[62/97] LSM: Special handling for secctx lsm hooks

Message ID	20190228221933.2551-63-casey@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com Subject: [PATCH 62/97] LSM: Special handling for secctx lsm hooks Date: Thu, 28 Feb 2019 14:18:58 -0800 Message-Id: <20190228221933.2551-63-casey@schaufler-ca.com> In-Reply-To: <20190228221933.2551-1-casey@schaufler-ca.com> References: <20190228221933.2551-1-casey@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Complete module stacking \| expand [00/97] LSM: Complete module stacking [01/97] LSM: Infrastructure management of the superblock [02/97] LSM: Infrastructure management of the sock security [03/97] LSM: Infrastructure management of the key security blob [04/97] SCAFFOLD: Move sock_graft out of sock.h [05/97] LSM: Create an lsm_export data structure. [06/97] LSM: Use lsm_export in the inode_getsecid hooks [07/97] SCAFFOLD: Move security.h out of route.h [08/97] LSM: Use lsm_export in the cred_getsecid hooks [09/97] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks [10/97] LSM: Use lsm_export in the sk_getsecid hooks [11/97] LSM: Use lsm_export in the kernel_ask_as hooks [12/97] LSM: Use lsm_export in the getpeersec_dgram hooks [13/97] LSM: Use lsm_export in the audit_rule_match hooks [14/97] LSM: Fix logical operation in lsm_export checks [15/97] LSM: Use lsm_export in the secid_to_secctx hooks [16/97] LSM: Use lsm_export in the secctx_to_secid hooks [17/97] LSM: Use lsm_export in security_audit_rule_match [18/97] LSM: Use lsm_export in security_kernel_act_as [19/97] LSM: Use lsm_export in security_socket_getpeersec_dgram [20/97] LSM: Use lsm_export in security_secctx_to_secid [21/97] LSM: Use lsm_export in security_secid_to_secctx [22/97] LSM: Use lsm_export in security_ipc_getsecid [23/97] LSM: Use lsm_export in security_task_getsecid [24/97] LSM: FIXUP - security_secctx_to_secid [25/97] LSM: FIXUP - security_secid_to_secctx [26/97] LSM: Use lsm_export in security_inode_getsecid [27/97] LSM: Use lsm_export in security_cred_getsecid [28/97] LSM: REVERT Use lsm_export in the sk_getsecid hooks [29/97] Audit: Change audit_sig_sid to audit_sig_lsm [30/97] Audit: Convert target_sid to an lsm_export structure [31/97] Audit: Convert osid to an lsm_export structure [32/97] IMA: Clean out lsm_export scaffolding [33/97] NET: Store LSM access information in the socket blob for UDS [34/97] NET: Remove scaffolding on secmarks [35/97] NET: Remove scaffolding on new secmarks [36/97] NET: Remove netfilter scaffolding for lsm_export [37/97] Netlabel: Replace secids with lsm_export [38/97] LSM: Remove lsm_export scaffolding functions [39/97] IMA: FIXUP prototype using lsm_export [40/97] Smack: Restore the release_secctx hook [41/97] AppArmor: Remove unnecessary hook stub [42/97] LSM: Limit calls to certain module hooks [43/97] LSM: Create a data structure for a security context [44/97] LSM: Use lsm_context in secid_to_secctx hooks [45/97] LSM: Use lsm_context in secctx_to_secid hooks [46/97] LSM: Use lsm_context in inode_getsecctx hooks [47/97] LSM: Use lsm_context in inode_notifysecctx hooks [48/97] LSM: Use lsm_context in dentry_init_security hooks [49/97] LSM: Use lsm_context in security_dentry_init_security [50/97] LSM: Use lsm_context in security_inode_notifysecctx [51/97] LSM: Use lsm_context in security_inode_getsecctx [52/97] LSM: Use lsm_context in security_secctx_to_secid [53/97] LSM: Use lsm_context in release_secctx hooks [54/97] LSM: Use lsm_context in security_release_secctx [55/97] LSM: Use lsm_context in security_secid_to_secctx [56/97] fs: remove lsm_context scaffolding [57/97] LSM: Add the release function to the lsm_context [58/97] LSM: Use lsm_context in inode_setsecctx hooks [59/97] LSM: Use lsm_context in security_inode_setsecctx [60/97] kernfs: remove lsm_context scaffolding [61/97] LSM: Remove unused macro [62/97] LSM: Special handling for secctx lsm hooks [63/97] SELinux: Use blob offset in current_sid [64/97] LSM: Specify which LSM to display with /proc/self/attr/display [65/97] AppArmor: Remove the exclusive flag [66/97] LSM: Add secmark_relabel_packet to the set of one call hooks [67/97] LSM: Make getting the secmark right cleaner with lsm_export_one_secid [68/97] netfilter: Fix memory leak introduced with lsm_context [69/97] Smack: Consolidate secmark conversions [70/97] netfilter: Remove unnecessary NULL check in lsm_context

Message ID

20190228221933.2551-63-casey@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: jmorris@namei.org, linux-security-module@vger.kernel.org,
        selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: [PATCH 62/97] LSM: Special handling for secctx lsm hooks
Date: Thu, 28 Feb 2019 14:18:58 -0800
Message-Id: <20190228221933.2551-63-casey@schaufler-ca.com>
In-Reply-To: <20190228221933.2551-1-casey@schaufler-ca.com>
References: <20190228221933.2551-1-casey@schaufler-ca.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

LSM: Complete module stacking | expand

Commit Message

Casey Schaufler Feb. 28, 2019, 10:18 p.m. UTC

Create a special set of LSM hooks for the translation
to human readable security data.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/lsm_hooks.h | 10 ++++++++++
 security/security.c       | 32 ++++++++++++++++++++++++--------
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 84035aea5a2e..fc2a44e04d8e 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2020,6 +2020,16 @@  struct security_hook_list {
 	char				*lsm;
 } __randomize_layout;
 
+/*
+ * The set of hooks that may be selected for a specific module.
+ */
+struct lsm_one_hooks {
+	char *lsm;
+	union security_list_options secid_to_secctx;
+	union security_list_options secctx_to_secid;
+	union security_list_options socket_getpeersec_stream;
+};
+
 /*
  * Security blob size or offset data.
  */
diff --git a/security/security.c b/security/security.c
index 257b7ff4b434..217fa9d98699 100644
--- a/security/security.c
+++ b/security/security.c
@@ -431,6 +431,9 @@  static int lsm_append(char *new, char **result)
 	return 0;
 }
 
+/* Base list of once-only hooks */
+struct lsm_one_hooks lsm_base_one;
+
 /**
  * security_add_hooks - Add a modules hooks to the hook lists.
  * @hooks: the hooks to add
@@ -447,6 +450,25 @@  void __init security_add_hooks(struct security_hook_list *hooks, int count,
 	for (i = 0; i < count; i++) {
 		hooks[i].lsm = lsm;
 		hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
+
+		/*
+		 * Check for the special hooks that are restricted to
+		 * a single module to create the base set. Use the hooks
+		 * from that module for the set, which may not be complete.
+		 */
+		if (lsm_base_one.lsm && strcmp(lsm_base_one.lsm, hooks[i].lsm))
+			continue;
+		if (hooks[i].head == &security_hook_heads.secid_to_secctx)
+			lsm_base_one.secid_to_secctx = hooks[i].hook;
+		else if (hooks[i].head == &security_hook_heads.secctx_to_secid)
+			lsm_base_one.secctx_to_secid = hooks[i].hook;
+		else if (hooks[i].head ==
+				&security_hook_heads.socket_getpeersec_stream)
+			lsm_base_one.socket_getpeersec_stream = hooks[i].hook;
+		else
+			continue;
+		if (lsm_base_one.lsm == NULL)
+			lsm_base_one.lsm = kstrdup(hooks[i].lsm, GFP_KERNEL);
 	}
 	if (lsm_append(lsm, &lsm_names) < 0)
 		panic("%s - Cannot get early memory.\n", __func__);
@@ -725,14 +747,8 @@  int lsm_superblock_alloc(struct super_block *sb)
 
 #define call_one_int_hook(FUNC, IRC, ...) ({			\
 	int RC = IRC;						\
-	do {							\
-		struct security_hook_list *P;			\
-								\
-		hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
-			RC = P->hook.FUNC(__VA_ARGS__);		\
-			break;					\
-		}						\
-	} while (0);						\
+	if (lsm_base_one.FUNC.FUNC)				\
+		RC = lsm_base_one.FUNC.FUNC(__VA_ARGS__);	\
 	RC;							\
 })

[62/97] LSM: Special handling for secctx lsm hooks

Commit Message

Patch