From patchwork Thu Jun 8 20:49:56 2017
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9776487
Subject: [PATCH 4/6] LSM: manage task security blobs
To: LSM , James Morris
Cc: John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , Kees Cook , "kernel-hardening@lists.openwall.com" , LKLM
References: <59cec608-608e-6de6-21d9-bdec7b0ded3b@schaufler-ca.com>
From: Casey Schaufler Message-ID: <3630c42a-2944-0dcf-5053-e9afd598018e@schaufler-ca.com> Date: Thu, 8 Jun 2017 13:49:56 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: <59cec608-608e-6de6-21d9-bdec7b0ded3b@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH 4/6] LSM: manage task security blobs Move management of task security blobs into the security infrastructure. Modules are required to identify the space they require. At this time there are no modules that use task blobs. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index dc012eb..feb78e4 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1895,6 +1895,7 @@ struct security_hook_list { struct lsm_blob_sizes { int lbs_cred; int lbs_file; + int lbs_task; }; /* diff --git a/security/security.c b/security/security.c index 3c22fb1..bdf8c04 100644 --- a/security/security.c +++ b/security/security.c @@ -89,6 +89,7 @@ int __init security_init(void) #ifdef CONFIG_SECURITY_LSM_DEBUG pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); + pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task); #endif return 0; @@ -248,6 +249,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) { lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred); lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file); + lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task); } /** 
@@ -273,6 +275,29 @@ int lsm_file_alloc(struct file *file) return 0; } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ +#ifdef CONFIG_SECURITY_LSM_DEBUG + if (task->security) + pr_info("%s: Inbound task blob is not NULL.\n", __func__); +#endif + if (blob_sizes.lbs_task == 0) + return 0; + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + /* * Hook list operation macros. * @@ -1083,6 +1108,9 @@ int security_task_alloc(struct task_struct *task, unsigned long clone_flags) void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
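Review bot: in the lsm_task_alloc() hunk, nothing in this patch calls the new allocator: security_task_alloc() shows up only as context in the hunk header, and no hunk adds a call to it, so a module that sets lbs_task would still see task->security == NULL while security_task_free() dutifully kfree()s it. Either wire lsm_task_alloc() into security_task_alloc() here, before the task_alloc hooks run, or say in the commit message that a later patch in the series does. Related: lsm_task_alloc() is non-static but the lsm_hooks.h hunk only adds the lbs_task field and no prototype; unless a declaration exists elsewhere, sparse and -Wmissing-prototypes will complain and other files cannot use it. Finally, the CONFIG_SECURITY_LSM_DEBUG branch logs a non-NULL inbound blob but then overwrites the pointer with the kzalloc() result, so if that message ever fires the old blob leaks; returning 0 early (or freeing it) would make the debug path safe rather than merely noisy.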
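Review bot: in the security_task_free() hunk the ordering is right: the modules' task_free hooks run over the composite blob before kfree(task->security) releases it, and clearing the pointer afterwards avoids a dangling reference; kfree(NULL) is a no-op, so tasks that never got a blob are fine. Worth a sentence in the commit message, though, is who releases the blob when a later task_alloc hook fails inside security_task_alloc(): if that error path does not go through security_task_free(), the blob from lsm_task_alloc() would leak, and that path is not visible in this patch.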