From patchwork Fri Aug 30 00:33:59 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784060
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, apparmor@lists.ubuntu.com, bpf@vger.kernel.org
Subject: [PATCH v2 01/13] LSM: Add the lsmblob data structure.
Date: Thu, 29 Aug 2024 17:33:59 -0700
Message-ID: <20240830003411.16818-2-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

When more than one security module is exporting data to audit and networking sub-systems a single 32 bit integer is no longer sufficient to represent the data. Add a structure to be used instead.

The lsmblob structure definition is intended to keep the LSM specific information private to the individual security modules. The module specific information is included in a new set of header files under include/lsm. Each security module is allowed to define the information included for its use in the lsmblob. SELinux includes a u32 secid. Smack includes a pointer into its global label list. The conditional compilation based on feature inclusion is contained in the include/lsm files.

Suggested-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: apparmor@lists.ubuntu.com Cc: bpf@vger.kernel.org Cc: selinux@vger.kernel.org Cc: linux-security-module@vger.kernel.org --- include/linux/lsm/apparmor.h | 17 +++++++++++++++++ include/linux/lsm/bpf.h | 16 ++++++++++++++++ include/linux/lsm/selinux.h | 16 ++++++++++++++++ include/linux/lsm/smack.h | 17 +++++++++++++++++ include/linux/security.h | 20 ++++++++++++++++++++ 5 files changed, 86 insertions(+) create mode 100644 include/linux/lsm/apparmor.h create mode 100644 include/linux/lsm/bpf.h create mode 100644 include/linux/lsm/selinux.h create mode 100644 include/linux/lsm/smack.h diff --git a/include/linux/lsm/apparmor.h b/include/linux/lsm/apparmor.h new file mode 100644 index 000000000000..11521f66d548 --- /dev/null +++ b/include/linux/lsm/apparmor.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * AppArmor presents single pointer to an aa_label structure. + */ +#ifndef __LINUX_LSM_APPARMOR_H +#define __LINUX_LSM_APPARMOR_H + +struct aa_label; + +struct lsmblob_apparmor { +#ifdef CONFIG_SECURITY_APPARMOR + struct aa_label *label; +#endif +}; + +#endif /* ! __LINUX_LSM_APPARMOR_H */ diff --git a/include/linux/lsm/bpf.h b/include/linux/lsm/bpf.h new file mode 100644 index 000000000000..48abdcd82ded --- /dev/null +++ b/include/linux/lsm/bpf.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * BPF may present a single u32 value. + */ +#ifndef __LINUX_LSM_BPF_H +#define __LINUX_LSM_BPF_H +#include + +struct lsmblob_bpf { +#ifdef CONFIG_BPF_LSM + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_BPF_H */ diff --git a/include/linux/lsm/selinux.h b/include/linux/lsm/selinux.h new file mode 100644 index 000000000000..fd16456b36ac --- /dev/null +++ b/include/linux/lsm/selinux.h 
@@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * SELinux presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_SELINUX_H +#define __LINUX_LSM_SELINUX_H +#include + +struct lsmblob_selinux { +#ifdef CONFIG_SECURITY_SELINUX + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_SELINUX_H */ diff --git a/include/linux/lsm/smack.h b/include/linux/lsm/smack.h new file mode 100644 index 000000000000..2018f288302f --- /dev/null +++ b/include/linux/lsm/smack.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * Smack presents a pointer into the global Smack label list. + */ +#ifndef __LINUX_LSM_SMACK_H +#define __LINUX_LSM_SMACK_H + +struct smack_known; + +struct lsmblob_smack { +#ifdef CONFIG_SECURITY_SMACK + struct smack_known *skp; +#endif +}; + +#endif /* ! __LINUX_LSM_SMACK_H */ diff --git a/include/linux/security.h b/include/linux/security.h index 1390f1efb4f0..0057a22137e8 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -34,6 +34,10 @@ #include #include #include +#include +#include +#include +#include struct linux_binprm; struct cred; 
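Review bot: the hunks creating include/linux/lsm/apparmor.h, bpf.h, selinux.h and smack.h each leave their `struct lsmblob_*` with no members when the matching CONFIG_SECURITY_APPARMOR / CONFIG_BPF_LSM / CONFIG_SECURITY_SELINUX / CONFIG_SECURITY_SMACK option is off; that is a zero-size struct, a GNU C extension the kernel already builds with, so it compiles, but a one-line comment in each header saying the empty case is intentional would help, since `sizeof(struct lsmblob)` then depends on the configuration. In the include/linux/security.h hunk at @@ -34 the targets of the four new `+#include` lines are not visible in this rendering, so their ordering against the existing includes could not be checked.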
@@ -140,6 +144,22 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* scaffolding */ +struct lsmblob_scaffold { + u32 secid; +}; + +/* + * Data exported by the security modules + */ +struct lsmblob { + struct lsmblob_selinux selinux; + struct lsmblob_smack smack; + struct lsmblob_apparmor apparmor; + struct lsmblob_bpf bpf; + struct lsmblob_scaffold scaffold; +}; + extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; extern const struct lsm_id *lsm_idlist[];

From patchwork Fri Aug 30 00:34:00 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784061
X-Patchwork-Delegate: paul@paul-moore.com
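Review bot: on patch 01/13, in the include/linux/security.h hunk at @@ -140 that adds `struct lsmblob`, the `/* scaffolding */` comment on `struct lsmblob_scaffold` does not say what the `secid` member carries or when it goes away; the following patches fill `blob.scaffold.secid` from the legacy u32 until the getsecid hooks are converted, so spell that out, e.g. `/* scaffolding: legacy u32 secid until every caller passes a blob; remove at end of series */`. The `Data exported by the security modules` comment on `struct lsmblob` should also be kernel-doc (`/**` plus one `@member:` line per module) since this is a public header.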
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net
Subject: [PATCH v2 02/13] LSM: Use lsmblob in security_audit_rule_match
Date: Thu, 29 Aug 2024 17:34:00 -0700
Message-ID: <20240830003411.16818-3-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Change the secid parameter of security_audit_rule_match to a lsmblob structure pointer. Pass the entry from the lsmblob structure for the appropriate slot to the LSM hook. Change the users of security_audit_rule_match to use the lsmblob instead of a u32.

The scaffolding function lsmblob_init() fills the blob with the value of the old secid, ensuring that it is available to the appropriate module hook. The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the blob structure later in the series. At that point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler --- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 7 ++++--- kernel/auditfilter.c | 11 +++++++---- kernel/auditsc.c | 18 ++++++++++++++---- security/apparmor/audit.c | 8 ++++++-- security/apparmor/include/audit.h | 2 +- security/integrity/ima/ima_policy.c | 11 +++++++---- security/security.c | 7 ++++--- security/selinux/include/audit.h | 5 +++-- security/selinux/ss/services.c | 11 ++++++++--- security/smack/smack_lsm.c | 11 ++++++++--- 11 files changed, 64 insertions(+), 30 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 855db460e08b..1d3bdf71109e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -416,7 +416,8 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, void **lsmrule, gfp_t gfp) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) +LSM_HOOK(int, 0, audit_rule_match, struct lsmblob *blob, u32 field, u32 op, + void *lsmrule) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) #endif /* CONFIG_AUDIT */ diff --git a/include/linux/security.h b/include/linux/security.h index 0057a22137e8..c0ed2119a622 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2071,7 +2071,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, gfp_t gfp); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule); void security_audit_rule_free(void *lsmrule); #else 
@@ -2087,8 +2088,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index d6ef4f4f9cba..c4c7cda3b846 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1339,8 +1339,8 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; + struct lsmblob blob = { }; pid_t pid; - u32 sid; switch (f->type) { case AUDIT_PID: @@ -1370,9 +1370,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_current_getsecid_subj(&sid); - result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + /* scaffolding */ + security_current_getsecid_subj( + &blob.scaffold.secid); + result = security_audit_rule_match( + &blob, f->type, f->op, + f->lsm_rule); } break; case AUDIT_EXE: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f0d6fb6523f..23adb15cae43 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,6 +471,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob = { }; unsigned int sessionid; if (ctx && rule->prio <= ctx->prio) @@ -681,7 +682,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + /* scaffolding */ + blob.scaffold.secid = sid; + result = security_audit_rule_match(&blob, + f->type, f->op, f->lsm_rule); } 
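Review bot: the kernel/auditfilter.c hunk at @@ -1370 and the kernel/auditsc.c hunk at @@ -681 fill the blob by writing `blob.scaffold.secid` directly (`security_current_getsecid_subj(&blob.scaffold.secid);` and `blob.scaffold.secid = sid;`), but the commit message describes a scaffolding function `lsmblob_init()` doing this; no such function is added anywhere in the diff, so either the message is stale or the helper was dropped, and the two should agree. In the auditsc.c hunk the blob is refilled from the cached `sid` on every matching field rather than once where `need_sid` is cleared; harmless, but putting the assignment next to the `security_current_getsecid_subj(&sid)` call keeps all the scaffolding in one place for the later removal.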
@@ -696,15 +700,19 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { + /* scaffolding */ + blob.scaffold.secid = name->osid; result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + /* scaffolding */ + blob.scaffold.secid = n->osid; if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rule)) { @@ -716,7 +724,9 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + /* scaffolding */ + blob.scaffold.secid = ctx->ipc.osid; + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rule)) ++result; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 6b5181c668b5..758b75a9c1c5 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -264,13 +264,17 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule) { struct aa_audit_rule *rule = vrule; struct aa_label *label; int found = 0; - label = aa_secid_to_label(sid); + /* scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index 0c8cc86b417b..c5a516e61318 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h 
@@ -202,6 +202,6 @@ static inline int complain_error(int error) void aa_audit_rule_free(void *vrule); int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 09da8e639239..40119816b848 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -635,7 +635,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; + struct lsmblob blob = { }; if (!lsm_rule->lsm[i].rule) { if (!lsm_rule->lsm[i].args_p) @@ -649,15 +649,18 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, + /* scaffolding */ + security_inode_getsecid(inode, &blob.scaffold.secid); + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, + /* scaffolding */ + blob.scaffold.secid = secid; + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); break; diff --git a/security/security.c b/security/security.c index 8cee5b6c6e6d..64a6d6bbd1f4 100644 --- a/security/security.c +++ b/security/security.c @@ -5399,7 +5399,7 @@ void security_audit_rule_free(void *lsmrule) /** * security_audit_rule_match() - Check if a label matches an audit rule - * @secid: security label + * @lsmblob: security label * @field: LSM audit field * @op: matching operator * @lsmrule: audit rule 
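Review bot: in the security/security.c hunk at @@ -5399 the kernel-doc parameter is renamed to `@lsmblob:` while the new prototype names it `blob` (`int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule)` in the include/linux/security.h hunk), so scripts/kernel-doc will report `blob` as undocumented; use `@blob: security label` instead. The `Return:` text in the next hunk still reads `Returns 1 if secid matches the rule`, which is worth updating in the same pass.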
@@ -5410,9 +5410,10 @@ void security_audit_rule_free(void *lsmrule) * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on * failure. */ -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule) { - return call_int_hook(audit_rule_match, secid, field, op, lsmrule); + return call_int_hook(audit_rule_match, blob, field, op, lsmrule); } #endif /* CONFIG_AUDIT */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 29c7d4c86f6d..104165e4c931 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -41,7 +41,7 @@ void selinux_audit_rule_free(void *rule); /** * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check + * @blob: includes the context ID to check * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against @@ -49,7 +49,8 @@ void selinux_audit_rule_free(void *rule); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *rule); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e33e55384b75..43eb1d46942c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3633,7 +3633,8 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; 
@@ -3659,10 +3660,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) goto out; } - ctxt = sidtab_search(policy->sidtab, sid); + /* scaffolding */ + if (!blob->selinux.secid && blob->scaffold.secid) + blob->selinux.secid = blob->scaffold.secid; + + ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + blob->selinux.secid); match = -ENOENT; goto out; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4164699cd4f6..52d5ef986db8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4776,7 +4776,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) /** * smack_audit_rule_match - Audit given object ? - * @secid: security id for identifying the object to test + * @blob: security id for identifying the object to test * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation @@ -4784,7 +4784,8 @@ static int smack_audit_rule_known(struct audit_krule *krule) * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) +static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule) { struct smack_known *skp; char *rule = vrule; 
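Review bot: in the security/selinux/ss/services.c hunk at @@ -3659 the scaffolding writes back into the caller's object (`blob->selinux.secid = blob->scaffold.secid;`), so the hook mutates its input as a side effect, whereas the AppArmor and Smack versions of the same scaffolding resolve into a local variable. For a read-only query hook, prefer a local `u32 sid = blob->selinux.secid ?: blob->scaffold.secid;` and pass that to sidtab_search() and WARN_ONCE(), or document that callers should expect the blob to be updated. (The `%d` format for a u32 SID in the WARN_ONCE is pre-existing.)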
@@ -4797,7 +4798,11 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - skp = smack_from_secid(secid); + /* scaffolding */ + if (!blob->smack.skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + else + skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs,

From patchwork Fri Aug 30 00:34:01 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784037
X-Patchwork-Delegate: paul@paul-moore.com
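Review bot: on patch 02/13, in the security/smack/smack_lsm.c hunk at @@ -4797, `skp` is now taken straight from `blob->smack.skp` whenever that pointer is set or `blob->scaffold.secid` is zero, so a blob with neither member populated yields `skp == NULL`, where the removed `smack_from_secid(secid)` call never returns NULL (it falls back to the unknown label). The lines after the hunk are not shown, and the matching AppArmor hunk has an explicit `if (!label) return -ENOENT;`, so add the equivalent `if (!skp) return -ENOENT;` here unless it already exists below.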
From patchwork Fri Aug 30 00:34:01 2024
X-Patchwork-Id: 13784037
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net
Subject: [PATCH v2 03/13] LSM: Add lsmblob_to_secctx hook
Date: Thu, 29 Aug 2024 17:34:01 -0700
Message-ID: <20240830003411.16818-4-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Add a new hook security_lsmblob_to_secctx() and its LSM specific implementations. The LSM specific code will use the lsmblob element allocated for that module. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code.

Signed-off-by: Casey Schaufler
---
 include/linux/lsm_hook_defs.h | 2 ++
 include/linux/security.h | 11 ++++++++++-
 security/apparmor/include/secid.h | 2 ++
 security/apparmor/lsm.c | 1 +
 security/apparmor/secid.c | 25 +++++++++++++++++++++++--
 security/security.c | 30 ++++++++++++++++++++++++++++++
 security/selinux/hooks.c | 16 ++++++++++++++--
 security/smack/smack_lsm.c | 31 ++++++++++++++++++++++++++-----
 8 files changed, 108 insertions(+), 10 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 1d3bdf71109e..3e5f6baa7b9f 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h
@@ -291,6 +291,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, u32 *seclen) +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, + char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) diff --git a/include/linux/security.h b/include/linux/security.h index c0ed2119a622..457fafc32fb0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -520,6 +520,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); @@ -1461,7 +1463,14 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(u32 secid, char **secdata, + u32 *seclen) +{ + return -EOPNOTSUPP; +} + +static inline int security_lsmblob_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index a912a5d5d04f..816a425e2023 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h 
@@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void apparmor_release_secctx(char *secdata, u32 seclen); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 808060f9effb..050d103f5ca5 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1532,6 +1532,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { #endif LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 83d3d1e6d9dc..7ba48d0b3ee8 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -61,10 +61,10 @@ struct aa_label *aa_secid_to_label(u32 secid) return xa_load(&aa_secids, secid); } -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int apparmor_label_to_secctx(struct aa_label *label, char **secdata, + u32 *seclen) { /* TODO: cache secctx and ref count so we don't have to recreate */ - struct aa_label *label = aa_secid_to_label(secid); int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT; int len; 
@@ -90,6 +90,27 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +{ + struct aa_label *label = aa_secid_to_label(secid); + + return apparmor_label_to_secctx(label, secdata, seclen); +} + +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct aa_label *label; + + /* scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; + + return apparmor_label_to_secctx(label, secdata, seclen); +} + int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { struct aa_label *label; diff --git a/security/security.c b/security/security.c index 64a6d6bbd1f4..bb541a3be410 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4192,6 +4192,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); +/** + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx + * @blob: lsm specific information + * @secdata: secctx + * @seclen: secctx length + * + * Convert a @blob entry to security context. If @secdata is NULL the + * length of the result will be returned in @seclen, but no @secdata + * will be returned. This does mean that the length could change between + * calls to check the length and the next call which actually allocates + * and returns the @secdata. + * + * Return: Return 0 on success, error on failure. + */ +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); + if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + return rc; + } + + return LSM_RET_DEFAULT(secid_to_secctx); +} +EXPORT_SYMBOL(security_lsmblob_to_secctx); + /** * security_secctx_to_secid() - Convert a secctx to a secid * @secdata: secctx diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 55c78c318ccd..102489e6d579 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6610,8 +6610,19 @@ static int selinux_ismaclabel(const char *name) static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { - return security_sid_to_context(secid, - secdata, seclen); + return security_sid_to_context(secid, secdata, seclen); +} + +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + u32 secid = blob->selinux.secid; + + /* scaffolding */ + if (!secid) + secid = blob->scaffold.secid; + + return security_sid_to_context(secid, secdata, seclen); } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 
@@ -7388,6 +7399,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx), LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 52d5ef986db8..5d74d8590862 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4787,7 +4787,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule) { - struct smack_known *skp; + struct smack_known *skp = blob->smack.skp; char *rule = vrule; if (unlikely(!rule)) { @@ -4799,10 +4799,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, return 0; /* scaffolding */ - if (!blob->smack.skp && blob->scaffold.secid) + if (!skp && blob->scaffold.secid) skp = smack_from_secid(blob->scaffold.secid); - else - skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs, @@ -4833,7 +4831,6 @@ static int smack_ismaclabel(const char *name) return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); } - /** * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer 
@@ -4852,6 +4849,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +/** + * smack_lsmblob_to_secctx - return the smack label + * @blob: includes incoming Smack data + * @secdata: destination + * @seclen: how long it is + * + * Exists for audit code. + */ +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct smack_known *skp = blob->smack.skp; + + /* scaffolding */ + if (!skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + + if (secdata) + *secdata = skp->smk_known; + *seclen = strlen(skp->smk_known); + return 0; +} + /** * smack_secctx_to_secid - return the secid for a smack label * @secdata: smack label 
@@ -5208,6 +5228,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
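Review bot: security_lsmblob_to_secctx() in the security/security.c hunk of 03/13 walks the wrong hook list. The loop is `hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list)` but the call is `hp->hook.lsmblob_to_secctx(blob, secdata, seclen)`, so every entry that was registered for secid_to_secctx is invoked through the lsmblob_to_secctx member of the hook union, i.e. the module's secid_to_secctx function receives a struct lsmblob pointer where it expects a u32 secid, and modules that registered lsmblob_to_secctx are never reached through their own list. Iterate `security_hook_heads.lsmblob_to_secctx` instead and, for consistency, compare against and return `LSM_RET_DEFAULT(lsmblob_to_secctx)` rather than `LSM_RET_DEFAULT(secid_to_secctx)` (they happen to both be -EOPNOTSUPP today, but the default belongs to the hook being called).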
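Review bot: smack_lsmblob_to_secctx() in the security/smack/smack_lsm.c hunk at @@ -4852,6 +4849,29 @@ can dereference a NULL skp. skp starts as blob->smack.skp and is only replaced via smack_from_secid() when blob->scaffold.secid is non-zero, so a blob with neither field populated reaches `*secdata = skp->smk_known;` and `*seclen = strlen(skp->smk_known);` with skp == NULL. smack_secid_to_secctx() does not have this path because it always goes through smack_from_secid(). Either drop the `blob->scaffold.secid` condition so the scaffold lookup is the fallback whenever skp is NULL, or return an error before the dereference when skp is still NULL after the scaffold check. The kernel-doc line `@seclen: how long it is` should also say it is the length of the returned @secdata, to match the wording used for security_lsmblob_to_secctx().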
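Review bot: the hunk at @@ -4833,7 +4831,6 @@ in security/smack/smack_lsm.c only removes a blank line above the smack_secid_to_secctx() kernel-doc block; that is an unrelated whitespace change bundled into a patch that adds a hook. Either drop it from 03/13 or mention it in the commit message so the diffstat for smack_lsm.c reflects only the new hook and its registration.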
From patchwork Fri Aug 30 00:34:02 2024
X-Patchwork-Id: 13784036
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net
Subject: [PATCH v2 04/13] Audit: maintain an lsmblob in audit_context
Date: Thu, 29 Aug 2024 17:34:02 -0700
Message-ID: <20240830003411.16818-5-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Replace the secid value stored in struct audit_context with a struct lsmblob. Change the code that uses this value to accommodate the change. security_audit_rule_match() expects a lsmblob, so existing scaffolding can be removed. A call to security_secid_to_secctx() is changed to security_lsmblob_to_secctx(). The call to security_ipc_getsecid() is scaffolded. A new function lsmblob_is_set() is introduced to identify whether an lsmblob contains a non-zero value.

Signed-off-by: Casey Schaufler
---
 include/linux/security.h | 13 +++++++++++++
 kernel/audit.h | 3 ++-
 kernel/auditsc.c | 19 ++++++++-----------
 3 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h index 457fafc32fb0..a0b23b6e8734 100644
--- a/include/linux/security.h +++ b/include/linux/security.h @@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id) return kernel_load_data_str[id]; } +/** + * lsmblob_is_set - report if there is a value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a value set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + const struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); diff --git a/kernel/audit.h b/kernel/audit.h index a60d2840559e..b1f2de4d4f1e 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -11,6 +11,7 @@ #include #include +#include #include #include #include @@ -160,7 +161,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 23adb15cae43..84f6e9356b8f 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - /* scaffolding */ - blob.scaffold.secid = ctx->ipc.osid; - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rule)) ++result; 
@@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, " a%d=%lx", i, context->socketcall.args[i]); break; } - case AUDIT_IPC: { - u32 osid = context->ipc.osid; - + case AUDIT_IPC: audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { + if (lsmblob_is_set(&context->ipc.oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", osid); + if (security_lsmblob_to_secctx(&context->ipc.oblob, + &ctx, &len)) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic) context->ipc.perm_gid, context->ipc.perm_mode); } - break; } + break; case AUDIT_MQ_OPEN: audit_log_format(ab, "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " 
@@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + /* scaffolding */ + security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); context->type = AUDIT_IPC; }
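Review bot: lsmblob_is_set() in the include/linux/security.h hunk of 04/13 decides "set" by `memcmp(blob, &empty, sizeof(*blob))` over the whole struct, so any non-zero padding byte in @blob counts as a value even when every member is zero. struct lsmblob mixes u32 secids with pointers (blob->selinux.secid, blob->smack.skp, blob->apparmor.label and blob->scaffold.secid appear in 03/13), which on 64-bit leaves padding that member-by-member assignment never writes. Either state in the kernel-doc that every lsmblob must be zeroed (memset) before members are assigned, and make every producer do that, or test the members explicitly so padding cannot influence the result.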
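Review bot: the show_special() AUDIT_IPC hunk at @@ -1394,19 +1392,17 @@ in kernel/auditsc.c silently drops the fallback field on conversion failure. Before, a failing security_secid_to_secctx() still emitted ` osid=%u` so the record identified the object; after the change, a failing security_lsmblob_to_secctx() only sets `*call_panic = 1` and the record carries no object identity at all. Since context->ipc.oblob.scaffold.secid is still populated during the transition, keep an `osid=` fallback from the scaffold secid, or say in the commit message that the fallback is being removed deliberately and why.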
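Review bot: the __audit_ipc_obj() hunk at @@ -2642,7 +2638,8 @@ in kernel/auditsc.c fills only `context->ipc.oblob.scaffold.secid`, while the new lsmblob_is_set() that show_special() now relies on inspects the whole struct. Unless every other member of context->ipc.oblob is guaranteed to be zero each time the context is reused for a new syscall, a stale value from an earlier record can make the blob look set and route a zero scaffold secid into security_lsmblob_to_secctx(). Zeroing the blob (memset) immediately before the scaffolded security_ipc_getsecid() call makes the transitional state explicit and keeps lsmblob_is_set() honest.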
From patchwork Fri Aug 30 00:34:03 2024
X-Patchwork-Id: 13784062
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, audit@vger.kernel.org
Subject: [PATCH v2 05/13] LSM: Use lsmblob in security_ipc_getsecid
Date: Thu, 29 Aug 2024 17:34:03 -0700
Message-ID: <20240830003411.16818-6-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. Change the name to security_ipc_getlsmblob() to reflect the change. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here.
Signed-off-by: Casey Schaufler Cc: audit@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: selinux@vger.kernel.org --- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 18 +++++++++++++++--- kernel/auditsc.c | 3 +-- security/security.c | 14 +++++++------- security/selinux/hooks.c | 9 ++++++--- security/smack/smack_lsm.c | 17 ++++++++++------- 6 files changed, 41 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 3e5f6baa7b9f..c3ffc3f98343 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) LSM_HOOK(int, 0, userns_create, const struct cred *cred) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, - u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp, + struct lsmblob *blob) LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) diff --git a/include/linux/security.h b/include/linux/security.h index a0b23b6e8734..ebe8edaae953 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob) return !!memcmp(blob, &empty, sizeof(*blob)); } +/** + * lsmblob_init - initialize a lsmblob structure + * @blob: Pointer to the data to initialize + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob) +{ + memset(blob, 0, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); 
@@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_create_user_ns(const struct cred *cred); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 84f6e9356b8f..94b7ef89da2e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - /* scaffolding */ - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); + security_ipc_getlsmblob(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index bb541a3be410..6e72e678b5b4 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) } /** - * security_ipc_getsecid() - Get the sysv ipc object's secid + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data * @ipcp: ipc permission structure - * @secid: secid pointer + * @blob: pointer to lsm information * - * Get the secid associated with the ipc object. In case of failure, @secid - * will be set to zero. + * Get the lsm information associated with the ipc object. */ -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) + +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + lsmblob_init(blob); + call_void_hook(ipc_getlsmblob, ipcp, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 102489e6d579..1b34b86426e8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { struct ipc_security_struct *isec = selinux_ipc(ipcp); - *secid = isec->sid; + blob->selinux.secid = isec->sid; + /* scaffolding */ + blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(userns_create, selinux_userns_create), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob), LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5d74d8590862..370ca7fb1843 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) } /** - * smack_ipc_getsecid - Extract smack security id + * smack_ipc_getlsmblob - Extract smack security data * @ipp: the object permissions - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, + struct lsmblob *blob) { - struct smack_known **blob = smack_ipc(ipp); - struct smack_known *iskp = *blob; + struct smack_known **iskpp = smack_ipc(ipp); + struct smack_known *iskp = *iskpp; - *secid = iskp->smk_secid; + blob->smack.skp = iskp; + /* scaffolding */ + blob->scaffold.secid = iskp->smk_secid; } /** 
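Review bot: the kerneldoc added for lsmblob_init() in the include/linux/security.h hunk says "Set all secid for all modules to the specified value", but the function takes no value; it zeroes the whole structure with memset(). Reword it to something like "Set all LSM data in @blob to the unset (zero) state". Because lsmblob_is_set() just above it decides "set" by memcmp() against a zeroed blob, and memcmp() compares every byte including any padding, the doc should also state that a blob must always start life through lsmblob_init() or a `= { }` initializer; a blob filled member by member from uninitialized stack can read as set even though no LSM stored anything.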
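Review bot: in the security/security.c hunk an empty line is introduced between the closing `*/` of the kerneldoc block and `void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob)`; drop it, since kernel-doc associates a comment only with the declaration immediately following it. The comment also lost the sentence the old one had about the failure case ("In case of failure, @secid will be set to zero"). The function still does `lsmblob_init(blob)` before `call_void_hook(ipc_getlsmblob, ipcp, blob)`, so say that @blob is cleared first and that a caller can use lsmblob_is_set() to tell whether any LSM supplied IPC data.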
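Review bot: smack_ipc_getlsmblob() stores the raw `struct smack_known *` taken from the IPC object into `blob->smack.skp` without taking any reference, where the code it replaces only copied a u32. If that is safe because Smack never releases smack_known entries, a one-line comment saying so would save the next reader the question; if it is not, the blob can outlive the object's label. Renaming the local from `blob` to `iskpp` so it no longer shadows the new parameter is the right fix.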
@@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob), LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
From patchwork Fri Aug 30 00:34:04 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13784063 X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net Subject: [PATCH v2 06/13] Audit: Update shutdown LSM data Date: Thu, 29 Aug 2024 17:34:04 -0700 Message-ID: <20240830003411.16818-7-casey@schaufler-ca.com> In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com> References: <20240830003411.16818-1-casey@schaufler-ca.com> X-Mailing-List: linux-security-module@vger.kernel.org
The audit process LSM information is changed from a secid audit_sig_sid to an lsmblob in audit_sig_lsm. Update the users of this data appropriately. Calls to security_secid_to_secctx() are changed to use security_lsmblob_to_secctx() instead. security_current_getsecid_subj() is scaffolded. It will be updated in a subsequent patch. Signed-off-by: Casey Schaufler --- kernel/audit.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index e7a62ebbf4d1..9dac776b60a7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -123,7 +123,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ static kuid_t audit_sig_uid = INVALID_UID; static pid_t audit_sig_pid = -1; -static u32 audit_sig_sid; +static struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc]
@@ -1473,20 +1473,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } 
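Review bot: `audit_sig_lsm` is a static written by audit_signal_info() and read in the AUDIT_SIGNAL_INFO case of audit_receive_msg(), exactly as `audit_sig_sid` was, but the u32 was a single word while lsmblob_is_set() and security_lsmblob_to_secctx() now read a multi-member structure, so a signal arriving while the reply is being built can be observed half-updated. If the two paths are not serialised by a common lock, take one local copy of the blob at the top of the case and use it for the conversion and for all three lsmblob_is_set() tests instead of re-reading the static each time. Note also that in this intermediate step audit_signal_info() fills only `audit_sig_lsm.scaffold.secid`, so this path relies on security_lsmblob_to_secctx() honouring the scaffold secid until the next patch switches the writer to security_current_getlsmblob_subj(); the commit message says so, but a `/* scaffolding */` comment at the read side would make the dependency visible in the code.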
@@ -2404,7 +2405,8 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_current_getsecid_subj(&audit_sig_sid); + /* scaffolding */ + security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); } return audit_signal_info_syscall(t);
From patchwork Fri Aug 30 00:34:05 2024 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13784039 X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org Subject: [PATCH v2 07/13] LSM: Use lsmblob in security_current_getsecid Date: Thu, 29 Aug 2024 17:34:05 -0700 Message-ID: <20240830003411.16818-8-casey@schaufler-ca.com> In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com> References: <20240830003411.16818-1-casey@schaufler-ca.com> X-Mailing-List: linux-security-module@vger.kernel.org
Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid. Audit interfaces will need to collect all possible security data for possible reporting.
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: selinux@vger.kernel.org --- include/linux/lsm_hook_defs.h | 6 +-- include/linux/security.h | 13 +++--- kernel/audit.c | 11 +++-- kernel/auditfilter.c | 3 +- kernel/auditsc.c | 22 ++++++---- net/netlabel/netlabel_unlabeled.c | 5 ++- net/netlabel/netlabel_user.h | 6 ++- security/apparmor/lsm.c | 20 ++++++--- security/integrity/ima/ima.h | 6 +-- security/integrity/ima/ima_api.c | 6 +-- security/integrity/ima/ima_appraise.c | 6 +-- security/integrity/ima/ima_main.c | 59 ++++++++++++++------------- security/integrity/ima/ima_policy.c | 14 +++---- security/security.c | 28 ++++++------- security/selinux/hooks.c | 17 +++++--- security/smack/smack_lsm.c | 25 +++++++----- 16 files changed, 139 insertions(+), 108 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c3ffc3f98343..06c60f1aefa7 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -232,9 +232,9 @@ LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old) LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, - struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, current_getlsmblob_subj, struct lsmblob *blob) +LSM_HOOK(void, LSM_RET_VOID, task_getlsmblob_obj, + struct task_struct *p, struct lsmblob *blob) LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) LSM_HOOK(int, 0, task_getioprio, struct task_struct *p) diff --git a/include/linux/security.h b/include/linux/security.h index ebe8edaae953..b28f2f7fe4ef 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -492,8 +492,8 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_current_getsecid_subj(u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_current_getlsmblob_subj(struct lsmblob *blob); +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1268,14 +1268,15 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_current_getsecid_subj(u32 *secid) +static inline void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 9dac776b60a7..97c0dea0e3a1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2179,16 +2179,16 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmblob blob; char *ctx = NULL; unsigned len; int error; - u32 sid; - security_current_getsecid_subj(&sid); - if (!sid) + security_current_getlsmblob_subj(&blob); + if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; 
@@ -2405,8 +2405,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - /* scaffolding */ - security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); + security_current_getlsmblob_subj(&audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c4c7cda3b846..06309227a0eb 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1371,8 +1371,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { /* scaffolding */ - security_current_getsecid_subj( - &blob.scaffold.secid); + security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rule); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 94b7ef89da2e..1f05445978f9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -470,7 +470,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob = { }; unsigned int sessionid; @@ -675,15 +674,14 @@ static int audit_filter_rules(struct task_struct *tsk, * fork()/copy_process() in which case * the new @tsk creds are still a dup * of @current's creds so we can still - * use security_current_getsecid_subj() + * use + * security_current_getlsmblob_subj() * here even though it always refs * @current's creds */ - security_current_getsecid_subj(&sid); + security_current_getlsmblob_subj(&blob); need_sid = 0; } - /* scaffolding */ - blob.scaffold.secid = sid; result = security_audit_rule_match(&blob, f->type, f->op, 
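Review bot: in the kernel/auditfilter.c hunk the `/* scaffolding */` comment survives as context above the new `security_current_getlsmblob_subj(&blob);` call, but nothing scaffolded remains there now that the blob is filled directly; delete the comment so a later cleanup sweep for "scaffolding" does not stop on live code.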
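Review bot: in the audit_filter_rules() hunk the `u32 sid` local and the trailing `blob.scaffold.secid = sid;` assignment go away, which is right, but the `need_sid` flag that now guards a security_current_getlsmblob_subj() call keeps its old name; rename it (need_blob or similar) while you are touching every line around it, and note that `struct lsmblob blob = { };` is what keeps lsmblob_is_set() meaningful on the iterations where the flag is never cleared.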
@@ -2730,12 +2728,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + context->target_sid = blob.scaffold.secid; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2751,6 +2752,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2762,7 +2764,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + ctx->target_sid = blob.scaffold.secid; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2783,7 +2787,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + axp->target_sid[axp->pid_count] = blob.scaffold.secid; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 9996883bf2b7..7f38dc9b6b57 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c 
@@ -1534,11 +1534,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getsecid_subj(&audit_info.secid); + security_current_getlsmblob_subj(&blob); + /* scaffolding */ + audit_info.secid = blob.scaffold.secid; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index d6c5b31eb4eb..40841d7af1d8 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_current_getsecid_subj(&audit_info->secid); + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + /* scaffolding */ + audit_info->secid = blob.scaffold.secid; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 050d103f5ca5..877c4e809ae8 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -982,17 +982,24 @@ static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm) return; } -static void apparmor_current_getsecid_subj(u32 *secid) +static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) { struct aa_label *label = __begin_current_label_crit_section(); - *secid = label->secid; + + blob->apparmor.label = label; + /* scaffolding */ + blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } -static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void apparmor_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct aa_label *label = aa_get_task_label(p); - *secid = label->secid; + + blob->apparmor.label = label; + /* scaffolding */ + blob->scaffold.secid = label->secid; aa_put_label(label); } @@ -1518,8 +1525,9 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, + apparmor_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, apparmor_task_getlsmblob_obj), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), LSM_HOOK_INIT(userns_create, apparmor_userns_create), diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c51e24d24d1e..64bd77aa28e9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
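Review bot: in the security/apparmor/lsm.c hunk, apparmor_current_getlsmblob_subj() and apparmor_task_getlsmblob_obj() store `label` in `blob->apparmor.label` and then immediately release what pins it (`__end_current_label_crit_section(label)` and `aa_put_label(label)` respectively), so the blob leaves the hook holding an unreferenced pointer where the old code copied a u32 that could not dangle. Either document that a blob is only valid while the task's cred keeps the label alive and must not be stashed beyond that, or have the hook take a reference and define who puts it. The `audit_sig_lsm` static introduced in patch 06 and filled by this call in the kernel/audit.c hunk above is precisely a blob that is kept long after the hook returned.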
@@ -369,7 +369,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); @@ -400,8 +400,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 984e861f6e33..896cf716dd6d 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @idmap: idmap of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: secid(s) of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) 
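Review bot: the ima_get_action() kerneldoc in the security/integrity/ima/ima_api.c hunk now says "@blob: secid(s) of the task being validated". The blob carries whatever each LSM chose to store, a secid for SELinux, an aa_label pointer for AppArmor, a smack_known pointer for Smack, so "LSM data of the task being validated" describes it accurately; the same wording would suit the ima_match_policy() prototype in ima.h.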
@@ -196,7 +196,7 @@ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(idmap, inode, cred, secid, func, mask, + return ima_match_policy(idmap, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data, allowed_algos); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 656c709b974f..b0db2f38efc6 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -73,13 +73,13 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_current_getsecid_subj(&secid); - return ima_match_policy(idmap, inode, current_cred(), secid, + security_current_getlsmblob_subj(&blob); + return ima_match_policy(idmap, inode, current_cred(), &blob, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index f04f43af651c..d408a700fe6f 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -206,8 +206,8 @@ static void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *real_inode, *inode = file_inode(file); struct ima_iint_cache *iint = NULL; 
@@ -232,7 +232,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_idmap(file), inode, cred, secid, + action = ima_get_action(file_mnt_idmap(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL, &allowed_algos); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK || @@ -443,23 +443,23 @@ static int process_measurement(struct file *file, const struct cred *cred, static int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags) { - u32 secid; + struct lsmblob blob; int ret; if (!file) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); if (reqprot & PROT_EXEC) { - ret = process_measurement(file, current_cred(), secid, NULL, + ret = process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK_REQPROT); if (ret) return ret; } if (prot & PROT_EXEC) - return process_measurement(file, current_cred(), secid, NULL, + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); return 0; @@ -488,9 +488,9 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ 
@@ -498,13 +498,13 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL, NULL); action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK_REQPROT, &pcr, &template, NULL, NULL); @@ -542,15 +542,18 @@ static int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob = { }; - security_current_getsecid_subj(&secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_current_getlsmblob_subj(&blob); + ret = process_measurement(bprm->file, current_cred(), + &blob, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, + /* scaffolding */ + blob.scaffold.secid = secid; + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } @@ -566,10 +569,10 @@ static int ima_bprm_check(struct linux_binprm *bprm) */ static int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } 
@@ -768,7 +771,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the @@ -788,9 +791,9 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { @@ -818,7 +821,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -831,8 +834,8 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, buf, size, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, buf, size, MAY_READ, func); } @@ -967,7 +970,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; 
@@ -990,9 +993,9 @@ int process_buffer_measurement(struct mnt_idmap *idmap, * buffer measurements. */ if (func) { - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); action = ima_get_action(idmap, inode, current_cred(), - secid, 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 40119816b848..33bdbd031673 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -557,7 +557,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @idmap: idmap of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the secid(s) of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -567,7 +567,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct mnt_idmap *idmap, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, + struct lsmblob *blob, enum ima_hooks func, int mask, const char *func_data) { int i; @@ -658,8 +658,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - /* scaffolding */ - blob.scaffold.secid = secid; rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); 
@@ -723,7 +721,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM secid(s) of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) @@ -740,8 +738,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { @@ -759,7 +757,7 @@ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, idmap, inode, cred, secid, + if (!ima_match_rules(entry, idmap, inode, cred, blob, func, mask, func_data)) continue; diff --git a/security/security.c b/security/security.c index 6e72e678b5b4..b6e28e20ac51 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3373,33 +3373,33 @@ int security_task_getsid(struct task_struct *p) } /** - * security_current_getsecid_subj() - Get the current task's subjective secid - * @secid: secid value + * security_current_getlsmblob_subj() - Current task's subjective LSM data + * @blob: lsm specific information * * Retrieve the subjective security identifier of the current task and return - * it in @secid. In case of failure, @secid will be set to zero. + * it in @blob. */ -void security_current_getsecid_subj(u32 *secid) +void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; - call_void_hook(current_getsecid_subj, secid); + lsmblob_init(blob); + call_void_hook(current_getlsmblob_subj, blob); } -EXPORT_SYMBOL(security_current_getsecid_subj); +EXPORT_SYMBOL(security_current_getlsmblob_subj); /** - * security_task_getsecid_obj() - Get a task's objective secid + * security_task_getlsmblob_obj() - Get a task's objective LSM data * @p: target task - * @secid: secid value + * @blob: lsm specific information * * Retrieve the objective security identifier of the task_struct in @p and - * return it in @secid. In case of failure, @secid will be set to zero. + * return it in @blob. */ -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + lsmblob_init(blob); + call_void_hook(task_getlsmblob_obj, p, blob); } -EXPORT_SYMBOL(security_task_getsecid_obj); +EXPORT_SYMBOL(security_task_getlsmblob_obj); /** * security_task_setnice() - Check if setting a task's nice value is allowed diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1b34b86426e8..af48b8f868b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -4161,14 +4161,19 @@ static int selinux_task_getsid(struct task_struct *p) PROCESS__GETSESSION, NULL); } -static void selinux_current_getsecid_subj(u32 *secid) +static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = current_sid(); + blob->selinux.secid = current_sid(); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } -static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void selinux_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = task_sid_obj(p); + blob->selinux.secid = task_sid_obj(p); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -7240,8 +7245,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, selinux_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, selinux_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 370ca7fb1843..fcacc59faf33 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -2239,30 +2239,35 @@ static int smack_task_getsid(struct task_struct *p) } /** - * smack_current_getsecid_subj - get the subjective secid of the current task - * @secid: where to put the result + * smack_current_getlsmblob_subj - get the subjective secid of the current task + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's subjective smack label. */ -static void smack_current_getsecid_subj(u32 *secid) +static void smack_current_getlsmblob_subj(struct lsmblob *blob) { struct smack_known *skp = smk_of_current(); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** - * smack_task_getsecid_obj - get the objective secid of the task + * smack_task_getlsmblob_obj - get the objective data of the task * @p: the task - * @secid: where to put the result + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's objective smack label. */ -static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void smack_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct smack_known *skp = smk_of_task_struct_obj(p); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** 
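Review bot: in the security/integrity/ima/ima_policy.c hunk at @@ -658,8 +658,6 @@ the LSM_SUBJ_* case drops the `blob.scaffold.secid = secid;` scaffolding but leaves the unchanged context line `rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,` as it was. With the @@ -567 hunk turning the parameter into `struct lsmblob *blob`, `&blob` is now a `struct lsmblob **`, unless a loop-local `struct lsmblob blob` still exists and shadows the parameter, in which case the subject rules are matched against a local that nothing fills in any more. Either way the call should pass the parameter itself: `rc = ima_filter_rule_match(blob, lsm_rule->lsm[i].type,`. If a local of the same name is kept for the LSM_OBJ_* cases, give it a distinct name so the shadowing cannot recur.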
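Review bot: in the security/integrity/ima/ima_main.c hunk at @@ -542,15 +542,18 @@ the CREDS_CHECK call passes a blob whose `scaffold.secid` comes from `security_cred_getsecid(bprm->cred, &secid)` while its `selinux` and `smack` members still hold what `security_current_getlsmblob_subj(&blob)` stored for the current task a few lines earlier. Once an LSM reads its own member instead of `scaffold.secid`, that call will evaluate the wrong subject for the new credentials. Until security_cred_getsecid() is converted, reinitialize the blob before the assignment, i.e. `lsmblob_init(&blob);` ahead of `blob.scaffold.secid = secid;`, and have the `/* scaffolding */` comment say that only the scaffold member is valid at that point.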
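Review bot: in the security/security.c hunk at @@ -3373,33 +3373,33 @@ the kernel-doc for security_current_getlsmblob_subj() and security_task_getlsmblob_obj() drops the sentence that described the value on failure, yet the code still defines one: `lsmblob_init(blob);` runs before `call_void_hook(...)`. Callers added in this same patch depend on it, since ima_appraise.c and ima_main.c declare a bare `struct lsmblob blob;` on the stack and pass it straight in. Keep the guarantee in the comment, e.g. "@blob is initialized with lsmblob_init() before the LSMs are consulted, so it is defined even if no LSM provides the hook."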
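Review bot: in the security/smack/smack_lsm.c hunk at @@ -2239,30 +2239,35 @@ both kernel-doc blocks still read "Sets the secid to contain a u32 version of the task's ... smack label", but the functions now store the `struct smack_known` pointer in `blob->smack.skp` and only fill `blob->scaffold.secid` as scaffolding. Reword the descriptions to match, e.g. "Fills @blob with the task's subjective smack label; the scaffold secid is temporary."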
@@ -5148,8 +5153,8 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, smack_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, smack_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),

From patchwork Fri Aug 30 00:34:06 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784038
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org
Subject: [PATCH v2 08/13] LSM: Use lsmblob in security_inode_getsecid
Date: Thu, 29 Aug 2024 17:34:06 -0700
Message-ID: <20240830003411.16818-9-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>

Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Change the name to security_inode_getlsmblob().
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: selinux@vger.kernel.org --- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 3 +-- security/security.c | 11 +++++------ security/selinux/hooks.c | 15 +++++++++------ security/smack/smack_lsm.c | 12 +++++++----- 7 files changed, 33 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 06c60f1aefa7..4fd508841a6e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -175,7 +175,8 @@ LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, const char *name, const void *value, size_t size, int flags) LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, size_t buffer_size) -LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, inode_getlsmblob, struct inode *inode, + struct lsmblob *blob) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, const char *name) diff --git a/include/linux/security.h b/include/linux/security.h index b28f2f7fe4ef..4fe6f64cc3b4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -440,7 +440,7 @@ int security_inode_getsecurity(struct mnt_idmap *idmap, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(struct dentry *src, const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, 
@@ -1046,9 +1046,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getlsmblob(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1f05445978f9..eb1c64a2af31 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2276,13 +2276,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getlsmblob(inode, &blob); + /* scaffolding */ + name->osid = blob.scaffold.secid; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 33bdbd031673..35a8d3435507 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -649,8 +649,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - /* scaffolding */ - security_inode_getsecid(inode, &blob.scaffold.secid); + security_inode_getlsmblob(inode, &blob); rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index b6e28e20ac51..c2be9798c012 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2622,16 +2622,15 @@ int security_inode_listsecurity(struct inode *inode, EXPORT_SYMBOL(security_inode_listsecurity); /** - * security_inode_getsecid() - Get an inode's secid + * security_inode_getlsmblob() - Get an inode's LSM data * @inode: inode - * @secid: secid to return + * @blob: lsm specific information to return * - * Get the secid associated with the node. In case of failure, @secid will be - * set to zero. + * Get the lsm specific information associated with the node. */ -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + call_void_hook(inode_getlsmblob, inode, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index af48b8f868b7..f5d09beeef0f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3505,15 +3505,18 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static void selinux_inode_getsecid(struct inode *inode, u32 *secid) +static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct inode_security_struct *isec = inode_security_novalidate(inode); - *secid = isec->sid; + + blob->selinux.secid = isec->sid; + /* scaffolding */ + blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { - u32 sid; + struct lsmblob blob; struct task_security_struct *tsec; struct cred *new_creds = *new; @@ -3525,8 +3528,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ - selinux_inode_getsecid(d_inode(src), &sid); - tsec->create_sid = sid; + selinux_inode_getlsmblob(d_inode(src), &blob); + tsec->create_sid = blob.selinux.secid; *new = new_creds; return 0; } 
@@ -7211,7 +7214,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, selinux_inode_getlsmblob), LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), LSM_HOOK_INIT(path_notify, selinux_path_notify), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fcacc59faf33..88e7ac15ca62 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1649,15 +1649,17 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, } /** - * smack_inode_getsecid - Extract inode's security id + * smack_inode_getlsmblob - Extract inode's security id * @inode: inode to extract the info from - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_inode_getsecid(struct inode *inode, u32 *secid) +static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct smack_known *skp = smk_of_inode(inode); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /* 
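Review bot: in the security/security.c hunk at @@ -2622,16 +2622,15 @@ security_inode_getlsmblob() calls `call_void_hook(inode_getlsmblob, inode, blob);` with no preceding `lsmblob_init(blob);`, unlike security_current_getlsmblob_subj() and security_task_getlsmblob_obj() in 07/13 and unlike the `!CONFIG_SECURITY` stub in the include/linux/security.h hunk of this very patch, which does call `lsmblob_init(blob);`. The kernel/auditsc.c hunk declares a bare `struct lsmblob blob;` on the stack in audit_copy_inode() and then copies `blob.scaffold.secid` into `name->osid`, so on a kernel where no loaded LSM implements inode_getlsmblob the audit record would carry uninitialized stack bytes as the object secid; before this patch the hook wrote into `name->osid` directly and left it untouched when nobody answered. Add `lsmblob_init(blob);` before the hook call and restore a sentence in the kernel-doc saying what @blob holds when no LSM provides the data.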
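Review bot: in the security/integrity/ima/ima_policy.c hunk at @@ -649,8 +649,7 @@ the LSM_OBJ_* case now does `security_inode_getlsmblob(inode, &blob);` on a local `blob`, which confirms that ima_match_rules() keeps a local `struct lsmblob blob` next to the `struct lsmblob *blob` parameter that 07/13 added to its signature. That shadowing is what makes the `&blob` left in the LSM_SUBJ_* case of 07/13 ambiguous; rename the local here (for example `inode_blob`) and pass the parameter by name in the subject case so the two cannot be confused.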
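Review bot: in the security/smack/smack_lsm.c hunk at @@ -1649,15 +1649,17 @@ the kernel-doc title is renamed to smack_inode_getlsmblob but still reads "Extract inode's security id", while the function now stores `blob->smack.skp` and only sets `blob->scaffold.secid` as scaffolding. Reword it to "Extract the inode's Smack label into @blob" so the comment does not outlive the secid it describes.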
@@ -5128,7 +5130,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, smack_inode_getlsmblob), LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),

From patchwork Fri Aug 30 00:34:07 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784046
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net
Subject: [PATCH v2 09/13] Audit: use an lsmblob in audit_names
Date: Thu, 29 Aug 2024 17:34:07 -0700
Message-ID: <20240830003411.16818-10-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Replace the osid field in the audit_names structure with an lsmblob structure. This accommodates the use of an lsmblob in security_audit_rule_match() and security_inode_getsecid().

Signed-off-by: Casey Schaufler
--- kernel/audit.h | 2 +- kernel/auditsc.c | 20 +++++--------------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index b1f2de4d4f1e..6c664aed8f89 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -82,7 +82,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index eb1c64a2af31..886564532bbe 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -698,19 +698,15 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { - /* scaffolding */ - blob.scaffold.secid = name->osid; result = security_audit_rule_match( - &blob, + &name->oblob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - /* scaffolding */ - blob.scaffold.secid = n->osid; if (security_audit_rule_match( - &blob, + &n->oblob, f->type, f->op, f->lsm_rule)) { @@ -1562,13 +1558,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { + if (lsmblob_is_set(&n->oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", n->osid); + if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) { if (call_panic) *call_panic = 2; } else { 
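Review bot: in the audit_log_name() hunk, the fallback that logged ` osid=%u` when the secid could not be converted to a context string is dropped together with the secid, so a failing security_lsmblob_to_secctx() now only sets *call_panic = 2 and records nothing about the object label in that record. If that is the intent (an lsmblob has no single printable value to fall back on), the commit message should say so; otherwise log a fixed marker on that path, as audit_log_pid_context() in patch 11/13 of this series does with ` obj=(none)`.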
@@ -2276,17 +2270,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getlsmblob(inode, &blob); - /* scaffolding */ - name->osid = blob.scaffold.secid; + security_inode_getlsmblob(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return;

From patchwork Fri Aug 30 00:34:08 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784047
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org, Todd Kjos
Subject: [PATCH v2 10/13] LSM: Create new security_cred_getlsmblob LSM hook
Date: Thu, 29 Aug 2024 17:34:08 -0700
Message-ID: <20240830003411.16818-11-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Create a new LSM hook security_cred_getlsmblob() which, like security_cred_getsecid(), fetches LSM-specific attributes from the cred structure. The associated data elements in the audit sub-system are changed from a secid to an lsmblob to accommodate multiple possible LSM audit users.
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: selinux@vger.kernel.org Cc: Todd Kjos --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 7 +++++++ security/integrity/ima/ima_main.c | 7 ++----- security/security.c | 15 +++++++++++++++ security/selinux/hooks.c | 8 ++++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 6 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 4fd508841a6e..4bdd36626633 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -215,6 +215,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, const struct cred *old) LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c, + struct lsmblob *blob) LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) diff --git a/include/linux/security.h b/include/linux/security.h index 4fe6f64cc3b4..111c1fc18f25 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -473,6 +473,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); 
@@ -1192,6 +1193,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid) *secid = 0; } +static inline void security_cred_getlsmblob(const struct cred *c, + struct lsmblob *blob) +{ + *secid = 0; +} + static inline int security_kernel_act_as(struct cred *cred, u32 secid) { return 0; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d408a700fe6f..8171da96a4a4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, static int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; - struct lsmblob blob = { }; + struct lsmblob blob; security_current_getlsmblob_subj(&blob); ret = process_measurement(bprm->file, current_cred(), @@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - /* scaffolding */ - blob.scaffold.secid = secid; + security_cred_getlsmblob(bprm->cred, &blob); return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } diff --git a/security/security.c b/security/security.c index c2be9798c012..325030bc7112 100644 --- a/security/security.c +++ b/security/security.c @@ -3153,6 +3153,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); +/** + * security_cred_getlsmblob() - Get the LSM data from a set of credentials + * @c: credentials + * @blob: destination for the LSM data + * + * Retrieve the security data of the cred structure @c. In case of + * failure, @blob will be cleared. + */ +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + lsmblob_init(blob); + call_void_hook(cred_getlsmblob, c, blob); +} +EXPORT_SYMBOL(security_cred_getlsmblob); + /** * security_kernel_act_as() - Set the kernel credentials to act as secid * @new: credentials 
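Review bot: the !CONFIG_SECURITY stub of security_cred_getlsmblob() added to include/linux/security.h does `*secid = 0;`, but that function has no `secid` (its parameters are `c` and `blob`), so a kernel built without CONFIG_SECURITY will not compile. It should clear the blob instead, matching the real implementation added in security.c: `lsmblob_init(blob);`.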
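Review bot: in the ima_bprm_check() hunk the zero initializer is dropped (`struct lsmblob blob = { };` becomes `struct lsmblob blob;`), so the blob handed to process_measurement() is only fully defined if both security_current_getlsmblob_subj() and security_cred_getlsmblob() initialize every field. The latter does (its security.c body calls lsmblob_init() before the hook); the former is not part of this patch, so either confirm it does the same in the commit message or keep the initializer.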
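Review bot: the kernel-doc on security_cred_getlsmblob() in security.c says "In case of failure, @blob will be cleared", but the function is void and has no failure path; lsmblob_init() clears the blob unconditionally before call_void_hook() runs. Reword it to describe what actually happens, e.g. "@blob is initialized before the hook is called, so fields belonging to LSMs that do not set them are zero."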
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f5d09beeef0f..076511c446bd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4029,6 +4029,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) *secid = cred_sid(c); } +static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + blob->selinux.secid = cred_sid(c); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -7240,6 +7247,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 88e7ac15ca62..a2445e4f906d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2150,6 +2150,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid) rcu_read_unlock(); } +/** + * smack_cred_getlsmblob - get the Smack label for a creds structure + * @cred: the object creds + * @blob: where to put the data + * + * Sets the Smack part of the blob + */ +static void smack_cred_getlsmblob(const struct cred *cred, + struct lsmblob *blob) +{ + rcu_read_lock(); + blob->smack.skp = smk_of_task(smack_cred(cred)); + /* scaffolding */ + blob->scaffold.secid = blob->smack.skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. 
@@ -5150,6 +5167,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),

From patchwork Fri Aug 30 00:34:09 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784068
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net
Subject: [PATCH v2 11/13] Audit: Change context data from secid to lsmblob
Date: Thu, 29 Aug 2024 17:34:09 -0700
Message-ID: <20240830003411.16818-12-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Change the LSM data stored in the audit transactions from a secid to an LSM blob. This is done in struct audit_context and struct audit_aux_data_pids. Several cases of scaffolding can be removed.

Signed-off-by: Casey Schaufler
--- kernel/audit.h | 2 +- kernel/auditfilter.c | 1 - kernel/auditsc.c | 31 ++++++++++++------------------- 3 files changed, 13 insertions(+), 21 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 6c664aed8f89..b413c0420c6f 100644
--- a/kernel/audit.h +++ b/kernel/audit.h @@ -144,7 +144,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_blob; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 06309227a0eb..b3562e6ca081 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1370,7 +1370,6 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - /* scaffolding */ security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 886564532bbe..bfe2ee3ccbe6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -100,7 +100,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_blob[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -1019,7 +1019,7 @@ static void audit_reset_context(struct audit_context *ctx) ctx->target_pid = 0; ctx->target_auid = ctx->target_uid = KUIDT_INIT(0); ctx->target_sessionid = 0; - ctx->target_sid = 0; + lsmblob_init(&ctx->target_blob); ctx->target_comm[0] = '\0'; unroll_tree_refs(ctx, NULL, 0); WARN_ON(!list_empty(&ctx->killed_trees)); @@ -1093,8 +1093,9 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsmblob *blob, + char *comm) { struct audit_buffer *ab; char *ctx = NULL; 
@@ -1108,8 +1109,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_lsmblob_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1778,7 +1779,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_blob[i], axs->target_comm[i])) call_panic = 1; } @@ -1787,7 +1788,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_blob, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -2722,15 +2723,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* scaffolding */ - context->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &context->target_blob); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2746,7 +2744,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; 
@@ -2758,9 +2755,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* scaffolding */ - ctx->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &ctx->target_blob); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } 
@@ -2781,9 +2776,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* scaffolding */ - axp->target_sid[axp->pid_count] = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &axp->target_blob[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++;

From patchwork Fri Aug 30 00:34:10 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784048
X-Patchwork-Delegate: paul@paul-moore.com
EFgJ23pIPFF3ZAeon6bXh1HQM3gHtvPSu5r6Hm3w0YQZwrcXValE5Lt0TPsS9Fa9jqtSKzfMou6a t..VSEKK1qrC_x47_0GpWVv_ZgIV9wRwOj_AOyTT52jOe X-Sonic-MF: X-Sonic-ID: 3d18e569-5ab7-4ff2-a88a-2e6ffa56d4ce Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.ne1.yahoo.com with HTTP; Fri, 30 Aug 2024 00:40:45 +0000 Received: by hermes--production-gq1-5d95dc458-dxlpk (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID cc2d6a8057ac7b246e10bf9aa95792e4; Fri, 30 Aug 2024 00:40:41 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net Subject: [PATCH v2 12/13] Netlabel: Use lsmblob for audit data Date: Thu, 29 Aug 2024 17:34:10 -0700 Message-ID: <20240830003411.16818-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com> References: <20240830003411.16818-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the secid in the netlbl_audit structure with an lsmblob. Remove scaffolding that was required when the value was a secid. Signed-off-by: Casey Schaufler --- include/net/netlabel.h | 2 +- net/netlabel/netlabel_unlabeled.c | 5 +---- net/netlabel/netlabel_user.c | 7 +++---- net/netlabel/netlabel_user.h | 6 +----- security/smack/smackfs.c | 4 +--- 5 files changed, 7 insertions(+), 17 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 654bc777d2a7..eb6b479c5c06 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h 
@@ -97,7 +97,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct lsmblob blob; kuid_t loginuid; unsigned int sessionid; }; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 7f38dc9b6b57..7bac13ae07a3 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1534,14 +1534,11 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; - struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getlsmblob_subj(&blob); - /* scaffolding */ - audit_info.secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info.blob); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..6cd1fcb3902b 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,10 +98,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + if (lsmblob_is_set(&audit_info->blob) && + security_lsmblob_to_secctx(&audit_info->blob, &secctx, + &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 40841d7af1d8..1a9639005d09 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h 
@@ -32,11 +32,7 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - struct lsmblob blob; - - security_current_getlsmblob_subj(&blob); - /* scaffolding */ - audit_info->secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info->blob); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e22aad7604e8..878fe44b662d 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c 
@@ -182,11 +182,9 @@ static inline void smack_catset_bit(unsigned int cat, char *catsetp) */ static void smk_netlabel_audit_set(struct netlbl_audit *nap) { - struct smack_known *skp = smk_of_current(); - nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + nap->blob.smack.skp = smk_of_current(); } /* From patchwork Fri Aug 30 00:34:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13784049 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBD403FF1 for ; Fri, 30 Aug 2024 00:40:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.190.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724978449; cv=none; b=GVx9z8SM4pmXyuO8vIHnNkElSZaRwPKZp8z3zVSoj1n2YR9hxTsl+GLuxpW0+f+XLL24kyjh1nRZSlxbbUHVlo69lYI8gTW9HZ+yNqzgZq4Ihrq1PlTujR70XcWk+VoFsT3G7/x9v80hKJzTjxMp+qTBlUMytwQ37NqxAPQq2/Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724978449; c=relaxed/simple; bh=4/KZFWecS5zb5lJZnHM/E62AqJJUQdgTitz88DVye2E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=bhb3ZjGUox3FbDq2VMA3Wpo4+bqQ3tgJ2E0gR3Xf2GN7VZPUHCy4LApyg/yinUd6nMivf35g3jf8u5q+JU05Wh0wc/D80D6QKaCkv6gY6o1rjze+MVJ+CXw+tdPDwf95Y8ogZoZ3ATuy2udsLVIraje9fR49O2k/S5uFmyfFdCA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=Gr4ZDVGz; arc=none smtp.client-ip=66.163.190.153 
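Review bot: with `u32 secid` replaced by an embedded `struct lsmblob blob` in struct netlbl_audit (include/net/netlabel.h hunk), the full definition of struct lsmblob must now be visible to every includer of netlabel.h, and the diffstat for that header shows a single-line change with no include added; if linux/security.h is not already pulled in by netlabel.h, add it there rather than relying on includers to provide it. The struct also grows from one u32 to a blob carrying one member per LSM, which matters because struct netlbl_audit is stack allocated in callers such as netlbl_unlabel_defconf().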
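Review bot: in the netlbl_unlabel_defconf() hunk, `audit_info` is an uninitialised stack variable and `security_current_getlsmblob_subj(&audit_info.blob)` only has the active LSMs fill their own members, so the `lsmblob_is_set()` gate introduced in netlbl_audit_start_common() (netlabel_user.c hunk) is only meaningful if that hook zeroes the blob before the modules write it; please confirm it does, or initialise `audit_info` explicitly. The same dependency applies to the caller-supplied `audit_info` in netlbl_netlink_auditinfo() (netlabel_user.h hunk). The comment retained above the call also reads "don't worry to much", which should be "too".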
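Review bot: the netlbl_audit_start_common() hunk is the right replacement for the `secid != 0` gate, but the argument list of `security_lsmblob_to_secctx()` is now wrapped differently from the call it replaces (`&secctx,` moved onto the call line while `&secctx_len` keeps its own line); pick one style so the two-line call reads consistently with the rest of the function.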
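Review bot: smk_netlabel_audit_set() in the smackfs.c hunk writes only `nap->blob.smack.skp` and leaves the other lsmblob members untouched, whereas every other producer in this patch goes through security_current_getlsmblob_subj(); since struct netlbl_audit instances live on the caller's stack, the non-Smack members hold stale stack data and lsmblob_is_set() in netlbl_audit_start_common() will be evaluated on them. Zero the blob before setting the Smack member (lsmblob_init() if that helper exists in this tree, otherwise a memset), or call the generic hook here as the NetLabel code does.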
sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 30 Aug 2024 00:40:47 +0000 Received: by hermes--production-gq1-5d95dc458-dxlpk (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID cc2d6a8057ac7b246e10bf9aa95792e4; Fri, 30 Aug 2024 00:40:42 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net Subject: [PATCH v2 13/13] LSM: Remove lsmblob scaffolding Date: Thu, 29 Aug 2024 17:34:11 -0700 Message-ID: <20240830003411.16818-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com> References: <20240830003411.16818-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Remove the scaffold member from the lsmblob. Remove the remaining places it is being set. Signed-off-by: Casey Schaufler --- include/linux/security.h | 6 ------ security/apparmor/audit.c | 6 +----- security/apparmor/lsm.c | 4 ---- security/apparmor/secid.c | 6 +----- security/selinux/hooks.c | 18 +----------------- security/selinux/ss/services.c | 4 ---- security/smack/smack_lsm.c | 33 ++++----------------------------- 7 files changed, 7 insertions(+), 70 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 111c1fc18f25..ca4f3b41f344 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -144,11 +144,6 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; -/* scaffolding */ -struct lsmblob_scaffold { - u32 secid; -}; - /* * Data exported by the security modules */ 
@@ -157,7 +152,6 @@ struct lsmblob { struct lsmblob_smack smack; struct lsmblob_apparmor apparmor; struct lsmblob_bpf bpf; - struct lsmblob_scaffold scaffold; }; extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 758b75a9c1c5..120154a6d683 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -270,11 +270,7 @@ int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule) struct aa_label *label; int found = 0; - /* scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 877c4e809ae8..08fde302c9fe 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -987,8 +987,6 @@ static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) struct aa_label *label = __begin_current_label_crit_section(); blob->apparmor.label = label; - /* scaffolding */ - blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } @@ -998,8 +996,6 @@ static void apparmor_task_getlsmblob_obj(struct task_struct *p, struct aa_label *label = aa_get_task_label(p); blob->apparmor.label = label; - /* scaffolding */ - blob->scaffold.secid = label->secid; aa_put_label(label); } diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 7ba48d0b3ee8..301a98d7cc6f 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -102,11 +102,7 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, { struct aa_label *label; - /* scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; return apparmor_label_to_secctx(label, secdata, seclen); } 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 076511c446bd..a81529c21517 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3510,8 +3510,6 @@ static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) struct inode_security_struct *isec = inode_security_novalidate(inode); blob->selinux.secid = isec->sid; - /* scaffolding */ - blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) @@ -4032,8 +4030,6 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) { blob->selinux.secid = cred_sid(c); - /* scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } /* @@ -4174,16 +4170,12 @@ static int selinux_task_getsid(struct task_struct *p) static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { blob->selinux.secid = current_sid(); - /* scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static void selinux_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { blob->selinux.secid = task_sid_obj(p); - /* scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -6348,8 +6340,6 @@ static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, { struct ipc_security_struct *isec = selinux_ipc(ipcp); blob->selinux.secid = isec->sid; - /* scaffolding */ - blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 
@@ -6634,13 +6624,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { - u32 secid = blob->selinux.secid; - - /* scaffolding */ - if (!secid) - secid = blob->scaffold.secid; - - return security_sid_to_context(secid, secdata, seclen); + return security_sid_to_context(blob->selinux.secid, secdata, seclen); } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 43eb1d46942c..002072912800 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3660,10 +3660,6 @@ int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, goto out; } - /* scaffolding */ - if (!blob->selinux.secid && blob->scaffold.secid) - blob->selinux.secid = blob->scaffold.secid; - ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a2445e4f906d..f462051e683f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1655,11 +1655,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, */ static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - struct smack_known *skp = smk_of_inode(inode); - - blob->smack.skp = skp; - /* scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_inode(inode); } /* @@ -2162,8 +2158,6 @@ static void smack_cred_getlsmblob(const struct cred *cred, { rcu_read_lock(); blob->smack.skp = smk_of_task(smack_cred(cred)); - /* scaffolding */ - blob->scaffold.secid = blob->smack.skp->smk_secid; rcu_read_unlock(); } 
@@ -2265,11 +2259,7 @@ static int smack_task_getsid(struct task_struct *p) */ static void smack_current_getlsmblob_subj(struct lsmblob *blob) { - struct smack_known *skp = smk_of_current(); - - blob->smack.skp = skp; - /* scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_current(); } /** @@ -2282,11 +2272,7 @@ static void smack_current_getlsmblob_subj(struct lsmblob *blob) static void smack_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - struct smack_known *skp = smk_of_task_struct_obj(p); - - blob->smack.skp = skp; - /* scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_task_struct_obj(p); } /** @@ -3474,11 +3460,8 @@ static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, struct lsmblob *blob) { struct smack_known **iskpp = smack_ipc(ipp); - struct smack_known *iskp = *iskpp; - blob->smack.skp = iskp; - /* scaffolding */ - blob->scaffold.secid = iskp->smk_secid; + blob->smack.skp = *iskpp; } /** @@ -4825,10 +4808,6 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - /* scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - /* * No need to do string comparisons. If a match occurs, * both pointers will point to the same smack_known @@ -4889,10 +4868,6 @@ static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, { struct smack_known *skp = blob->smack.skp; - /* scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - if (secdata) *secdata = skp->smk_known; *seclen = strlen(skp->smk_known);
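Review bot: deleting `struct lsmblob_scaffold` and its `scaffold` member (include/linux/security.h hunks) turns any leftover writer of `blob->scaffold.secid` into a build error, which is a useful guard, but the readers removed in the same patch were fallbacks, so a consumer that previously obtained a value through the scaffold path now silently sees a zero secid or a NULL pointer instead. The commit message should state that every producer was converted by the preceding patches (smackfs.c only in 12/13) so that the change in behaviour is understood to be limited to blobs no producer fills.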
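Review bot: in the apparmor_lsmblob_to_secctx() hunk (security/apparmor/secid.c) the scaffold fallback was the only path that handled `blob->apparmor.label == NULL`; the companion aa_audit_rule_match() hunk keeps an explicit `if (!label) return -ENOENT;` after the same assignment, so either add an equivalent check here or confirm that apparmor_label_to_secctx() rejects a NULL label itself. Since `label` is now assigned exactly once, it can be initialised at its declaration in both functions.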
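Review bot: selinux_lsmblob_to_secctx() (security/selinux/hooks.c hunk) now hands `blob->selinux.secid` straight to security_sid_to_context(), so a blob whose SELinux member was never set passes SECSID_NULL (0) where the removed code substituted the scaffold value; that is presumably the intended end state, but the commit message only says the scaffold is removed and should mention that a zero secid now reaches security_sid_to_context() unchanged.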
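Review bot: after the fallback is removed, smack_lsmblob_to_secctx() (last security/smack/smack_lsm.c hunk) dereferences `skp` via `skp->smk_known` with no NULL check left in the function; the previous code could recover a pointer from `scaffold.secid`, the new code cannot. Add `if (!skp) return -EINVAL;` (or whichever error the audit callers expect) before the dereference, unless every producer of `lsmblob.smack.skp` is guaranteed non-NULL, in which case a comment stating that invariant is worth having. The smack_audit_rule_match() hunk is fine as it stands because it only compares the pointer.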
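Review bot: smack_ipc_getlsmblob() still keeps the `iskpp` local only to dereference it once; `blob->smack.skp = *smack_ipc(ipp);` would match how the other smack_*_getlsmblob() hunks in this patch were collapsed onto the accessor call.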