzBsH6n7WJyxFVD4wif_yZcWMB4.5Y2vFb9zqucf7n6jv45ZTaYgqW_OSF GYKQa0ihti8F5mFYI.VK8JRsbbENF.Bo.vKfFSUvTHX69fTTbjEq0x2fgr7oFJ2EccFck5JvrbjO Nua4XrJtbp9wvA2ibt1sZeFmkQ6_DN4z7AbSvVmfwrJQugD77hzjYmQnfVX9DU7uB1Xk6B24DehN Aa05wYFod_gD3i4LB_l2eoK1fJHdmCZbhoiMsG.mML7a8.h4D8KL.Nk1jPGqN9K1B X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:04:04 +0000 Received: by hermes--production-ne1-7459d5c5c9-fdkvw (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7521274ed3fde3701c40279c1a2b59fb; Tue, 28 Jun 2022 01:03:58 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v37 09/33] LSM: Use lsmblob in security_secid_to_secctx Date: Mon, 27 Jun 2022 17:55:47 -0700 Message-Id: <20220628005611.13106-10-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change security_secid_to_secctx() to take a lsmblob as input instead of a u32 secid. It will then call the LSM hooks using the lsmblob element allocated for that module. The callers have been updated as well. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso --- drivers/android/binder.c | 12 +++++++++- include/linux/security.h | 5 +++-- include/net/scm.h | 7 +++++- kernel/audit.c | 21 +++++++++++++++-- kernel/auditsc.c | 27 ++++++++++++++++++---- net/ipv4/ip_sockglue.c | 4 +++- net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++-- net/netfilter/nf_conntrack_standalone.c | 4 +++- net/netfilter/nfnetlink_queue.c | 11 +++++++-- net/netlabel/netlabel_unlabeled.c | 30 +++++++++++++++++++++---- net/netlabel/netlabel_user.c | 6 ++--- security/security.c | 11 +++++---- 12 files changed, 123 insertions(+), 29 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 362c0deb65f1..4ead3360a1c0 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3055,10 +3055,20 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + struct lsmblob blob; size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + /* + * Later in this patch set security_task_getsecid() will + * provide a lsmblob instead of a secid. lsmblob_init + * is used to ensure that all the secids in the lsmblob + * get the value returned from security_task_getsecid(), + * which means that the one expected by + * security_secid_to_secctx() will be set. + */ + lsmblob_init(&blob, secid); + ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { binder_txn_error("%d:%d failed to get security context\n", thread->pid, proc->pid); diff --git a/include/linux/security.h b/include/linux/security.h index 8e09302bded7..e8e4a7a1029b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -551,7 +551,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); @@ -1401,7 +1401,8 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..23a35ff1b3f2 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmblob lb; char *secdata; u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + /* There can only be one security module using the secid, + * and the infrastructure will know which it is. + */ + lsmblob_init(&lb, scm->secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index 7690c29d4ee4..2acf95cf9895 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1464,7 +1464,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + struct lsmblob blob; + + /* + * lsmblob_init sets all values in the lsmblob + * to audit_sig_sid. This is temporary until + * audit_sig_sid is converted to a lsmblob, which + * happens later in this patch set. + */ + lsmblob_init(&blob, audit_sig_sid); + err = security_secid_to_secctx(&blob, &ctx, &len); if (err) return err; } @@ -2170,12 +2179,20 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; u32 sid; + struct lsmblob blob; security_current_getsecid_subj(&sid); if (!sid) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + /* + * lsmblob_init sets all values in the lsmblob to sid. + * This is temporary until security_task_getsecid is converted + * to use a lsmblob, which happens later in this patch set. + */ + lsmblob_init(&blob, sid); + error = security_secid_to_secctx(&blob, &ctx, &len); + if (error) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 221196b0cde3..f2ba966c8838 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -679,6 +679,13 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } + /* + * lsmblob_init sets all values in the lsmblob + * to sid. This is temporary until + * security_task_getsecid() is converted to + * provide a lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, @@ -695,6 +702,13 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_str) { /* Find files that match */ if (name) { + /* + * lsmblob_init sets all values in the + * lsmblob to sid. This is temporary + * until name->osid is converted to a + * lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, @@ -1118,6 +1132,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *ctx = NULL; u32 len; int rc = 0; + struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -1127,7 +1142,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + lsmblob_init(&blob, sid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1418,8 +1434,10 @@ static void show_special(struct audit_context *context, int *call_panic) if (osid) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx(osid, &ctx, &len)) { + lsmblob_init(&blob, osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1585,9 +1603,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (n->osid != 0) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { + lsmblob_init(&blob, n->osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 445a9ecaefa1..933a8f94f93a 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmblob lb; char *secdata; u32 seclen, secid; int err; @@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + lsmblob_init(&lb, secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 722af5e309ba..ddc8cd65ed12 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -347,8 +347,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return 0; @@ -656,8 +661,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 6ad7bbc90d38..2c1f3280d56e 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -178,8 +178,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a364f8e5e698..6269fe122345 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct lsmblob blob; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + /* lsmblob_init() puts ct->secmark into all of the secids in + * blob. security_secid_to_secctx() will know which security + * module to use to create the secctx. */ + lsmblob_init(&blob, skb->secmark); + security_secid_to_secctx(&blob, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index f3e2cde76919..0a99663e6edb 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, + /* lsmblob_init() puts secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + if (security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); @@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -493,8 +499,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, (dev != NULL ? dev->name : NULL), addr->s_addr, mask->s_addr); dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -536,6 +547,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -553,8 +565,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, (dev != NULL ? dev->name : NULL), addr, mask); dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1080,6 +1097,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, u32 secid; char *secctx; u32 secctx_len; + struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1134,7 +1152,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + /* lsmblob_init() secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..893301ae0131 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct audit_buffer *audit_buf; char *secctx; u32 secctx_len; + struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); + lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/security/security.c b/security/security.c index 08ed7acf4205..552a08750843 100644 --- a/security/security.c +++ b/security/security.c @@ -2186,17 +2186,16 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; int rc; - /* - * Currently, only one LSM can implement secid_to_secctx (i.e this - * LSM hook is not "stackable"). - */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], + secdata, seclen); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; } From patchwork Tue Jun 28 00:55:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897404 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62E85CCA47F for ; Tue, 28 Jun 2022 01:04:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242881AbiF1BEa (ORCPT ); Mon, 27 Jun 2022 21:04:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242888AbiF1BER (ORCPT ); Mon, 27 Jun 2022 21:04:17 -0400 Received: from sonic301-36.consmr.mail.ne1.yahoo.com (sonic301-36.consmr.mail.ne1.yahoo.com [66.163.184.205]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A69B2237D9 for ; Mon, 27 Jun 2022 18:04:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378247; bh=nmEsFqWoYBqCdeY+npaal0/9kZnTY11aQGu0witiIJY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=kZjV5uwqjKiuoDa4p5TUgbstW9bYz1jV81nuMQdNwfPLqGLownndcTNkOd/Xf5pJ8V9pDYMG9V9cDjEwOuQu7FkPBkXn3jdj2/c4scy7sHgFNuPKXQTnh35oeUm9/nR16rmuHqNEnL6KuTV66Qv7ZPTVy9ej5GdZLm/GbJdAZRTGBrDs33yDRmeqLf0d3X2HouvLYXeBtj7mHU0id60upv5Mh11iddUBZeJLidra81jvKutABfwE3Wu+M16rHlsCdiRP9Y6JdNB6Zbj32vLPkEbOC7xrCN3WQ5KC5ReoYugDkPLymFGisHvpST6bdMOwDedCPBHQgK1t/qgm4O0hVg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378247; bh=wbHaa582LUoeYQeoh/+jg7KwS1x+/5YaJvDqYvvcto2=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Jg4DmEbP/MZzYwOQhqLzVQrYhG2gOubHc+a8hNz4FSkMuJVDBgZ/RNIScmVzMcG/SUFBJL1VZRPwNPhL2mNc7p6NLwDzHiKjl5YlCb7I3WMMIFBiN7JJwUfuWb+4R16lLg8wGjJvaWjLuogvnOiRigTOe9RQhAdwxhXXd2KUWRtD6t3GLQRs0EhGOR43u1Eopfd0rTiGepAeoKNtYzYjQ/+AUdfws79q2pfSRsHZWJloJ/tA4Ej5sfAiTH4jy21k2hd+E/tjmeHarn7DYQsn2bY4SyLxU4nEeyFuVY8UlULiDDHSojbBvE3MrYbBoEhjdziJ2yEw7YF0TDNPwmnDaQ== X-YMail-OSG: ShVfbiUVM1k_9XCpzPiwi58xeRh4Yk75VWvavbqMfn1i5hcSRsE1EXsnibZzKKG HWkEOjSu8k0jBB1A5BH3A6WizgDVM69DwZSbS9yPizSpAPjKxYBXSAPuuSGK59xixfvozVxzGpfK Aep0HVvR6TPpKePpcUQlsn29SFghnw5.IwFg.OzjQ7VMchReirY2WUE5xeENaXXu4kCXKOw.I4nA Wwy12Xlw3VrZUpAF_Vm55AzJZt37clh4pFksi4aM8NTAZVh8Mz20rG8lvocwCvQulVUIX.ZFwnYS DkRf1cGFL6Bs93CVVUpHtJqAW2RACuoRkqwafhJS5.R6GzS9FeuTnfLbHH6s0S9jIqVlLlhdv3eQ D3hJsrNHk7PibbSb7kA4lRIbJutSLihuB2FbRFe44s_oR1ZLZmiov6RDTxMQVcCEtjrrBwbHbexi xwKdHPrBOtZ1fmx7aNQPMYQEF7XJ72PnI_kRYkReMyPz6n.5DCGQmHSlxOYpeoMlKI45UnsAbw9h WTDNkKhPsO5LooM2MTlDVBiJEASYwbQjSF3uhbVUTs2YzoxR3vGvTOCpQ0GqCq2NTSWv48dok2Py UbW2VVBProHLvSEiL5mEvtNOhVSZIAtmzhra0ZmC3ssMQ_v8qVY8lm6VZuh2nfm6TM4lVxX3t2YW IL9UohUTlj0RaJfAmN_8Lk4KSjFiduljlCfOCkZAifKPI9pPNE7xAWcOYaxB2o3y05JOTb8WNKKr sWeV1BIXNw7BVG6uot4qOqXvejZkznvPApX8SjRyy8A75PQVfLuZgNIg7do.67Eamrj24Nr1ylsK y5ZxlOdMyughOGedml6TF9KF5CvkpQ_v9k2GZ62EMPuVt6IqMhsQUXvwzhOLfoi_Soq2tUAHwGBr fPS90CUltmA4ZG..gaPeOdQpexFkyOdKaPPVwA9dRmG7Ane.kg5llyHpilmotR4D4XG.G2uobR4. x8C9YYg9kAUQn7ujqzZ1TDkA8ChCKHgBy.4rSJ290ywwnKWClwD8ThKHpbVP0hRUATIActFJ6wLr cuXCugPxPtWSakLYQq6OHfe_KLSCEDqGTorDa5j593yVXoziZdp9wKml1CZ0LL5fzl1nQoo2hkKJ yrwFg1V5CMongg0Ob5EjrXEH6U.Hv_uVci0UWdQ7a8w_BFM6nePOBz3GltCGUUKEGQvpDa87TwXk KDwXoW8_6w9fuLK8crgKvdJUZwYWa7MmnSXj27OTKLs7IJZR9j2VSNHMe44_sHnb75nSti6LGzPy 2JcKISuXJTwoCtOJ.9LDjvcarGrXRm3hTCAs.bWHHlOzHEk8u5Sdwu32yLcGS8baZPk8ZyD5TY7X QrUGdqdx5WmGRoHBhqk3WVgne2KgWmBGr8SSp4nppO4qsIhNmIXWRRGd2002UL4561wynVqDVzEL iyfaboWZRNLj_q.NkKI_Eb8zp4iwt3sMFwSlOslnNj3EnFfVUNgoqvMbzFwW2WC.t6TwnKQqGuVh iofQOYUaC74FoAvwgBg1.3f3ccrJxmW_9UEXjGJUbNmCT7uu2PHW3sqokYif7Kv5f3s0bTPGIEkG xsow4St1Kpv5hKF9YKKic0A08LA5PB6MQHnvqTVVmMwlAZBfovnwrHicJMa95DoftFPhCCIa0qYl GMD2hHfaoFkonZUoqeptK.D7WGHn.STXfmhVsfBcsGS698b8hd.0HFf8JFk7Eofv0o3MNvDf54yb kpGEv8.7S7Emza1Zrp.H.yzEEifcSfctiHR.MSmL8RdR_GgdxCjIGWt1E_RMPAHQP3j.X_kh9JTZ 0YTE2Bz1tqz7jtsQ.pNAS4_woOHebulcBk6wFS9hN0kzznn1KGGJvv.6olQFTRkxQiT00IoekmL8 Q_wEYM6bzZTvT5zp3PcfJ5z2LU7b37gFmuCMYQPYT7t6TsZ.B_3tyc2xIYm9ja4mljFgqH9ivXR7 B5uVtVWzop4zQZ2.SLdgiitjHgq82BCTCtgq5ISKjE2t9W6yM2paOZlVeRcpoeMlKVjT7Cfp9Mnq jfjrMjBKsMvSr4x3t0OYPTE5MjGfIz8.YrPopl5_m.fFMXlAiRE0nL3HRJSo3Kh69twtN5B6zIv. 8HMAL.L6mFVtajbwF12Q4BgQdGibeZ1iVlQJqZg3Az.wFCEa_286A5h0zTIQnpeXSTHZn8Qqt378 9hsOqVy77BQFqGKxYpOPusCZfQ4Qad0xVcM7XgMw6JcUZops_lYjrMN5kRDtgKvJT2GW11pJS848 QgA6V8jPfRyCLkC12g3o8JBvL9GvjuVFifTmBylWulofScFXpHXSKWD7d.dJjBJRPna4tVKQ8GG1 rcH86PItUP_3aJdf5BaZ.N8k9LZZpIsq2Ma_IBNtYyWNVsbvpr9QVnEBcPtBg303X X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic301.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:04:07 +0000 Received: by hermes--production-ne1-7459d5c5c9-fdkvw (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7521274ed3fde3701c40279c1a2b59fb; Tue, 28 Jun 2022 01:04:01 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v37 11/33] LSM: Use lsmblob in security_current_getsecid Date: Mon, 27 Jun 2022 17:55:49 -0700 Message-Id: <20220628005611.13106-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible secids for possible reporting. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Cc: netdev@vger.kernel.org --- drivers/android/binder.c | 6 +-- include/linux/security.h | 31 ++++++++++++--- kernel/audit.c | 16 +++----- kernel/auditfilter.c | 4 +- kernel/auditsc.c | 25 ++++++------ net/netlabel/netlabel_unlabeled.c | 4 +- net/netlabel/netlabel_user.h | 6 ++- security/integrity/ima/ima.h | 6 +-- security/integrity/ima/ima_api.c | 6 +-- security/integrity/ima/ima_appraise.c | 11 +++--- security/integrity/ima/ima_main.c | 57 ++++++++++++++------------- security/integrity/ima/ima_policy.c | 15 +++---- security/security.c | 25 +++++++++--- 13 files changed, 124 insertions(+), 88 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 4ead3360a1c0..f25a867063e5 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3054,16 +3054,16 @@ static void binder_transaction(struct binder_proc *proc, t->priority = task_nice(current); if (target_node && target_node->txn_security_ctx) { - u32 secid; struct lsmblob blob; size_t added_size; + u32 secid; security_cred_getsecid(proc->cred, &secid); /* - * Later in this patch set security_task_getsecid() will + * Later in this patch set security_cred_getsecid() will * provide a lsmblob instead of a secid. lsmblob_init * is used to ensure that all the secids in the lsmblob - * get the value returned from security_task_getsecid(), + * get the value returned from security_cred_getsecid(), * which means that the one expected by * security_secid_to_secctx() will be set. */ diff --git a/include/linux/security.h b/include/linux/security.h index 029c23719a5c..ce4a4af362f3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -222,6 +222,24 @@ static inline u32 lsmblob_value(const struct lsmblob *blob) return 0; } +/** + * lsmblob_first - secid value for the first LSM slot + * @blob: Pointer to the data + * + * Return the secid value from the first LSM slot. + * There may not be any LSM slots. + * + * Return the value in secid[0] if there are any slots, 0 otherwise. + */ +static inline u32 lsmblob_first(const struct lsmblob *blob) +{ +#if LSMBLOB_ENTRIES > 0 + return blob->secid[0]; +#else + return 0; +#endif +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -504,8 +522,8 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_current_getsecid_subj(u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_current_getsecid_subj(struct lsmblob *blob); +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1201,14 +1219,15 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_current_getsecid_subj(u32 *secid) +static inline void security_current_getsecid_subj(struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 2acf95cf9895..2834e55844db 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2178,19 +2178,12 @@ int audit_log_task_context(struct audit_buffer *ab) char *ctx = NULL; unsigned len; int error; - u32 sid; struct lsmblob blob; - security_current_getsecid_subj(&sid); - if (!sid) + security_current_getsecid_subj(&blob); + if (!lsmblob_is_set(&blob)) return 0; - /* - * lsmblob_init sets all values in the lsmblob to sid. - * This is temporary until security_task_getsecid is converted - * to use a lsmblob, which happens later in this patch set. - */ - lsmblob_init(&blob, sid); error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { @@ -2399,6 +2392,7 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; + struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2409,7 +2403,9 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_current_getsecid_subj(&audit_sig_sid); + security_current_getsecid_subj(&blob); + /* scaffolding until audit_sig_sid is converted */ + audit_sig_sid = lsmblob_first(&blob); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 15cd4fe35e9c..39ded5cb2429 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1339,7 +1339,6 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; struct lsmblob blob; pid_t pid; - u32 sid; switch (f->type) { case AUDIT_PID: @@ -1369,8 +1368,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_str) { - security_current_getsecid_subj(&sid); - lsmblob_init(&blob, sid); + security_current_getsecid_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, &f->lsm_rules); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 94537d1feb9a..e5530bbfc83b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -467,7 +467,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob; unsigned int sessionid; @@ -676,17 +675,9 @@ static int audit_filter_rules(struct task_struct *tsk, * here even though it always refs * @current's creds */ - security_current_getsecid_subj(&sid); + security_current_getsecid_subj(&blob); need_sid = 0; } - /* - * lsmblob_init sets all values in the lsmblob - * to sid. This is temporary until - * security_task_getsecid() is converted to - * provide a lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, &f->lsm_rules); @@ -2770,12 +2761,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding - until target_sid is converted */ + context->target_sid = lsmblob_first(&blob); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2791,6 +2785,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2802,7 +2797,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + ctx->target_sid = lsmblob_first(&blob); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2823,7 +2820,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + axp->target_sid[axp->pid_count] = lsmblob_first(&blob); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 0a99663e6edb..bbb3b6a4f0d7 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1562,11 +1562,13 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getsecid_subj(&audit_info.secid); + security_current_getsecid_subj(&blob); + audit_info.secid = lsmblob_first(&blob); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index d6c5b31eb4eb..34bb6572f33b 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_current_getsecid_subj(&audit_info->secid); + struct lsmblob blob; + + security_current_getsecid_subj(&blob); + /* scaffolding until secid is converted */ + audit_info->secid = lsmblob_first(&blob); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 1b5d70ac2dc9..f347d63b61e7 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -255,7 +255,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); @@ -286,8 +286,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index c1e76282b5ee..8c48da6a6583 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -166,7 +166,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @mnt_userns: user namespace of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: secid(s) of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) @@ -196,7 +196,7 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(mnt_userns, inode, cred, secid, func, mask, + return ima_match_policy(mnt_userns, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data, allowed_algos); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index cdb84dccd24e..9ef8210e901f 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -73,15 +73,16 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_current_getsecid_subj(&secid); - return ima_match_policy(mnt_userns, inode, current_cred(), secid, - func, mask, IMA_APPRAISE | IMA_HASH, NULL, - NULL, NULL, NULL); + security_current_getsecid_subj(&blob); + return ima_match_policy(mnt_userns, inode, current_cred(), + &blob, func, mask, + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, + NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 040b03ddc1c7..5d6029ac52f0 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -199,8 +199,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -224,7 +224,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid, + action = ima_get_action(file_mnt_user_ns(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL, &allowed_algos); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && @@ -405,12 +405,13 @@ static int process_measurement(struct file *file, const struct cred *cred, */ int ima_file_mmap(struct file *file, unsigned long prot) { - u32 secid; + struct lsmblob blob; if (file && (prot & PROT_EXEC)) { - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + security_current_getsecid_subj(&blob); + return process_measurement(file, current_cred(), + &blob, NULL, 0, + MAY_EXEC, MMAP_CHECK); } return 0; @@ -437,9 +438,9 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ @@ -447,11 +448,12 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_current_getsecid_subj(&secid); + security_current_getsecid_subj(&blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, - &pcr, &template, NULL, NULL); + current_cred(), &blob, + MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL, + NULL); /* Is the mmap'ed file in policy? */ if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) @@ -487,10 +489,11 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_current_getsecid_subj(&blob); + ret = process_measurement(bprm->file, current_cred(), + &blob, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; @@ -511,10 +514,10 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_current_getsecid_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -710,7 +713,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the @@ -730,9 +733,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + security_current_getsecid_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { @@ -760,7 +763,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -773,8 +776,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, buf, size, + security_current_getsecid_subj(&blob); + return process_measurement(file, current_cred(), &blob, buf, size, MAY_READ, func); } @@ -900,7 +903,7 @@ int process_buffer_measurement(struct user_namespace *mnt_userns, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; @@ -923,9 +926,9 @@ int process_buffer_measurement(struct user_namespace *mnt_userns, * buffer measurements. */ if (func) { - security_current_getsecid_subj(&secid); + security_current_getsecid_subj(&blob); action = ima_get_action(mnt_userns, inode, current_cred(), - secid, 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b04733a5d066..5c2bc6782e17 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -563,7 +563,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @mnt_userns: user namespace of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the secid(s) of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -573,7 +573,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, + struct lsmblob *blob, enum ima_hooks func, int mask, const char *func_data) { int i; @@ -657,7 +657,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, rule->lsm[i].type, + rc = ima_filter_rule_match(lsmblob_first(blob), + rule->lsm[i].type, Audit_equal, rule->lsm[i].rule, rule->lsm[i].rules_lsm); @@ -702,7 +703,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM secid(s) of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend @@ -718,8 +719,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { @@ -737,7 +738,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, + if (!ima_match_rules(entry, mnt_userns, inode, cred, blob, func, mask, func_data)) continue; diff --git a/security/security.c b/security/security.c index 1e9c06607c39..1a4741178944 100644 --- a/security/security.c +++ b/security/security.c @@ -1916,17 +1916,30 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_current_getsecid_subj(u32 *secid) +void security_current_getsecid_subj(struct lsmblob *blob) { - *secid = 0; - call_void_hook(current_getsecid_subj, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.current_getsecid_subj, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.current_getsecid_subj(&blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_current_getsecid_subj); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_obj, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_obj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_obj); From patchwork Tue Jun 28 00:55:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897405 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB55BCCA480 for ; Tue, 28 Jun 2022 01:07:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242874AbiF1BHT (ORCPT ); Mon, 27 Jun 2022 21:07:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242689AbiF1BHS (ORCPT ); Mon, 27 Jun 2022 21:07:18 -0400 Received: from sonic304-28.consmr.mail.ne1.yahoo.com (sonic304-28.consmr.mail.ne1.yahoo.com [66.163.191.154]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01128205EB for ; Mon, 27 Jun 2022 18:07:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378434; bh=aw7sdlRZ8+yTH4ZutWyqDOvJ3351w3XteiZy62cDUVM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=YY3r3riZc5HbOfs1ic71Qou6blZT/88EC6ngwEPCvV9b9cpIUKvxLDXQ3QmD2Wr8pwUzrx8kLEzaVl942vQrjVqfFmwUSh91lR4MAZiBOJLITUDTIEq28dt91ghMiCDRLpuk4pkW8bDrDzTpMYqM5HN/S8ghvQks2pvikPlyYAJlz0TiDg4fscTB/YlbO84VYVdDX07go28lGNLhWGwBp3g4o6kGIhr+pQxIpLGGV1DQjUuReIgXoNgpENMQd5Fl6keA+LuvQ+sgIajg3C0V7PsoUnfBwR6edguomDAMtk1JFNkyfsXljcCmTU2nXXnR6JftzLVlClUCY2sSHbafkA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378434; bh=8a8JxfEKsl4hP/RPXhvPmjxxfyzvrLjdGGuivDs/i8j=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=QzDolqyQvbaT/HFve69pyXUkioiPYQCRGyC0x4LRgAtay2osjmTpsW7TAyRcb9mYkAQAd1CfcmV4GLVKY6f56rngB8mAguVedevjbmW8Nf2otDppW/0RXjWGf8k8yJE2ubz8V2Xk1DEpdS2f1OjIJIvEiTcCuktZHsE/gOvwrnNBCi8Q2pk+0x8eOrUCxVB7SC9WXeN/PTG5gRq2YSs4i3pbF2jHG2WZyfEvECqEefeMP1TBi4mFtVHrF7VnPSF6czNL4O5lvHknandJcANHQWY2ENNQ5a6boDfT4J6l+rbsqcPLXH688zwbjxGYAwuChZ58/LwNdt4PckltadmXUQ== X-YMail-OSG: BbX5a8YVM1kl0nymA5_sb.E2emLuMr8Qnnz2kRiSToGaxeefgOUzTChJXMPlQTa yZPOd.IkJ3u7gJ_hul50fUbt38PtctvZL7cBgaAMDkRlyI81DEN8Px.LXoPfqEFbiorYyLpLUQri YmvKp3loecIEMnn4NEaywv.3bW4m1MXe_Zz19Y.R0oZbYH7CPXWU_dQ6U98TClQD.K8k4uD7NU_M a3pFSRbnYf9RbRzzjde3kZhepxVvbIGIwPsftbc_BA8BXvBhhpk7EYyvCKIdEzDEzkiFounJcdJP wtCksL7hyhK08v2o1.lAkh70162SyN3.S0eO5agnmsDk3HATjT5JNH4FOuDbMlwJrWrAm.4V8eZy uLdWkXWizImwt4FpwYLWiv43zEhbisVqNRkpIRbjj2guzlk1CVDqdTI9WcVHLhcK0Q7XUs8fUuO9 YTMbIGxQqlMrDHcQK6i5vBN4FiVYaNDoVlLkeQIquRa5YdOcUKRPRBLgrRCgBszBG8XgZbU1QbAH oErJS1wiHvxaknYKfJmIK6vPo_YR8B.ZOfblH7Lb3YhJn7lja3cg87DTVen65VVsMpCoWSM8o2.D ck_zkEFBnnTCI0DClKOt.delWEF8owamdYW_VHs7tmQzEDIWq6fFLywugjax9eQ2JxqFDR8g9040 MVanoYx0pjuaEJby94tqucTxp0i1PlHHcHkASVK4AkvGoISHfBWVjXN9ICp2oSwLkaqMwEZXPi5i m7KN0eNbf7fgINAnZax0PxTjoMdl2BDhAHlrWHDJdiKseoi28lgYZIHTvyNKqnL5qe8o6u7Xre7Z AXV6jnAy92s07tPXyTuYmm1nmglLdQg0E2YmQjYeti8ye8fm2fHgclTWiVDKyGvmoO2XaTpihgiA 87QQ42J5hatGyD9wCfwhQImN9BJ3BrR8xIB6UEhjlQRuMu3mjsZXYqRzvngjrIJND._D2jv0dMZF ZT4zMo_TrjrdNhvrKE7vbsJq7enyFfKgPZln2jWT_glfC3znc4RSROL6DRYyB5o65dKW.PbxEcw5 pqlhPu4u2uPk4feS4tR6od1tXc0km92QD98OVfxjAlMGLTD07JFfnwSqbvzFth91.rKHTNdTW9dM dgh6y8weZXojz8Ri3RkZijVgTYP1pwtlB3dkgHTGIyjUj8TW05anEq_ho0fdPAKcCZ2fH8kTPSf8 KbRKq10cSCmo_apxyz5uHYz1LJKj1vna4M2zhlmNNty3BoTdTZ_NFhwBqWd2xsgIRrpEfji_q0Dj 6_EJrWXll74C.5FvF_FevNDkVqGF9nTgDW_6B1Qt9IERoxdzHJOPIucqLOo5i0rXDKTZ6Jrivky7 _MyJAMOYAdzc67jglh.npV.4T94jKJZOD2aE.oHmQSX_VHYYlhuXJpvPLN0cn0LrbNfblTOFTHZS RXXILoStZM8GvxViETAvjHXQMKYLit31zIAaZ7UMlZscEXcunHSAUssXV6JGZP4JY4AVLNktvH2I HtfAAV4yTnkpe_rkZoUHnoxxcLdY.oRP_s7Q3zlzKfYVcmHxfEGfqbtyHcxRXOnyI.2BcVKZ9pMN 3jxvCGzKjN.nbDGSkCEOo9vjD.lI3EmQaRN5mTmb_ttULAR00dGQyOVHC8QsKb5yx41lJxwrkIjF fVtBw2HOKJ99sOEaNnLUwWLWPCkEP3qH6Iaif3Aoy0S_y5dCecJ1eqv7kmynwQFHvnNRPq2NRXfF UjXtqM9pt3SC36beAgV.gZV0TZCV_A9Wz5AcYRqGPl0i6rBcYLKgyx4hd_gbdwHbYNU3gKbxP6fP .mc.YtgJdrwXmwE51XCKaGYAPdJptwds5Qfuc5RTvciMWRujhpvx3FTvoyc1HvjB0yEBGKsrJ58u pxrhvs.FrQtsqnkXxdkqVwmiC9YanaSLkE.SsrT9gsbaStdoVC3SNmoiTqeIU87rnEd1vT8aNvaG dQ6_tZ4bpv5poWo.Vs3GWh_kE2yA9TQzl7hciRBUZYNLU9C7qVK528jg3MS34r1PxDgQ.20X5zZy NnckRrOv9f3e.IloOxFN_qeqPoL6VfDkNfaJr4iTpkM5tTbRZHKWjV58fKPR6QHWSQszZlPGhXTq 9bnX5IWL41MEYzwUjZ1EYyX1uMRlyGZhfuNQLIu32LlhuZHtg6m.w.JzWOwPrkFoIopU_ihPzviD oqRmcIWVhLkiJpihDVUKp84pkyn.SAtC.uicsz1e1avV52Vxsn4f.w.n5O7p1x_ar6ArW5vlZ1.b zzpDiFdTyHuYpCuqzxyErN_9tnYSoqLe6c7jXSqD1v34PagBtPepfNzpNUrIEbzdC7MJh_ekJazq Jv62nkJWb3S6kY4F6eDIhnHfL_x0dw_qdxHZENyMAhIGFiKpYbSsxWObm.O2XAueV X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:07:14 +0000 Received: by hermes--production-ne1-7459d5c5c9-fdkvw (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 2b15a6d5cfb14c238c7aa5ef58eb279b; Tue, 28 Jun 2022 01:07:12 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, Chuck Lever , linux-integrity@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v37 15/33] LSM: Ensure the correct LSM context releaser Date: Mon, 27 Jun 2022 17:55:53 -0700 Message-Id: <20220628005611.13106-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org --- drivers/android/binder.c | 10 ++++--- fs/ceph/xattr.c | 6 ++++- fs/nfs/nfs4proc.c | 8 ++++-- fs/nfsd/nfs4xdr.c | 7 +++-- include/linux/security.h | 35 +++++++++++++++++++++++-- include/net/scm.h | 5 +++- kernel/audit.c | 14 +++++++--- kernel/auditsc.c | 12 ++++++--- net/ipv4/ip_sockglue.c | 4 ++- net/netfilter/nf_conntrack_netlink.c | 4 ++- net/netfilter/nf_conntrack_standalone.c | 4 ++- net/netfilter/nfnetlink_queue.c | 13 ++++++--- net/netlabel/netlabel_unlabeled.c | 19 +++++++++++--- net/netlabel/netlabel_user.c | 4 ++- security/security.c | 11 ++++---- 15 files changed, 121 insertions(+), 35 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c2f71c22a90e..9c1ed7fbda87 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2783,6 +2783,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ struct list_head sgc_head; struct list_head pf_head; const void __user *user_buffer = (const void __user *) @@ -3116,7 +3117,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; @@ -3532,8 +3534,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index f141f5246163..4c4dad4713b6 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1391,12 +1391,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index c0fdcf8c0032..d6bdb0868729 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -133,8 +133,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 61b2aae81abb..512ad208d62a 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2830,6 +2830,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -3341,8 +3342,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index a7a445bac8ce..a20fc156c697 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -137,6 +137,37 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules * @@ -589,7 +620,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1453,7 +1484,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 23a35ff1b3f2..f273c4d777ec 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index f67f1eb7f4fa..23c8f8cbe8a6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1214,6 +1214,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1471,15 +1472,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, struct_size(sig_data, ctx, len)); @@ -2171,6 +2175,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_current_getsecid_subj(&blob); if (!lsmblob_is_set(&blob)) @@ -2185,7 +2190,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fa3cfe569ce2..9ed58db58965 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1121,6 +1121,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -1138,7 +1139,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); @@ -1398,6 +1400,7 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1432,7 +1435,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1594,6 +1598,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1602,7 +1607,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 933a8f94f93a..70ca4510ea35 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen, secid; @@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index ddc8cd65ed12..da36301e2185 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -348,6 +348,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; /* lsmblob_init() puts ct->secmark into all of the secids in blob. * security_secid_to_secctx() will know which security module @@ -368,7 +369,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 2c1f3280d56e..644dec6a8ef5 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -179,6 +179,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -187,7 +188,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 6269fe122345..f69d5e997da2 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; ktime_t tstamp; @@ -634,8 +635,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -643,8 +646,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index bbb3b6a4f0d7..b3e3d920034d 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -508,7 +512,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -545,6 +551,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -574,7 +581,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1093,6 +1101,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1163,7 +1172,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index d60bc6abaa40..e434f085afab 100644 --- a/security/security.c +++ b/security/security.c @@ -2373,16 +2373,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + break; } + + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx); From patchwork Tue Jun 28 00:55:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897406 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 865D1C43334 for ; Tue, 28 Jun 2022 01:07:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242889AbiF1BHU (ORCPT ); Mon, 27 Jun 2022 21:07:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35106 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242858AbiF1BHT (ORCPT ); Mon, 27 Jun 2022 21:07:19 -0400 Received: from sonic308-16.consmr.mail.ne1.yahoo.com (sonic308-16.consmr.mail.ne1.yahoo.com [66.163.187.39]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B108A22B3A for ; Mon, 27 Jun 2022 18:07:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378436; bh=NiIy7QTRHRBgsiIQdXsX4B3Vyj7nqIbe7567Auk3J/c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=qVH/ePa1/z8/2Vsga/biVeWphhZ90NZhQ1SJUC28DQlEP3L9UiJ1lEt3juzdHFvWG2kjpGNnSRi/BHLfuX2eupv8JTcV+ifsBJCTzPexSThSBIi4xL6j5nY1tDuMvPUX4prsaRSlO3X0x3M3BiMxh8ZvXdASW1kStMDyZZKkv40jj+P7lXTh5cj/9WL4dJTZWcNruk3AwAvNPAdL2AaRceTDxHOKPsut9pcwdHuiYHW2css+IBV0E/b855m59Btwo2WIl4prHZIjuKDb1yKoksYLvJ8bjmdt/GTluVvAmaIZru5wtHs+1O9fOSe8PMbyRvHtHf+q/0SS7XhIyZjlwg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378436; bh=3gU2HMZCIPTZiSHJ9otTH1fOOzaT2zwYSHaOITXlrog=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=iafgohqCG2zHGaMh+bZjuZ13VLtARkND+mPfXlt6mDxc55qViT9OafMkWUkPTfFqLA4BZiuL9amKtrV+zv5ZLeneU0hqQ9qCRddB95V5CTyABTxlrmmK11xjWBHxcgW7tONqFRuCJyXAL5WJlduhDNAdV/Fj9k2mT3hFu4BnFhlVZ6aH9NI6U/Yg9lB5bCkvu5cqeiHfyz0mnVvtZ9hy/6PFhqc+e6C5x6GJzePwF6BXR+NWcqw8l6XaPLxTVYQTpEKeom/Cg19Y0xPQJvm22yAFcF7oetCfgu/OP2NjKXA+d6ulGKUkUaGZoQe1N/k5ktDUKNoz5KK0aRnGDVtrTg== X-YMail-OSG: PnwVhmMVM1m6b.R0tG5V7YfW4k6wWmnw0bx8Yyi1KaPDkwQQigqgzcIf.8iUw0e kYa3koc6gIs0.088Nh1Z.KEHLhelAqFq9OztJM7Auu5.Q2YtfNg_aITFh2u.sHRdbT1SQ.4YvjIP POYkEFc9nawyeO.pjc9oG36pl0dmr4nj9DT8TaDufvSMIh9KtbKVcpJJeDnQ4uqZgcYqx0Uo4Em9 yhIGnB7Yen4ZJ55QNAUgnKk0HT0df79m.XBP33qzdClWGoYbzSdiFzsPCfcLz88O4L8i3oKVHhf6 .90lrnGQYA1_GK6sprq9UBdPRY3.fO6UCXQjbPhgodNu8Y509H9DCBqce3kVvtsTXTK94pnjt_SB ECX2IroD6S28QdjEm6BVnuP.c2AKZmQ1uqwCnMclMpR2qxk6tnWMUHwSGEwxQSc_PdL9vvtUclZ2 O.Yu7jC3bVGk.6P_YH0bKiDd5QSjbo.oOldP5mPFZayCoGO1ujQ3ZT8PHFKzuC6VQ9yNfCz6UbRH R_YJVY8HqAjonN5MOqD4gl5JEG6W5Iw38eEgOMgARONhWStfbZDqsGUlT_a6EvYb2pv556gwWAW7 upoq0GwyTbg04AQBYjjqaZuORoL_DBG6HahPSiIMEfUbPOjsaTRWavAHyRRaTk6ZnVL7_TcZfw59 jYPDss43gcefKKwUXmaMcGU.sHeby8dWvOQTWfBKhcdQ54yO5chvC4fUc5zg73QCPaQ95GPZjLpl hjBNDvdLLN1aX9BkqUNKTN3E9LLBEv.bSq_KRyCPJSPwkVVpG1O92QhUmQcD_OsOpw6vxuhEht_m zWvhpyJ4rx7b33ynjPeqQ704eMFz7nolVsz1PPBIGTJK30CnzqOBW5bSEk.F3LSVEiJ.JY5pHKO3 o3DSn52JYczlbPeFJ1VQF4vvZ2cBQatQjXV1Yrjp1QIMc2lYZP6UCg..lRBB2xfNf5msJqrK0AM. ZpNEkbAhID9GqhFiQlJH69cnTrbwZMqyBBNw_jIgkcV1CO__.iiTJxZinzNptwKL.5AVXBdQ7tJq xVXQK2viTR48cquk59OXnOq9lbXSnPc_WfgWZB0wqq2z4Icl7RTioaDGG93bM50fVpxZGFhJwALI yLHkcpKK0TjBBXNdssftDEW0R0IFsb7m3jmpphdmghIz3gQuUlcIJAE.PLBpJod2rTLnisOVP6Ar .gUXgA6U_gdacFh6EhHk__uj8.tPOSmfIslM0Oi6x1LjDcbSBGIkqNF5PtHWE2wZ9PBgsjOUaWtw SOaA0pBrVw6xLfbMJYElOtyFqrbCZbEJmpoS1COaql4P5LI2FmGBnR9EPaKBcdTkAeBu0SSO0cCS 9z_F2pSQamhDub2IZKgwyD6TvY3WxCHTMHuCDTwSdqm9Q.CPu5Q0KAEe8onOmANZuka.us_wTX3v le8.A6NQ129XVBnsxO0xnkogKWHuNoaaS0vMr9P3WabeFD.1fdgNjnZbrTEpDGcz3m.KJEvgbdSN uppUNu5DRvqIfVwS.3qb6x33X64x7oaE.sHDAf4.3wSJi.wCcefWTcxsUTPNCH1sbzN.NCGvWbN4 yjQrQc0KEEWm2QUBBYZAXVeYqvBUj4pYx8_4LYXt1NlCADNMnQNzb8_A8ew1H5M7.VOGn5uDBHTm zKpNiPWV.iV4GnMdF7CDF_SoWoDrdOFYCvGXLiCmHecFhnGKY_FG1_1H1uFfU1IADJHL4vN0myrr F.OOB8pvRGcjSriPBYjhdQv6D1nyYrLeG.BR0BqmIjW9kLLruE35iMsrchSjrToVCDRKHqgi6FDT jXaR5SDUPEkwhyPbqs8ZLzbmHYP4IvruRnw35ZL6as7L5UHy64zBIou5wrK5.v03Fs1K44D8BcJu .KZwqBcr5GDEm6OfWorPtevJ6qEYPQFNZaCZBweyNBukyPT3unSZJDRG_nwCeKxdADQCNobgk0mp hosTuSVgZiAC9CrHDNgY0P4bfbPkV_1s5pB.DCi2_Fn76XiHh5UeN0cWTJ_76i2hM3ytz587IKM1 M8WBhqoD7OFBvId7xcKtMS0esMR8pYWiQSRrWlZC.oG_MBWEM6bM8SG1gaNsErMI0B0WjYaWfkZW whj.O2ZXA_I9pi3EHkwRbqTYVLwIyGnpokJlEzIIBrX1Vxta61grYswvUqFGsjS9AT.ReUirNxy4 FPgFZCdH2j_qG0dsHTkCsa0OHpnX4OQ1cwsrBHGgVzCTAbJO4jsOG8pK1x4ZnH_uWD2f7KjpZhDD zuWCQj8L1zwh1lHBB2mM_xHV5LuMFx1eaqfqBoVrZUWxksZXcntkaQpfNByIWj_3sYHmacl93SvY N6BDnsIfk8Rac_3PdFHqMRNrPth8ZWSR75SjCJvflmTpzhUhyWHBThNydb6sD9C5q X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:07:16 +0000 Received: by hermes--production-ne1-7459d5c5c9-fdkvw (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 2b15a6d5cfb14c238c7aa5ef58eb279b; Tue, 28 Jun 2022 01:07:14 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v37 16/33] LSM: Use lsmcontext in security_secid_to_secctx Date: Mon, 27 Jun 2022 17:55:54 -0700 Message-Id: <20220628005611.13106-17-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_secid_to_secctx() will now return the length value if the passed lsmcontext pointer is NULL. Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org --- drivers/android/binder.c | 26 ++++++--------- include/linux/security.h | 4 +-- include/net/scm.h | 9 ++---- kernel/audit.c | 42 +++++++++++-------------- kernel/auditsc.c | 31 +++++++----------- net/ipv4/ip_sockglue.c | 8 ++--- net/netfilter/nf_conntrack_netlink.c | 18 ++++------- net/netfilter/nf_conntrack_standalone.c | 7 ++--- net/netfilter/nfnetlink_queue.c | 5 ++- net/netlabel/netlabel_unlabeled.c | 40 +++++++---------------- net/netlabel/netlabel_user.c | 7 ++--- security/security.c | 29 +++++++++++++++-- 12 files changed, 99 insertions(+), 127 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 9c1ed7fbda87..8ae1a624cd37 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2781,9 +2781,7 @@ static void binder_transaction(struct binder_proc *proc, binder_size_t last_fixup_min_off = 0; struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); - char *secctx = NULL; - u32 secctx_sz = 0; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext lsmctx = { }; struct list_head sgc_head; struct list_head pf_head; const void __user *user_buffer = (const void __user *) @@ -3059,7 +3057,7 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_cred_getsecid(proc->cred, &blob); - ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); + ret = security_secid_to_secctx(&blob, &lsmctx); if (ret) { binder_txn_error("%d:%d failed to get security context\n", thread->pid, proc->pid); @@ -3068,7 +3066,7 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { binder_txn_error("%d:%d integer overflow of extra_buffers_size\n", @@ -3102,24 +3100,22 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - secctx = NULL; + security_release_secctx(&lsmctx); } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; @@ -3163,7 +3159,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { @@ -3534,10 +3530,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) { - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - } + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/include/linux/security.h b/include/linux/security.h index a20fc156c697..5afd0148a1a5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -617,7 +617,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1472,7 +1472,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index f273c4d777ec..b77a52f93389 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -94,8 +94,6 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { @@ -103,12 +101,11 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc * and the infrastructure will know which it is. */ lsmblob_init(&lb, scm->secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - /*scaffolding*/ - lsmcontext_init(&context, secdata, seclen, 0); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len, + context.context); security_release_secctx(&context); } } diff --git a/kernel/audit.c b/kernel/audit.c index 23c8f8cbe8a6..6500d97ce9ad 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1212,9 +1212,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; - u32 len; - struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1462,33 +1459,33 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) kfree(new); break; } - case AUDIT_SIGNAL_INFO: - len = 0; + case AUDIT_SIGNAL_INFO: { + struct lsmcontext context = { }; + if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_secid_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_secid_to_secctx(&audit_sig_lsm, + &context); if (err) return err; } - sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); + sig_data = kmalloc(struct_size(sig_data, ctx, context.len), + GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) { - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); - } + if (lsmblob_is_set(&audit_sig_lsm)) + security_release_secctx(&context); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + memcpy(sig_data->ctx, context.context, context.len); + security_release_secctx(&context); } - audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, - sig_data, struct_size(sig_data, ctx, len)); + audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, + struct_size(sig_data, ctx, context.len)); kfree(sig_data); break; + } case AUDIT_TTY_GET: { struct audit_tty_status s; unsigned int t; @@ -2171,17 +2168,15 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { - char *ctx = NULL; - unsigned len; int error; struct lsmblob blob; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext context; security_current_getsecid_subj(&blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &ctx, &len); + error = security_secid_to_secctx(&blob, &context); if (error) { if (error != -EINVAL) @@ -2189,9 +2184,8 @@ int audit_log_task_context(struct audit_buffer *ab) return 0; } - audit_log_format(ab, " subj=%s", ctx); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + audit_log_format(ab, " subj=%s", context.context); + security_release_secctx(&context); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9ed58db58965..25a6c2a5b4b3 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1121,9 +1121,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmcxt; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1134,13 +1132,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &ctx, &len)) { + if (security_secid_to_secctx(blob, &lsmctx)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } audit_log_format(ab, " ocomm="); @@ -1400,7 +1397,6 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1425,17 +1421,15 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (osid) { - char *ctx = NULL; - u32 len; + struct lsmcontext lsmcxt; struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmcxt)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); + audit_log_format(ab, " obj=%s", lsmcxt.context); security_release_secctx(&lsmcxt); } } @@ -1595,20 +1589,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (n->osid != 0) { - char *ctx = NULL; - u32 len; struct lsmblob blob; - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmctx)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 70ca4510ea35..ad5be7707bca 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -132,8 +132,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen, secid; + u32 secid; int err; err = security_socket_getpeersec_dgram(NULL, skb, &secid); @@ -141,12 +140,11 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; lsmblob_init(&lb, secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context); security_release_secctx(&context); } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index da36301e2185..8bd6ce5f9e93 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -345,8 +345,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + int ret; struct lsmblob blob; struct lsmcontext context; @@ -354,7 +353,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; @@ -363,13 +362,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, context.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); return ret; } @@ -662,15 +660,11 @@ static inline size_t ctnetlink_acct_size(const struct nf_conn *ct) static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK - int len, ret; + int len; struct lsmblob blob; - /* lsmblob_init() puts ct->secmark into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, NULL, &len); - if (ret) + len = security_secid_to_secctx(&blob, NULL); + if (len <= 0) return 0; return nla_total_size(0) /* CTA_SECCTX */ diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 644dec6a8ef5..5003acf79794 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -176,19 +176,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { int ret; - u32 len; - char *secctx; struct lsmblob blob; struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", context.context); - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); } #else diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index f69d5e997da2..35c3cde6bacd 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; + struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; @@ -317,10 +318,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, secdata, &seclen); + security_secid_to_secctx(&blob, &context); + *secdata = context.context; } read_unlock_bh(&skb->sk->sk_callback_lock); + seclen = context.len; #endif return seclen; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index b3e3d920034d..12e5d508bd08 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - char *secctx = NULL; - u32 secctx_len; struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && @@ -444,12 +442,9 @@ int netlbl_unlhsh_add(struct net *net, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + if (security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); @@ -482,8 +477,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -509,11 +502,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -552,8 +543,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -578,10 +567,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -1104,8 +1092,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct lsmcontext context; void *data; u32 secid; - char *secctx; - u32 secctx_len; struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, @@ -1165,15 +1151,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(&blob, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + context.len, + context.context); security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index ef139d8ae7cd..951ba0639d20 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; if (audit_enabled == AUDIT_OFF) @@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " subj=%s", context.context); security_release_secctx(&context); } diff --git a/security/security.c b/security/security.c index e434f085afab..b52c7c55a092 100644 --- a/security/security.c +++ b/security/security.c @@ -2337,18 +2337,41 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) +/** + * security_secid_to_secctx - convert secid to secctx + * @blob: set of secids + * @cp: lsm context into which result is put + * + * Translate secid information into a secctx string. + * Return a negative value on error. + * If cp is NULL return the length of the string. + * Otherwise, return 0. + */ +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int ilsm = lsm_task_ilsm(current); + if (cp) + memset(cp, 0, sizeof(*cp)); + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { + if (!cp) { + int len; + int rc; + rc = hp->hook.secid_to_secctx( + blob->secid[hp->lsmid->slot], + NULL, &len); + return rc ? rc : len; + } + cp->slot = hp->lsmid->slot; return hp->hook.secid_to_secctx( blob->secid[hp->lsmid->slot], - secdata, seclen); + &cp->context, &cp->len); + } } return LSM_RET_DEFAULT(secid_to_secctx); From patchwork Tue Jun 28 00:55:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897451 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56463C43334 for ; Tue, 28 Jun 2022 01:09:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242961AbiF1BJF (ORCPT ); Mon, 27 Jun 2022 21:09:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36740 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241842AbiF1BJB (ORCPT ); Mon, 27 Jun 2022 21:09:01 -0400 Received: from sonic304-28.consmr.mail.ne1.yahoo.com (sonic304-28.consmr.mail.ne1.yahoo.com [66.163.191.154]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 382A222511 for ; Mon, 27 Jun 2022 18:09:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378539; bh=WZac+aRC2uz0l+4S4NGEdN/ZurgpD1tHTTaIIPo8luY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=MEg/maQSHSDdAcI9zGAkeKXDVjKIGt61Qd1Vic8eeD5uhfV33dNpkr1P/HByTB0zpeKi79f+rujd5kzVZDp40AebzMlOAFGaq0Fdm6aDIQ7fLUF65jjW80M6UXwl4PSYqyPIcs52P4NHWqo+vgLUJTHDPwOGAZfKxfpwcz/0y+4X7Qg+mKaxWlRNor9oemYXwx8ko0AXR3QZjPXyeLeQXAVAuVNkQZqwXz9wcbjZxam5s52WOM6KILcqcRIE1Q5zbpLf7RxA093twl+tFylgqFXekS8UekxJlndI746ZaCsw+Y3trfyzX+2COVP7XrjmYMvRPNaCHCA60bdCzAJxCA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378539; bh=tG6rYld6ccFoLx1nGWc2NfgcUdU9kaJjHLKNE4hYq58=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=h0rD2pl2xUd2jYdkli744YAHvjsUnppTWBQM7ymC6ZTtntz4v2EAobJBnF0VbIGm0IGOFSFpwdmRm0zDM114tigxM/Phe80nS07Nol1vzUL4K+IklR5WDjuBGPSq6VAMSQ+a0CssyrqqyK8aY2BNwY7dSne/wlT6FOpQb1mmRK4jAezs1pBpokpZXjRwlNoPOHjy82E3pf46xLs8Xoc7MrQsxkbtC5VscfqisY7gji7aBmeuCmuheTu49nARQgWvQ2+4+vnXi0vrfRpXV6VsPXEwwk0InUM8AYpXVDR0GQAuuVJXBuOc+lk2G86EuYkIEipjOGoMsKliNCUMGoyVHg== X-YMail-OSG: QRWirEgVM1l5I0DmvR10bTKnmlIF60OqpETy7C7c9cuK0C3bzInsf5agnbzChnI KkMPQGQltsdYQRbBU3hXqFKSI2dIG3aIKGM1y0M.Gvlajg5b0erGVqhrzz_.srypzCmoQ3F2ee7G WIZfF7feymV1Zn48kW0KedF1l1YBsn9pPJznY3UGLtpbAz6S0n9l9kUom2JzItAwAlWjVgawij4U K6LEQDW_YIcM4ECfvt6ZAhsPQGkBZmGwfbseKlfHuGPB_n8ygmmBGtAuA3qPH3wAUDXNDexCXl2l ck99dtg3gbFq1tmAMaTF7.ZGW9av3qacOtF.5dUY1n8Le7bBNtrn5ROE27vNxs7UnD7jNieQSgVw 6uY3B.M.huz6Vd._5_5FfqLljEOYtfCIuddiIJc0ueIlX9D81j8lmiXAFJCZPrc_mmkxBX.4sYoj Hd9VPRqLx8zzTZai_eJ5rZdV629KNRnZvNTD3OvIg9YzmiSdsSjdiXALTII2fR4a_47p.RtdFtva ho8DBZ3Sw8xmzyc7AUYvJma5lgz_BhuID.PPa4Lgy_2AC6jREXNoIJgTyWCxvYDGXSC3NqNKBCaq CFOTtUV3T4x3TtvQ537_IiW9VlPhQ81YX6m_vuch5rsThSxBKLNZ.lUP_uJhcCtQhbSa.Qj8qCVx .LsJjxqkmRwtWVwZXZLSy3AVHVbsmnoV3xbJArbcMWQqmvzeQX31NY0oUF3EWtz_xMhQqezxG1JB 8XWWUe5__rBT9R.oB9qbuPDnw6IoSwzEcRqHzElH_hPZ7JvyDOeatqtLwLI9pUDMk_C6l5wcsbT_ iAhNcx4szGeKmLSjRoPaHg0_RRLDQ1hYu9AaF8OmTaTU0SA5Pl11_mXufLO3Lf6Za3hTYw5LzdnG GREmM6azOJSg3xkYnVdXYe.5ZPbepuPzye8Ao8vYDPQkfaryOke2h7DK.IBlElHvoKXRwMWt.pJF oBxKLhK0HvyldAGGxbssQuSUnDi0F3ZHtNX_PkciCQOT8YWkbZMdZI77vw9J0DND_r_J_jLosWAW ZDeg.vK2pwMmbdWHtCiivFWAWOPAY.8BSXtPqsk.gXoTQIC4tgX6kBoioFDD5Ar9ZMYXn7kC4ETK n8UuqxW7OAgyCw1UNC.V_Ny3DYufDzEYl9BNMC0GrCbo6SnMGU_rS_SE6F5_NdF2Xt8pJ0KUKoWl XCXazn.rvXpBNoLakvGBqNcwySLNQ9mW8ad9r0f7BS5B3ErMdEhiLrsIj0ep4r4OnA3nuNdkrvKR AP0mUvfK6Hny01jvsWMhgfmDjAzxtpHxAk2js7uVq6saEyPEYTdCKnvIBEtE3IK16uSeLBeZLca5 y0BI_1joODZnAJGb5g.QYMRF3SiSsQ_uxXOO8ZvG22vh5B354VJC.ycyb3KUoYdyA67sQrw80Ym. 8QI2zHOGP87TaZUkOi8hXlQ2cfvV1m1NImxTs4silEnM9uH8eIavQZU8AV_Dh.6GjOVSV2CTJ3fE PElpQsjp4KhOZyfNcI7ywW1f_LPjSIx4KcJiBxrglIyxQBkdxvEA34HLi5ls2ftVtM0LMBmfgV.K 5Qi79FeE5Yjs.rEeS.kOSyGMVz1CXBzOsE8gh5Kv9LdSPqna90DgP4u2tqtJVoi8mJ6UBACLH0X4 e8ARht0w9i3Xo9JtAQnvkpkpZ7faRM4gkS714uYXhOcph8I7gNe2Tw2P1zl12aPlL42pTE1iSUEX m15COFGqV7JTaBk9kh_3nIgj5MErrvSmaPzRGyw3dsnurlJ9r21O_yG1C3qXZbOoeMciZd4H4foe 6JUrHZJ5tk6Udz9ieHI0SLmL4VK0R2Zps6Q8AOoFEmOK.rXShrO9T.zVp5Wf4pZHrvJiN4kNvqL5 gYz53lGLwgl3j14XHSV0d3WmtpV8P9Jw4cyIDqyZKicFqEV_AD0B.eVpjsi.kVWqMqBEq864GGvC Fj73ptuoBx2JwLmK2rmKINtGSsg107YZwpvg_yI10VzqwNzfsw1e2GSiRQp6RqZB1RoaDLLCPQR_ 5YhZkS4y.bE73VMlgQVH3yLUvpKfFXt6Mrr4ZEiym_L3dmoM2INwFTyo.tPN0ddw41xWs0COXip0 PF7wHhjFu3r3j9oR3X_Ox9DE7sAySPZ7GAA6zE3U8WBypjCcsnLOUUcgy3ezBlxHFVl1T12xgspQ iE60tQNBwAQCSZqi9Cyi_xvnrMSceufBXzU_tQzFuVgWtdRFw3yEugE_hOFPfSf2.DM6Z1N5ZIgp NB1uAawWQEhbnSTQWuBqvYyberh49yJh_8Yo7sqzQ2rMGybjfS5RYPconlI.1.ndi6cenMSkNFY3 mono- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:08:59 +0000 Received: by hermes--production-bf1-7f5f59bd5b-fj9wt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 05fbaa230dcbeea0318fe174d0a2d20b; Tue, 28 Jun 2022 01:08:54 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, Pablo Neira Ayuso , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v37 19/33] LSM: security_secid_to_secctx in netlink netfilter Date: Mon, 27 Jun 2022 17:55:57 -0700 Message-Id: <20220628005611.13106-20-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org --- net/netfilter/nfnetlink_queue.c | 37 +++++++++++++-------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 35c3cde6bacd..f60a0b6240ff 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) { - u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; - struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) - return 0; + return; read_lock_bh(&skb->sk->sk_callback_lock); @@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, &context); - *secdata = context.context; + security_secid_to_secctx(&blob, context); } read_unlock_bh(&skb->sk->sk_callback_lock); - seclen = context.len; #endif - return seclen; + return; } static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) @@ -397,12 +393,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, struct net_device *indev; struct net_device *outdev; struct nf_conn *ct = NULL; + struct lsmcontext context = { }; enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; - u32 seclen = 0; ktime_t tstamp; size = nlmsg_total_size(sizeof(struct nfgenmsg)) @@ -473,9 +467,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) - size += nla_total_size(seclen); + nfqnl_get_sk_secctx(entskb, &context); + if (context.len) + size += nla_total_size(context.len); } skb = alloc_skb(size, GFP_ATOMIC); @@ -610,7 +604,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (context.len && + nla_put(skb, NFQA_SECCTX, context.len, context.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) @@ -638,10 +633,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return skb; nla_put_failure: @@ -649,10 +642,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return NULL; } From patchwork Tue Jun 28 00:55:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12897452 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBEF1C43334 for ; Tue, 28 Jun 2022 01:09:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242130AbiF1BJV (ORCPT ); Mon, 27 Jun 2022 21:09:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242964AbiF1BJF (ORCPT ); Mon, 27 Jun 2022 21:09:05 -0400 Received: from sonic301-36.consmr.mail.ne1.yahoo.com (sonic301-36.consmr.mail.ne1.yahoo.com [66.163.184.205]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F296122511 for ; Mon, 27 Jun 2022 18:09:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378542; bh=D1JsPsnCVN0+jqrYq4LFS3OvZjCufzqNfNeCL92tKX8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=WriS1hX9aPFkg7+2hLWZC0zYRNl+FZabHbW89LdJl3qGKK8B3HIe+EBiRhW0yyq3tNdVQHWVH+1kJk/L9ReLge52mWKpLYxBzTeprfaWisjLp1SY5zSXs2isMSWYXXRfJq7Hi7U8VPKJscUBjEC6Llryl2GI1eGZHSux2TFkZqZVqJWVyGoLbH667g8MpxmKP1C0kprnC1o2SnsmeQROgMPlYjfK0Lckr0lfUM+Ppy6ME+OKUWqm92TVOvkd0TGefhsy1rAP+1UEnZergbVw/CyULY5svyFKMVhns+815s9u8GA5bNS4Z0mWv07l//8hn9mggg1jkfgGXswCTl+2Iw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1656378542; bh=tbOjgeAv4/DLNTiLg+E/EKrNcLq6lLIP/YSlvzCg3+N=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=GyrIcxJ5VY+n7D33gA4Gv9FJVwXROpqGqvLCz34zJAiPn6g9DJLTLZKH/+uev6tAaVBZ85Jl2THgbKYJCsJQXCelYnCDWrku/z7/56SUnoOjG4zsh7H/2wZm2HdzxOZzT7K0TQHEqz9VBdS+fKGMKRCupv5I4p2x5I0zv/Jg+1vNxfKHGDe4ZOQWbtwgJ95ZigFKqg9k5Fx2vG/tmMz9S2jGnXixJYBS9IYXxNM5FpyAV1Yjcfn/QXYO6g1J3DK3HtIkgMioO0j+z4Rh6nRcTVj3g0TuayU/znejP42N1I9/iEiPbiIF0aWOtqY0bvV3/GTeTDEEZ31fs5zish0yUw== X-YMail-OSG: Uo0AqoIVM1mA6f015e5WJkK4ZGIfCskhQpQtmW6yQ9NQSRtGW3OnGjYBEwDT4iL r5xbMKuoNBhZ0ihRrvGvXyHIdQBV75iYzJvcpeZsm.zepjw_bw.UwwEZI58rReNGAAdTT7GpWo45 v4x8YgSBp5pV12hftXOFvlTgr9jJQFhy2S2v.hHa7KZzymQRidFJItqFpLCmq_zFZt.._zkOy1rc Mr7g5ANatpyNemrYmKEyUI7S0XcbYCQnYE_Ed4pzu31HKeoFKxrMH1MW_Qga7uFOfS2xGJBhTN4K bgtRENOZhgn8W_OcqhRrv9S57ZQgrOBNQofrQKUpd6EM.xZYXn3YdcKzvQHy3Vv2n4ga638hLzB6 xNqienqYagS6e0W.em5MLwgUyFMpwiZLiSdl.4XooX6QMrAN5Dj9v2xpH2RxWSk.s7BGnux9rLKS nFAZjZaG3hLOaHlaBIB_cqRMVS64E70CK3ddS._BVj3mJlboksQoLSwyiut9c2Oq5yNqbilgTXdk 5wX68eZQUJ87NvlcHtD0vrhDgDQzII_DQHwKXRE.6QyjM_Cn6vaz6RhMiqs1rYJAEC8TV1iQZL3. WgpPO57iBr8eHZXXy8S.XWBXw6f_M6ewDMtXg2lczCAioIBnBnl_Nz1sgE8UKLKiInRMm4f3ADzZ t2NjteqwaYpHnXcjaDA9dBPr_cUiptwL7uX6lgiFRgHZDU1hI5PC5DYW62PZE2c4QYYRljh9AouG a6CxoXyn8nl4aiTFeUfShSddFwCAfg9Hr5DNdjRIHFpJt6lcnIMomUjt1TfKlNxltsD7yek8V.wX ZIfXwLCoG97wVzhEQmQZYCKUYmcjwADeSa6yVIPRR1APpTKK_8rt778WU0US7YH3QXfYQsTTMU7g EfHH8fkID9ZDlPoP5z1GPKimk.JEiHnhgpKAeIelsvgfkBNdyKhx78F38hRxXYnJmsbGv2GBSqwK OZ1S3siymcNZrO5O44E9isXeAlNaE0QRylS5TYCwPpvrrqsExzn5F8ZI6XpOZ9HZVTxPw.nxBCDX hID0Juw5rUUJlidvBjOfP2aB8XiiNebZsi1KEO16WXWsDDfQbGOKt6nguQNvkyj8P71xd8uAJqJ6 Psn2bdrIq_Y4LaVAQ5OFtNeipdpwIMT0KABbwc35YnrLu6glszHTkXlkRNIIWwSp0U11.CVpPUUY 8FFntk18RQhlylbU_GJw6A.upVOUrH4nwHU539eov.pi7FVxpFnGlAcLp1MUOiybsMUazLvAJHq7 HztbO.zcAFtFYWamZVUw28fuxfAF5siGuEf7fgBvgNN3eTq5nPcwy32z2qVeVkiGnVlp4Pks89Rx FgC9b2DcIvNO6OUJLFzWElgT_Hv0PG634AILLt01cYbpFDW2_o7YwuDk7gAOdRgDA3NfYZ7aJXoS AKCEe8Ypy6Wn8HVuVj6K6_.rS_IsCClWe7sbi1W.pUILyOVSGjspNGxpddBosiTCBMjuQRHz7dPf VVrFusiHBB4roRmOi3e.BJFRDPk0LHnqv.UmFjh43E1Z7dFH0GRcl9klk2CgtJnmoZhvyI2pUHVN _dstJy_9d3IqPfhrrciGfrzWlEtZNShg4bU7Os1izEhabXGvJBDdYCAkrOE1JMAf3mzQo1oND5Gv c__QuiDWRD8rajxGTA7hkkzk9tIq.aht32I91Z4f_dCx3kxn5ZqtlqKHVl9BYiHZqpcRXn9BIoxJ r2LgD4W2U.vq2FSfLFm5Eb6ow_rs4xzonKMCgQh7XZKIWUy_Qkm_OFASl9ZLkhj0lO.FONDUdftR H4Wfs9fHqPHX_mMDNdA0zemwjzsLVmu289vzU9FrX9DaNuZ36pll.fwZ9kTRP4uWgaXymvHQ4wAK AO9dloOKLkah9XUOunUZLfaGtkvtp44X9k2sdq7QRxHIjyGm5oieaeE82avKlrEPUsILc5Y5zDC6 QEUjghh.ZlXYD76GVaoOBwwjd6kAfyE_CBTPs8.0IYk.ndDtgT3aTx68JsDVoZ0PfgcMwsYsE6LC sZz2X6rEVKyHMvKXenNHaT_LSzgeZmu3kFR8wkk5pquI.FoKZ35qlNr8etER0ZQBRrhZBbyFu06E dRDZnRv5jy9NM6KaIA5rBJsoai0rKdEiqr0wOyz3rOgFcbqm6lP43yip98ooItEzluITSgrnnqJ2 _HTaQeRGhF.XlCqBFDkcDVP.ykBhuhMUPQ7Q_eBJFzwWEGxq8HmFj0JOL0zJZPs1u6aWwBWlaW.c Ek_LB.yXJSB9o_BiqjPHtdTwOUgwUbw9h4cra96e1x.autKNOKxUUQvkLjOIr0wyUV2wJwL_4139 202K6ROB9D6DP5bqwlCJVNz47.WTa_ZmA_Og_5Q-- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic301.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Jun 2022 01:09:02 +0000 Received: by hermes--production-bf1-7f5f59bd5b-fj9wt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 05fbaa230dcbeea0318fe174d0a2d20b; Tue, 28 Jun 2022 01:08:56 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v37 20/33] NET: Store LSM netlabel data in a lsmblob Date: Mon, 27 Jun 2022 17:55:58 -0700 Message-Id: <20220628005611.13106-21-casey@schaufler-ca.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com> References: <20220628005611.13106-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Netlabel uses LSM interfaces requiring an lsmblob and the internal storage is used to pass information between these interfaces, so change the internal data from a secid to a lsmblob. Update the netlabel interfaces and their callers to accommodate the change. This requires that the modules using netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4/cipso_ipv4.c | 26 ++++++---- net/netlabel/netlabel_kapi.c | 6 +-- net/netlabel/netlabel_unlabeled.c | 79 +++++++++-------------------- net/netlabel/netlabel_unlabeled.h | 2 +- security/selinux/hooks.c | 2 +- security/selinux/include/security.h | 1 + security/selinux/netlabel.c | 2 +- security/selinux/ss/services.c | 4 +- security/smack/smack.h | 1 + security/smack/smack_access.c | 2 +- security/smack/smack_lsm.c | 11 ++-- security/smack/smackfs.c | 10 ++-- 13 files changed, 68 insertions(+), 86 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 43ae50337685..73fc25b4042b 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -166,7 +166,7 @@ struct netlbl_lsm_catmap { * @attr.mls: MLS sensitivity label * @attr.mls.cat: MLS category bitmap * @attr.mls.lvl: MLS sensitivity level - * @attr.secid: LSM specific secid token + * @attr.lsmblob: LSM specific data * * Description: * This structure is used to pass security attributes between NetLabel and the @@ -201,7 +201,7 @@ struct netlbl_lsm_secattr { struct netlbl_lsm_catmap *cat; u32 lvl; } mls; - u32 secid; + struct lsmblob lsmblob; } attr; }; @@ -415,7 +415,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, @@ -523,7 +523,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { return -ENOSYS; diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 62d5f99760aa..bb9c900da6b0 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -106,15 +106,17 @@ int cipso_v4_rbm_strictvalid = 1; /* Base length of the local tag (non-standard tag). * Tag definition (may change between kernel versions) * - * 0 8 16 24 32 - * +----------+----------+----------+----------+ - * | 10000000 | 00000110 | 32-bit secid value | - * +----------+----------+----------+----------+ - * | in (host byte order)| - * +----------+----------+ - * + * 0 8 16 16 + sizeof(struct lsmblob) + * +----------+----------+---------------------+ + * | 10000000 | 00000110 | LSM blob data | + * +----------+----------+---------------------+ + * + * All secid and flag fields are in host byte order. + * The lsmblob structure size varies depending on which + * Linux security modules are built in the kernel. + * The data is opaque. */ -#define CIPSO_V4_TAG_LOC_BLEN 6 +#define CIPSO_V4_TAG_LOC_BLEN (2 + sizeof(struct lsmblob)) /* * Helper Functions @@ -1460,7 +1462,11 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def, buffer[0] = CIPSO_V4_TAG_LOCAL; buffer[1] = CIPSO_V4_TAG_LOC_BLEN; - *(u32 *)&buffer[2] = secattr->attr.secid; + /* Ensure that there is sufficient space in the CIPSO header + * for the LSM data. */ + BUILD_BUG_ON(CIPSO_V4_TAG_LOC_BLEN > CIPSO_V4_OPT_LEN_MAX); + memcpy(&buffer[2], &secattr->attr.lsmblob, + sizeof(secattr->attr.lsmblob)); return CIPSO_V4_TAG_LOC_BLEN; } @@ -1480,7 +1486,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { - secattr->attr.secid = *(u32 *)&tag[2]; + memcpy(&secattr->attr.lsmblob, &tag[2], sizeof(secattr->attr.lsmblob)); secattr->flags |= NETLBL_SECATTR_SECID; return 0; diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 54c083003947..14ebe0424811 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -196,7 +196,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, * @addr: IP address in network byte order (struct in[6]_addr) * @mask: address mask in network byte order (struct in[6]_addr) * @family: address family - * @secid: LSM secid value for the entry + * @lsmblob: LSM data value for the entry * @audit_info: NetLabel audit information * * Description: @@ -210,7 +210,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { u32 addr_len; @@ -230,7 +230,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, - secid, audit_info); + lsmblob, audit_info); } /** diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 12e5d508bd08..910a03f15b0d 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -66,7 +66,7 @@ struct netlbl_unlhsh_tbl { #define netlbl_unlhsh_addr4_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr4, list) struct netlbl_unlhsh_addr4 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af4list list; struct rcu_head rcu; @@ -74,7 +74,7 @@ struct netlbl_unlhsh_addr4 { #define netlbl_unlhsh_addr6_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr6, list) struct netlbl_unlhsh_addr6 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af6list list; struct rcu_head rcu; @@ -220,7 +220,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) * @iface: the associated interface entry * @addr: IPv4 address in network byte order * @mask: IPv4 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the @@ -231,7 +231,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, const struct in_addr *addr, const struct in_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr4 *entry; @@ -243,7 +243,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, entry->list.addr = addr->s_addr & mask->s_addr; entry->list.mask = mask->s_addr; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list); @@ -260,7 +260,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, * @iface: the associated interface entry * @addr: IPv6 address in network byte order * @mask: IPv6 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the @@ -271,7 +271,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, const struct in6_addr *addr, const struct in6_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr6 *entry; @@ -287,7 +287,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; entry->list.mask = *mask; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list); @@ -366,7 +366,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { int ret_val; @@ -375,7 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -408,7 +407,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in_addr *addr4 = addr; const struct in_addr *mask4 = mask; - ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); + ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, lsmblob); if (audit_buf != NULL) netlbl_af4list_audit_addr(audit_buf, 1, dev_name, @@ -421,7 +420,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in6_addr *addr6 = addr; const struct in6_addr *mask6 = mask; - ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); + ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, lsmblob); if (audit_buf != NULL) netlbl_af6list_audit_addr(audit_buf, 1, dev_name, @@ -438,11 +437,7 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - /* lsmblob_init() puts secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -477,7 +472,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -496,13 +490,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, (dev != NULL ? dev->name : NULL), addr->s_addr, mask->s_addr); dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -543,7 +532,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -561,13 +549,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, (dev != NULL ? dev->name : NULL), addr, mask); dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -921,14 +904,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * - * instead of a u32 later in this patch set. security_secctx_to_secid() - * will only be setting one entry in the lsmblob struct, so it is - * safe to use lsmblob_value() to get that one value. */ - - return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, dev_name, addr, mask, addr_len, + &blob, &audit_info); } /** @@ -975,11 +952,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* security_secctx_to_secid() will only put one secid into the lsmblob - * so it's safe to use lsmblob_value() to get the secid. */ - return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, NULL, addr, mask, addr_len, &blob, + &audit_info); } /** @@ -1091,8 +1065,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct net_device *dev; struct lsmcontext context; void *data; - u32 secid; - struct lsmblob blob; + struct lsmblob *lsmb; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1130,7 +1103,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr4->secid; + lsmb = (struct lsmblob *)&addr4->lsmblob; } else { ret_val = nla_put_in6_addr(cb_arg->skb, NLBL_UNLABEL_A_IPV6ADDR, @@ -1144,14 +1117,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr6->secid; + lsmb = (struct lsmblob *)&addr6->lsmblob; } - /* lsmblob_init() secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &context); + ret_val = security_secid_to_secctx(lsmb, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, @@ -1510,7 +1479,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr4_list); if (addr4 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr4_entry(addr4)->lsmblob; break; } #if IS_ENABLED(CONFIG_IPV6) @@ -1523,7 +1492,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr6_list); if (addr6 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr6_entry(addr6)->lsmblob; break; } #endif /* IPv6 */ diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h index 058e3a285d56..168920780994 100644 --- a/net/netlabel/netlabel_unlabeled.h +++ b/net/netlabel/netlabel_unlabeled.h @@ -211,7 +211,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_unlhsh_remove(struct net *net, const char *dev_name, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 332214d17268..aaf602d7daaf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6999,7 +6999,7 @@ static int selinux_uring_sqpoll(void) } #endif /* CONFIG_IO_URING */ -static struct lsm_id selinux_lsmid __lsm_ro_after_init = { +struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", .slot = LSMBLOB_NEEDED }; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 393aff41d3ef..cfd6c1075b16 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -75,6 +75,7 @@ struct netlbl_lsm_secattr; extern int selinux_enabled_boot; +extern struct lsm_id selinux_lsmid; /* * type_datum properties diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 800ab4b4239e..0b8f99703462 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -109,7 +109,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( return NULL; if ((secattr->flags & NETLBL_SECATTR_SECID) && - (secattr->attr.secid == sid)) + (secattr->attr.lsmblob.secid[selinux_lsmid.slot] == sid)) return secattr; return NULL; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 69b2734311a6..b4a0570b48bb 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3896,7 +3896,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, if (secattr->flags & NETLBL_SECATTR_CACHE) *sid = *(u32 *)secattr->cache->data; else if (secattr->flags & NETLBL_SECATTR_SECID) - *sid = secattr->attr.secid; + *sid = secattr->attr.lsmblob.secid[selinux_lsmid.slot]; else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { rc = -EIDRM; ctx = sidtab_search(sidtab, SECINITSID_NETMSG); @@ -3974,7 +3974,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, if (secattr->domain == NULL) goto out; - secattr->attr.secid = sid; + secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid; secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; mls_export_netlbl_lvl(policydb, ctx, secattr); rc = mls_export_netlbl_cat(policydb, ctx, secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index ef9d0b7b1954..ac79313ea95d 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -303,6 +303,7 @@ int smack_populate_secattr(struct smack_known *skp); * Shared data. */ extern int smack_enabled __initdata; +extern struct lsm_id smack_lsmid; extern int smack_cipso_direct; extern int smack_cipso_mapped; extern struct smack_known *smack_net_ambient; diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index d2186e2757be..c6dcafe18912 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -524,7 +524,7 @@ int smack_populate_secattr(struct smack_known *skp) { int slen; - skp->smk_netlabel.attr.secid = skp->smk_secid; + skp->smk_netlabel.attr.lsmblob.secid[smack_lsmid.slot] = skp->smk_secid; skp->smk_netlabel.domain = skp->smk_known; skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); if (skp->smk_netlabel.cache != NULL) { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 552c4d4d8fac..2190c03ae3d0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3728,11 +3728,12 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) return (struct smack_known *)sap->cache->data; + /* + * Looks like a fallback, which gives us a secid. + */ if ((sap->flags & NETLBL_SECATTR_SECID) != 0) - /* - * Looks like a fallback, which gives us a secid. - */ - return smack_from_secid(sap->attr.secid); + return smack_from_secid( + sap->attr.lsmblob.secid[smack_lsmid.slot]); if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { /* @@ -4751,7 +4752,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; -static struct lsm_id smack_lsmid __lsm_ro_after_init = { +struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", .slot = LSMBLOB_NEEDED }; diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 4b58526450d4..314336463111 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -1144,6 +1144,7 @@ static void smk_net4addr_insert(struct smk_net4addr *new) static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { + struct lsmblob lsmblob; struct smk_net4addr *snp; struct sockaddr_in newname; char *smack; @@ -1274,10 +1275,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, * this host so that incoming packets get labeled. * but only if we didn't get the special CIPSO option */ - if (rc == 0 && skp != NULL) + if (rc == 0 && skp != NULL) { + lsmblob_init(&lsmblob, 0); + lsmblob.secid[smack_lsmid.slot] = snp->smk_label->smk_secid; rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, - &snp->smk_host, &snp->smk_mask, PF_INET, - snp->smk_label->smk_secid, &audit_info); + &snp->smk_host, &snp->smk_mask, PF_INET, &lsmblob, + &audit_info); + } if (rc == 0) rc = count;