From patchwork Fri Dec  8 04:24:23 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sargun Dhillon <sargun@sargun.me>
X-Patchwork-Id: 10101613
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	665B460329
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Fri,  8 Dec 2017 04:24:30 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 54C8628A26
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Fri,  8 Dec 2017 04:24:30 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4838728A2C; Fri,  8 Dec 2017 04:24:30 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3720528A26
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Fri,  8 Dec 2017 04:24:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752681AbdLHEY2 (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Thu, 7 Dec 2017 23:24:28 -0500
Received: from mail-it0-f65.google.com ([209.85.214.65]:32790 "EHLO
	mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752661AbdLHEY0 (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Thu, 7 Dec 2017 23:24:26 -0500
Received: by mail-it0-f65.google.com with SMTP id o130so3402626itg.0
	for <linux-security-module@vger.kernel.org>;
	Thu, 07 Dec 2017 20:24:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google;
	h=from:date:to:cc:subject:message-id:references:mime-version
	:content-disposition:in-reply-to:user-agent;
	bh=v+YrD8v06YQLyaG+4myDO8I4bf93kbxBVFQZHDNyjuI=;
	b=GthaPS3w6SB9/FlHWWmdZKlHgbhWFtO98p9VaUUr5L1cYXRYsgXzxVquiK8qY5SYJD
	JNuu7LIKXT9/+JdlgtXY/TTF+M5Dma8Kbhp9QjitrrLC4jKlYUWaop/5BrxqDkgI4qC7
	afqRxTv9VhtlfJlREx8xlNlI1xlGrlYnMP4+M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:date:to:cc:subject:message-id:references
	:mime-version:content-disposition:in-reply-to:user-agent;
	bh=v+YrD8v06YQLyaG+4myDO8I4bf93kbxBVFQZHDNyjuI=;
	b=K69oAZkYSIq74mZ1CySur2pNfRw4LXy7T6DhJazJzC8SrMe5TT2ykgTD422Iqg3ysn
	PIJ0GAwYZ+dEKaW3mIpl7/e4Rh05s6zyzxU1engtSC19t3Hl8K5MjGRhF6QC5rdzZ8yt
	E+C/DE6RoJ8YjHH8UcWD8lAussRfYzUipWj2hW1Pi5ZFccpyCTEMGo9KGQ+s5i7JvzaB
	dVxUpemBSraIwgNrWFTl6whlt0sn+bk7bHGmcXkirKimI69l0yD1zu9hn7/60w8dKFa3
	4AcCVi4uiKN+LA+md2z57e/RRAb9FVJMxevwi3qYM5qUjvWYOnedwZrH36YVAt5AcI7a
	agKg==
X-Gm-Message-State: AKGB3mK02F7rWr/jRHE9OWCXmpriOMAc6gcfVBZWNC9lLeHddsH2Cqc8
	SjGysSQkS7/8p3O6NPZIwuRAHpCdHNM=
X-Google-Smtp-Source: 
 AGs4zMZOnAAuQQFXDkoxnsFQMfVmWpJJclxrsYFC710cgeygRcIbX+Nc1w4hAVEIIjJvItmIUDwCNA==
X-Received: by 10.107.142.148 with SMTP id
	q142mr20711761iod.174.1512707065074;
	Thu, 07 Dec 2017 20:24:25 -0800 (PST)
Received: from ircssh-2.c.rugged-nimbus-611.internal
	(80.60.198.104.bc.googleusercontent.com. [104.198.60.80])
	by smtp.gmail.com with ESMTPSA id
	h19sm371426iod.85.2017.12.07.20.24.24
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 07 Dec 2017 20:24:24 -0800 (PST)
From: Sargun Dhillon <sargun@sargun.me>
X-Google-Original-From: Sargun Dhillon <sargun@netflix.com>
Date: Fri, 8 Dec 2017 04:24:23 +0000
To: linux-security-module@vger.kernel.org
Cc: keescook@chromium.org, igor.stoppa@huawei.com,
	casey@schaufler-ca.com, linux-kernel@vger.kernel.org
Subject: [RFC v2 3/3] LSM: Add an example sample dynamic LSM
Message-ID: 
 <f8974bb41f326effbe0d15d9b04dc15e281023ec.1512704909.git.sargun@netflix.com>
References: <cover.1512704909.git.sargun@netflix.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1512704909.git.sargun@netflix.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

This adds an example LSM that utilizes the features added by the
dynamically loadable LSMs patch. Once the module is unloaded, the
command is once again allowed. It prevents the user from running:
date --set="October 21 2015 16:29:00 PDT

The behaviour can be verified by looking at:
/sys/kernel/security/dynamic_hooks/settime

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
---
 samples/Kconfig           |  6 ++++++
 samples/Makefile          |  2 +-
 samples/lsm/Makefile      |  4 ++++
 samples/lsm/lsm_example.c | 39 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 samples/lsm/Makefile
 create mode 100644 samples/lsm/lsm_example.c

diff --git a/samples/Kconfig b/samples/Kconfig
index c332a3b9de05..283f44252ca4 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -117,4 +117,10 @@ config SAMPLE_STATX
 	help
 	  Build example userspace program to use the new extended-stat syscall.
 
+config SAMPLE_DYNAMIC_LSM
+	tristate "Build LSM examples -- loadable modules only"
+	depends on SECURITY_DYNAMIC_HOOKS_FS && m
+	help
+	  This builds an example dynamic LSM
+
 endif # SAMPLES
diff --git a/samples/Makefile b/samples/Makefile
index db54e766ddb1..9d23835d6e6d 100644
--- a/samples/Makefile
+++ b/samples/Makefile
@@ -3,4 +3,4 @@
 obj-$(CONFIG_SAMPLES)	+= kobject/ kprobes/ trace_events/ livepatch/ \
 			   hw_breakpoint/ kfifo/ kdb/ hidraw/ rpmsg/ seccomp/ \
 			   configfs/ connector/ v4l/ trace_printk/ blackfin/ \
-			   vfio-mdev/ statx/
+			   vfio-mdev/ statx/ lsm/
diff --git a/samples/lsm/Makefile b/samples/lsm/Makefile
new file mode 100644
index 000000000000..d4ccb940f18b
--- /dev/null
+++ b/samples/lsm/Makefile
@@ -0,0 +1,4 @@
+# builds the loadable LSM example kernel modules;
+# then to use one (as root):  insmod <module_name.ko>
+# and to unload: rmmod module_name
+obj-$(CONFIG_SAMPLE_DYNAMIC_LSM) += lsm_example.o
diff --git a/samples/lsm/lsm_example.c b/samples/lsm/lsm_example.c
new file mode 100644
index 000000000000..7c36ca231e77
--- /dev/null
+++ b/samples/lsm/lsm_example.c
@@ -0,0 +1,39 @@
+/*
+ * This sample hooks into the "path_chroot"
+ *
+ * Once you run it, the following will not be allowed:
+ * date --set="October 21 2015 16:29:00 PDT"
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/lsm_hooks.h>
+
+static const char lsm_name[] = "example";
+
+static int settime_cb(const struct timespec *ts, const struct timezone *tz)
+{
+	/* We aren't allowed to travel to October 21 2015 16:29 PDT */
+	if (ts->tv_sec >= 1445470140 && ts->tv_sec < 1445470200)
+		return -EPERM;
+
+	return 0;
+}
+
+DYNAMIC_SECURITY_HOOK(my_hook, lsm_name, settime, settime_cb);
+
+static int __init lsm_init(void)
+{
+	int ret;
+
+	ret = security_add_dynamic_hook(&my_hook);
+	if (!ret)
+		pr_info("Successfully installed example dynamic LSM\n");
+	else
+		pr_err("Unable to install dynamic LSM - %d\n", ret);
+
+	return ret;
+}
+
+module_init(lsm_init)
+MODULE_LICENSE("GPL");