From patchwork Wed Apr 5 21:54:30 2017
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9665807
Subject: [PATCH RFC 11/11] LSM: manage task security blobs
To: LSM , James Morris
References: <509e0281-9f8a-83c2-f9d6-5532903cda46@schaufler-ca.com>
Cc: John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , Kees Cook , Casey Schaufler
From: Casey Schaufler Message-ID: <94362ac4-9c2a-eeec-ee33-a209d0c37a38@schaufler-ca.com> Date: Wed, 5 Apr 2017 14:54:30 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <509e0281-9f8a-83c2-f9d6-5532903cda46@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH RFC 11/11] LSM: manage task security blobs Move management of task security blobs into the security infrastructure. Modules are required to identify the space they require. At this time there are no modules that use task blobs. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index d848a0a..f36b73f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1907,6 +1907,7 @@ struct lsm_blob_sizes { int lbs_msg_msg; int lbs_sock; int lbs_superblock; + int lbs_task; }; /* diff --git a/security/security.c b/security/security.c index 5cf3214..f8943da 100644 --- a/security/security.c +++ b/security/security.c @@ -104,6 +104,7 @@ int __init security_init(void) pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock); pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock); + pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task); pr_info("LSM: secid size = %zu\n", sizeof(struct secids)); #endif /* CONFIG_SECURITY_LSM_DEBUG */ 
@@ -268,6 +269,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); + lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task); /* * The inode blob gets an rcu_head in addition to * what the modules might need. @@ -460,6 +462,29 @@ int lsm_superblock_alloc(struct super_block *sb) return 0; } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ +#ifdef CONFIG_SECURITY_LSM_DEBUG + if (task->security) + pr_info("%s: Inbound task blob is not NULL.\n", __func__); +#endif + if (blob_sizes.lbs_task == 0) + return 0; + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + /* * A secids structure contains all of the modules specific * secids and the secmark used to represent the combination @@ -1422,6 +1447,9 @@ int security_task_alloc(struct task_struct *task, unsigned long clone_flags) void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
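Review bot: in the lsm_task_alloc hunk, the "blob_sizes.lbs_task == 0" early return leaves task->security holding whatever value it arrived with, and the CONFIG_SECURITY_LSM_DEBUG check directly above it only prints when that inbound value is non-NULL before the kzalloc overwrites it. Suggest making the zero-size path explicit, "task->security = NULL; return 0;", so the field never points at a blob this task does not own (matching the NULL reset that security_task_free now performs), and consider a WARN_ON_ONCE instead of pr_info for the non-NULL inbound case, since silently replacing a live pointer hides either a leak or a reference to some other task's blob. Also, lsm_task_alloc is non-static while the lsm_hooks.h hunk adds only the lbs_task field, so the patch ships no prototype for it; add the declaration next to the new field, or mark the function static once it has a caller in this file.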
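Review bot: the final hunk adds kfree(task->security) to security_task_free, but nothing in this patch calls lsm_task_alloc: the hunk header names security_task_alloc only as surrounding context and the hunk body changes security_task_free alone, so the free side is wired up while the allocation side is not, and the kerneldoc's "Allocate the task blob for all the modules" has no effect yet. Either add the call in security_task_alloc ahead of the task_alloc hook and return its -ENOMEM on failure, or state in the commit message that wiring the allocation is deferred to a later patch. The order in the free path is right: modules get the task_free hook first, so they can still read their slice of the blob before the composite is released and the pointer is cleared.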