From patchwork Sun Aug 25 19:00:36 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13776893
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH 01/13] LSM: Add the lsmblob data structure.
Date: Sun, 25 Aug 2024 12:00:36 -0700
Message-ID: <20240825190048.13289-2-casey@schaufler-ca.com>
In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com>
References: <20240825190048.13289-1-casey@schaufler-ca.com>

When more than one security module is exporting data to audit and networking sub-systems a single 32 bit integer is no longer sufficient to represent the data. Add a structure to be used instead.

The lsmblob structure definition is intended to keep the LSM specific information private to the individual security modules. The module specific information is included in a new set of header files under include/lsm. Each security module is allowed to define the information included for its use in the lsmblob. SELinux includes a u32 secid. Smack includes a pointer into its global label list. The conditional compilation based on feature inclusion is contained in the include/lsm files.

Suggested-by: Paul Moore
Signed-off-by: Casey Schaufler
---
 include/linux/lsm/apparmor.h | 17 +++++++++++++++++
 include/linux/lsm/bpf.h      | 16 ++++++++++++++++
 include/linux/lsm/selinux.h  | 16 ++++++++++++++++
 include/linux/lsm/smack.h    | 17 +++++++++++++++++
 include/linux/security.h     | 20 ++++++++++++++++++++
 5 files changed, 86 insertions(+)
 create mode 100644 include/linux/lsm/apparmor.h
 create mode 100644 include/linux/lsm/bpf.h
 create mode 100644 include/linux/lsm/selinux.h
 create mode 100644 include/linux/lsm/smack.h
diff --git a/include/linux/lsm/apparmor.h b/include/linux/lsm/apparmor.h new file mode 100644 index 000000000000..8ff1cd899a20 --- /dev/null +++ b/include/linux/lsm/apparmor.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * AppArmor presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_APPARMOR_H +#define __LINUX_LSM_APPARMOR_H + +struct aa_label; + +struct lsmblob_apparmor { +#ifdef CONFIG_SECURITY_APPARMOR + struct aa_label *label; +#endif +}; + +#endif /* ! __LINUX_LSM_APPARMOR_H */ diff --git a/include/linux/lsm/bpf.h b/include/linux/lsm/bpf.h new file mode 100644 index 000000000000..48abdcd82ded --- /dev/null +++ b/include/linux/lsm/bpf.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * BPF may present a single u32 value. + */ +#ifndef __LINUX_LSM_BPF_H +#define __LINUX_LSM_BPF_H +#include + +struct lsmblob_bpf { +#ifdef CONFIG_BPF_LSM + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_BPF_H */ diff --git a/include/linux/lsm/selinux.h b/include/linux/lsm/selinux.h new file mode 100644 index 000000000000..fd16456b36ac --- /dev/null +++ b/include/linux/lsm/selinux.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * SELinux presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_SELINUX_H +#define __LINUX_LSM_SELINUX_H +#include + +struct lsmblob_selinux { +#ifdef CONFIG_SECURITY_SELINUX + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_SELINUX_H */ diff --git a/include/linux/lsm/smack.h b/include/linux/lsm/smack.h new file mode 100644 index 000000000000..2018f288302f --- /dev/null +++ b/include/linux/lsm/smack.h 
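Review bot: the header comment in include/linux/lsm/apparmor.h says "AppArmor presents a single u32 value which is known as a secid", but struct lsmblob_apparmor holds a struct aa_label pointer, not a u32; reword it to describe what the slot actually carries, as the Smack header does ("Smack presents a pointer into the global Smack label list"). Related, the commit message places the new headers under include/lsm while the diffstat creates them under include/linux/lsm.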
@@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * Smack presents a pointer into the global Smack label list. + */ +#ifndef __LINUX_LSM_SMACK_H +#define __LINUX_LSM_SMACK_H + +struct smack_known; + +struct lsmblob_smack { +#ifdef CONFIG_SECURITY_SMACK + struct smack_known *skp; +#endif +}; + +#endif /* ! __LINUX_LSM_SMACK_H */ diff --git a/include/linux/security.h b/include/linux/security.h index 1390f1efb4f0..0057a22137e8 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -34,6 +34,10 @@ #include #include #include +#include +#include +#include +#include struct linux_binprm; struct cred; 
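Review bot: the four new #include lines in include/linux/security.h pull the per-LSM headers in unconditionally, and when an LSM is not configured its lsmblob_* struct has no members at all; a member-less struct is a GNU extension the kernel build accepts, so this works, but it is worth one comment above the includes saying that the CONFIG_ guards deliberately live inside the lsm/*.h files (so struct lsmblob always has every slot, possibly empty) rather than around the includes. Minor style point on the new headers: `#endif /* ! __LINUX_LSM_SMACK_H */` with the leading "!" is not the usual kernel form; `#endif /* __LINUX_LSM_SMACK_H */` is.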
@@ -140,6 +144,22 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* scaffolding */ +struct lsmblob_scaffold { + u32 secid; +}; + +/* + * Data exported by the security modules + */ +struct lsmblob { + struct lsmblob_selinux selinux; + struct lsmblob_smack smack; + struct lsmblob_apparmor apparmor; + struct lsmblob_bpf bpf; + struct lsmblob_scaffold scaffold; +}; + extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; extern const struct lsm_id *lsm_idlist[];
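Review bot: in the struct lsmblob hunk of include/linux/security.h, the bare `/* scaffolding */` on struct lsmblob_scaffold does not say what the member is for or when it goes away; spell out that `scaffold.secid` carries the legacy u32 secid for callers not yet converted and is to be removed at the end of the series, otherwise it reads as a permanent sixth slot. The comment on struct lsmblob should also state the convention the rest of the series depends on: callers zero-initialise the blob (`= { }`) and a module treats a NULL pointer or zero secid in its own slot as "not set", since the struct now mixes pointers (aa_label, smack_known) with u32 secids.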
From patchwork Sun Aug 25 19:00:37 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13776894
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match
Date: Sun, 25 Aug 2024 12:00:37 -0700
Message-ID: <20240825190048.13289-3-casey@schaufler-ca.com>
In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com>
References: <20240825190048.13289-1-casey@schaufler-ca.com>

Change the secid parameter of security_audit_rule_match to a lsmblob structure pointer. Pass the entry from the lsmblob structure for the appropriate slot to the LSM hook. Change the users of security_audit_rule_match to use the lsmblob instead of a u32.

The scaffolding function lsmblob_init() fills the blob with the value of the old secid, ensuring that it is available to the appropriate module hook. The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the blob structure later in the series. At that point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler Acked-by: Paul Moore Reviewed-by: John Johansen --- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 7 ++++--- kernel/auditfilter.c | 11 +++++++---- kernel/auditsc.c | 18 ++++++++++++++---- security/apparmor/audit.c | 8 ++++++-- security/apparmor/include/audit.h | 2 +- security/integrity/ima/ima_policy.c | 11 +++++++---- security/security.c | 7 ++++--- security/selinux/include/audit.h | 5 +++-- security/selinux/ss/services.c | 11 ++++++++--- security/smack/smack_lsm.c | 11 ++++++++--- 11 files changed, 64 insertions(+), 30 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 855db460e08b..1d3bdf71109e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -416,7 +416,8 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) +LSM_HOOK(int, 0, audit_rule_match, struct lsmblob *blob, u32 field, u32 op, + void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) #endif /* CONFIG_AUDIT */ diff --git a/include/linux/security.h b/include/linux/security.h index 0057a22137e8..c0ed2119a622 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2071,7 +2071,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule); void security_audit_rule_free(void *lsmrule); #else 
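Review bot: the commit message describes a scaffolding helper lsmblob_init() that fills the blob with the old secid, but no such function appears anywhere in this diff (check the diffstat); every caller assigns `blob.scaffold.secid` directly under a `/* scaffolding */` comment. Either add the helper or reword the message, since its last sentence ("At that point the use of lsmblob_init() is dropped") otherwise refers to nothing. For the lsm_hook_defs.h and security.h prototypes themselves: the hook now takes `struct lsmblob *blob` and none of the module implementations check it for NULL, so note in the kernel-doc that blob must point at a zero-initialised, non-NULL lsmblob.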
@@ -2087,8 +2088,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index d6ef4f4f9cba..c4c7cda3b846 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1339,8 +1339,8 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; + struct lsmblob blob = { }; pid_t pid; - u32 sid; switch (f->type) { case AUDIT_PID: @@ -1370,9 +1370,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_current_getsecid_subj(&sid); - result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + /* scaffolding */ + security_current_getsecid_subj( + &blob.scaffold.secid); + result = security_audit_rule_match( + &blob, f->type, f->op, + f->lsm_rule); } break; case AUDIT_EXE: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f0d6fb6523f..23adb15cae43 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,6 +471,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob = { }; unsigned int sessionid; if (ctx && rule->prio <= ctx->prio) @@ -681,7 +682,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + /* scaffolding */ + blob.scaffold.secid = sid; + result = security_audit_rule_match(&blob, + f->type, f->op, f->lsm_rule); } 
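Review bot: in the kernel/auditsc.c hunk, `struct lsmblob blob = { };` is declared once at the top of audit_filter_rules() and reused for every field of the rule, whereas the kernel/auditfilter.c hunk above declares a fresh `blob = { }` per field inside the loop. Use the per-field form here too, or re-zero blob before each `blob.scaffold.secid = ...` assignment: the moment a module hook fills its own slot from the scaffold, the subject SID loaded in the AUDIT_SUBJ_* case is still sitting in that slot when a later field loads an object SID into blob.scaffold.secid, and the hook will see a populated slot and ignore the new scaffold value.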
@@ -696,15 +700,19 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { + /* scaffolding */ + blob.scaffold.secid = name->osid; result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + /* scaffolding */ + blob.scaffold.secid = n->osid; if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rule)) { @@ -716,7 +724,9 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + /* scaffolding */ + blob.scaffold.secid = ctx->ipc.osid; + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rule)) ++result; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 6b5181c668b5..758b75a9c1c5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -264,13 +264,17 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule) { struct aa_audit_rule *rule = vrule; struct aa_label *label; int found = 0; - label = aa_secid_to_label(sid); + /* scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index 0c8cc86b417b..c5a516e61318 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h 
@@ -202,6 +202,6 @@ static inline int complain_error(int error) void aa_audit_rule_free(void *vrule); int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 09da8e639239..40119816b848 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -635,7 +635,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; + struct lsmblob blob = { }; if (!lsm_rule->lsm[i].rule) { if (!lsm_rule->lsm[i].args_p) @@ -649,15 +649,18 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, + /* scaffolding */ + security_inode_getsecid(inode, &blob.scaffold.secid); + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, + /* scaffolding */ + blob.scaffold.secid = secid; + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); break; diff --git a/security/security.c b/security/security.c index 8cee5b6c6e6d..64a6d6bbd1f4 100644 --- a/security/security.c +++ b/security/security.c @@ -5399,7 +5399,7 @@ void security_audit_rule_free(void *lsmrule) /** * security_audit_rule_match() - Check if a label matches an audit rule - * @secid: security label + * @lsmblob: security label * @field: LSM audit field * @op: matching operator * @lsmrule: audit rule 
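Review bot: the kernel-doc for security_audit_rule_match() in security/security.c now documents `@lsmblob`, but the parameter in the prototype is named `blob`; kernel-doc will warn about a documented parameter that does not exist. Make it `@blob: security label (struct lsmblob)`. The IMA hunk above is the shape to copy elsewhere: it declares a fresh `struct lsmblob blob = { };` per lsm rule inside the loop, so no slot can leak from one iteration to the next.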
@@ -5410,9 +5410,10 @@ void security_audit_rule_free(void *lsmrule) * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on * failure. */ -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule) { - return call_int_hook(audit_rule_match, secid, field, op, lsmrule); + return call_int_hook(audit_rule_match, blob, field, op, lsmrule); } #endif /* CONFIG_AUDIT */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 29c7d4c86f6d..104165e4c931 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -41,7 +41,7 @@ void selinux_audit_rule_free(void *rule); /** * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check + * @blob: includes the context ID to check * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against @@ -49,7 +49,8 @@ void selinux_audit_rule_free(void *rule); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *rule); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e33e55384b75..43eb1d46942c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3633,7 +3633,8 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; 
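Review bot: the `Return:` line in the security_audit_rule_match() kernel-doc still reads "Returns 1 if secid matches the rule" although the function no longer takes a secid; say "if the label in @blob matches the rule". In security/selinux/include/audit.h, "@blob: includes the context ID to check" would be more useful if it named the slot the SELinux code reads (`blob->selinux.secid`), so callers know what they are expected to fill.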
@@ -3659,10 +3660,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) goto out; } - ctxt = sidtab_search(policy->sidtab, sid); + /* scaffolding */ + if (!blob->selinux.secid && blob->scaffold.secid) + blob->selinux.secid = blob->scaffold.secid; + + ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + blob->selinux.secid); match = -ENOENT; goto out; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4164699cd4f6..52d5ef986db8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4776,7 +4776,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) /** * smack_audit_rule_match - Audit given object ? - * @secid: security id for identifying the object to test + * @blob: security id for identifying the object to test * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation @@ -4784,7 +4784,8 @@ static int smack_audit_rule_known(struct audit_krule *krule) * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) +static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule) { struct smack_known *skp; char *rule = vrule; 
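Review bot: writing the scaffold secid back into `blob->selinux.secid` mutates the caller's blob, and the kernel/auditsc.c callers reuse one blob across all fields of a rule and across every entry of ctx->names_list; after the first call fills blob->selinux.secid, every later call in that function finds it non-zero, skips the fallback, and matches the stale SID instead of the `blob->scaffold.secid` just assigned, so a rule with both subject and object fields, or a syscall that touched several names, matches the wrong object. Resolve the scaffold into a local instead, as the AppArmor and Smack hunks do, e.g. `u32 sid = blob->selinux.secid ?: blob->scaffold.secid;` and pass `sid` to sidtab_search() and the WARN_ONCE(). While touching that WARN_ONCE(), `%d` for a u32 should be `%u`.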
@@ -4797,7 +4798,11 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - skp = smack_from_secid(secid); + /* scaffolding */ + if (!blob->smack.skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + else + skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs,
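Review bot: in the else branch of the Smack hunk, `skp = blob->smack.skp` is NULL whenever neither the Smack slot nor the scaffold secid is set (a freshly zeroed blob), whereas the replaced smack_from_secid() call resolved every secid to some label itself; the rest of the function goes on to use skp, so add `if (!skp) return -ENOENT;` after the fallback, mirroring the `if (!label) return -ENOENT;` in the AppArmor hunk. The three module hooks now spell the same scaffold fallback three different ways (AppArmor and Smack into a local, SELinux by writing into the blob); a single pattern, the local, would make the later removal of the scaffold a mechanical change.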
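Added here as an example, not code from the patch series or the kernel: a small userspace C model of patches 01 and 02 above. It has the lsmblob with per-LSM slots plus the scaffold slot, an audit-rule loop that reuses a single blob across the fields of one rule the way audit_filter_rules() in patch 02 does, and two versions of an SELinux-style hook: one that writes the scaffold secid back into the caller's blob as the services.c hunk does, and one that resolves it into a local as the AppArmor and Smack hunks do. Every identifier in it (sid_is_known, count_matches, the SID values) is a constructed stand-in and not a kernel interface.

```c
/*
 * Userspace model (added example, not kernel code) of the lsmblob scaffold
 * from patches 01/02: one 'struct lsmblob' reused for every field of an
 * audit rule, as audit_filter_rules() does. All names are hypothetical
 * stand-ins for the kernel's; the SID table is a stub.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Per-LSM slots as in include/linux/lsm/*.h, with every LSM "built in". */
struct lsmblob_selinux  { u32 secid; };
struct lsmblob_smack    { const char *skp; };   /* stand-in for struct smack_known * */
struct lsmblob_apparmor { const char *label; }; /* stand-in for struct aa_label * */
struct lsmblob_scaffold { u32 secid; };         /* transitional: the old u32 secid */

struct lsmblob {
	struct lsmblob_selinux  selinux;
	struct lsmblob_smack    smack;
	struct lsmblob_apparmor apparmor;
	struct lsmblob_scaffold scaffold;
};

/* Constructed stand-in for sidtab_search(): every non-zero SID "exists". */
static int sid_is_known(u32 sid) { return sid != 0; }

/*
 * Hook shaped like selinux_audit_rule_match() in patch 02: it fills its own
 * slot from the scaffold by writing INTO the caller's blob. Returns 1 on a
 * match, 0 on a mismatch, -ENOENT for an unknown SID.
 */
static int selinux_match_writeback(struct lsmblob *blob, u32 rule_sid)
{
	if (!blob->selinux.secid && blob->scaffold.secid)
		blob->selinux.secid = blob->scaffold.secid;
	if (!sid_is_known(blob->selinux.secid))
		return -ENOENT;
	return blob->selinux.secid == rule_sid;
}

/* Same hook with the scaffold resolved into a local (the AppArmor/Smack
 * pattern in patch 02); the caller's blob is left untouched. */
static int selinux_match_local(struct lsmblob *blob, u32 rule_sid)
{
	u32 sid = blob->selinux.secid ? blob->selinux.secid : blob->scaffold.secid;

	if (!sid_is_known(sid))
		return -ENOENT;
	return sid == rule_sid;
}

typedef int (*audit_match_fn)(struct lsmblob *, u32);

enum field_type { FIELD_SUBJ, FIELD_OBJ };
struct rule_field { enum field_type type; u32 rule_sid; };

/*
 * Model of the audit_filter_rules() loop: one blob for the whole rule, a
 * subject field loads the task SID into the scaffold, an object field loads
 * each audit_names osid in turn. Returns how many fields/names matched.
 * With reset_per_field the blob is re-zeroed before every hook call, the
 * other way to stop a slot filled by an earlier call from going stale.
 */
static int count_matches(audit_match_fn match, int reset_per_field,
			 u32 subj_sid, const u32 *obj_sids, int nobj,
			 const struct rule_field *fields, int nfields)
{
	struct lsmblob blob;
	int matched = 0, i, n;

	memset(&blob, 0, sizeof(blob));
	for (i = 0; i < nfields; i++) {
		if (fields[i].type == FIELD_SUBJ) {
			if (reset_per_field)
				memset(&blob, 0, sizeof(blob));
			blob.scaffold.secid = subj_sid;
			if (match(&blob, fields[i].rule_sid) > 0)
				matched++;
			continue;
		}
		for (n = 0; n < nobj; n++) {
			if (reset_per_field)
				memset(&blob, 0, sizeof(blob));
			blob.scaffold.secid = obj_sids[n];
			if (match(&blob, fields[i].rule_sid) > 0)
				matched++;
		}
	}
	return matched;
}

int main(void)
{
	/* Constructed input: task SID 100, object names with SIDs 200 and 300,
	 * a rule wanting subject 100 and object 300, so two matches are right. */
	const u32 objs[] = { 200, 300 };
	const struct rule_field rule[] = { { FIELD_SUBJ, 100 }, { FIELD_OBJ, 300 } };

	printf("write-back hook, shared blob: %d match(es)\n",
	       count_matches(selinux_match_writeback, 0, 100, objs, 2, rule, 2));
	printf("write-back hook, blob reset:  %d match(es)\n",
	       count_matches(selinux_match_writeback, 1, 100, objs, 2, rule, 2));
	printf("local-sid hook, shared blob:  %d match(es)\n",
	       count_matches(selinux_match_local, 0, 100, objs, 2, rule, 2));
	return 0;
}
```

Build with `gcc -Wall -o lsmblob_model lsmblob_model.c` and run it: the write-back hook with a shared blob reports 1 match (the object SID 300 is never looked at because the subject SID is still in the SELinux slot), while resetting the blob per field or resolving into a local both report the expected 2.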
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH 03/13] LSM: Add lsmblob_to_secctx hook Date: Sun, 25 Aug 2024 12:00:38 -0700 Message-ID: <20240825190048.13289-4-casey@schaufler-ca.com> In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com>
Add a new hook security_lsmblob_to_secctx() and its LSM specific implementations. The LSM specific code will use the lsmblob element allocated for that module. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Signed-off-by: Casey Schaufler --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 11 +++++++++- security/apparmor/include/secid.h | 2 ++ security/apparmor/lsm.c | 1 + security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++ security/security.c | 30 ++++++++++++++++++++++++++ security/selinux/hooks.c | 16 ++++++++++++-- security/smack/smack_lsm.c | 31 +++++++++++++++++++++----- 8 files changed, 121 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 1d3bdf71109e..3e5f6baa7b9f 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h
@@ -291,6 +291,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, u32 *seclen) +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, + char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) diff --git a/include/linux/security.h b/include/linux/security.h index c0ed2119a622..457fafc32fb0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -520,6 +520,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); @@ -1461,7 +1463,14 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(u32 secid, char **secdata, + u32 *seclen) +{ + return -EOPNOTSUPP; +} + +static inline int security_lsmblob_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index a912a5d5d04f..816a425e2023 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h 
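Review bot: the security.h hunk at @@ -1461,7 +1463,14 @@ re-wraps the existing security_secid_to_secctx() stub signature onto two lines in the same change that adds the security_lsmblob_to_secctx() stub; that re-wrap is unrelated to this patch and makes the hunk read as if the old stub changed. Leave the existing stub untouched here, or move the whitespace change into a separate cleanup patch.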
@@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void apparmor_release_secctx(char *secdata, u32 seclen); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 808060f9effb..050d103f5ca5 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1532,6 +1532,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { #endif LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 83d3d1e6d9dc..3c389e5810cd 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c 
@@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + /* TODO: cache secctx and ref count so we don't have to recreate */ + struct aa_label *label; + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT; + int len; + + AA_BUG(!seclen); + + /* scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; + + if (!label) + return -EINVAL; + + if (apparmor_display_secid_mode) + flags |= FLAG_SHOW_MODE; + + if (secdata) + len = aa_label_asxprint(secdata, root_ns, label, + flags, GFP_ATOMIC); + else + len = aa_label_snxprint(NULL, 0, root_ns, label, flags); + + if (len < 0) + return -ENOMEM; + + *seclen = len; + + return 0; +} + int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { struct aa_label *label; diff --git a/security/security.c b/security/security.c index 64a6d6bbd1f4..bb541a3be410 100644 --- a/security/security.c +++ b/security/security.c 
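Review bot: apparmor_lsmblob_to_secctx() in the secid.c hunk above duplicates the body of apparmor_secid_to_secctx() (the flags setup, the apparmor_display_secid_mode handling, the aa_label_asxprint()/aa_label_snxprint() branch, the len < 0 check and the TODO about caching) and differs only in how label is obtained. Factor the shared part into a static helper that takes a struct aa_label * and have both hook implementations call it, so the cache work the TODO describes and any later fix land in one place instead of two.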
@@ -4192,6 +4192,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); +/** + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx + * @blob: lsm specific information + * @secdata: secctx + * @seclen: secctx length + * + * Convert a @blob entry to security context. If @secdata is NULL the + * length of the result will be returned in @seclen, but no @secdata + * will be returned. This does mean that the length could change between + * calls to check the length and the next call which actually allocates + * and returns the @secdata. + * + * Return: Return 0 on success, error on failure. + */ +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); + if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + return rc; + } + + return LSM_RET_DEFAULT(secid_to_secctx); +} +EXPORT_SYMBOL(security_lsmblob_to_secctx); + /** * security_secctx_to_secid() - Convert a secctx to a secid * @secdata: secctx diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 55c78c318ccd..102489e6d579 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6610,8 +6610,19 @@ static int selinux_ismaclabel(const char *name) static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { - return security_sid_to_context(secid, - secdata, seclen); + return security_sid_to_context(secid, secdata, seclen); +} + +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + u32 secid = blob->selinux.secid; + + /* scaffolding */ + if (!secid) + secid = blob->scaffold.secid; + + return security_sid_to_context(secid, secdata, seclen); } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 
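Review bot: security_lsmblob_to_secctx() in the security.c hunk iterates security_hook_heads.secid_to_secctx but invokes hp->hook.lsmblob_to_secctx on each entry, so it walks the registrations for the old hook and calls those function pointers through the wrong member of the hook union, handing a struct lsmblob * to code that expects a u32 secid. The loop must use `hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list)`. For consistency the two LSM_RET_DEFAULT(secid_to_secctx) uses should also become LSM_RET_DEFAULT(lsmblob_to_secctx); both are -EOPNOTSUPP per the LSM_HOOK definition added in lsm_hook_defs.h, but the default belongs to the hook being dispatched. The selinux_secid_to_secctx() re-wrap in the hooks.c hunk is unrelated whitespace churn.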
@@ -7388,6 +7399,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx), LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 52d5ef986db8..5d74d8590862 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4787,7 +4787,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule) { - struct smack_known *skp; + struct smack_known *skp = blob->smack.skp; char *rule = vrule; if (unlikely(!rule)) { @@ -4799,10 +4799,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, return 0; /* scaffolding */ - if (!blob->smack.skp && blob->scaffold.secid) + if (!skp && blob->scaffold.secid) skp = smack_from_secid(blob->scaffold.secid); - else - skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs, @@ -4833,7 +4831,6 @@ static int smack_ismaclabel(const char *name) return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); } - /** * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer 
@@ -4852,6 +4849,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +/** + * smack_lsmblob_to_secctx - return the smack label + * @blob: includes incoming Smack data + * @secdata: destination + * @seclen: how long it is + * + * Exists for audit code. + */ +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct smack_known *skp = blob->smack.skp; + + /* scaffolding */ + if (!skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + + if (secdata) + *secdata = skp->smk_known; + *seclen = strlen(skp->smk_known); + return 0; +} + /** * smack_secctx_to_secid - return the secid for a smack label * @secdata: smack label 
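Review bot: smack_lsmblob_to_secctx() dereferences skp->smk_known without checking skp; when blob->smack.skp is NULL and blob->scaffold.secid is 0 the scaffolding branch is skipped and skp stays NULL, giving a NULL pointer dereference on `*secdata = skp->smk_known;` and again in strlen(). Mirror the AppArmor implementation in this series and return -EINVAL when skp is still NULL after the scaffolding block; the same guard is needed in smack_audit_rule_match(), which uses the identical pattern. The kernel-doc line "@seclen: how long it is" should say it receives the length of the returned label.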
@@ -5208,6 +5228,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
From patchwork Sun Aug 25 19:00:39 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776881 X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH 04/13] Audit: maintain an lsmblob in audit_context Date: Sun, 25 Aug 2024 12:00:39 -0700 Message-ID: <20240825190048.13289-5-casey@schaufler-ca.com> In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com>
Replace the secid value stored in struct audit_context with a struct lsmblob. Change the code that uses this value to accommodate the change. security_audit_rule_match() expects a lsmblob, so existing scaffolding can be removed. A call to security_secid_to_secctx() is changed to security_lsmblob_to_secctx(). The call to security_ipc_getsecid() is scaffolded. A new function lsmblob_is_set() is introduced to identify whether an lsmblob contains a non-zero value. Signed-off-by: Casey Schaufler --- include/linux/security.h | 13 +++++++++++++ kernel/audit.h | 3 ++- kernel/auditsc.c | 19 ++++++++----------- 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 457fafc32fb0..a0b23b6e8734 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id) return kernel_load_data_str[id]; } +/** + * lsmblob_is_set - report if there is a value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a value set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + const struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); diff --git a/kernel/audit.h b/kernel/audit.h index a60d2840559e..b1f2de4d4f1e 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -11,6 +11,7 @@ #include #include +#include #include #include #include @@ -160,7 +161,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 23adb15cae43..84f6e9356b8f 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - /* scaffolding */ - blob.scaffold.secid = ctx->ipc.osid; - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rule)) ++result; 
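Review bot: lsmblob_is_set() in the security.h hunk compares every byte of the struct with memcmp() against a zero-initialized local, so if struct lsmblob has padding, stale padding bytes make an otherwise empty blob look set. That is safe for blobs embedded in kzalloc()'d memory such as audit_context or cleared with memset(), but a blob built on the stack by member assignment carries whatever was in the padding; either document that every blob must be zeroed before per-module fields are written, or test the per-module fields and scaffold.secid explicitly instead of the raw bytes.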
@@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, " a%d=%lx", i, context->socketcall.args[i]); break; } - case AUDIT_IPC: { - u32 osid = context->ipc.osid; - + case AUDIT_IPC: audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { + if (lsmblob_is_set(&context->ipc.oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", osid); + if (security_lsmblob_to_secctx(&context->ipc.oblob, + &ctx, &len)) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic) context->ipc.perm_gid, context->ipc.perm_mode); } - break; } + break; case AUDIT_MQ_OPEN: audit_log_format(ab, "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " 
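Review bot: the show_special() hunk changes the failure path for the IPC object label: before, a failed security_secid_to_secctx() still emitted ` osid=%u` before setting *call_panic, whereas now a failed security_lsmblob_to_secctx() emits nothing about the object and only sets *call_panic. If dropping the fallback field is intended because there is no longer a single secid to print, say so in the commit message; otherwise keep some identification of the object in the record (the scaffold secid is still available while the scaffolding exists).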
@@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + /* scaffolding */ + security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); context->type = AUDIT_IPC; }
From patchwork Sun Aug 25 19:00:40 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776897 X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-audit@redhat.com, audit@vger.kernel.org Subject: [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Date: Sun, 25 Aug 2024 12:00:40 -0700 Message-ID: <20240825190048.13289-6-casey@schaufler-ca.com> In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com>
There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. Change the name to security_ipc_getlsmblob() to reflect the change. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com Cc: audit@vger.kernel.org --- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 18 +++++++++++++++--- kernel/auditsc.c | 3 +-- security/security.c | 14 +++++++------- security/selinux/hooks.c | 9 ++++++--- security/smack/smack_lsm.c | 17 ++++++++++------- 6 files changed, 41 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 3e5f6baa7b9f..c3ffc3f98343 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) LSM_HOOK(int, 0, userns_create, const struct cred *cred) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, - u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp, + struct lsmblob *blob) LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) diff --git a/include/linux/security.h b/include/linux/security.h index a0b23b6e8734..ebe8edaae953 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob) return !!memcmp(blob, &empty, sizeof(*blob)); } +/** + * lsmblob_init - initialize a lsmblob structure + * @blob: Pointer to the data to initialize + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob) +{ + memset(blob, 0, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); 
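Review bot: the kernel-doc added for lsmblob_init() in the security.h hunk says "Set all secid for all modules to the specified value", but the function takes no value and simply memset()s the blob to zero; reword it to say the blob is cleared (every per-module field set to zero or NULL) so the comment matches what the helper does.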
@@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_create_user_ns(const struct cred *cred); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 84f6e9356b8f..94b7ef89da2e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - /* scaffolding */ - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); + security_ipc_getlsmblob(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index bb541a3be410..6e72e678b5b4 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) } /** - * security_ipc_getsecid() - Get the sysv ipc object's secid + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data * @ipcp: ipc permission structure - * @secid: secid pointer + * @blob: pointer to lsm information * - * Get the secid associated with the ipc object. In case of failure, @secid - * will be set to zero. + * Get the lsm information associated with the ipc object. */ -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) + +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + lsmblob_init(blob); + call_void_hook(ipc_getlsmblob, ipcp, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 102489e6d579..1b34b86426e8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { struct ipc_security_struct *isec = selinux_ipc(ipcp); - *secid = isec->sid; + blob->selinux.secid = isec->sid; + /* scaffolding */ + blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(userns_create, selinux_userns_create), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob), LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5d74d8590862..370ca7fb1843 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) } /** - * smack_ipc_getsecid - Extract smack security id + * smack_ipc_getlsmblob - Extract smack security data * @ipp: the object permissions - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, + struct lsmblob *blob) { - struct smack_known **blob = smack_ipc(ipp); - struct smack_known *iskp = *blob; + struct smack_known **iskpp = smack_ipc(ipp); + struct smack_known *iskp = *iskpp; - *secid = iskp->smk_secid; + blob->smack.skp = iskp; + /* scaffolding */ + blob->scaffold.secid = iskp->smk_secid; } /** 
@@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob), LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
From patchwork Sun Aug 25 19:00:41 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776882 X-Patchwork-Delegate: paul@paul-moore.com
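Review bot: the kernel-doc for the new lsmblob_init() in the include/linux/security.h hunk says "Set all secid for all modules to the specified value", but the helper takes no value and simply memset()s the blob to zero; reword it to say that the blob is cleared so that lsmblob_is_set() reports it as unset, which is the contract the audit callers now depend on.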
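Review bot: the security/security.c hunk introduces a blank line between the closing `*/` of the kernel-doc block and `void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob)`; kernel-doc only associates a comment with the declaration that immediately follows it, so the blank line should be dropped. The rewritten description also lost the failure-case sentence ("In case of failure, @secid will be set to zero"); since lsmblob_init(blob) still runs before call_void_hook(), state that @blob is cleared when no LSM fills it in, otherwise the lsmblob_is_set() checks elsewhere in the series look unmotivated.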
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH 06/13] Audit: Update shutdown LSM data Date: Sun, 25 Aug 2024 12:00:41 -0700 Message-ID: <20240825190048.13289-7-casey@schaufler-ca.com> In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com> X-Mailing-List: linux-security-module@vger.kernel.org
The audit process LSM information is changed from a secid audit_sig_sid to an lsmblob in audit_sig_lsm. Update the users of this data appropriately. Calls to security_secid_to_secctx() are changed to use security_lsmblob_to_secctx() instead. security_current_getsecid_subj() is scaffolded. It will be updated in a subsequent patch. Signed-off-by: Casey Schaufler --- kernel/audit.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index e7a62ebbf4d1..9dac776b60a7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -123,7 +123,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ static kuid_t audit_sig_uid = INVALID_UID; static pid_t audit_sig_pid = -1; -static u32 audit_sig_sid; +static struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc]
@@ -1473,20 +1473,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } 
@@ -2404,7 +2405,8 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_current_getsecid_subj(&audit_sig_sid); + /* scaffolding */ + security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); } return audit_signal_info_syscall(t);
From patchwork Sun Aug 25 19:00:42 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776883 X-Patchwork-Delegate: paul@paul-moore.com
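Review bot: the AUDIT_SIGNAL_INFO case in audit_receive_msg() now evaluates lsmblob_is_set(&audit_sig_lsm) three separate times against a static that audit_signal_info() writes to from another context. The old code had the same shape, but a u32 read could not tear, whereas memcmp() over a multi-member struct can see a half-written blob, and if the blob changes between the first check (which allocates ctx) and the later ones, the security_release_secctx() call is skipped and ctx leaks. Copy audit_sig_lsm into a local once at the top of the case and test that copy, or serialise against whatever protects audit_sig_uid/audit_sig_pid.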
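Review bot: audit_signal_info() only populates audit_sig_lsm.scaffold.secid, so until the follow-up patch lands every other member of the blob stays zero and the security_lsmblob_to_secctx() call in the AUDIT_SIGNAL_INFO path must be able to build a context from the scaffold secid alone. The commit message says the call "is scaffolded" but not that the conversion helper is expected to cope with a scaffold-only blob; one sentence there, or in the `/* scaffolding */` comment, would make the interim dependency explicit for bisection.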
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, linux-audit@redhat.com, netdev@vger.kernel.org Subject: [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid Date: Sun, 25 Aug 2024 12:00:42 -0700 Message-ID: <20240825190048.13289-8-casey@schaufler-ca.com> In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com> X-Mailing-List: linux-security-module@vger.kernel.org
Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid. Audit interfaces will need to collect all possible security data for possible reporting. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Cc: netdev@vger.kernel.org --- include/linux/lsm_hook_defs.h | 6 +-- include/linux/security.h | 13 +++--- kernel/audit.c | 11 +++-- kernel/auditfilter.c | 3 +- kernel/auditsc.c | 22 ++++++---- net/netlabel/netlabel_unlabeled.c | 5 ++- net/netlabel/netlabel_user.h | 6 ++- security/apparmor/lsm.c | 20 ++++++--- security/integrity/ima/ima.h | 6 +-- security/integrity/ima/ima_api.c | 6 +-- security/integrity/ima/ima_appraise.c | 6 +-- security/integrity/ima/ima_main.c | 59 ++++++++++++++------------- security/integrity/ima/ima_policy.c | 14 +++---- security/security.c | 28 ++++++------- security/selinux/hooks.c | 17 +++++--- security/smack/smack_lsm.c | 23 +++++++---- 16 files changed, 138 insertions(+), 107 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c3ffc3f98343..06c60f1aefa7 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -232,9 +232,9 @@ LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old) LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, - struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, current_getlsmblob_subj, struct lsmblob *blob) +LSM_HOOK(void, LSM_RET_VOID, task_getlsmblob_obj, + struct task_struct *p, struct lsmblob *blob) LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) LSM_HOOK(int, 0, task_getioprio, struct task_struct *p) diff --git a/include/linux/security.h b/include/linux/security.h index ebe8edaae953..b28f2f7fe4ef 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -492,8 +492,8 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_current_getsecid_subj(u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_current_getlsmblob_subj(struct lsmblob *blob); +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1268,14 +1268,15 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_current_getsecid_subj(u32 *secid) +static inline void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 9dac776b60a7..97c0dea0e3a1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2179,16 +2179,16 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmblob blob; char *ctx = NULL; unsigned len; int error; - u32 sid; - security_current_getsecid_subj(&sid); - if (!sid) + security_current_getlsmblob_subj(&blob); + if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; 
@@ -2405,8 +2405,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - /* scaffolding */ - security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); + security_current_getlsmblob_subj(&audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c4c7cda3b846..06309227a0eb 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1371,8 +1371,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { /* scaffolding */ - security_current_getsecid_subj( - &blob.scaffold.secid); + security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rule); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 94b7ef89da2e..1f05445978f9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -470,7 +470,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob = { }; unsigned int sessionid; @@ -675,15 +674,14 @@ static int audit_filter_rules(struct task_struct *tsk, * fork()/copy_process() in which case * the new @tsk creds are still a dup * of @current's creds so we can still - * use security_current_getsecid_subj() + * use + * security_current_getlsmblob_subj() * here even though it always refs * @current's creds */ - security_current_getsecid_subj(&sid); + security_current_getlsmblob_subj(&blob); need_sid = 0; } - /* scaffolding */ - blob.scaffold.secid = sid; result = security_audit_rule_match(&blob, f->type, f->op, 
@@ -2730,12 +2728,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + context->target_sid = blob.scaffold.secid; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2751,6 +2752,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2762,7 +2764,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + ctx->target_sid = blob.scaffold.secid; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2783,7 +2787,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + axp->target_sid[axp->pid_count] = blob.scaffold.secid; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 9996883bf2b7..7f38dc9b6b57 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c 
@@ -1534,11 +1534,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getsecid_subj(&audit_info.secid); + security_current_getlsmblob_subj(&blob); + /* scaffolding */ + audit_info.secid = blob.scaffold.secid; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index d6c5b31eb4eb..40841d7af1d8 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_current_getsecid_subj(&audit_info->secid); + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + /* scaffolding */ + audit_info->secid = blob.scaffold.secid; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 050d103f5ca5..877c4e809ae8 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -982,17 +982,24 @@ static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm) return; } -static void apparmor_current_getsecid_subj(u32 *secid) +static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) { struct aa_label *label = __begin_current_label_crit_section(); - *secid = label->secid; + + blob->apparmor.label = label; + /* scaffolding */ + blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } -static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void apparmor_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct aa_label *label = aa_get_task_label(p); - *secid = label->secid; + + blob->apparmor.label = label; + /* scaffolding */ + blob->scaffold.secid = label->secid; aa_put_label(label); } @@ -1518,8 +1525,9 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, + apparmor_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, apparmor_task_getlsmblob_obj), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), LSM_HOOK_INIT(userns_create, apparmor_userns_create), diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c51e24d24d1e..64bd77aa28e9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -369,7 +369,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); @@ -400,8 +400,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 984e861f6e33..896cf716dd6d 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @idmap: idmap of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: secid(s) of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) 
@@ -196,7 +196,7 @@ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(idmap, inode, cred, secid, func, mask, + return ima_match_policy(idmap, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data, allowed_algos); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 656c709b974f..b0db2f38efc6 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -73,13 +73,13 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_current_getsecid_subj(&secid); - return ima_match_policy(idmap, inode, current_cred(), secid, + security_current_getlsmblob_subj(&blob); + return ima_match_policy(idmap, inode, current_cred(), &blob, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index f04f43af651c..d408a700fe6f 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -206,8 +206,8 @@ static void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *real_inode, *inode = file_inode(file); struct ima_iint_cache *iint = NULL; 
@@ -232,7 +232,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_idmap(file), inode, cred, secid, + action = ima_get_action(file_mnt_idmap(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL, &allowed_algos); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK || @@ -443,23 +443,23 @@ static int process_measurement(struct file *file, const struct cred *cred, static int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags) { - u32 secid; + struct lsmblob blob; int ret; if (!file) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); if (reqprot & PROT_EXEC) { - ret = process_measurement(file, current_cred(), secid, NULL, + ret = process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK_REQPROT); if (ret) return ret; } if (prot & PROT_EXEC) - return process_measurement(file, current_cred(), secid, NULL, + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); return 0; @@ -488,9 +488,9 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ 
@@ -498,13 +498,13 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL, NULL); action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK_REQPROT, &pcr, &template, NULL, NULL); @@ -542,15 +542,18 @@ static int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob = { }; - security_current_getsecid_subj(&secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_current_getlsmblob_subj(&blob); + ret = process_measurement(bprm->file, current_cred(), + &blob, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, + /* scaffolding */ + blob.scaffold.secid = secid; + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } @@ -566,10 +569,10 @@ static int ima_bprm_check(struct linux_binprm *bprm) */ static int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } 
@@ -768,7 +771,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the @@ -788,9 +791,9 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { @@ -818,7 +821,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -831,8 +834,8 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, buf, size, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, buf, size, MAY_READ, func); } @@ -967,7 +970,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; 
@@ -990,9 +993,9 @@ int process_buffer_measurement(struct mnt_idmap *idmap, * buffer measurements. */ if (func) { - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); action = ima_get_action(idmap, inode, current_cred(), - secid, 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 40119816b848..33bdbd031673 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -557,7 +557,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @idmap: idmap of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the secid(s) of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -567,7 +567,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct mnt_idmap *idmap, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, + struct lsmblob *blob, enum ima_hooks func, int mask, const char *func_data) { int i; @@ -658,8 +658,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - /* scaffolding */ - blob.scaffold.secid = secid; rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); 
@@ -723,7 +721,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM secid(s) of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) @@ -740,8 +738,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { @@ -759,7 +757,7 @@ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, idmap, inode, cred, secid, + if (!ima_match_rules(entry, idmap, inode, cred, blob, func, mask, func_data)) continue; diff --git a/security/security.c b/security/security.c index 6e72e678b5b4..b6e28e20ac51 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3373,33 +3373,33 @@ int security_task_getsid(struct task_struct *p) } /** - * security_current_getsecid_subj() - Get the current task's subjective secid - * @secid: secid value + * security_current_getlsmblob_subj() - Current task's subjective LSM data + * @blob: lsm specific information * * Retrieve the subjective security identifier of the current task and return - * it in @secid. In case of failure, @secid will be set to zero. + * it in @blob. */ -void security_current_getsecid_subj(u32 *secid) +void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; - call_void_hook(current_getsecid_subj, secid); + lsmblob_init(blob); + call_void_hook(current_getlsmblob_subj, blob); } -EXPORT_SYMBOL(security_current_getsecid_subj); +EXPORT_SYMBOL(security_current_getlsmblob_subj); /** - * security_task_getsecid_obj() - Get a task's objective secid + * security_task_getlsmblob_obj() - Get a task's objective LSM data * @p: target task - * @secid: secid value + * @blob: lsm specific information * * Retrieve the objective security identifier of the task_struct in @p and - * return it in @secid. In case of failure, @secid will be set to zero. + * return it in @blob. */ -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + lsmblob_init(blob); + call_void_hook(task_getlsmblob_obj, p, blob); } -EXPORT_SYMBOL(security_task_getsecid_obj); +EXPORT_SYMBOL(security_task_getlsmblob_obj); /** * security_task_setnice() - Check if setting a task's nice value is allowed diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1b34b86426e8..af48b8f868b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -4161,14 +4161,19 @@ static int selinux_task_getsid(struct task_struct *p) PROCESS__GETSESSION, NULL); } -static void selinux_current_getsecid_subj(u32 *secid) +static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = current_sid(); + blob->selinux.secid = current_sid(); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } -static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void selinux_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = task_sid_obj(p); + blob->selinux.secid = task_sid_obj(p); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -7240,8 +7245,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, selinux_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, selinux_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 370ca7fb1843..86a370ec54f9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -2239,30 +2239,35 @@ static int smack_task_getsid(struct task_struct *p) } /** - * smack_current_getsecid_subj - get the subjective secid of the current task - * @secid: where to put the result + * smack_current_getlsmblob_subj - get the subjective secid of the current task + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's subjective smack label. */ -static void smack_current_getsecid_subj(u32 *secid) +static void smack_current_getlsmblob_subj(struct lsmblob *blob) { struct smack_known *skp = smk_of_current(); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** - * smack_task_getsecid_obj - get the objective secid of the task + * smack_task_getlsmblob_obj - get the objective data of the task * @p: the task * @secid: where to put the result * * Sets the secid to contain a u32 version of the task's objective smack label. */ -static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void smack_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct smack_known *skp = smk_of_task_struct_obj(p); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** 
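Review bot: In the ima_bprm_check() hunk (security/integrity/ima/ima_main.c), the blob handed to the CREDS_CHECK call is half stale. `security_current_getlsmblob_subj(&blob)` fills the LSM-specific members (and the scaffold) with the current task's subjective data, and afterwards only `blob.scaffold.secid` is overwritten with the value from `security_cred_getsecid(bprm->cred, &secid)`. Once ima_filter_rule_match() consumes `blob->selinux` / `blob->smack` instead of the scaffold, the second process_measurement() would match IMA rules against the wrong subject. Either re-run `lsmblob_init(&blob)` before setting the scaffold value, or give the creds path an lsmblob-returning helper of its own (a `security_cred_getlsmblob()` counterpart, name suggested here) so both calls carry consistent data; the retained `u32 secid` could then go as well.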
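Review bot: In the ima_match_rules() hunk (security/integrity/ima/ima_policy.c), the new `struct lsmblob *blob` parameter never reaches the matcher: the two deleted scaffolding lines were the only place the subject's secid was loaded into the `blob` used by the unchanged call `rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, ...)`. With the parameter named `blob`, `&blob` is a `struct lsmblob **` (or, if a local `struct lsmblob blob` still exists in the loop body and shadows the parameter, an empty blob), so LSM_SUBJ_USER/ROLE/TYPE rules would be compared against no data. The call should pass the parameter directly, `rc = ima_filter_rule_match(blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule);`, and any remaining local named `blob` in that scope should be renamed or dropped.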
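Review bot: In the security/security.c hunk, the kernel-doc for security_current_getlsmblob_subj() and security_task_getlsmblob_obj() drops the sentence that told callers what they get when no LSM supplies data, while the code now does `lsmblob_init(blob)` before `call_void_hook(...)`. State that in the comment (for example "@blob is initialised with lsmblob_init() before the hooks run; members of LSMs that provide no data keep their initial value"), since later callers test the result with lsmblob_is_set().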
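Review bot: In the security/smack/smack_lsm.c hunk, the kernel-doc for smack_task_getlsmblob_obj() still lists `@secid: where to put the result` although the parameter is now `blob` (kernel-doc will warn about the mismatch), and both comments still say "Sets the secid to contain a u32 version of the task's ... smack label" even though the functions now store the `smack_known` pointer in `blob->smack.skp` and only copy the u32 into the scaffold. Change the tag to `@blob: where to put the result` and describe the skp being returned.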
@@ -5148,8 +5153,8 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, smack_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, smack_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
From patchwork Sun Aug 25 19:00:43 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776884 X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org Subject: [PATCH 08/13] LSM: Use lsmblob in security_inode_getsecid Date: Sun, 25 Aug 2024 12:00:43 -0700 Message-ID: <20240825190048.13289-9-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com> X-Mailing-List: linux-security-module@vger.kernel.org
Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Change the name to security_inode_getlsmblob().
Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org --- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 3 +-- security/security.c | 11 +++++------ security/selinux/hooks.c | 15 +++++++++------ security/smack/smack_lsm.c | 12 +++++++----- 7 files changed, 33 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 06c60f1aefa7..4fd508841a6e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -175,7 +175,8 @@ LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, const char *name, const void *value, size_t size, int flags) LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, size_t buffer_size) -LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, inode_getlsmblob, struct inode *inode, + struct lsmblob *blob) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, const char *name) diff --git a/include/linux/security.h b/include/linux/security.h index b28f2f7fe4ef..4fe6f64cc3b4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -440,7 +440,7 @@ int security_inode_getsecurity(struct mnt_idmap *idmap, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(struct dentry *src, const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, 
@@ -1046,9 +1046,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getlsmblob(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1f05445978f9..eb1c64a2af31 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2276,13 +2276,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getlsmblob(inode, &blob); + /* scaffolding */ + name->osid = blob.scaffold.secid; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 33bdbd031673..35a8d3435507 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -649,8 +649,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - /* scaffolding */ - security_inode_getsecid(inode, &blob.scaffold.secid); + security_inode_getlsmblob(inode, &blob); rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index b6e28e20ac51..c2be9798c012 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2622,16 +2622,15 @@ int security_inode_listsecurity(struct inode *inode, EXPORT_SYMBOL(security_inode_listsecurity); /** - * security_inode_getsecid() - Get an inode's secid + * security_inode_getlsmblob() - Get an inode's LSM data * @inode: inode - * @secid: secid to return + * @blob: lsm specific information to return * - * Get the secid associated with the node. In case of failure, @secid will be - * set to zero. + * Get the lsm specific information associated with the node. */ -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + call_void_hook(inode_getlsmblob, inode, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index af48b8f868b7..f5d09beeef0f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3505,15 +3505,18 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static void selinux_inode_getsecid(struct inode *inode, u32 *secid) +static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct inode_security_struct *isec = inode_security_novalidate(inode); - *secid = isec->sid; + + blob->selinux.secid = isec->sid; + /* scaffolding */ + blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { - u32 sid; + struct lsmblob blob; struct task_security_struct *tsec; struct cred *new_creds = *new; @@ -3525,8 +3528,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ - selinux_inode_getsecid(d_inode(src), &sid); - tsec->create_sid = sid; + selinux_inode_getlsmblob(d_inode(src), &blob); + tsec->create_sid = blob.selinux.secid; *new = new_creds; return 0; } 
@@ -7211,7 +7214,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, selinux_inode_getlsmblob), LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), LSM_HOOK_INIT(path_notify, selinux_path_notify), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 86a370ec54f9..8cda7dcf30e1 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1649,15 +1649,17 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, } /** - * smack_inode_getsecid - Extract inode's security id + * smack_inode_getlsmblob - Extract inode's security id * @inode: inode to extract the info from - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_inode_getsecid(struct inode *inode, u32 *secid) +static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct smack_known *skp = smk_of_inode(inode); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /* 
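Review bot: In the security/security.c hunk, security_inode_getlsmblob() calls the hook without first running `lsmblob_init(blob)`, unlike the task variants in 07/13 and the `!CONFIG_SECURITY` inline added to include/linux/security.h in this same patch. If no LSM provides inode_getlsmblob, the blob stays as the caller declared it, and the new caller audit_copy_inode() in the kernel/auditsc.c hunk declares `struct lsmblob blob;` uninitialised and then reads `blob.scaffold.secid` into `name->osid`: an uninitialised read that puts a garbage osid into the audit record. Add `lsmblob_init(blob);` before `call_void_hook(inode_getlsmblob, inode, blob);`, and initialise the local in audit_copy_inode() with `= { }` for good measure.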
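Review bot: In the security/integrity/ima/ima_policy.c hunk, `security_inode_getlsmblob(inode, &blob);` takes the address of `blob`, which since 07/13 is also the name of the function's `struct lsmblob *` parameter carrying the subject data; this only compiles if a same-named local shadows the parameter, and it makes the object-side and subject-side blobs easy to confuse. Give the inode data a distinct local (for instance `struct lsmblob inode_blob = { };` declared in the loop) and pass `&inode_blob` here, leaving `blob` for the subject.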
@@ -5128,7 +5130,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, smack_inode_getlsmblob), LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
From patchwork Sun Aug 25 19:00:44 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776885 X-Patchwork-Delegate: paul@paul-moore.com
5cf5b26a-ef89-40d4-8053-d788474d741c Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Sun, 25 Aug 2024 19:05:51 +0000 Received: by hermes--production-gq1-5d95dc458-m8nfd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID fa6d7487ce614a4db5b8d88c90575908; Sun, 25 Aug 2024 19:05:45 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH 09/13] Audit: use an lsmblob in audit_names Date: Sun, 25 Aug 2024 12:00:44 -0700 Message-ID: <20240825190048.13289-10-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the osid field in the audit_names structure with a lsmblob structure. This accommodates the use of an lsmblob in security_audit_rule_match() and security_inode_getsecid(). Signed-off-by: Casey Schaufler --- kernel/audit.h | 2 +- kernel/auditsc.c | 20 +++++--------------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index b1f2de4d4f1e..6c664aed8f89 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -82,7 +82,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index eb1c64a2af31..886564532bbe 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -698,19 +698,15 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { - /* scaffolding */ - blob.scaffold.secid = name->osid; result = security_audit_rule_match( - &blob, + &name->oblob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - /* scaffolding */ - blob.scaffold.secid = n->osid; if (security_audit_rule_match( - &blob, + &n->oblob, f->type, f->op, f->lsm_rule)) { @@ -1562,13 +1558,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { + if (lsmblob_is_set(&n->oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", n->osid); + if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) { if (call_panic) *call_panic = 2; } else { 
@@ -2276,17 +2270,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getlsmblob(inode, &blob); - /* scaffolding */ - name->osid = blob.scaffold.secid; + security_inode_getlsmblob(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return;
From patchwork Sun Aug 25 19:00:45 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776886 X-Patchwork-Delegate: paul@paul-moore.com
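Review bot: the kernel/audit.h hunk replaces the 4-byte osid with a full struct lsmblob embedded in struct audit_names, so every name entry recorded for an audited syscall grows by the size difference (the blob carries a per-LSM member plus the scaffold secid, as the selinux and smack hooks later in this series show); the commit message should state the new sizeof(struct audit_names), and kernel/audit.h must already see the definition of struct lsmblob since the hunk adds no include.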
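Review bot: in the audit_filter_rules() hunk the two `blob.scaffold.secid = ...->osid` assignments were the only uses of the local blob visible here; if no other branch of the function still fills it, the function-scope `struct lsmblob blob;` declaration (outside this hunk) should be removed in the same patch to avoid an unused-variable warning.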
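Review bot: the audit_log_name() hunk changes what a record looks like when the label cannot be converted: the old code fell back to logging `osid=%u`, the new code only sets *call_panic = 2 and emits no object label at all. Either call this format change out in the commit message or emit a placeholder the way audit_log_pid_context() logs ` obj=(none)` in patch 11 of this series, so a consumer can tell a label that failed conversion from a file that never had one.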
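Review bot: the audit_copy_inode() hunk has security_inode_getlsmblob() write straight into name->oblob in place of the old local blob; that is only safe if security_inode_getlsmblob() itself initialises the blob before calling the hooks (security_cred_getlsmblob() in patch 10 does so with lsmblob_init()), otherwise an LSM without an inode_getlsmblob hook leaves the freshly allocated entry's bytes as they were and lsmblob_is_set() in audit_log_name() misfires. Please confirm, or add an lsmblob_init(&name->oblob) here.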
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org, Todd Kjos Subject: [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Date: Sun, 25 Aug 2024 12:00:45 -0700 Message-ID: <20240825190048.13289-11-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new LSM hook security_cred_getlsmblob() which, like security_cred_getsecid(), fetches LSM specific attributes from the cred structure. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: Todd Kjos --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 7 +++++++ security/integrity/ima/ima_main.c | 7 ++----- security/security.c | 15 +++++++++++++++ security/selinux/hooks.c | 8 ++++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 6 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 4fd508841a6e..4bdd36626633 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -215,6 +215,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, const struct cred *old) LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c, + struct lsmblob *blob) LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) diff --git a/include/linux/security.h b/include/linux/security.h index 4fe6f64cc3b4..111c1fc18f25 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -473,6 +473,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); 
@@ -1192,6 +1193,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid) *secid = 0; } +static inline void security_cred_getlsmblob(const struct cred *c, + struct lsmblob *blob) +{ + *secid = 0; +} + static inline int security_kernel_act_as(struct cred *cred, u32 secid) { return 0; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d408a700fe6f..8171da96a4a4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, static int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; - struct lsmblob blob = { }; + struct lsmblob blob; security_current_getlsmblob_subj(&blob); ret = process_measurement(bprm->file, current_cred(), @@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - /* scaffolding */ - blob.scaffold.secid = secid; + security_cred_getlsmblob(bprm->cred, &blob); return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } diff --git a/security/security.c b/security/security.c index c2be9798c012..325030bc7112 100644 --- a/security/security.c +++ b/security/security.c @@ -3153,6 +3153,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); +/** + * security_cred_getlsmblob() - Get the LSM data from a set of credentials + * @c: credentials + * @blob: destination for the LSM data + * + * Retrieve the security data of the cred structure @c. In case of + * failure, @blob will be cleared. + */ +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + lsmblob_init(blob); + call_void_hook(cred_getlsmblob, c, blob); +} +EXPORT_SYMBOL(security_cred_getlsmblob); + /** * security_kernel_act_as() - Set the kernel credentials to act as secid * @new: credentials 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f5d09beeef0f..076511c446bd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4029,6 +4029,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) *secid = cred_sid(c); } +static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + blob->selinux.secid = cred_sid(c); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -7240,6 +7247,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8cda7dcf30e1..dbcf1c65da3c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2150,6 +2150,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid) rcu_read_unlock(); } +/** + * smack_cred_getlsmblob - get the Smack label for a creds structure + * @cred: the object creds + * @blob: where to put the data + * + * Sets the Smack part of the blob + */ +static void smack_cred_getlsmblob(const struct cred *cred, + struct lsmblob *blob) +{ + rcu_read_lock(); + blob->smack.skp = smk_of_task(smack_cred(cred)); + /* scaffolding */ + blob->scaffold.secid = blob->smack.skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. 
@@ -5150,6 +5167,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
From patchwork Sun Aug 25 19:00:46 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776887 X-Patchwork-Delegate: paul@paul-moore.com
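Review bot: the !CONFIG_SECURITY stub security_cred_getlsmblob() in the include/linux/security.h @@ -1192 hunk does `*secid = 0;`, but the function has no secid parameter, only c and blob, so a build with security disabled fails here. It should mirror the real implementation and clear the blob instead: `lsmblob_init(blob);`.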
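Review bot: the ima_bprm_check() hunk drops the `= { }` initialiser from blob and then reuses the same variable for the subject lookup and the cred lookup; this is correct only because security_cred_getlsmblob() (security/security.c hunk) calls lsmblob_init() before the hook and so overwrites whatever security_current_getlsmblob_subj() left behind, and it assumes the latter initialises the blob as well. A one-line comment at the declaration stating that both callees initialise the blob would save the next reader the trip.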
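Review bot: the kerneldoc added in the security/security.c hunk says `In case of failure, @blob will be cleared`, but the function has no failure path: it returns void, call_void_hook() cannot report an error, and lsmblob_init() runs unconditionally first. Say instead that @blob is left cleared when no LSM implements the hook, which is the actual behaviour.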
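Review bot: the smack_cred_getlsmblob() kerneldoc in the security/smack/smack_lsm.c hunk says it `Sets the Smack part of the blob`, while the body also fills blob->scaffold.secid from skp->smk_secid; mention the scaffold in the comment so the doc does not go stale when the scaffolding is removed. Holding rcu_read_lock() across both the smack_cred() lookup and the smk_secid read is correct.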
7a6ec7f4-5863-453a-a7f0-2e5c74617ca6 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Sun, 25 Aug 2024 19:05:55 +0000 Received: by hermes--production-gq1-5d95dc458-m8nfd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID fa6d7487ce614a4db5b8d88c90575908; Sun, 25 Aug 2024 19:05:49 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH 11/13] Audit: Change context data from secid to lsmblob Date: Sun, 25 Aug 2024 12:00:46 -0700 Message-ID: <20240825190048.13289-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com> References: <20240825190048.13289-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the LSM data stored in the audit transactions from a secid to an LSM blob. This is done in struct audit_context and struct audit_aux_data_pids. Several cases of scaffolding can be removed. Signed-off-by: Casey Schaufler --- kernel/audit.h | 2 +- kernel/auditfilter.c | 1 - kernel/auditsc.c | 31 ++++++++++++------------------- 3 files changed, 13 insertions(+), 21 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 6c664aed8f89..b413c0420c6f 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -144,7 +144,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_blob; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 06309227a0eb..b3562e6ca081 100644 --- a/kernel/auditfilter.c 
+++ b/kernel/auditfilter.c @@ -1370,7 +1370,6 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - /* scaffolding */ security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 886564532bbe..bfe2ee3ccbe6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -100,7 +100,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_blob[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -1019,7 +1019,7 @@ static void audit_reset_context(struct audit_context *ctx) ctx->target_pid = 0; ctx->target_auid = ctx->target_uid = KUIDT_INIT(0); ctx->target_sessionid = 0; - ctx->target_sid = 0; + lsmblob_init(&ctx->target_blob); ctx->target_comm[0] = '\0'; unroll_tree_refs(ctx, NULL, 0); WARN_ON(!list_empty(&ctx->killed_trees)); @@ -1093,8 +1093,9 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsmblob *blob, + char *comm) { struct audit_buffer *ab; char *ctx = NULL; @@ -1108,8 +1109,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_lsmblob_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { 
@@ -1778,7 +1779,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_blob[i], axs->target_comm[i])) call_panic = 1; } @@ -1787,7 +1788,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_blob, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -2722,15 +2723,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* scaffolding */ - context->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &context->target_blob); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2746,7 +2744,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2758,9 +2755,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* scaffolding */ - ctx->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &ctx->target_blob); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } 
@@ -2781,9 +2776,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* scaffolding */ - axp->target_sid[axp->pid_count] = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &axp->target_blob[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++;
From patchwork Sun Aug 25 19:00:47 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13776889 X-Patchwork-Delegate: paul@paul-moore.com
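Review bot: the struct audit_aux_data_pids hunk turns target_sid[AUDIT_AUX_PIDS] into AUDIT_AUX_PIDS full lsmblobs, so the per-record growth is the blob/secid size difference multiplied by the array length, and one of these records is allocated for every batch of audited signal targets (see the pid_count bookkeeping in audit_signal_info_syscall()); the commit message should state the new structure size.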
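Review bot: the audit_log_pid_context() signature hunk declares `struct lsmblob *blob` although the function only reads it, through lsmblob_is_set() and security_lsmblob_to_secctx() in the following hunk; make it `const struct lsmblob *blob` if those helpers accept a const pointer, so the callers passing &axs->target_blob[i] and &context->target_blob get a read-only contract.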
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH 12/13] Netlabel: Use lsmblob for audit data
Date: Sun, 25 Aug 2024 12:00:47 -0700
Message-ID: <20240825190048.13289-13-casey@schaufler-ca.com>
In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com>
References: <20240825190048.13289-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Replace the secid in the netlbl_audit structure with an lsmblob. Remove scaffolding that was required when the value was a secid.

Signed-off-by: Casey Schaufler
---
 include/net/netlabel.h            | 2 +-
 net/netlabel/netlabel_unlabeled.c | 5 +----
 net/netlabel/netlabel_user.c      | 7 +++----
 net/netlabel/netlabel_user.h      | 6 +-----
 security/smack/smackfs.c          | 4 +---
 5 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 654bc777d2a7..eb6b479c5c06 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -97,7 +97,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct lsmblob blob; kuid_t loginuid; unsigned int sessionid; };
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 7f38dc9b6b57..7bac13ae07a3 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1534,14 +1534,11 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; - struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getlsmblob_subj(&blob); - /* scaffolding */ - audit_info.secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info.blob); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..6cd1fcb3902b 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,10 +98,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + if (lsmblob_is_set(&audit_info->blob) && + security_lsmblob_to_secctx(&audit_info->blob, &secctx, + &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 40841d7af1d8..1a9639005d09 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h 
@@ -32,11 +32,7 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - struct lsmblob blob; - - security_current_getlsmblob_subj(&blob); - /* scaffolding */ - audit_info->secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info->blob); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e22aad7604e8..878fe44b662d 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c 
@@ -182,11 +182,9 @@ static inline void smack_catset_bit(unsigned int cat, char *catsetp) */ static void smk_netlabel_audit_set(struct netlbl_audit *nap) { - struct smack_known *skp = smk_of_current(); - nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + nap->blob.smack.skp = smk_of_current(); } /*

From patchwork Sun Aug 25 19:00:48 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13776888
X-Patchwork-Delegate: paul@paul-moore.com
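Review bot: in the include/net/netlabel.h hunk of 12/13, `+ struct lsmblob blob;` embeds struct lsmblob by value in struct netlbl_audit, which needs the complete type rather than a forward declaration, yet the hunk adds no #include. Unless netlabel.h already pulls in the header that defines struct lsmblob, every translation unit that includes netlabel.h on its own stops compiling; either add the include in this header or say in the commit message why it is already guaranteed.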
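Review bot: in the netlbl_unlabel_defconf() hunk of 12/13, audit_info is an uninitialised stack variable and the only write to audit_info.blob is now security_current_getlsmblob_subj(&audit_info.blob). The netlabel_user.c hunk gates the subj= field on lsmblob_is_set(&audit_info->blob), which has to consider each LSM's member of the blob, so this is only correct if the hook initialises every member, including those of LSMs that are not active, rather than just the active LSM's. If it does not guarantee that, stale stack contents can make lsmblob_is_set() true and hand garbage to security_lsmblob_to_secctx(); `struct netlbl_audit audit_info = { };` is the cheap fix. The same question applies to netlbl_netlink_auditinfo() in the netlabel_user.h hunk.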
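Review bot: the smk_netlabel_audit_set() hunk of 12/13 fills only nap->blob.smack.skp and leaves the other lsmblob members (selinux, apparmor, bpf) with whatever the caller had on the stack, whereas the netlabel-side callers in this patch go through security_current_getlsmblob_subj() for the whole blob. Those stale members reach lsmblob_is_set() and security_lsmblob_to_secctx() in netlbl_audit_start_common(); zero the blob before setting the Smack member (memset, or whatever initialiser the lsmblob API provides) so that a build with more than one LSM cannot see an uninitialised AppArmor label pointer or SELinux secid.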
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH 13/13] LSM: Remove lsmblob scaffolding
Date: Sun, 25 Aug 2024 12:00:48 -0700
Message-ID: <20240825190048.13289-14-casey@schaufler-ca.com>
In-Reply-To: <20240825190048.13289-1-casey@schaufler-ca.com>
References: <20240825190048.13289-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Remove the scaffold member from the lsmblob. Remove the remaining places it is being set.

Signed-off-by: Casey Schaufler
---
 include/linux/security.h       |  6 ------
 security/apparmor/audit.c      |  6 +-----
 security/apparmor/lsm.c        |  4 ----
 security/apparmor/secid.c      |  6 +-----
 security/selinux/hooks.c       | 18 +-----------------
 security/selinux/ss/services.c |  4 ----
 security/smack/smack_lsm.c     | 33 ++++-----------------------------
 7 files changed, 7 insertions(+), 70 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h index 111c1fc18f25..ca4f3b41f344 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -144,11 +144,6 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; -/* scaffolding */ -struct lsmblob_scaffold { - u32 secid; -}; - /* * Data exported by the security modules */
@@ -157,7 +152,6 @@ struct lsmblob { struct lsmblob_smack smack; struct lsmblob_apparmor apparmor; struct lsmblob_bpf bpf; - struct lsmblob_scaffold scaffold; }; extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 758b75a9c1c5..120154a6d683 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -270,11 +270,7 @@ int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule) struct aa_label *label; int found = 0; - /* scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 877c4e809ae8..08fde302c9fe 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -987,8 +987,6 @@ static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) struct aa_label *label = __begin_current_label_crit_section(); blob->apparmor.label = label; - /* scaffolding */ - blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } @@ -998,8 +996,6 @@ static void apparmor_task_getlsmblob_obj(struct task_struct *p, struct aa_label *label = aa_get_task_label(p); blob->apparmor.label = label; - /* scaffolding */ - blob->scaffold.secid = label->secid; aa_put_label(label); } diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 3c389e5810cd..2b48050f97a6 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -100,11 +100,7 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, AA_BUG(!seclen); - /* scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -EINVAL; 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 076511c446bd..a81529c21517 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3510,8 +3510,6 @@ static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) struct inode_security_struct *isec = inode_security_novalidate(inode); blob->selinux.secid = isec->sid; - /* scaffolding */ - blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) @@ -4032,8 +4030,6 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) { blob->selinux.secid = cred_sid(c); - /* scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } /* @@ -4174,16 +4170,12 @@ static int selinux_task_getsid(struct task_struct *p) static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { blob->selinux.secid = current_sid(); - /* scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static void selinux_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { blob->selinux.secid = task_sid_obj(p); - /* scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -6348,8 +6340,6 @@ static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, { struct ipc_security_struct *isec = selinux_ipc(ipcp); blob->selinux.secid = isec->sid; - /* scaffolding */ - blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 
@@ -6634,13 +6624,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { - u32 secid = blob->selinux.secid; - - /* scaffolding */ - if (!secid) - secid = blob->scaffold.secid; - - return security_sid_to_context(secid, secdata, seclen); + return security_sid_to_context(blob->selinux.secid, secdata, seclen); } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 43eb1d46942c..002072912800 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3660,10 +3660,6 @@ int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, goto out; } - /* scaffolding */ - if (!blob->selinux.secid && blob->scaffold.secid) - blob->selinux.secid = blob->scaffold.secid; - ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index dbcf1c65da3c..670050f739da 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1655,11 +1655,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, */ static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - struct smack_known *skp = smk_of_inode(inode); - - blob->smack.skp = skp; - /* scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_inode(inode); } /* @@ -2162,8 +2158,6 @@ static void smack_cred_getlsmblob(const struct cred *cred, { rcu_read_lock(); blob->smack.skp = smk_of_task(smack_cred(cred)); - /* scaffolding */ - blob->scaffold.secid = blob->smack.skp->smk_secid; rcu_read_unlock(); } 
@@ -2265,11 +2259,7 @@ static int smack_task_getsid(struct task_struct *p) */ static void smack_current_getlsmblob_subj(struct lsmblob *blob) { - struct smack_known *skp = smk_of_current(); - - blob->smack.skp = skp; - /* scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_current(); } /** @@ -2282,11 +2272,7 @@ static void smack_current_getlsmblob_subj(struct lsmblob *blob) static void smack_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - struct smack_known *skp = smk_of_task_struct_obj(p); - - blob->smack.skp = skp; - /* scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_task_struct_obj(p); } /** @@ -3474,11 +3460,8 @@ static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, struct lsmblob *blob) { struct smack_known **iskpp = smack_ipc(ipp); - struct smack_known *iskp = *iskpp; - blob->smack.skp = iskp; - /* scaffolding */ - blob->scaffold.secid = iskp->smk_secid; + blob->smack.skp = *iskpp; } /** @@ -4825,10 +4808,6 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - /* scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - /* * No need to do string comparisons. If a match occurs, * both pointers will point to the same smack_known @@ -4889,10 +4868,6 @@ static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, { struct smack_known *skp = blob->smack.skp; - /* scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - if (secdata) *secdata = skp->smk_known; *seclen = strlen(skp->smk_known);
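Review bot: in the security/apparmor/lsm.c hunks of 13/13, apparmor_current_getlsmblob_subj() and apparmor_task_getlsmblob_obj() store the label pointer in blob->apparmor.label and then immediately drop it (__end_current_label_crit_section(label) and aa_put_label(label)), so the blob leaves the hook holding a pointer without a reference. That was already the case, but once the scaffold secid is gone there is no path left in aa_audit_rule_match() or apparmor_lsmblob_to_secctx() that re-resolves anything through aa_secid_to_label(); the raw pointer is all they get. Either take a reference that the consumer releases, or document on the hook that the blob is only valid until the task's label can be replaced.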
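Review bot: the smack_lsmblob_to_secctx() hunk of 13/13 removes the only code that could fill skp when blob->smack.skp is NULL, and the lines that remain dereference it unconditionally (`*secdata = skp->smk_known;` and `*seclen = strlen(skp->smk_known);`). The AppArmor counterpart in the same patch returns -EINVAL for a NULL label and aa_audit_rule_match() returns -ENOENT; add `if (!skp) return -EINVAL;` here so a blob that was never populated produces an error instead of a NULL dereference.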
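Review bot: in the security/selinux/ss/services.c hunk of 13/13, a blob whose selinux.secid was never set now goes straight into sidtab_search(policy->sidtab, 0), and the existing `if (unlikely(!ctxt))` path then fires WARN_ONCE("selinux_audit_rule_match: unrecognized SID") for SID 0, where the removed fallback previously rescued the case when the scaffold secid was filled. If an unset blob can legitimately reach selinux_audit_rule_match() (for example from a caller that zeroed the blob without calling a getlsmblob hook), check for secid == 0 before the lookup and return 0 (no match) rather than warning.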