From patchwork Mon Jul 16 18:23:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10527505 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8748660348 for ; Mon, 16 Jul 2018 18:24:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 79A46219AC for ; Mon, 16 Jul 2018 18:24:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6D9AA2832B; Mon, 16 Jul 2018 18:24:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9C66B219AC for ; Mon, 16 Jul 2018 18:24:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728522AbeGPSwo (ORCPT ); Mon, 16 Jul 2018 14:52:44 -0400 Received: from sonic308-15.consmr.mail.gq1.yahoo.com ([98.137.68.39]:42881 "EHLO sonic308-15.consmr.mail.gq1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727618AbeGPSwn (ORCPT ); Mon, 16 Jul 2018 14:52:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1531765446; bh=K3faEMpjoT0yIT+hjTC+Hc8UfBnvQ/CmJCHPkG00jeI=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=L7eZ07D9TUoMJ2EEyJAYl84wGXIyVce+4vxo2HthohoVUmLNG1qXipiCD8rkJymeGtrGodq3YERLEyi8iZzpP/tg2VGuma0cJWqtq/YziE389UTv29P1zlmP57Zoq9RqSvV1n6vyzgVOxqCjZC7ZqdF63HLte6weAofcWZgXT13f6O4ZpcuT6oCBdOmQKbzt5P3kHMPn9137ZbwyzAhCKw2ZlegLuPkKyuzSpoz2qtdhuAqlWlai6Zir3VSfYG/aAwU8vfYEHN7f6ZW8icRZIwR2c7n4EbRfR3J/8MuKyxyPg8kj2VIIB6paXfmCxZTM+Fx6Wmp2uWeaa5H4yrrEQQ== X-YMail-OSG: AQUQ3xoVM1ludED.M4dtr7UAuxMwkMX6poFPtzketMqM9wSYi2AeRU9zZtUmOHQ j9Zx2LIR8sX11GK3TlgyJ_miusdYAgUG5JG7YR.0tM88VJfSVlnWtL3eGfuzY1FIigmE.BWSK7rq PGntJNzfQojGrxqdIxm49xTpt4CMEI.u.Kr1fm35nZgvTTgmPn04cp9Ob6yD3LbtBKAMKOi67.DN 47sMvJUC_8GefHqMjOn27755YMNcLazSKffzosQ6vXnELUllxon29siIXHvGfDWKXvA0qflixuKS gG4uhYvy9U3nHBzXFFoWZXFwXQ71weaLPWX0hNZUW.CfWXjGuDfqirFg1C0qypQmC3t8Hp8aF3_Y rsgXbnZ17b3P3y483Pubo3lvNwhMpt3ABk89Elu3Xp9fnI84w1M0uAaE6W0VyHec.NMOyICvsJLf mo01EpjT5NFpP_Ui0slJmibB4QDLaDDC8dEC1q72lrsIbVitQjsLqrsIcytmrit5gBmoG3xPhOur yBeWgfLLxCtQO_oXEv5SzbytwqawoIve5GbiMdGIITvcQbga2eej2sDru0jphJoJQuAD_Bh3wP5f T1EJ7qvue2Rubg5k3bLUL.OYCExfI7PPvHbW1K1_1ZxYySq5t9SKfF_TwNpGA_K_PI3mnb_gbFSB diQtnfZj_Gd3GlttDjw99jHk..IU0uOnMArPRO7BnsxYFf.uGXSm1Fr2XePlqqH9il2s8RMNB27G fFhc1b8vwKmlWjJU3WkhapmEN1poHXroswaEKLvf4XRwhrsIHZK1Q8uAF952Z4LCwR03Jbntr6fk 2ma8awbyb9L07Lc_kYSJEU0otgomsbDfdAooZYgEui0zgoVHHG7x.3A7BC03XgFN6CABoI2vvNVS a49Un2kaDtnbLMuKKAc3l_F7ZReSpFh7QhZZk5Nnm.qIUGVbviXrETg2aCMjJHNzj7XoAljk.1qj YMj6udHykjIgymJR5TJC3lhW9K7o.pGlSsATj_3H13.6luBt5OGQMvlbhDMAR3B.hndSr3UP9WmX lL_UY1KEIw3TXzATkB09KU2hywWjcNeM- Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.gq1.yahoo.com with HTTP; Mon, 16 Jul 2018 18:24:06 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.100]) ([67.169.65.224]) by smtp428.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 1e0f0a8cbf320a1753bef11666eff08e; Mon, 16 Jul 2018 18:24:02 +0000 (UTC) Subject: [PATCH v1 14/22] LSM: Infrastructure management of the key security blob To: LSM , LKLM , Paul Moore , Stephen Smalley , SE Linux , "SMACK-discuss@lists.01.org" , John Johansen , Kees Cook , Tetsuo Handa , James Morris Cc: "Schaufler, Casey" , Casey Schaufler References: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> From: Casey Schaufler Message-ID: <73337db4-af36-0007-63a0-9e5a6fb7a43e@schaufler-ca.com> Date: Mon, 16 Jul 2018 11:23:59 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <8a325db8-e7eb-9581-2b77-fc987a165df7@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP [PATCH 14/22] LSM: Infrastructure management of the key security blob Move management of the key->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 40 ++++++++++++++++++++++++++++++- security/selinux/hooks.c | 23 +++++------------- security/selinux/include/objsec.h | 7 ++++++ security/smack/smack.h | 7 ++++++ security/smack/smack_lsm.c | 33 ++++++++++++------------- 6 files changed, 75 insertions(+), 36 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6e6967abc5b7..fe14a86c6df0 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2026,6 +2026,7 @@ struct lsm_blob_sizes { int lbs_file; int lbs_inode; int lbs_ipc; + int lbs_key; int lbs_msg_msg; int lbs_sock; int lbs_superblock; diff --git a/security/security.c b/security/security.c index 500fb19d5aea..b95a151f7347 100644 --- a/security/security.c +++ b/security/security.c @@ -117,6 +117,9 @@ int __init security_init(void) pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode); pr_info("LSM: ipc blob size = %d\n", blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + pr_info("LSM: key blob size = %d\n", blob_sizes.lbs_key); +#endif /* CONFIG_KEYS */ pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock); pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock); @@ -297,6 +300,9 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred); lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file); lsm_set_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + lsm_set_size(&needed->lbs_key, &blob_sizes.lbs_key); +#endif lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); @@ -432,6 +438,29 @@ int lsm_ipc_alloc(struct kern_ipc_perm *kip) return 0; } +#ifdef CONFIG_KEYS +/** + * lsm_key_alloc - allocate a composite key blob + * @key: the key that needs a blob + * + * Allocate the key blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_key_alloc(struct key *key) +{ + if (blob_sizes.lbs_key == 0) { + key->security = NULL; + return 0; + } + + key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL); + if (key->security == NULL) + return -ENOMEM; + return 0; +} +#endif /* CONFIG_KEYS */ + /** * lsm_msg_msg_alloc - allocate a composite msg_msg blob * @mp: the msg_msg that needs a blob @@ -2143,12 +2172,21 @@ EXPORT_SYMBOL(security_skb_classify_flow); int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - return call_int_hook(key_alloc, 0, key, cred, flags); + int rc = lsm_key_alloc(key); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(key_alloc, 0, key, cred, flags); + if (unlikely(rc)) + security_key_free(key); + return rc; } void security_key_free(struct key *key) { call_void_hook(key_free, key); + kfree(key->security); + key->security = NULL; } int security_key_permission(key_ref_t key_ref, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ede12c1720a4..452d0c774c75 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6441,11 +6441,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; + struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); if (tsec->keycreate_sid) @@ -6453,18 +6449,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, else ksec->sid = tsec->sid; - k->security = ksec; return 0; } -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, unsigned perm) @@ -6482,7 +6469,7 @@ static int selinux_key_permission(key_ref_t key_ref, sid = cred_sid(cred); key = key_ref_to_ptr(key_ref); - ksec = key->security; + ksec = selinux_key(key); return avc_has_perm(&selinux_state, sid, ksec->sid, SECCLASS_KEY, perm, NULL); @@ -6490,7 +6477,7 @@ static int selinux_key_permission(key_ref_t key_ref, static int selinux_key_getsecurity(struct key *key, char **_buffer) { - struct key_security_struct *ksec = key->security; + struct key_security_struct *ksec = selinux_key(key); char *context = NULL; unsigned len; int rc; @@ -6715,6 +6702,9 @@ struct lsm_blob_sizes selinux_blob_sizes = { .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct key_security_struct), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct msg_security_struct), .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), @@ -6925,7 +6915,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, selinux_key_alloc), - LSM_HOOK_INIT(key_free, selinux_key_free), LSM_HOOK_INIT(key_permission, selinux_key_permission), LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), #endif diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 848ba24921c9..96cecdbcd3fb 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -193,6 +193,13 @@ static inline struct ipc_security_struct *selinux_ipc( return ipc->security; } +#ifdef CONFIG_KEYS +static inline struct key_security_struct *selinux_key(const struct key *key) +{ + return key->security; +} +#endif /* CONFIG_KEYS */ + static inline struct sk_security_struct *selinux_sock(const struct sock *sock) { return sock->sk_security; diff --git a/security/smack/smack.h b/security/smack/smack.h index 42c36e37b0bd..e50ed4945a40 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -393,6 +393,13 @@ static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc) return ipc->security; } +#ifdef CONFIG_KEYS +static inline struct smack_known **smack_key(const struct key *key) +{ + return key->security; +} +#endif /* CONFIG_KEYS */ + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f8c4b3e95e67..319450174c17 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4153,23 +4153,13 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { + struct smack_known **blob = smack_key(key); struct smack_known *skp = smk_of_task(smack_cred(cred)); - key->security = skp; + *blob = skp; return 0; } -/** - * smack_key_free - Clear the key security blob - * @key: the object - * - * Clear the blob pointer - */ -static void smack_key_free(struct key *key) -{ - key->security = NULL; -} - /** * smack_key_permission - Smack access on a key * @key_ref: gets to the object @@ -4182,6 +4172,8 @@ static void smack_key_free(struct key *key) static int smack_key_permission(key_ref_t key_ref, const struct cred *cred, unsigned perm) { + struct smack_known **blob; + struct smack_known *skp; struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(smack_cred(cred)); @@ -4195,7 +4187,9 @@ static int smack_key_permission(key_ref_t key_ref, * If the key hasn't been initialized give it access so that * it may do so. */ - if (keyp->security == NULL) + blob = smack_key(keyp); + skp = *blob; + if (skp == NULL) return 0; /* * This should not occur @@ -4215,8 +4209,8 @@ static int smack_key_permission(key_ref_t key_ref, request = MAY_READ; if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) request = MAY_WRITE; - rc = smk_access(tkp, keyp->security, request, &ad); - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + rc = smk_access(tkp, skp, request, &ad); + rc = smk_bu_note("key access", tkp, skp, request, rc); return rc; } @@ -4231,11 +4225,12 @@ static int smack_key_permission(key_ref_t key_ref, */ static int smack_key_getsecurity(struct key *key, char **_buffer) { - struct smack_known *skp = key->security; + struct smack_known **blob = smack_key(key); + struct smack_known *skp = *blob; size_t length; char *copy; - if (key->security == NULL) { + if (skp == NULL) { *_buffer = NULL; return 0; } @@ -4520,6 +4515,9 @@ struct lsm_blob_sizes smack_blob_sizes = { .lbs_file = sizeof(struct smack_known *), .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct smack_known *), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct smack_known *), .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), @@ -4639,7 +4637,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { /* key management security hooks */ #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, smack_key_alloc), - LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), #endif /* CONFIG_KEYS */