From patchwork Thu Jun 23 21:11:48 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9196037
Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs
To: LSM, James Morris
Cc: John Johansen, Stephen Smalley, Paul Moore, Tetsuo Handa, Kees Cook, LKLM
From: Casey Schaufler
Message-ID: <5767eed4-78ec-cc4c-2ece-c1fec4d752af@schaufler-ca.com>
References: <599d0a80-0838-2baa-8ee2-7eefafc10cec@schaufler-ca.com>
In-Reply-To: <599d0a80-0838-2baa-8ee2-7eefafc10cec@schaufler-ca.com>
Date: Thu, 23 Jun 2016 14:11:48 -0700

The /proc/.../attr/current interface is used by all three Linux
security modules (SELinux, Smack and AppArmor) to report and modify
the process security attribute. This is all fine when there is exactly
one of these modules active and the userspace code knows which
module it is.

It would require a major change to the "current" interface
to provide information about more than one set of process
security attributes. Instead, a "context" attribute is added,
which identifies the security module that the information
applies to. The format is:

	lsmname='context-value'

When multiple concurrent modules are supported the
/proc/.../attr/context interface will include the data for
all of the active modules.

	lsmname1='context-value1'lsmname2='context-value2'

The module specific subdirectories under attr contain
context entries that report the information for that specific
module in the same format.

Signed-off-by: Casey Schaufler
---
 fs/proc/base.c             |   4 ++
 security/apparmor/lsm.c    |  34 +++++++++++++--
 security/security.c        | 100 +++++++++++++++++++++++++++++++++++++++++++++
 security/selinux/hooks.c   |  22 +++++++++-
 security/smack/smack_lsm.c |  21 ++++++----
 5 files changed, 167 insertions(+), 14 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 182bc28..df94f26 100644
--- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] = { ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), ATTR("selinux", "keycreate", S_IRUGO|S_IWUGO), ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), + ATTR("selinux", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(selinux); #endif @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); #ifdef CONFIG_SECURITY_SMACK static const struct pid_entry smack_attr_dir_stuff[] = { ATTR("smack", "current", S_IRUGO|S_IWUGO), + ATTR("smack", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(smack); #endif @@ -2548,6 +2550,7 @@ static const struct pid_entry apparmor_attr_dir_stuff[] = { ATTR("apparmor", "current", S_IRUGO|S_IWUGO), ATTR("apparmor", "prev", S_IRUGO), ATTR("apparmor", "exec", S_IRUGO|S_IWUGO), + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(apparmor); #endif @@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), ATTR(NULL, "sockcreate", S_IRUGO|S_IWUGO), + ATTR(NULL, "context", S_IRUGO|S_IWUGO), #ifdef CONFIG_SECURITY_SELINUX DIR("selinux", S_IRUGO|S_IXUGO, proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index fb0fb03..3790a7d 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -479,6 +479,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, if (strcmp(name, "current") == 0) profile = aa_get_newest_profile(cxt->profile); + else if (strcmp(name, "context") == 0) + profile = aa_get_newest_profile(cxt->profile); else if (strcmp(name, "prev") == 0 && cxt->previous) profile = aa_get_newest_profile(cxt->previous); else if (strcmp(name, "exec") == 0 && cxt->onexec) 
@@ -486,8 +488,29 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, else error = -EINVAL; - if (profile) - error = aa_getprocattr(profile, value); + if (profile) { + if (strcmp(name, "context") == 0) { + char *vp; + char *np; + + error = aa_getprocattr(profile, &vp); + if (error > 0) { + error += 12; + *value = kzalloc(error, GFP_KERNEL); + if (*value == NULL) + error = -ENOMEM; + else { + sprintf(*value, "apparmor='%s'", vp); + np = strchr(*value, '\n'); + if (np != NULL) { + np[0] = '\''; + np[1] = '\0'; + } + } + } + } else + error = aa_getprocattr(profile, value); + } aa_put_profile(profile); put_cred(cred); @@ -530,7 +553,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, return -EINVAL; arg_size = size - (args - (char *) value); - if (strcmp(name, "current") == 0) { + if (strcmp(name, "current") == 0 || strcmp(name, "context") == 0) { if (strcmp(command, "changehat") == 0) { error = aa_setprocattr_changehat(args, arg_size, !AA_DO_TEST); @@ -552,7 +575,10 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, else goto fail; } else - /* only support the "current" and "exec" process attributes */ + /* + * only support the "current", context and "exec" + * process attributes + */ return -EINVAL; if (!error) diff --git a/security/security.c b/security/security.c index 1e9cb55..fec70b4 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1186,8 +1186,47 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + char *vp; + char *cp = NULL; int rc = -EINVAL; + int trc; + /* + * "context" requires work here in addition to what + * the modules provide. + */ + if (strcmp(name, "context") == 0) { + *value = NULL; + list_for_each_entry(hp, + &security_hook_heads.getprocattr, list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + trc = hp->hook.getprocattr(p, "context", &vp); + if (trc == -ENOENT) + continue; + if (trc <= 0) { + kfree(*value); + return trc; + } + rc = trc; + if (*value == NULL) { + *value = vp; + } else { + cp = kasprintf(GFP_KERNEL, "%s%s", *value, vp); + if (cp == NULL) { + kfree(*value); + kfree(vp); + return -ENOMEM; + } + kfree(*value); + kfree(vp); + *value = cp; + } + } + if (rc > 0) + return strlen(*value); + return rc; + } list_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsm)) 
@@ -1204,7 +1243,68 @@ int security_setprocattr(struct task_struct *p, const char *lsm, char *name, { struct security_hook_list *hp; int rc = -EINVAL; + char *local; + char *cp; + int slen; + int failed = 0; + /* + * If lsm is NULL look at all the modules to find one + * that processes name. If lsm is not NULL only look at + * that module. + * + * "context" is handled directly here. + */ + if (strcmp(name, "context") == 0) { + /* + * First verify that the input is acceptable. + * lsm1='v1'lsm2='v2'lsm3='v3' + * + * A note on the use of strncmp() below. + * The check is for the substring at the beginning of cp. + * The kzalloc of size + 1 ensures a terminated string. + */ + local = kzalloc(size + 1, GFP_KERNEL); + memcpy(local, value, size); + cp = local; + list_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + slen = strlen(hp->lsm); + if (strncmp(cp, hp->lsm, slen)) + goto free_out; + cp += slen; + if (cp[0] != '=' || cp[1] != '\'' || cp[2] == '\'') + goto free_out; + for (cp += 2; cp[0] != '\''; cp++) + if (cp[0] == '\0') + goto free_out; + cp++; + } + cp = local; + list_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + if (lsm != NULL && strcmp(lsm, hp->lsm)) + continue; + cp += strlen(hp->lsm) + 2; + for (slen = 0; cp[slen] != '\''; slen++) + ; + cp[slen] = '\0'; + + rc = hp->hook.setprocattr(p, "context", cp, slen); + if (rc < 0) + failed = rc; + cp += slen + 1; + } + if (failed != 0) + rc = failed; + else + rc = size; +free_out: + kfree(local); + return rc; + } list_for_each_entry(hp, &security_hook_heads.setprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsm)) continue; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ed3a757..3a21c2b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -5711,6 +5711,8 @@ static int selinux_getprocattr(struct task_struct *p, if (!strcmp(name, "current")) sid = __tsec->sid; + else if (!strcmp(name, "context")) + sid = __tsec->sid; else if (!strcmp(name, "prev")) sid = __tsec->osid; else if (!strcmp(name, "exec")) @@ -5728,7 +5730,21 @@ static int selinux_getprocattr(struct task_struct *p, if (!sid) return 0; - error = security_sid_to_context(sid, value, &len); + if (strcmp(name, "context")) { + error = security_sid_to_context(sid, value, &len); + } else { + char *vp; + + error = security_sid_to_context(sid, &vp, &len); + if (!error) { + *value = kzalloc(len + 10, GFP_KERNEL); + if (*value == NULL) + error = -ENOMEM; + else + sprintf(*value, "selinux='%s'", vp); + } + } + if (error) return error; return len; @@ -5768,6 +5784,8 @@ static int selinux_setprocattr(struct task_struct *p, error = current_has_perm(p, PROCESS__SETSOCKCREATE); else if (!strcmp(name, "current")) error = current_has_perm(p, PROCESS__SETCURRENT); + else if (!strcmp(name, "context")) + error = current_has_perm(p, PROCESS__SETCURRENT); else error = -EINVAL; if (error) @@ -5827,7 +5845,7 @@ static int selinux_setprocattr(struct task_struct *p, tsec->keycreate_sid = sid; } else if (!strcmp(name, "sockcreate")) { tsec->sockcreate_sid = sid; - } else if (!strcmp(name, "current")) { + } else if (!strcmp(name, "current") || !strcmp(name, "context")) { error = -EINVAL; if (sid == 0) goto abort_change; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 3577009..d2d8624 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -3576,16 +3576,21 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) char *cp; int slen; - if (strcmp(name, "current") != 0) + if (strcmp(name, "current") == 0) { + cp = kstrdup(skp->smk_known, GFP_KERNEL); + if (cp == NULL) + return -ENOMEM; + } else if (strcmp(name, "context") == 0) { + slen = strlen(skp->smk_known) + 9; + cp = kzalloc(slen, GFP_KERNEL); + if (cp == NULL) + return -ENOMEM; + sprintf(cp, "smack='%s'", skp->smk_known); + } else return -EINVAL; - cp = kstrdup(skp->smk_known, GFP_KERNEL); - if (cp == NULL) - return -ENOMEM; - - slen = strlen(cp); *value = cp; - return slen; + return strlen(cp); } /** @@ -3622,7 +3627,7 @@ static int smack_setprocattr(struct task_struct *p, char *name, if (value == NULL || size == 0 || size >= SMK_LONGLABEL) return -EINVAL; - if (strcmp(name, "current") != 0) + if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0) return -EINVAL; skp = smk_import_entry(value, size);
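Review bot: the new ATTR(NULL, "context", S_IRUGO|S_IWUGO) entry in attr_dir_stuff (and the selinux/smack/apparmor "context" entries in the hunks before it) exposes a user-visible /proc/<pid>/attr file whose format exists only in the commit message; the diffstat touches no Documentation/ file. Please add the lsmname='context-value' format, the separator-free concatenation used when several modules are active, and the write syntax to Documentation, or at least to a comment next to these entries, so userspace does not have to recover the grammar from security_setprocattr().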
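Review bot: the new else if (strcmp(name, "context") == 0) branch in the first apparmor_getprocattr() hunk duplicates the "current" branch line for line; fold it into the first test as if (strcmp(name, "current") == 0 || strcmp(name, "context") == 0), which is what the apparmor_setprocattr() hunk below already does.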
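Review bot: vp is never freed in the "context" path of the second apparmor_getprocattr() hunk: aa_getprocattr(profile, &vp) hands back an allocated string, sprintf() copies it into *value, and the function returns without kfree(vp) on both the success path and the -ENOMEM path. The returned length is also wrong: error is set to the aa_getprocattr() length plus the magic 12 before the trailing '\n' is overwritten in place, so the value handed back no longer matches strlen(*value). Stripping the newline from vp, then kasprintf(GFP_KERNEL, "apparmor='%s'", vp), kfree(vp) and returning strlen(*value) removes the hand-computed size and both problems.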
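Review bot: making "context" an alias of "current" in the apparmor_setprocattr() hunk also lets the context interface accept the changehat/changeprofile/permprofile command syntax, which the commit message does not present as part of the lsmname='value' format; either say so in the commit message and documentation or limit "context" to the plain profile change. Cosmetic: the updated comment quotes "current" and "exec" but not context.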
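Review bot: the error paths in the "context" branch of security_getprocattr() leave *value dangling: both if (trc <= 0) { kfree(*value); return trc; } and the kasprintf() failure path free *value without resetting it, so a caller that frees the output buffer on error double frees. Set *value = NULL after each kfree(*value). Separately, trc == 0 (a module with nothing to report) aborts the whole read instead of being skipped the way -ENOENT is; continue in that case so one quiet module does not hide the others.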
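Review bot: local = kzalloc(size + 1, GFP_KERNEL) in the "context" branch of security_setprocattr() is passed straight to memcpy() with no NULL check; return -ENOMEM when it fails. Three smaller points in the same branch: the validation loop never checks that cp sits on the terminating '\0' once it has consumed the last module's record, so trailing garbage is silently accepted; the second loop applies values one module at a time and only records the last error in failed, so a rejection by a later module leaves earlier modules already changed (validate everything first, or document that the write is not atomic); and if lsm names a module that registers no setprocattr hook, both loops are skipped and rc = size reports success for a write that did nothing.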
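Review bot: vp leaks in the "context" path of the second selinux_getprocattr() hunk: security_sid_to_context(sid, &vp, &len) allocates the context string, sprintf() copies it into *value, and nothing frees vp on either the success or the -ENOMEM path. The hook also still returns len, the length of the bare context, although *value now holds "selinux='...'", and the kzalloc(len + 10) sizing only leaves room for "selinux=''" plus the terminator if len already counts a NUL. kasprintf(GFP_KERNEL, "selinux='%s'", vp), kfree(vp) and return strlen(*value) avoid all three.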
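Review bot: the else if (!strcmp(name, "context")) branch added to the permission check in selinux_setprocattr() (and the matching one in the first selinux_getprocattr() hunk) duplicates the "current" line it follows; write it as an || alternative on the "current" test, as the last selinux hunk does with !strcmp(name, "current") || !strcmp(name, "context").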
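Review bot: the "context" branch of smack_getprocattr() hand-computes slen = strlen(skp->smk_known) + 9 for kzalloc() and then sprintf()s into the buffer; kasprintf(GFP_KERNEL, "smack='%s'", skp->smk_known) does the same without the magic constant, and with it slen is no longer used anywhere in the function and can be dropped.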
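The lsmname='context-value' format from the commit message, and the acceptance rules the security_setprocattr() hunk enforces on a write, as a userspace parser and builder. This is an added example, not code from the patch or from any LSM userspace library; the sample strings are constructed, and the /proc/self/attr/context path is assumed from the patch (the program falls back to the sample when the running kernel does not provide it).

```c
#include <stdio.h>
#include <string.h>

#define LSM_CTX_MAX 8

struct lsm_ctx {
	char lsm[32];
	char value[256];
};

/*
 * Parse "lsm1='v1'lsm2='v2'..." into recs[]; returns the record count or -1
 * on malformed input.  Same rules as the patch's security_setprocattr():
 * a module name, "='", a non-empty value, a closing quote, no separators.
 * The format has no escaping, so a value can never contain a single quote.
 */
int parse_lsm_context(const char *s, struct lsm_ctx *recs, int max)
{
	int n = 0;

	while (*s != '\0') {
		const char *eq = strchr(s, '=');
		const char *vstart, *vend;
		size_t nlen, vlen;

		if (n == max || eq == NULL || eq == s)
			return -1;
		nlen = (size_t)(eq - s);
		if (memchr(s, '\'', nlen) != NULL)	/* quote inside a name */
			return -1;
		if (eq[1] != '\'' || eq[2] == '\'')	/* need "='" and a non-empty value */
			return -1;
		vstart = eq + 2;
		vend = strchr(vstart, '\'');		/* NULL: unterminated value */
		if (vend == NULL)
			return -1;
		vlen = (size_t)(vend - vstart);
		if (nlen >= sizeof(recs[n].lsm) || vlen >= sizeof(recs[n].value))
			return -1;
		memcpy(recs[n].lsm, s, nlen);
		recs[n].lsm[nlen] = '\0';
		memcpy(recs[n].value, vstart, vlen);
		recs[n].value[vlen] = '\0';
		n++;
		s = vend + 1;
	}
	return n;
}

/*
 * Inverse of parse_lsm_context(): the string to write() to the context file.
 * Returns its length, or -1 if a value is empty, a name or value contains a
 * character the format cannot carry, or buf is too small.
 */
int build_lsm_context(const struct lsm_ctx *recs, int n, char *buf, size_t cap)
{
	size_t used = 0;
	int i, w;

	for (i = 0; i < n; i++) {
		if (recs[i].value[0] == '\0' || strchr(recs[i].value, '\'') != NULL ||
		    strpbrk(recs[i].lsm, "'=") != NULL)
			return -1;
		w = snprintf(buf + used, cap - used, "%s='%s'", recs[i].lsm, recs[i].value);
		if (w < 0 || (size_t)w >= cap - used)
			return -1;
		used += (size_t)w;
	}
	return (int)used;
}

int main(void)
{
	/* Constructed sample in the format the commit message describes; the
	 * live path is assumed from the patch and used when the kernel has it. */
	static const char sample[] = "selinux='unconfined_u:unconfined_r:unconfined_t:s0'"
				     "smack='_'apparmor='/usr/bin/example (enforce)'";
	struct lsm_ctx recs[LSM_CTX_MAX];
	char line[4096];
	FILE *f = fopen("/proc/self/attr/context", "r");
	const char *src = sample;
	int n, i;

	if (f != NULL && fgets(line, sizeof(line), f) != NULL) {
		line[strcspn(line, "\n")] = '\0';
		src = line;
	}
	if (f != NULL)
		fclose(f);
	n = parse_lsm_context(src, recs, LSM_CTX_MAX);
	if (n < 0) {
		fprintf(stderr, "malformed context string: %s\n", src);
		return 1;
	}
	for (i = 0; i < n; i++)
		printf("%-9s %s\n", recs[i].lsm, recs[i].value);
	return 0;
}
```

The builder refuses a value containing a single quote rather than emitting a string the kernel would split in the wrong place, and refuses an empty value for the same reason the kernel's cp[2] == '\'' test rejects one; a library that hands user input to this interface needs the same checks, because the format has no escape mechanism to fall back on.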