| Message ID | 20191127213718.18267-21-casey@schaufler-ca.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | LSM: Module stacking for AppArmor | expand |
On Wed, Nov 27, 2019 at 01:37:13PM -0800, Casey Schaufler wrote: > Verify that the tasks on the ends of a binder transaction > use the same "display" security module. This prevents confusion > of security "contexts". > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > --- > security/security.c | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/security/security.c b/security/security.c > index 101063b00aeb..0e8c61cceecd 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -738,9 +738,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr) > return call_int_hook(binder_set_context_mgr, 0, mgr); > } > > +/** > + * security_binder_transaction - Binder driver transacton check nit - mis-spelled transaction > + * @from: source of the transaction > + * @to: destination of the transaction > + * > + * Verify that the tasks have the same LSM "display", then > + * call the security module hooks. > + * > + * Returns -EINVAL if the displays don't match, or the > + * result of the security module checks. > + */ > int security_binder_transaction(struct task_struct *from, > struct task_struct *to) > { > + int from_display = lsm_task_display(from); > + int to_display = lsm_task_display(to); > + > + /* > + * If the display is LSMBLOB_INVALID the first module that has > + * an entry is used. This will be in the 0 slot. > + * > + * This is currently only required if the server has requested > + * peer contexts, but it would be unwieldly to have too much of > + * the binder driver detail here. > + */ > + if (from_display == LSMBLOB_INVALID) > + from_display = 0; > + if (to_display == LSMBLOB_INVALID) > + to_display = 0; > + if (from_display != to_display) > + return -EINVAL; > + > return call_int_hook(binder_transaction, 0, from, to); > } > > -- > 2.20.1
diff --git a/security/security.c b/security/security.c index 101063b00aeb..0e8c61cceecd 100644 --- a/security/security.c +++ b/security/security.c @@ -738,9 +738,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr) return call_int_hook(binder_set_context_mgr, 0, mgr); } +/** + * security_binder_transaction - Binder driver transacton check + * @from: source of the transaction + * @to: destination of the transaction + * + * Verify that the tasks have the same LSM "display", then + * call the security module hooks. + * + * Returns -EINVAL if the displays don't match, or the + * result of the security module checks. + */ int security_binder_transaction(struct task_struct *from, struct task_struct *to) { + int from_display = lsm_task_display(from); + int to_display = lsm_task_display(to); + + /* + * If the display is LSMBLOB_INVALID the first module that has + * an entry is used. This will be in the 0 slot. + * + * This is currently only required if the server has requested + * peer contexts, but it would be unwieldly to have too much of + * the binder driver detail here. + */ + if (from_display == LSMBLOB_INVALID) + from_display = 0; + if (to_display == LSMBLOB_INVALID) + to_display = 0; + if (from_display != to_display) + return -EINVAL; + return call_int_hook(binder_transaction, 0, from, to); }
Verify that the tasks on the ends of a binder transaction use the same "display" security module. This prevents confusion of security "contexts". Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- security/security.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)