From patchwork Fri Oct 27 21:45:16 2017
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10030681
Subject: [PATCH 4/9] LSM: Manage task security blobs
To: LSM , James Morris
Cc: John Johansen , Tetsuo Handa , Paul Moore , Kees
Cook , Stephen Smalley References: <1473402e-a714-7ace-2698-b65d73e3f17e@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Fri, 27 Oct 2017 14:45:16 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <1473402e-a714-7ace-2698-b65d73e3f17e@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH 4/9] LSM: Manage task security blobs Move management of task security blobs into the security infrastructure. Modules are required to identify the space they require. At this time there are no modules that use task blobs. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index e5d0f1e01b81..44f8619d93d6 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1920,6 +1920,7 @@ struct security_hook_list { struct lsm_blob_sizes { int lbs_cred; int lbs_file; + int lbs_task; }; /* diff --git a/security/security.c b/security/security.c index 4d8e702fa22f..70740b902e16 100644 --- a/security/security.c +++ b/security/security.c @@ -101,6 +101,7 @@ int __init security_init(void) #ifdef CONFIG_SECURITY_LSM_DEBUG pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); + pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task); #endif return 0; @@ -278,6 +279,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) { lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred); lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file); + lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task); } /** 
@@ -299,6 +301,29 @@ int lsm_file_alloc(struct file *file) return 0; } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ +#ifdef CONFIG_SECURITY_LSM_DEBUG + if (task->security) + pr_info("%s: Inbound task blob is not NULL.\n", __func__); +#endif + if (blob_sizes.lbs_task == 0) + return 0; + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + /* * Hook list operation macros. * @@ -1102,12 +1127,19 @@ int security_file_open(struct file *file, const struct cred *cred) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { + int rc = lsm_task_alloc(task); + + if (rc) + return rc; return call_int_hook(task_alloc, 0, task, clone_flags); } void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
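Review bot: in the include/linux/lsm_hooks.h hunk, the new lbs_task member of struct lsm_blob_sizes is added without any comment, and the struct itself carries none; a one-line comment stating that each lbs_* field is the number of bytes a module requests for that blob type (cred, file, task) would spare later readers a trip to security_add_blobs() to work that out.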
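Review bot: in the lsm_task_alloc hunk, the `if (blob_sizes.lbs_task == 0) return 0;` path leaves task->security holding whatever it contained on entry, even though the CONFIG_SECURITY_LSM_DEBUG branch directly above it acknowledges that an inbound non-NULL pointer is possible (a freshly duplicated task_struct starts as a copy of its parent's, so once any module requests task blob space that debug message will also fire on every fork). Assign `task->security = NULL;` before returning in the zero-size case so the kfree() in security_task_free never sees a pointer this function did not allocate. Secondary point: lsm_task_alloc has external linkage, but the header hunk adds no prototype and its only caller is in this file; make it `static` (or declare it next to the other lsm_*_alloc helpers) to avoid a missing-prototypes warning.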
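Review bot: in the security_task_alloc/security_task_free hunk, a failing module hook leaks the blob: by the time call_int_hook(task_alloc, 0, task, clone_flags) returns non-zero, lsm_task_alloc has already stored a kzalloc'd buffer in task->security, yet the hook result is returned directly and nothing releases that buffer. A caller that sees security_task_alloc fail has no reason to call security_task_free on the task, so the function must clean up its own allocation. Capture the result and free on failure:
rc = call_int_hook(task_alloc, 0, task, clone_flags);
if (unlikely(rc))
	security_task_free(task);
and then return rc. The security_task_free side is correct as written: the module hooks run before kfree() so they can still read their portion of the blob, and resetting task->security to NULL afterwards guards against a double free.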