From patchwork Fri Jun 11 00:04:11 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314323
Received: by kubenode508.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID
82125988898df49302def211bb4cb2b8; Fri, 11 Jun 2021 00:05:50 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v27 01/25] LSM: Infrastructure management of the sock security Date: Thu, 10 Jun 2021 17:04:11 -0700 Message-Id: <20210611000435.36398-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 6 ++- security/apparmor/lsm.c | 38 ++++----------- security/security.c | 36 +++++++++++++- security/selinux/hooks.c | 78 +++++++++++++++---------------- security/selinux/include/objsec.h | 5 ++ security/selinux/netlabel.c | 23 ++++----- security/smack/smack.h | 5 ++ security/smack/smack_lsm.c | 66 ++++++++++++-------------- security/smack/smack_netfilter.c | 8 ++-- 10 files changed, 145 insertions(+), 121 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 5c4c5c0602cb..afd3b16875b0 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -1588,6 +1588,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_sock; int lbs_superblock; int lbs_ipc; int lbs_msg_msg; diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index aadb4b29fb66..fac8999ba7a3 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,7 +51,11 @@ struct aa_sk_ctx { struct aa_label *peer; }; -#define SK_CTX(X) ((X)->sk_security) +static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) +{ + return sk->sk_security + apparmor_blob_sizes.lbs_sock; +} + #define SOCK_ctx(X) SOCK_INODE(X)->i_security #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ struct lsm_network_audit NAME ## _net = { .sk = (SK), \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index f72406fe1bf2..4113516fb62e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -775,33 +775,15 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo return error; } -/** - * apparmor_sk_alloc_security - allocate and attach the sk_security field - */ -static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) -{ - struct aa_sk_ctx *ctx; - - ctx = kzalloc(sizeof(*ctx), flags); - if (!ctx) - return -ENOMEM; - - SK_CTX(sk) = ctx; - - return 0; -} - /** * apparmor_sk_free_security - free the sk_security field */ static void apparmor_sk_free_security(struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); - SK_CTX(sk) = NULL; aa_put_label(ctx->label); aa_put_label(ctx->peer); - kfree(ctx); } /** @@ -810,8 +792,8 @@ static void apparmor_sk_free_security(struct sock *sk) static void apparmor_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); - struct aa_sk_ctx *new = SK_CTX(newsk); + struct aa_sk_ctx *ctx = aa_sock(sk); + struct aa_sk_ctx *new = aa_sock(newsk); if (new->label) aa_put_label(new->label); 
@@ -867,7 +849,7 @@ static int apparmor_socket_post_create(struct socket *sock, int family, label = aa_get_current_label(); if (sock->sk) { - struct aa_sk_ctx *ctx = SK_CTX(sock->sk); + struct aa_sk_ctx *ctx = aa_sock(sock->sk); aa_put_label(ctx->label); ctx->label = aa_get_label(label); @@ -1052,7 +1034,7 @@ static int apparmor_socket_shutdown(struct socket *sock, int how) */ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!skb->secmark) return 0; @@ -1065,7 +1047,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) static struct aa_label *sk_peer_label(struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (ctx->peer) return ctx->peer; @@ -1149,7 +1131,7 @@ static int apparmor_socket_getpeersec_dgram(struct socket *sock, */ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!ctx->label) ctx->label = aa_get_current_label(); @@ -1159,7 +1141,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent) static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); if (!skb->secmark) return 0; @@ -1176,6 +1158,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct aa_task_ctx *), .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), + .lbs_sock = sizeof(struct aa_sk_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 
@@ -1212,7 +1195,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), @@ -1764,7 +1746,7 @@ static unsigned int apparmor_ip_postroute(void *priv, if (sk == NULL) return NF_ACCEPT; - ctx = SK_CTX(sk); + ctx = aa_sock(sk); if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, skb->secmark, sk)) return NF_ACCEPT; diff --git a/security/security.c b/security/security.c index b38155b2de83..e12a7c463468 100644 --- a/security/security.c +++ b/security/security.c @@ -29,6 +29,7 @@ #include #include #include +#include #define MAX_LSM_EVM_XATTR 2 @@ -203,6 +204,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); } @@ -339,6 +341,7 @@ static void __init ordered_lsm_init(void) init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); 
@@ -658,6 +661,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp) return 0; } +/** + * lsm_sock_alloc - allocate a composite sock blob + * @sock: the sock that needs a blob + * @priority: allocation mode + * + * Allocate the sock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +{ + if (blob_sizes.lbs_sock == 0) { + sock->sk_security = NULL; + return 0; + } + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +} + /** * lsm_early_task - during initialization allocate a composite task blob * @task: the task that needs a blob @@ -2258,12 +2283,21 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { - return call_int_hook(sk_alloc_security, 0, sk, family, priority); + int rc = lsm_sock_alloc(sk, priority); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sk_alloc_security, 0, sk, family, priority); + if (unlikely(rc)) + security_sk_free(sk); + return rc; } void security_sk_free(struct sock *sk) { call_void_hook(sk_free_security, sk); + kfree(sk->sk_security); + sk->sk_security = NULL; } void security_sk_clone(const struct sock *sk, struct sock *newsk) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index eaea837d89d1..84ddcec6322e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4652,7 +4652,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec, static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; 
@@ -4709,7 +4709,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, isec->initialized = LABEL_INITIALIZED; if (sock->sk) { - sksec = sock->sk->sk_security; + sksec = selinux_sock(sock->sk); sksec->sclass = sclass; sksec->sid = sid; /* Allows detection of the first association on this socket */ @@ -4725,8 +4725,8 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct sk_security_struct *sksec_a = socka->sk->sk_security; - struct sk_security_struct *sksec_b = sockb->sk->sk_security; + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); sksec_a->peer_sid = sksec_b->sid; sksec_b->peer_sid = sksec_a->sid; @@ -4741,7 +4741,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family; int err; @@ -4876,7 +4876,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; err = sock_has_perm(sk, SOCKET__CONNECT); 
@@ -5055,9 +5055,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; + struct sk_security_struct *sksec_sock = selinux_sock(sock); + struct sk_security_struct *sksec_other = selinux_sock(other); + struct sk_security_struct *sksec_new = selinux_sock(newsk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; int err; @@ -5089,8 +5089,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; + struct sk_security_struct *ssec = selinux_sock(sock->sk); + struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -5132,7 +5132,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { int err = 0; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u32 sk_sid = sksec->sid; struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -5165,7 +5165,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { int err; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family = sk->sk_family; u32 sk_sid = sksec->sid; struct common_audit_data ad; 
@@ -5233,13 +5233,15 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) return err; } -static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) +static int selinux_socket_getpeersec_stream(struct socket *sock, + char __user *optval, + int __user *optlen, + unsigned int len) { int err = 0; char *scontext; u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sock->sk); u32 peer_sid = SECSID_NULL; if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || @@ -5299,34 +5301,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; + struct sk_security_struct *sksec = selinux_sock(sk); sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; return 0; } static void selinux_sk_free_security(struct sock *sk) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); - sk->sk_security = NULL; selinux_netlbl_sk_security_free(sksec); - kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = sksec->sid; newsksec->peer_sid = sksec->peer_sid; 
@@ -5340,7 +5335,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) if (!sk) *secid = SECINITSID_ANY_SOCKET; else { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); *secid = sksec->sid; } @@ -5350,7 +5345,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(parent)); - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || sk->sk_family == PF_UNIX) @@ -5365,7 +5360,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb) { - struct sk_security_struct *sksec = ep->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(ep->base.sk); struct common_audit_data ad; struct lsm_network_audit net = {0,}; u8 peerlbl_active; @@ -5516,8 +5511,8 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); /* If policy does not support SECCLASS_SCTP_SOCKET then call * the non-sctp clone version. @@ -5534,7 +5529,7 @@ static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; u16 family = req->rsk_ops->family; u32 connsid; 
@@ -5555,7 +5550,7 @@ static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = req->secid; newsksec->peer_sid = req->peer_secid; @@ -5572,7 +5567,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* handle mapped IPv4 packets arriving via IPv6 sockets */ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) @@ -5656,7 +5651,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { struct tun_security_struct *tunsec = security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it * isn't clear that we would want to do so anyway; while we could apply @@ -5800,7 +5795,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, return NF_ACCEPT; /* standard practice, label using the parent socket */ - sksec = sk->sk_security; + sksec = selinux_sock(sk); sid = sksec->sid; } else sid = SECINITSID_KERNEL; @@ -5839,7 +5834,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, if (sk == NULL) return NF_ACCEPT; - sksec = sk->sk_security; + sksec = selinux_sock(sk); ad.type = LSM_AUDIT_DATA_NET; ad.u.net = &net; 
@@ -5931,7 +5926,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, u32 skb_sid; struct sk_security_struct *sksec; - sksec = sk->sk_security; + sksec = selinux_sock(sk); if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP; /* At this point, if the returned skb peerlbl is SECSID_NULL @@ -5960,7 +5955,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, } else { /* Locally generated packet, fetch the security label from the * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); peer_sid = sksec->sid; secmark_perm = PACKET__SEND; } @@ -6025,7 +6020,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) unsigned int data_len = skb->len; unsigned char *data = skb->data; struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 sclass = sksec->sclass; u32 perm; @@ -7051,6 +7046,7 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 2953132408bf..007d1ae7ee27 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -194,4 +194,9 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +static inline struct sk_security_struct *selinux_sock(const struct sock *sock) +{ + return sock->sk_security + selinux_blob_sizes.lbs_sock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index abaab7683840..6a94b31b5472 100644 
--- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -67,7 +68,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (sksec->nlbl_secattr != NULL) @@ -100,7 +101,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( const struct sock *sk, u32 sid) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; if (secattr == NULL) @@ -235,7 +236,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, * being labeled by it's parent socket, if it is just exit */ sk = skb_to_full_sk(skb); if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB) return 0; @@ -273,7 +274,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, { int rc; struct netlbl_lsm_secattr secattr; - struct sk_security_struct *sksec = ep->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(ep->base.sk); struct sockaddr_in addr4; struct sockaddr_in6 addr6; @@ -352,7 +353,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) */ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (family == PF_INET) sksec->nlbl_state = NLBL_LABELED; 
@@ -370,8 +371,8 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) */ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->nlbl_state = sksec->nlbl_state; } @@ -389,7 +390,7 @@ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (family != PF_INET && family != PF_INET6) @@ -504,7 +505,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, { int rc = 0; struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr secattr; if (selinux_netlbl_option(level, optname) && @@ -542,7 +543,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, struct sockaddr *addr) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; /* connected sockets are allowed to disconnect when the address family @@ -581,7 +582,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, int selinux_netlbl_socket_connect_locked(struct sock *sk, struct sockaddr *addr) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB && sksec->nlbl_state != NLBL_CONNLABELED) diff --git a/security/smack/smack.h b/security/smack/smack.h index c3cfbdf4944a..b5bdf947792f 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h 
@@ -363,6 +363,11 @@ static inline struct superblock_smack *smack_superblock( return superblock->s_security + smack_blob_sizes.lbs_superblock; } +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security + smack_blob_sizes.lbs_sock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 223a6da0e6dc..1ee0bf1493f6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1429,7 +1429,7 @@ static int smack_inode_getsecurity(struct user_namespace *mnt_userns, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1811,7 +1811,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the @@ -2232,11 +2232,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) { struct smack_known *skp = smk_of_current(); - struct socket_smack *ssp; - - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); - if (ssp == NULL) - return -ENOMEM; + struct socket_smack *ssp = smack_sock(sk); /* * Sockets created by kernel threads receive web label. @@ -2250,11 +2246,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) } ssp->smk_packet = NULL; - sk->sk_security = ssp; - return 0; } +#ifdef SMACK_IPV6_PORT_LABELING /** * smack_sk_free_security - Free a socket blob * @sk: the socket 
@@ -2263,7 +2258,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { -#ifdef SMACK_IPV6_PORT_LABELING struct smk_port_label *spp; if (sk->sk_family == PF_INET6) { @@ -2276,9 +2270,8 @@ static void smack_sk_free_security(struct sock *sk) } rcu_read_unlock(); } -#endif - kfree(sk->sk_security); } +#endif /** * smack_ipv4host_label - check host based restrictions @@ -2391,7 +2384,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) */ static int smack_netlbl_add(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = ssp->smk_out; int rc; @@ -2423,7 +2416,7 @@ static int smack_netlbl_add(struct sock *sk) */ static void smack_netlbl_delete(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); /* * Take the label off the socket if one is set. @@ -2455,7 +2448,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) struct smack_known *skp; int rc = 0; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2528,7 +2521,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2617,7 +2610,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; 
@@ -2710,7 +2703,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2758,7 +2751,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } @@ -2783,8 +2776,8 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct socket_smack *asp = socka->sk->sk_security; - struct socket_smack *bsp = sockb->sk->sk_security; + struct socket_smack *asp = smack_sock(socka->sk); + struct socket_smack *bsp = smack_sock(sockb->sk); asp->smk_packet = bsp->smk_out; bsp->smk_packet = asp->smk_out; @@ -2847,7 +2840,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) rsp = smack_ipv6host_label(sip); if (rsp != NULL) { - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); rc = smk_ipv6_check(ssp->smk_out, rsp, sip, SMK_CONNECTING); @@ -3575,9 +3568,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT 
@@ -3623,8 +3616,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; @@ -3661,7 +3654,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -3873,7 +3866,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, netlbl_secattr_init(&secattr); if (sk) - ssp = sk->sk_security; + ssp = smack_sock(sk); if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { skp = smack_from_secattr(&secattr, ssp); @@ -3895,7 +3888,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, */ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -3999,7 +3992,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, int slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; @@ -4048,7 +4041,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: 
@@ -4097,7 +4090,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ @@ -4117,7 +4110,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct sockaddr_in addr; struct iphdr *hdr; struct smack_known *hskp; @@ -4203,7 +4196,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -4697,6 +4690,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), }; @@ -4807,7 +4801,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), +#ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), +#endif LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index fc7399b45373..635e2339579e 100644 --- a/security/smack/smack_netfilter.c 
+++ b/security/smack/smack_netfilter.c @@ -28,8 +28,8 @@ static unsigned int smack_ipv6_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } 
@@ -46,8 +46,8 @@ static unsigned int smack_ipv4_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; }
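Review bot: the new guard `if (sk && smack_sock(sk))` in the smack_ipv6_output and smack_ipv4_output hunks of security/smack/smack_netfilter.c no longer tests anything useful. smack_sock() is defined in this patch as `sock->sk_security + smack_blob_sizes.lbs_sock`, so it evaluates non-NULL even when sk->sk_security is NULL, and on such a socket the following `ssp->smk_out` dereferences a small bogus offset instead of being skipped as the original `if (sk && sk->sk_security)` ensured. Either keep the original test on sk->sk_security, or, if the LSM infrastructure guarantees a sock blob for every sock by the time these netfilter hooks run, reduce the condition to `if (sk)` and say so in a comment.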
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH v27 02/25] LSM: Add the lsmblob data structure.
Date: Thu, 10 Jun 2021 17:04:12 -0700
Message-Id: <20210611000435.36398-3-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:

When more than one security module is exporting data to audit and networking sub-systems a single 32 bit integer is no longer sufficient to represent the data. Add a structure to be used instead.

The lsmblob structure is currently an array of u32 "secids". There is an entry for each of the security modules built into the system that would use secids if active. The system assigns the module a "slot" when it registers hooks. If modules are compiled in but not registered there will be unused slots.

A new lsm_id structure, which contains the name of the LSM and its slot number, is created. There is an instance for each LSM, which assigns the name and passes it to the infrastructure to set the slot.

The audit rules data is expanded to use an array of security module data rather than a single instance. Because IMA uses the audit rule functions it is affected as well.

Acked-by: Stephen Smalley
Acked-by: Paul Moore
Acked-by: John Johansen
Signed-off-by: Casey Schaufler Cc: Cc: linux-audit@redhat.com Cc: linux-security-module@vger.kernel.org Cc: selinux@vger.kernel.org To: Mimi Zohar To: Mickaël Salaün --- include/linux/audit.h | 4 +- include/linux/lsm_hooks.h | 12 ++++- include/linux/security.h | 67 ++++++++++++++++++++++++-- kernel/auditfilter.c | 24 +++++----- kernel/auditsc.c | 13 +++-- security/apparmor/lsm.c | 7 ++- security/bpf/hooks.c | 12 ++++- security/commoncap.c | 7 ++- security/integrity/ima/ima_policy.c | 40 +++++++++++----- security/landlock/cred.c | 2 +- security/landlock/fs.c | 2 +- security/landlock/ptrace.c | 2 +- security/landlock/setup.c | 5 ++ security/landlock/setup.h | 1 + security/loadpin/loadpin.c | 8 +++- security/lockdown/lockdown.c | 7 ++- security/safesetid/lsm.c | 8 +++- security/security.c | 74 ++++++++++++++++++++++++----- security/selinux/hooks.c | 8 +++- security/smack/smack_lsm.c | 7 ++- security/tomoyo/tomoyo.c | 8 +++- security/yama/yama_lsm.c | 7 ++- 22 files changed, 265 insertions(+), 60 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 82b7c1116a85..418a485af114 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -11,6 +11,7 @@ #include #include +#include #include #include @@ -65,8 +66,9 @@ struct audit_field { kuid_t uid; kgid_t gid; struct { + bool lsm_isset; char *lsm_str; - void *lsm_rule; + void *lsm_rules[LSMBLOB_ENTRIES]; }; }; u32 op; diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index afd3b16875b0..c61a16f0a5bc 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1570,6 +1570,14 @@ struct security_hook_heads { #undef LSM_HOOK } __randomize_layout; +/* + * Information that identifies a security module. + */ +struct lsm_id { + const char *lsm; /* Name of the LSM */ + int slot; /* Slot in lsmblob if one is allocated */ +}; + /* * Security module hook list structure. * For use with generic list macros for common operations. 
@@ -1578,7 +1586,7 @@ struct security_hook_list { struct hlist_node list; struct hlist_head *head; union security_list_options hook; - char *lsm; + struct lsm_id *lsmid; } __randomize_layout; /* @@ -1614,7 +1622,7 @@ extern struct security_hook_heads security_hook_heads; extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, - char *lsm); + struct lsm_id *lsmid); #define LSM_FLAG_LEGACY_MAJOR BIT(0) #define LSM_FLAG_EXCLUSIVE BIT(1) diff --git a/include/linux/security.h b/include/linux/security.h index 06f7c50ce77f..62588bc522ba 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -133,6 +133,65 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * Data exported by the security modules + * + * Any LSM that provides secid or secctx based hooks must be included. + */ +#define LSMBLOB_ENTRIES ( \ + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0)) + +struct lsmblob { + u32 secid[LSMBLOB_ENTRIES]; +}; + +#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */ +#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ +#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */ + +/** + * lsmblob_init - initialize an lsmblob structure + * @blob: Pointer to the data to initialize + * @secid: The initial secid value + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob, u32 secid) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + blob->secid[i] = secid; +} + +/** + * lsmblob_is_set - report if there is an value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a secid set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + +/** + * lsmblob_equal - report if the two lsmblob's are equal + * @bloba: Pointer to one LSM data + * @blobb: Pointer to the other LSM data + * + * Returns true if all entries in the two are equal, false otherwise + */ +static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) +{ + return !memcmp(bloba, blobb, sizeof(*bloba)); +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); 
@@ -1881,8 +1940,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); -void security_audit_rule_free(void *lsmrule); +int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule); +void security_audit_rule_free(void **lsmrule); #else @@ -1898,12 +1957,12 @@ static inline int security_audit_rule_known(struct audit_krule *krule) } static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) + void **lsmrule) { return 0; } -static inline void security_audit_rule_free(void *lsmrule) +static inline void security_audit_rule_free(void **lsmrule) { } #endif /* CONFIG_SECURITY */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index db2c6b59dfc3..a2340e81cfa7 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -74,7 +74,7 @@ static void audit_free_lsm_field(struct audit_field *f) case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: kfree(f->lsm_str); - security_audit_rule_free(f->lsm_rule); + security_audit_rule_free(f->lsm_rules); } } @@ -519,9 +519,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, goto exit_free; } entry->rule.buflen += f_val; + f->lsm_isset = true; f->lsm_str = str; err = security_audit_rule_init(f->type, f->op, str, - (void **)&f->lsm_rule); + f->lsm_rules); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (err == -EINVAL) { 
@@ -774,7 +775,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) return 0; } -/* Duplicate LSM field information. The lsm_rule is opaque, so must be +/* Duplicate LSM field information. The lsm_rules is opaque, so must be * re-initialized. */ static inline int audit_dupe_lsm_field(struct audit_field *df, struct audit_field *sf) @@ -788,9 +789,9 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, return -ENOMEM; df->lsm_str = lsm_str; - /* our own (refreshed) copy of lsm_rule */ + /* our own (refreshed) copy of lsm_rules */ ret = security_audit_rule_init(df->type, df->op, df->lsm_str, - (void **)&df->lsm_rule); + df->lsm_rules); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { @@ -842,7 +843,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) new->tree = old->tree; memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); - /* deep copy this information, updating the lsm_rule fields, because + /* deep copy this information, updating the lsm_rules fields, because * the originals will all be freed when the old rule is freed. */ for (i = 0; i < fcount; i++) { switch (new->fields[i].type) { @@ -1358,11 +1359,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: - if (f->lsm_rule) { + if (f->lsm_isset) { security_task_getsecid_subj(current, &sid); result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + f->type, f->op, + f->lsm_rules); } break; case AUDIT_EXE: @@ -1389,7 +1391,7 @@ int audit_filter(int msgtype, unsigned int listtype) return ret; } -static int update_lsm_rule(struct audit_krule *r) +static int update_lsm_rules(struct audit_krule *r) { struct audit_entry *entry = container_of(r, struct audit_entry, rule); struct audit_entry *nentry; 
@@ -1421,7 +1423,7 @@ static int update_lsm_rule(struct audit_krule *r) return err; } -/* This function will re-initialize the lsm_rule field of all applicable rules. +/* This function will re-initialize the lsm_rules field of all applicable rules. * It will traverse the filter lists serarching for rules that contain LSM * specific filter fields. When such a rule is found, it is copied, the * LSM field is re-initialized, and the old rule is replaced with the @@ -1436,7 +1438,7 @@ int audit_update_lsm_rules(void) for (i = 0; i < AUDIT_NR_FILTERS; i++) { list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { - int res = update_lsm_rule(r); + int res = update_lsm_rules(r); if (!err) err = res; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 175ef6f3ea4e..392afe3e2fd6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -665,14 +665,13 @@ static int audit_filter_rules(struct task_struct *tsk, match for now to avoid losing information that may be wanted. An error message will also be logged upon error */ - if (f->lsm_rule) { + if (f->lsm_isset) { if (need_sid) { security_task_getsecid_subj(tsk, &sid); need_sid = 0; } result = security_audit_rule_match(sid, f->type, - f->op, - f->lsm_rule); + f->op, f->lsm_rules); } break; case AUDIT_OBJ_USER: @@ -682,21 +681,21 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_OBJ_LEV_HIGH: /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR also applies here */ - if (f->lsm_rule) { + if (f->lsm_isset) { /* Find files that match */ if (name) { result = security_audit_rule_match( name->osid, f->type, f->op, - f->lsm_rule); + f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { if (security_audit_rule_match( n->osid, f->type, f->op, - f->lsm_rule)) { + f->lsm_rules)) { ++result; break; } 
@@ -707,7 +706,7 @@ static int audit_filter_rules(struct task_struct *tsk, break; if (security_audit_rule_match(ctx->ipc.osid, f->type, f->op, - f->lsm_rule)) + f->lsm_rules)) ++result; } break; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4113516fb62e..392e25940d1f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1161,6 +1161,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_sock = sizeof(struct aa_sk_ctx), }; +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { + .lsm = "apparmor", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), @@ -1862,7 +1867,7 @@ static int __init apparmor_init(void) goto buffers_out; } security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), - "apparmor"); + &apparmor_lsmid); /* Report that AppArmor successfully initialized */ apparmor_initialized = 1; diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index e5971fa74fd7..7a58fe9ab8c4 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -15,9 +15,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_free, bpf_task_storage_free), }; +/* + * slot has to be LSMBLOB_NEEDED because some of the hooks + * supplied by this module require a slot. + */ +struct lsm_id bpf_lsmid __lsm_ro_after_init = { + .lsm = "bpf", + .slot = LSMBLOB_NEEDED +}; + static int __init bpf_lsm_init(void) { - security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf"); + security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), + &bpf_lsmid); pr_info("LSM support for eBPF active\n"); return 0; } diff --git a/security/commoncap.c b/security/commoncap.c index 3f810d37b71b..628685cf20e3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c 
@@ -1443,6 +1443,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot, #ifdef CONFIG_SECURITY +static struct lsm_id capability_lsmid __lsm_ro_after_init = { + .lsm = "capability", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(capable, cap_capable), LSM_HOOK_INIT(settime, cap_settime), @@ -1467,7 +1472,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), - "capability"); + &capability_lsmid); return 0; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fd5d46e511f1..5c40677e881c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -80,7 +80,7 @@ struct ima_rule_entry { bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ int pcr; struct { - void *rule; /* LSM file metadata specific */ + void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */ char *args_p; /* audit value */ int type; /* audit type */ } lsm[MAX_LSM_RULES]; @@ -90,6 +90,22 @@ struct ima_rule_entry { struct ima_template_desc *template; }; +/** + * ima_lsm_isset - Is a rule set for any of the active security modules + * @rules: The set of IMA rules to check + * + * If a rule is set for any LSM return true, otherwise return false. + */ +static inline bool ima_lsm_isset(void *rules[]) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + if (rules[i]) + return true; + return false; +} + /* * Without LSM specific knowledge, the default policy can only be * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner 
@@ -335,9 +351,11 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) static void ima_lsm_free_rule(struct ima_rule_entry *entry) { int i; + int r; for (i = 0; i < MAX_LSM_RULES; i++) { - ima_filter_rule_free(entry->lsm[i].rule); + for (r = 0; r < LSMBLOB_ENTRIES; r++) + ima_filter_rule_free(entry->lsm[i].rules[r]); kfree(entry->lsm[i].args_p); } } @@ -388,8 +406,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); - if (!nentry->lsm[i].rule) + &nentry->lsm[i].rules[0]); + if (!ima_lsm_isset(nentry->lsm[i].rules)) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); } @@ -578,7 +596,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, int rc = 0; u32 osid; - if (!rule->lsm[i].rule) { + if (!ima_lsm_isset(rule->lsm[i].rules)) { if (!rule->lsm[i].args_p) continue; else @@ -591,14 +609,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule, security_inode_getsecid(inode, &osid); rc = ima_filter_rule_match(osid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rule); + rule->lsm[i].rules); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: rc = ima_filter_rule_match(secid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rule); + rule->lsm[i].rules); break; default: break; @@ -994,7 +1012,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, { int result; - if (entry->lsm[lsm_rule].rule) + if (ima_lsm_isset(entry->lsm[lsm_rule].rules)) return -EINVAL; entry->lsm[lsm_rule].args_p = match_strdup(args); 
@@ -1004,8 +1022,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); - if (!entry->lsm[lsm_rule].rule) { + &entry->lsm[lsm_rule].rules[0]); + if (!ima_lsm_isset(entry->lsm[lsm_rule].rules)) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); @@ -1812,7 +1830,7 @@ int ima_policy_show(struct seq_file *m, void *v) } for (i = 0; i < MAX_LSM_RULES; i++) { - if (entry->lsm[i].rule) { + if (ima_lsm_isset(entry->lsm[i].rules)) { switch (i) { case LSM_OBJ_USER: seq_printf(m, pt(Opt_obj_user), diff --git a/security/landlock/cred.c b/security/landlock/cred.c index 6725af24c684..56b121d65436 100644 --- a/security/landlock/cred.c +++ b/security/landlock/cred.c @@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_cred_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 97b8e421f617..319e90e9290c 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -688,5 +688,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_fs_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c index f55b82446de2..54ccf55a077a 100644 --- a/security/landlock/ptrace.c +++ b/security/landlock/ptrace.c @@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_ptrace_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } 
diff --git a/security/landlock/setup.c b/security/landlock/setup.c index f8e8e980454c..759e00b9436c 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -23,6 +23,11 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct landlock_superblock_security), }; +struct lsm_id landlock_lsmid __lsm_ro_after_init = { + .lsm = LANDLOCK_NAME, + .slot = LSMBLOB_NOT_NEEDED, +}; + static int __init landlock_init(void) { landlock_add_cred_hooks(); diff --git a/security/landlock/setup.h b/security/landlock/setup.h index 1daffab1ab4b..38bce5b172dc 100644 --- a/security/landlock/setup.h +++ b/security/landlock/setup.h @@ -14,5 +14,6 @@ extern bool landlock_initialized; extern struct lsm_blob_sizes landlock_blob_sizes; +extern struct lsm_id landlock_lsmid; #endif /* _SECURITY_LANDLOCK_SETUP_H */ diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index b12f7d986b1e..b569f3bc170b 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -192,6 +192,11 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents) return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents); } +static struct lsm_id loadpin_lsmid __lsm_ro_after_init = { + .lsm = "loadpin", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), @@ -239,7 +244,8 @@ static int __init loadpin_init(void) pr_info("ready to pin (currently %senforcing)\n", enforce ? "" : "not "); parse_exclude(); - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), + &loadpin_lsmid); return 0; } diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 87cbdc64d272..4e24ea3f7b7e 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -75,6 +75,11 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), }; +static struct lsm_id lockdown_lsmid __lsm_ro_after_init = { + .lsm = "lockdown", + .slot = LSMBLOB_NOT_NEEDED +}; + static int __init lockdown_lsm_init(void) { #if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) @@ -83,7 +88,7 @@ static int __init lockdown_lsm_init(void) lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); #endif security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), - "lockdown"); + &lockdown_lsmid); return 0; } diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 1079c6d54784..a2a2f462a821 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -241,6 +241,11 @@ static int safesetid_task_fix_setgid(struct cred *new, return -EACCES; } +static struct lsm_id safesetid_lsmid __lsm_ro_after_init = { + .lsm = "safesetid", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list safesetid_security_hooks[] = { LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid), LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid), @@ -250,7 +255,8 @@ static struct security_hook_list safesetid_security_hooks[] = { static int __init safesetid_security_init(void) { security_add_hooks(safesetid_security_hooks, - ARRAY_SIZE(safesetid_security_hooks), "safesetid"); + ARRAY_SIZE(safesetid_security_hooks), + &safesetid_lsmid); /* Report that SafeSetID successfully initialized */ safesetid_initialized = 1; diff --git a/security/security.c b/security/security.c index e12a7c463468..473b49971aab 100644 --- a/security/security.c +++ b/security/security.c 
@@ -344,6 +344,7 @@ static void __init ordered_lsm_init(void) init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("lsmblob size = %zu\n", sizeof(struct lsmblob)); /* * Create any kmem_caches needed for blobs @@ -471,21 +472,38 @@ static int lsm_append(const char *new, char **result) return 0; } +/* + * Current index to use while initializing the lsmblob secid list. + */ +static int lsm_slot __lsm_ro_after_init; + /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add * @count: the number of hooks to add - * @lsm: the name of the security module + * @lsmid: the identification information for the security module * * Each LSM has to register its hooks with the infrastructure. + * If the LSM is using hooks that export secids allocate a slot + * for it in the lsmblob. */ void __init security_add_hooks(struct security_hook_list *hooks, int count, - char *lsm) + struct lsm_id *lsmid) { int i; + WARN_ON(!lsmid->slot || !lsmid->lsm); + + if (lsmid->slot == LSMBLOB_NEEDED) { + if (lsm_slot >= LSMBLOB_ENTRIES) + panic("%s Too many LSMs registered.\n", __func__); + lsmid->slot = lsm_slot++; + init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, + lsmid->slot); + } + for (i = 0; i < count; i++) { - hooks[i].lsm = lsm; + hooks[i].lsmid = lsmid; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } @@ -494,7 +512,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, * and fix this up afterwards. */ if (slab_is_available()) { - if (lsm_append(lsm, &lsm_names) < 0) + if (lsm_append(lsmid->lsm, &lsm_names) < 0) panic("%s - Cannot get early memory.\n", __func__); } } 
@@ -2070,7 +2088,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.getprocattr(p, name, value); } @@ -2083,7 +2101,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.setprocattr(name, value, size); } @@ -2576,7 +2594,24 @@ int security_key_getsecurity(struct key *key, char **_buffer) int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); + struct security_hook_list *hp; + bool one_is_good = false; + int rc = 0; + int trc; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_init, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + trc = hp->hook.audit_rule_init(field, op, rulestr, + &lsmrule[hp->lsmid->slot]); + if (trc == 0) + one_is_good = true; + else + rc = trc; + } + if (one_is_good) + return 0; + return rc; } int security_audit_rule_known(struct audit_krule *krule) 
@@ -2584,14 +2619,31 @@ int security_audit_rule_known(struct audit_krule *krule) return call_int_hook(audit_rule_known, 0, krule); } -void security_audit_rule_free(void *lsmrule) +void security_audit_rule_free(void **lsmrule) { - call_void_hook(audit_rule_free, lsmrule); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_free, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.audit_rule_free(lsmrule[hp->lsmid->slot]); + } } -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.audit_rule_match(secid, field, op, + &lsmrule[hp->lsmid->slot]); + if (rc) + return rc; + } + return 0; } #endif /* CONFIG_AUDIT */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 84ddcec6322e..0133b142e938 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7111,6 +7111,11 @@ static int selinux_perf_event_write(struct perf_event *event) } #endif +static struct lsm_id selinux_lsmid __lsm_ro_after_init = { + .lsm = "selinux", + .slot = LSMBLOB_NEEDED +}; + /* * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: * 1. any hooks that don't belong to (2.) or (3.) below, @@ -7424,7 +7429,8 @@ static __init int selinux_init(void) hashtab_cache_init(); - security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), + &selinux_lsmid); if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1ee0bf1493f6..5c10ad27be37 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4694,6 +4694,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; +static struct lsm_id smack_lsmid __lsm_ro_after_init = { + .lsm = "smack", + .slot = LSMBLOB_NEEDED +}; + static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), @@ -4893,7 +4898,7 @@ static __init int smack_init(void) /* * Register with LSM */ - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); smack_enabled = 1; pr_info("Smack: Initializing.\n"); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 1f3cd432d830..22f62c67f2ec 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -523,6 +523,11 @@ static void tomoyo_task_free(struct task_struct *task) } } +static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = { + .lsm = "tomoyo", + .slot = LSMBLOB_NOT_NEEDED +}; + /* * tomoyo_security_ops is a "struct security_operations" which is used for * registering TOMOYO. @@ -575,7 +580,8 @@ static int __init tomoyo_init(void) struct tomoyo_task *s = tomoyo_task(current); /* register ourselves with the security framework */ - security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); + security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), + &tomoyo_lsmid); pr_info("TOMOYO Linux initialized\n"); s->domain_info = &tomoyo_kernel_domain; atomic_inc(&tomoyo_kernel_domain.users); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 06e226166aab..a9639ea541f7 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c 
@@ -421,6 +421,11 @@ static int yama_ptrace_traceme(struct task_struct *parent) return rc; } +static struct lsm_id yama_lsmid __lsm_ro_after_init = { + .lsm = "yama", + .slot = LSMBLOB_NOT_NEEDED +}; + static struct security_hook_list yama_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme), 
@@ -477,7 +482,7 @@ static inline void yama_init_sysctl(void) { } static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); - security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); + security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid); yama_init_sysctl(); return 0; }
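Review bot: in the security_add_hooks hunk of security/security.c, `WARN_ON(!lsmid->slot || !lsmid->lsm)` only catches a zero slot, so it silently relies on both LSMBLOB_NEEDED and LSMBLOB_NOT_NEEDED being non-zero and on 0 never being a legal value before assignment; a comment stating that invariant, or an explicit `lsmid->slot != LSMBLOB_NEEDED && lsmid->slot != LSMBLOB_NOT_NEEDED` test, would make it clear, and since the function continues to register the hooks after the warning, a mis-initialised lsm_id still ends up on the hook lists. The updated kernel-doc ("If the LSM is using hooks that export secids allocate a slot") should also say that registration panics once LSMBLOB_ENTRIES slots are taken, because that is now a boot-time failure mode for an over-full LSM order.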
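Review bot: security_audit_rule_init now returns 0 as soon as any one LSM accepted the rule (`one_is_good`), so a rule string that one stacked LSM parses and another rejects is treated as fully valid and the rejecting LSM's error is dropped; if that is the intended semantics, the function needs kernel-doc saying that a rule applies to whichever LSMs could parse it and that `lsmrule` must point at an array of at least LSMBLOB_ENTRIES entries, since the loop stores through `&lsmrule[hp->lsmid->slot]`. The IMA caller in ima_lsm_rule_init satisfies that by passing `&entry->lsm[lsm_rule].rules[0]`; passing `entry->lsm[lsm_rule].rules` instead would make it obvious that an array, not a single pointer, is expected.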
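Review bot: security_audit_rule_free hands the hook the slot's contents (`lsmrule[hp->lsmid->slot]`) while security_audit_rule_match hands it the slot's address (`&lsmrule[hp->lsmid->slot]`); unless the audit_rule_match hook prototype in lsm_hooks.h was changed in this series to take a `void **` (not visible in this hunk), each LSM receives a pointer to its rule pointer rather than the rule it allocated in audit_rule_init. The match loop also calls every registered LSM, including those whose slot was never filled because they could not parse the rule; consider `if (!lsmrule[hp->lsmid->slot]) continue;` before the call so no LSM is asked to match a NULL rule, and note that returning on the first non-zero `rc` means one LSM's error hides another LSM's match.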
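Review bot: the new `struct lsm_id` initialisers are inconsistent on the trailing comma: landlock's `.slot = LSMBLOB_NOT_NEEDED,` keeps it, while loadpin, lockdown, safesetid, selinux, smack, tomoyo and yama omit it; kernel style keeps the trailing comma so a later field can be added without touching the previous line. Since security_add_hooks now writes `lsmid->slot` at registration time, each lsm_id must remain `__lsm_ro_after_init` (as they all are here) and must never be made `const`; a short comment next to the first definition would save the next person from "fixing" that.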
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v27 03/25] LSM: provide lsm name and id slot mappings Date: Thu, 10 Jun 2021 17:04:13 -0700 Message-Id: <20210611000435.36398-4-casey@schaufler-ca.com> In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com>
Provide interfaces to map LSM slot numbers and LSM names. Update the LSM registration code to save this information. Signed-off-by: Casey Schaufler --- include/linux/security.h | 4 ++++ security/security.c | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h index 62588bc522ba..ca9485105f00 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -192,6 +192,10 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) return !memcmp(bloba, blobb, sizeof(*bloba)); } +/* Map lsm names to blob slot numbers */ +extern int lsm_name_to_slot(char *name); +extern const char *lsm_slot_to_name(int slot); + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); diff --git a/security/security.c b/security/security.c index 473b49971aab..6387107e4014 100644 --- a/security/security.c +++ b/security/security.c
@@ -476,6 +476,50 @@ static int lsm_append(const char *new, char **result) * Current index to use while initializing the lsmblob secid list. */ static int lsm_slot __lsm_ro_after_init; +static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; + +/** + * lsm_name_to_slot - Report the slot number for a security module + * @name: name of the security module + * + * Look up the slot number for the named security module. + * Returns the slot number or LSMBLOB_INVALID if @name is not + * a registered security module name. + */ +int lsm_name_to_slot(char *name) +{ + int i; + + for (i = 0; i < lsm_slot; i++) + if (strcmp(lsm_slotlist[i]->lsm, name) == 0) + return i; + + return LSMBLOB_INVALID; +} + +/** + * lsm_slot_to_name - Get the name of the security module in a slot + * @slot: index into the interface LSM slot list. + * + * Provide the name of the security module associated with + * a interface LSM slot. + * + * If @slot is LSMBLOB_INVALID return the value + * for slot 0 if it has been set, otherwise NULL. + * + * Returns a pointer to the name string or NULL. + */ +const char *lsm_slot_to_name(int slot) +{ + if (slot == LSMBLOB_INVALID) + slot = 0; + else if (slot >= LSMBLOB_ENTRIES || slot < 0) + return NULL; + + if (lsm_slotlist[slot] == NULL) + return NULL; + return lsm_slotlist[slot]->lsm; +} /** * security_add_hooks - Add a modules hooks to the hook lists. 
@@ -497,6 +541,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsmid->slot == LSMBLOB_NEEDED) { if (lsm_slot >= LSMBLOB_ENTRIES) panic("%s Too many LSMs registered.\n", __func__); + lsm_slotlist[lsm_slot] = lsmid; lsmid->slot = lsm_slot++; init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, lsmid->slot);
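Review bot: lsm_name_to_slot only reads `name` (via strcmp), so it should be declared `const char *name` in both include/linux/security.h and security/security.c; the IMA patch later in this series calls it with `args[0].from` and with a `__setup` string, and a const prototype avoids a cast wherever the caller holds a `const char *`. In lsm_slot_to_name, mapping LSMBLOB_INVALID to slot 0 is a silent fallback: a caller passing an invalid slot gets the first LSM's name instead of NULL, so any caller that relies on NULL to mean "no LSM" has to check for LSMBLOB_INVALID itself first; either document that at the prototype or split the fallback into a separate helper so the plain lookup returns NULL for every out-of-range value.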
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v27 04/25] IMA: avoid label collisions with stacked LSMs Date: Thu, 10 Jun 2021 17:04:14 -0700 Message-Id: <20210611000435.36398-5-casey@schaufler-ca.com> In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com>
Integrity measurement may filter on security module information and needs to be clear in the case of multiple active security modules which applies. Provide a boot option ima_rules_lsm= to allow the user to specify an active security module to apply filters to. If not specified, use the first registered module that supports the audit_rule_match() LSM hook. Allow the user to specify in the IMA policy an lsm= option to specify the security module to use for a particular rule. Signed-off-by: Casey Schaufler To: Mimi Zohar To: linux-integrity@vger.kernel.org --- Documentation/ABI/testing/ima_policy | 8 ++- security/integrity/ima/ima_policy.c | 77 ++++++++++++++++++++-------- 2 files changed, 62 insertions(+), 23 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 070779e8d836..84dd19bc4344 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -25,7 +25,7 @@ Description: base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] [euid=] [fowner=] [fsname=]] lsm: [[subj_user=] [subj_role=] [subj_type=] - [obj_user=] [obj_role=] [obj_type=]] + [obj_user=] [obj_role=] [obj_type=] [lsm=]] option: [[appraise_type=]] [template=] [permit_directio] [appraise_flag=] [keyrings=] base: @@ -117,6 +117,12 @@ Description: measure subj_user=_ func=FILE_CHECK mask=MAY_READ + It is possible to explicitly specify which security + module a rule applies to using lsm=. If the security + modules specified is not active on the system the rule + will be rejected. If lsm= is not specified the first + security module registered on the system will be assumed. + Example of measure rules using alternate PCRs:: measure func=KEXEC_KERNEL_CHECK pcr=4 diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 5c40677e881c..d804b9a0dd95 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -79,8 +79,9 @@ struct ima_rule_entry { bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ int pcr; + int which_lsm; /* which of the rules to use */ struct { - void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */ + void *rule; /* LSM file metadata specific */ char *args_p; /* audit value */ int type; /* audit type */ } lsm[MAX_LSM_RULES]; 
@@ -92,17 +93,15 @@ struct ima_rule_entry { /** * ima_lsm_isset - Is a rule set for any of the active security modules - * @rules: The set of IMA rules to check + * @entry: the rule entry to examine + * @lsm_rule: the specific rule type in question * - * If a rule is set for any LSM return true, otherwise return false. + * If a rule is set return true, otherwise return false. */ -static inline bool ima_lsm_isset(void *rules[]) +static inline bool ima_lsm_isset(struct ima_rule_entry *entry, int lsm_rule) { - int i; - - for (i = 0; i < LSMBLOB_ENTRIES; i++) - if (rules[i]) - return true; + if (entry->lsm[lsm_rule].rule) + return true; return false; } @@ -282,6 +281,20 @@ static int __init default_appraise_policy_setup(char *str) } __setup("ima_appraise_tcb", default_appraise_policy_setup); +static int ima_rules_lsm __ro_after_init; + +static int __init ima_rules_lsm_init(char *str) +{ + ima_rules_lsm = lsm_name_to_slot(str); + if (ima_rules_lsm < 0) { + ima_rules_lsm = 0; + pr_err("rule lsm \"%s\" not registered", str); + } + + return 1; +} +__setup("ima_rules_lsm=", ima_rules_lsm_init); + static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) { struct ima_rule_opt_list *opt_list; @@ -351,11 +364,10 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) static void ima_lsm_free_rule(struct ima_rule_entry *entry) { int i; - int r; for (i = 0; i < MAX_LSM_RULES; i++) { - for (r = 0; r < LSMBLOB_ENTRIES; r++) - ima_filter_rule_free(entry->lsm[i].rules[r]); + if (entry->lsm[i].rule) + ima_filter_rule_free(entry->lsm[i].rule); kfree(entry->lsm[i].args_p); } } 
@@ -406,8 +418,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rules[0]); - if (!ima_lsm_isset(nentry->lsm[i].rules)) + &nentry->lsm[i].rule); + if (!ima_lsm_isset(nentry, i)) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); } @@ -596,7 +608,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, int rc = 0; u32 osid; - if (!ima_lsm_isset(rule->lsm[i].rules)) { + if (!ima_lsm_isset(rule, i)) { if (!rule->lsm[i].args_p) continue; else @@ -609,14 +621,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule, security_inode_getsecid(inode, &osid); rc = ima_filter_rule_match(osid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rules); + rule->lsm[i].rule); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: rc = ima_filter_rule_match(secid, rule->lsm[i].type, Audit_equal, - rule->lsm[i].rules); + rule->lsm[i].rule); break; default: break; @@ -966,7 +978,7 @@ enum { Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_appraise_flag, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_label, Opt_err + Opt_lsm, Opt_label, Opt_err }; static const match_table_t policy_tokens = { @@ -1004,6 +1016,7 @@ static const match_table_t policy_tokens = { {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, {Opt_label, "label=%s"}, + {Opt_lsm, "lsm=%s"}, {Opt_err, NULL} }; @@ -1012,7 +1025,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, { int result; - if (ima_lsm_isset(entry->lsm[lsm_rule].rules)) + if (ima_lsm_isset(entry, lsm_rule)) return -EINVAL; entry->lsm[lsm_rule].args_p = match_strdup(args); 
@@ -1022,8 +1035,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rules[0]); - if (!ima_lsm_isset(entry->lsm[lsm_rule].rules)) { + &entry->lsm[lsm_rule].rule); + if (!ima_lsm_isset(entry, lsm_rule)) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); @@ -1561,6 +1574,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) &(template_desc->num_fields)); entry->template = template_desc; break; + case Opt_lsm: + result = lsm_name_to_slot(args[0].from); + if (result == LSMBLOB_INVALID) { + int i; + + for (i = 0; i < MAX_LSM_RULES; i++) + entry->lsm[i].args_p = NULL; + result = -EINVAL; + break; + } + entry->which_lsm = result; + result = 0; + break; case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; @@ -1597,6 +1623,7 @@ ssize_t ima_parse_add_rule(char *rule) struct ima_rule_entry *entry; ssize_t result, len; int audit_info = 0; + int i; p = strsep(&rule, "\n"); len = strlen(p) + 1; @@ -1614,6 +1641,9 @@ ssize_t ima_parse_add_rule(char *rule) INIT_LIST_HEAD(&entry->list); + for (i = 0; i < MAX_LSM_RULES; i++) + entry->which_lsm = ima_rules_lsm; + result = ima_parse_rule(p, entry); if (result) { ima_free_rule(entry); @@ -1830,7 +1860,7 @@ int ima_policy_show(struct seq_file *m, void *v) } for (i = 0; i < MAX_LSM_RULES; i++) { - if (ima_lsm_isset(entry->lsm[i].rules)) { + if (ima_lsm_isset(entry, i)) { switch (i) { case LSM_OBJ_USER: seq_printf(m, pt(Opt_obj_user), 
@@ -1872,6 +1902,9 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, "appraise_flag=check_blacklist "); if (entry->flags & IMA_PERMIT_DIRECTIO) seq_puts(m, "permit_directio "); + if (entry->which_lsm >= 0) + seq_printf(m, pt(Opt_lsm), + lsm_slot_to_name(entry->which_lsm)); rcu_read_unlock(); seq_puts(m, "\n"); return 0;
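Review bot: the loop added to ima_parse_add_rule, `for (i = 0; i < MAX_LSM_RULES; i++) entry->which_lsm = ima_rules_lsm;`, assigns the same scalar field MAX_LSM_RULES times; the body does not depend on `i`, so it should be the single statement `entry->which_lsm = ima_rules_lsm;` and the new `int i` declaration in that function can go (or, if a per-slot field was intended, the index is missing from the assignment).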
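Review bot: in the Opt_lsm case of ima_parse_rule, the LSMBLOB_INVALID path sets `entry->lsm[i].args_p = NULL` for every slot without freeing anything; an LSM option parsed earlier on the same rule line has already had its argument allocated by `match_strdup(args)` in ima_lsm_rule_init, so that string leaks, and the `ima_free_rule(entry)` on the error path in ima_parse_add_rule cannot release a pointer that has been overwritten with NULL. Either drop the loop and let the normal error path clean up, or free each args_p before clearing it.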
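Review bot: the `lsm=` token in ima_policy_show is emitted whenever `entry->which_lsm >= 0`, and ima_parse_add_rule now initialises which_lsm to ima_rules_lsm for every rule, so the readback of every rule gains an `lsm=` field even when the policy author never wrote one, which changes the format existing tooling parses from the policy file. If the intent is to echo only an explicitly given option, record that separately (a flag set in the Opt_lsm case) and test it here.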
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [PATCH v27 05/25] LSM: Use lsmblob in security_audit_rule_match
Date: Thu, 10 Jun 2021 17:04:15 -0700
Message-Id: <20210611000435.36398-6-casey@schaufler-ca.com>
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Change the secid parameter of security_audit_rule_match to a lsmblob structure pointer. Pass the entry from the lsmblob structure for the appropriate slot to the LSM hook. Change the users of security_audit_rule_match to use the lsmblob instead of a u32. The scaffolding function lsmblob_init() fills the blob with the value of the old secid, ensuring that it is available to the appropriate module hook. The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the blob structure later in the series. At that point the use of lsmblob_init() is dropped.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: linux-audit@redhat.com
Cc: linux-integrity@vger.kernel.org
To: Mimi Zohar
---
include/linux/security.h | 7 ++++--- kernel/auditfilter.c | 6 ++++-- kernel/auditsc.c | 16 +++++++++++----- security/integrity/ima/ima.h | 4 ++-- security/integrity/ima/ima_policy.c | 7 +++++-- security/security.c | 10 ++++++++-- 6 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h index ca9485105f00..916a0f606035 100644 --- a/include/linux/security.h
+++ b/include/linux/security.h @@ -1944,7 +1944,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void **lsmrule); void security_audit_rule_free(void **lsmrule); #else @@ -1960,8 +1961,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void **lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void **lsmrule) { return 0; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index a2340e81cfa7..6a04d762d272 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1331,6 +1331,7 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; pid_t pid; u32 sid; + struct lsmblob blob; switch (f->type) { case AUDIT_PID: @@ -1362,8 +1363,9 @@ int audit_filter(int msgtype, unsigned int listtype) if (f->lsm_isset) { security_task_getsecid_subj(current, &sid); - result = security_audit_rule_match(sid, - f->type, f->op, + lsmblob_init(&blob, sid); + result = security_audit_rule_match( + &blob, f->type, f->op, f->lsm_rules); } break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 392afe3e2fd6..71d894dcdc01 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -472,6 +472,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob; unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); 
@@ -670,8 +671,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid_subj(tsk, &sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, - f->op, f->lsm_rules); + lsmblob_init(&blob, sid); + result = security_audit_rule_match(&blob, + f->type, f->op, + f->lsm_rules); } break; case AUDIT_OBJ_USER: @@ -684,15 +687,17 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { + lsmblob_init(&blob, name->osid); result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + lsmblob_init(&blob, name->osid); if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rules)) { @@ -704,7 +709,8 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + lsmblob_init(&blob, ctx->ipc.osid); + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rules)) ++result; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f0e448ed1f9f..55f3bd4f0b01 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -433,8 +433,8 @@ static inline void ima_filter_rule_free(void *lsmrule) { } -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return -EINVAL; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index d804b9a0dd95..a05841e1012b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -607,6 +607,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; u32 osid; + struct lsmblob lsmdata; if (!ima_lsm_isset(rule, i)) { if (!rule->lsm[i].args_p) @@ -619,14 +620,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, rule->lsm[i].type, + lsmblob_init(&lsmdata, osid); + rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, rule->lsm[i].type, + lsmblob_init(&lsmdata, secid); + rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); break; diff --git a/security/security.c b/security/security.c index 6387107e4014..d467231342da 100644 --- a/security/security.c +++ b/security/security.c @@ -2671,11 +2671,14 @@ void security_audit_rule_free(void **lsmrule) hlist_for_each_entry(hp, &security_hook_heads.audit_rule_free, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; + if (lsmrule[hp->lsmid->slot] == NULL) + continue; hp->hook.audit_rule_free(lsmrule[hp->lsmid->slot]); } } -int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void **lsmrule) { struct security_hook_list *hp; int rc; 
@@ -2683,7 +2686,10 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule) hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.audit_rule_match(secid, field, op, + if (lsmrule[hp->lsmid->slot] == NULL) + continue; + rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot], + field, op, &lsmrule[hp->lsmid->slot]); if (rc) return rc;
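Review bot: in the `list_for_each_entry(n, &ctx->names_list, list)` loop of audit_filter_rules (kernel/auditsc.c), the new `lsmblob_init(&blob, name->osid);` reads `name->osid`, but the line it replaces matched on `n->osid`, the loop variable. This branch is the `else if (ctx)` arm taken precisely when `name` is not set, so as written it dereferences a NULL `name` instead of walking the names list; it should read `lsmblob_init(&blob, n->osid);`.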
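Review bot: the two `if (lsmrule[hp->lsmid->slot] == NULL) continue;` guards added to security_audit_rule_free and security_audit_rule_match change behaviour beyond the secid-to-lsmblob conversion the commit message describes: a module whose slot holds no rule is now skipped instead of having its hook called with a NULL rule. That is reasonable, but it belongs in the commit message, and for audit_rule_match it means a rule only one stacked module understands is decided by that module alone.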
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v27 06/25] LSM: Use lsmblob in security_kernel_act_as
Date: Thu, 10 Jun 2021 17:04:16 -0700
Message-Id: <20210611000435.36398-7-casey@schaufler-ca.com>
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Change the security_kernel_act_as interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change its only caller, set_security_override, to do the same. Change that one's only caller, set_security_override_from_ctx, to call it with the new parameter type. The security module hook is unchanged, still taking a secid. The infrastructure passes the correct entry from the lsmblob. lsmblob_init() is used to fill the lsmblob structure; however, this will be removed later in the series when security_secctx_to_secid() is updated to provide a lsmblob instead of a secid.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
To: David Howells
---
include/linux/cred.h | 3 ++- include/linux/security.h | 5 +++-- kernel/cred.c | 10 ++++++---- security/security.c | 14 ++++++++++++-- 4 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/include/linux/cred.h b/include/linux/cred.h index 14971322e1a0..5a3f0fc3090d 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -18,6 +18,7 @@ struct cred; struct inode; +struct lsmblob; /* * COW Supplementary groups list
@@ -164,7 +165,7 @@ extern const struct cred *override_creds(const struct cred *); extern void revert_creds(const struct cred *); extern struct cred *prepare_kernel_cred(struct task_struct *); extern int change_create_files_as(struct cred *, struct inode *); -extern int set_security_override(struct cred *, u32); +extern int set_security_override(struct cred *, struct lsmblob *); extern int set_security_override_from_ctx(struct cred *, const char *); extern int set_create_files_as(struct cred *, struct inode *); extern int cred_fscmp(const struct cred *, const struct cred *); diff --git a/include/linux/security.h b/include/linux/security.h index 916a0f606035..5c664ba0fbc3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -461,7 +461,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); -int security_kernel_act_as(struct cred *new, u32 secid); +int security_kernel_act_as(struct cred *new, struct lsmblob *blob); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); int security_kernel_load_data(enum kernel_load_data_id id, bool contents); @@ -1103,7 +1103,8 @@ static inline void security_transfer_creds(struct cred *new, { } -static inline int security_kernel_act_as(struct cred *cred, u32 secid) +static inline int security_kernel_act_as(struct cred *cred, + struct lsmblob *blob) { return 0; } diff --git a/kernel/cred.c b/kernel/cred.c index e1d274cd741b..ad845c99e2d1 100644 --- a/kernel/cred.c +++ b/kernel/cred.c 
@@ -733,14 +733,14 @@ EXPORT_SYMBOL(prepare_kernel_cred); /** * set_security_override - Set the security ID in a set of credentials * @new: The credentials to alter - * @secid: The LSM security ID to set + * @blob: The LSM security information to set * * Set the LSM security ID in a set of credentials so that the subjective * security is overridden when an alternative set of credentials is used. */ -int set_security_override(struct cred *new, u32 secid) +int set_security_override(struct cred *new, struct lsmblob *blob) { - return security_kernel_act_as(new, secid); + return security_kernel_act_as(new, blob); } EXPORT_SYMBOL(set_security_override); @@ -756,6 +756,7 @@ EXPORT_SYMBOL(set_security_override); */ int set_security_override_from_ctx(struct cred *new, const char *secctx) { + struct lsmblob blob; u32 secid; int ret; @@ -763,7 +764,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx) if (ret < 0) return ret; - return set_security_override(new, secid); + lsmblob_init(&blob, secid); + return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/security/security.c b/security/security.c index d467231342da..5ec929f97963 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1798,9 +1798,19 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); -int security_kernel_act_as(struct cred *new, u32 secid) +int security_kernel_act_as(struct cred *new, struct lsmblob *blob) { - return call_int_hook(kernel_act_as, 0, new, secid); + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.kernel_act_as(new, blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } int security_kernel_create_files_as(struct cred *new, struct inode *inode)
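Review bot: the kernel-doc for set_security_override in kernel/cred.c updates the parameter line to `@blob: The LSM security information to set`, but the summary "Set the security ID in a set of credentials" and the body "Set the LSM security ID in a set of credentials so that ..." still describe a single ID; reword both to refer to the LSM security information carried in the lsmblob so the comment matches the new signature.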
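Review bot: the open-coded hlist walk in security_kernel_act_as repeats the `WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)` guard and the per-slot secid selection already written out in security_audit_rule_match in the previous patch; since every hook that takes a per-module secid from an lsmblob will need the same loop, a small helper or macro alongside call_int_hook would keep the slot check in one place and make it harder for a future conversion to drop it.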
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v27 07/25] LSM: Use lsmblob in security_secctx_to_secid
Date: Thu, 10 Jun 2021 17:04:17 -0700
Message-Id: <20210611000435.36398-8-casey@schaufler-ca.com>
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Change the security_secctx_to_secid interface to use a lsmblob structure in place of the single u32 secid in support of module stacking. Change its callers to do the same. The security module hook is unchanged, still passing back a secid. The infrastructure passes the correct entry from the lsmblob.

Signed-off-by: Casey Schaufler
Cc: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso
---
include/linux/security.h | 26 ++++++++++++++++++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 10 ++++---- net/netfilter/xt_SECMARK.c | 7 +++++- net/netlabel/netlabel_unlabeled.c | 23 +++++++++++------- security/security.c | 40 ++++++++++++++++++++++++++----- 6 files changed, 85 insertions(+), 25 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h index 5c664ba0fbc3..dbb1e5f5b591 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) extern int lsm_name_to_slot(char *name); extern const char *lsm_slot_to_name(int slot); +/** + * lsmblob_value - find the first non-zero value in an lsmblob structure. + * @blob: Pointer to the data + * + * This needs to be used with extreme caution, as the cases where + * it is appropriate are rare. + * + * Return the first secid value set in the lsmblob. + * There should only be one. + */ +static inline u32 lsmblob_value(const struct lsmblob *blob) +{ + int i; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) + if (blob->secid[i]) + return blob->secid[i]; + + return 0; +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -527,7 +548,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -1382,7 +1404,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle static inline int security_secctx_to_secid(const char *secdata, u32 seclen, - u32 *secid) + struct lsmblob *blob) { return -EOPNOTSUPP; } diff --git a/kernel/cred.c b/kernel/cred.c index ad845c99e2d1..b8e15dd371de 100644 --- a/kernel/cred.c +++ b/kernel/cred.c 
@@ -757,14 +757,12 @@ EXPORT_SYMBOL(set_security_override); int set_security_override_from_ctx(struct cred *new, const char *secctx) { struct lsmblob blob; - u32 secid; int ret; - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); + ret = security_secctx_to_secid(secctx, strlen(secctx), &blob); if (ret < 0) return ret; - lsmblob_init(&blob, secid); return set_security_override(new, &blob); } EXPORT_SYMBOL(set_security_override_from_ctx); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index a7e01e9952f1..f9448e81798e 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -809,21 +809,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { static int nft_secmark_compute_secid(struct nft_secmark *priv) { - u32 tmp_secid = 0; + struct lsmblob blob; int err; - err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob); if (err) return err; - if (!tmp_secid) + if (!lsmblob_is_set(&blob)) return -ENOENT; - err = security_secmark_relabel_packet(tmp_secid); + err = security_secmark_relabel_packet(lsmblob_value(&blob)); if (err) return err; - priv->secid = tmp_secid; + priv->secid = lsmblob_value(&blob); return 0; } diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 498a0bf6f044..87ca3a537d1c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info) static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) { + struct lsmblob blob; int err; info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; info->secid = 0; err = security_secctx_to_secid(info->secctx, strlen(info->secctx), - &info->secid); + &blob); if (err) { if (err == -EINVAL) pr_info_ratelimited("invalid security context \'%s\'\n", 
@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) return err; } + /* xt_secmark_target_info can't be changed to use lsmblobs because + * it is exposed as an API. Use lsmblob_value() to get the one + * value that got set by security_secctx_to_secid(). */ + info->secid = lsmblob_value(&blob); if (!info->secid) { pr_info_ratelimited("unable to map security context \'%s\'\n", info->secctx); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 3e6ac9b790b1..dd18b259272f 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a @@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * + * instead of a u32 later in this patch set. security_secctx_to_secid() + * will only be setting one entry in the lsmblob struct, so it is + * safe to use lsmblob_value() to get that one value. */ + return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, secid, - &audit_info); + dev_name, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** @@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, void *addr; void *mask; u32 addr_len; - u32 secid; + struct lsmblob blob; struct netlbl_audit audit_info; /* Don't allow users to add both IPv4 and IPv6 addresses for a 
@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, ret_val = security_secctx_to_secid( nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), - &secid); + &blob); if (ret_val != 0) return ret_val; + /* security_secctx_to_secid() will only put one secid into the lsmblob + * so it's safe to use lsmblob_value() to get the secid. */ return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, secid, - &audit_info); + NULL, addr, mask, addr_len, + lsmblob_value(&blob), &audit_info); } /** diff --git a/security/security.c b/security/security.c index 5ec929f97963..578c3c6604f0 100644 --- a/security/security.c +++ b/security/security.c @@ -2193,10 +2193,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, + struct lsmblob *blob) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct security_hook_list *hp; + int rc; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); + if (rc != 0) + return rc; + } + return 0; } EXPORT_SYMBOL(security_secctx_to_secid); 
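Review bot: In the new security_secctx_to_secid() loop, `if (rc != 0) return rc;` aborts on the first module that rejects the string, so once two modules that both implement secctx_to_secid are stacked, a context that only one of them can parse makes the whole call fail with the other module's error and the slot that would have been set is never filled. The callers converted in this patch (xt_SECMARK, nft_meta, the two netlabel functions) then read the result with lsmblob_value(), which assumes exactly one slot is set, so the two pieces only fit together if every loaded module accepts the same string. Either treat a module's -EINVAL as "not my label" and keep iterating, failing only when no slot was set (lsmblob_is_set() is already used in nft_meta for that test), or say in the kernel-doc for this function and in the commit message that the string must be accepted by every registered module; "The infrastructure passes the correct entry from the lsmblob" does not cover the disagreement case.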
@@ -2347,10 +2359,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, optval, optlen, len); } -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, + u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + int rc = -ENOPROTOOPT; + + /* + * Only one security module should provide a real hook for + * this. A stub or bypass like is used in BPF should either + * (somehow) leave rc unaltered or return -ENOPROTOOPT. + */ + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid); + if (rc != -ENOPROTOOPT) + break; + } + return rc; } EXPORT_SYMBOL(security_socket_getpeersec_dgram);

From patchwork Fri Jun 11 00:04:18 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314363
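Review bot: The security_socket_getpeersec_dgram() hunk is not mentioned in the commit message and has nothing to do with secctx_to_secid, so it should be split into its own patch or at least explained. On the logic: the loop breaks on any rc other than -ENOPROTOOPT, so a hook that returns 0 without writing *secid (the "stub or bypass" the comment worries about) ends the walk with *secid untouched, and a hook that returns some other error hides a later module that would have answered. The "(somehow) leave rc unaltered" wording admits the contract is undefined; pin it down, for example by requiring such hooks to return -ENOPROTOOPT and stating that in the hook's documentation, and then drop the "(somehow)".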
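Review bot: lsmblob_value() in the include/linux/security.h hunk documents that "There should only be one" non-zero secid but silently returns the first one it finds, and the callers added in this patch have no way to notice that a second slot was also set: xt_SECMARK stores the result in info->secid, which the comment in that hunk points out is an exposed API, and nft_meta hands it to security_secmark_relabel_packet(). A WARN_ON_ONCE() when a later entry is also non-zero would make the "extreme caution" comment enforceable, and the kernel-doc should say which module wins (the lowest slot number, given the loop order) so the secmark semantics are predictable once two modules are loaded.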
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v27 08/25] LSM: Use lsmblob in security_secid_to_secctx
Date: Thu, 10 Jun 2021 17:04:18 -0700
Message-Id: <20210611000435.36398-9-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Change security_secid_to_secctx() to take a lsmblob as input instead of a u32 secid. It will then call the LSM hooks using the lsmblob element allocated for that module. The callers have been updated as well. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code.

Signed-off-by: Casey Schaufler
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso
To: Paul Moore
---
 drivers/android/binder.c | 12 +++++++++-
 include/linux/security.h | 5 +++--
 include/net/scm.h | 7 +++++-
 kernel/audit.c | 20 +++++++++++++++--
 kernel/auditsc.c | 28 +++++++++++++++++++----
 net/ipv4/ip_sockglue.c | 4 +++-
 net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++--
 net/netfilter/nf_conntrack_standalone.c | 4 +++-
 net/netfilter/nfnetlink_queue.c | 11 +++++++--
 net/netlabel/netlabel_unlabeled.c | 30 +++++++++++++++++++++----
 net/netlabel/netlabel_user.c | 6 ++---
 security/security.c | 11 +++++----
 12 files changed, 123 insertions(+), 29 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 61d34e1dc59c..193397a1fece 100644 --- a/drivers/android/binder.c 
+++ b/drivers/android/binder.c @@ -2711,6 +2711,7 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + struct lsmblob blob; size_t added_size; /* @@ -2723,7 +2724,16 @@ static void binder_transaction(struct binder_proc *proc, * case well anyway. */ security_task_getsecid_obj(proc->tsk, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + /* + * Later in this patch set security_task_getsecid() will + * provide a lsmblob instead of a secid. lsmblob_init + * is used to ensure that all the secids in the lsmblob + * get the value returned from security_task_getsecid(), + * which means that the one expected by + * security_secid_to_secctx() will be set. + */ + lsmblob_init(&blob, secid); + ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/security.h b/include/linux/security.h index dbb1e5f5b591..5a8c50a95c46 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -547,7 +547,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); @@ -1397,7 +1397,8 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..23a35ff1b3f2 100644 
--- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmblob lb; char *secdata; u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + /* There can only be one security module using the secid, + * and the infrastructure will know which it is. + */ + lsmblob_init(&lb, scm->secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index 121d37e700a6..22286163e93e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1442,7 +1442,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + struct lsmblob blob; + + /* + * lsmblob_init sets all values in the lsmblob + * to audit_sig_sid. This is temporary until + * audit_sig_sid is converted to a lsmblob, which + * happens later in this patch set. + */ + lsmblob_init(&blob, audit_sig_sid); + err = security_secid_to_secctx(&blob, &ctx, &len); if (err) return err; } @@ -2131,12 +2140,19 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; u32 sid; + struct lsmblob blob; security_task_getsecid_subj(current, &sid); if (!sid) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + /* + * lsmblob_init sets all values in the lsmblob to sid. + * This is temporary until security_task_getsecid is converted + * to use a lsmblob, which happens later in this patch set. + */ + lsmblob_init(&blob, sid); + error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 71d894dcdc01..6e977d312acb 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -671,6 +671,13 @@ static int audit_filter_rules(struct task_struct *tsk, security_task_getsecid_subj(tsk, &sid); need_sid = 0; } + /* + * lsmblob_init sets all values in the lsmblob + * to sid. This is temporary until + * security_task_getsecid() is converted to + * provide a lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, @@ -687,6 +694,13 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { + /* + * lsmblob_init sets all values in the + * lsmblob to sid. This is temporary + * until name->osid is converted to a + * lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, @@ -993,6 +1007,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *ctx = NULL; u32 len; int rc = 0; + struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -1002,7 +1017,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + lsmblob_init(&blob, sid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1245,7 +1261,10 @@ static void show_special(struct audit_context *context, int *call_panic) if (osid) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { + struct lsmblob blob; + + lsmblob_init(&blob, osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { 
@@ -1398,9 +1417,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (n->osid != 0) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { + lsmblob_init(&blob, n->osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index ec6036713e2c..2f089733ada7 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmblob lb; char *secdata; u32 seclen, secid; int err; @@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + lsmblob_init(&lb, secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 8690fc07030f..caf3ecb5a66b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -338,8 +338,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return 0; 
@@ -647,8 +652,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index aaa55246d0ca..b02afa0a1516 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -175,8 +175,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index f37a575ebd7f..bdbb0b60bf7b 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct lsmblob blob; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + /* lsmblob_init() puts ct->secmark into all of the secids in + * blob. security_secid_to_secctx() will know which security + * module to use to create the secctx. */ + lsmblob_init(&blob, skb->secmark); + security_secid_to_secctx(&blob, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif 
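Review bot: The comment added in nfqnl_get_sk_secctx() says "lsmblob_init() puts ct->secmark into all of the secids in blob", but the code passes skb->secmark and there is no ct in that function; it reads like a copy of the nf_conntrack_netlink.c comment. Change it to skb->secmark so the next reader does not go looking for a conntrack entry.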
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index dd18b259272f..534dee9c7b6f 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, + /* lsmblob_init() puts secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + if (security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); @@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -494,8 +500,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); if (dev != NULL) dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -537,6 +548,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); 
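Review bot: In netlbl_unlhsh_remove_addr4() the NULL test is now done twice in a row, `if (entry != NULL) lsmblob_init(&blob, entry->secid);` immediately followed by `if (entry != NULL && security_secid_to_secctx(&blob, ...`. Nesting both the lsmblob_init() and the secctx call under one `if (entry != NULL)` reads better and avoids leaving `blob` uninitialised on the path where entry is NULL; it is not used there today, but it is the kind of thing static checkers report.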
@@ -555,8 +567,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); if (dev != NULL) dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1082,6 +1099,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, u32 secid; char *secctx; u32 secctx_len; + struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1136,7 +1154,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + /* lsmblob_init() secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..893301ae0131 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct audit_buffer *audit_buf; char *secctx; u32 secctx_len; + struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; 
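Review bot: The comment added in netlbl_unlabel_staticlist_gen() is missing its verb: "lsmblob_init() secid into all of the secids in blob." should read "lsmblob_init() puts secid into all of the secids in blob.", matching the other copies of this comment in the file. The remove_addr6 hunk above also repeats the double `if (entry != NULL)` pattern from remove_addr4 and should be folded the same way.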
@@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); + lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/security/security.c b/security/security.c index 578c3c6604f0..b0faeee91d02 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2174,17 +2174,16 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; int rc; - /* - * Currently, only one LSM can implement secid_to_secctx (i.e this - * LSM hook is not "stackable"). - */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], + secdata, seclen); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; }

From patchwork Fri Jun 11 00:04:19 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314365
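Review bot: The security_secid_to_secctx() loop still returns at the first hook whose rc differs from LSM_RET_DEFAULT(secid_to_secctx), so with two modules registered the first one in hook order always answers, even when its slot in the blob is zero and the other module's slot is the one that was set; the commit message's "more than one module may be called upon to translate a secid" cannot happen with this loop. The removed comment said only one LSM can implement the hook, and that one-winner behaviour is still what the code does. Either skip a hook when `blob->secid[hp->lsmid->slot]` is zero before calling it, or keep a comment stating that the first module in hook order wins, so callers such as audit_log_task_context() know what they will get.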
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v27 09/25] LSM: Use lsmblob in security_ipc_getsecid
Date: Thu, 10 Jun 2021 17:04:19 -0700
Message-Id: <20210611000435.36398-10-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 7 ++++++- security/security.c | 12 +++++++++--- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 5a8c50a95c46..bdac0a124052 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -518,7 +518,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1275,9 +1275,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6e977d312acb..9aeddf881e67 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -2323,11 +2323,16 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + security_ipc_getsecid(ipcp, &blob); + /* context->ipc.osid will be changed to a lsmblob later in + * the patch series. This will allow auditing of all the object + * labels associated with the ipc object. */ + context->ipc.osid = lsmblob_value(&blob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index b0faeee91d02..7f722ac04d99 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1994,10 +1994,16 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return call_int_hook(ipc_permission, 0, ipcp, flag); } -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.ipc_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.ipc_getsecid(ipcp, &blob->secid[hp->lsmid->slot]); + } } int security_msg_msg_alloc(struct msg_msg *msg)
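Review bot: in the kernel/auditsc.c hunk for __audit_ipc_obj(), the comment above `context->ipc.osid = lsmblob_value(&blob);` puts text on the opening `/*` line; outside net/ the kernel coding style wants a bare `/*` first line and checkpatch warns about it. The comment should also say which of the secids lsmblob_value() picks when more than one module has filled the blob, because until ipc.osid becomes a lsmblob the AUDIT_IPC record carries only that one module's label for the object.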
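Review bot: in the security/security.c hunk, `WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)` sits inside the hook loop, so a module registered with a bad slot warns on every security_ipc_getsecid() call, which __audit_ipc_obj() makes once per audited IPC object; WARN_ON_ONCE() reports the misregistration without the log flood. The `continue` leaves that module's entry at the 0 written by `lsmblob_init(blob, 0)`, which callers cannot tell from "no label", so that deserves a comment. The init / iterate / slot-check / call sequence is going to be repeated for every getsecid hook converted in this series; a call_void_hook()-style macro taking the hook name and the blob would keep the slot check in one place.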
From patchwork Fri Jun 11 00:04:20 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314367
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v27 10/25] LSM: Use lsmblob in security_task_getsecid
Date: Thu, 10 Jun 2021 17:04:20 -0700
Message-Id: <20210611000435.36398-11-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Change the security_task_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible secids for possible reporting.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netdev@vger.kernel.org
---
drivers/android/binder.c | 12 +-----
include/linux/security.h | 14 ++++---
kernel/audit.c | 16 +++-----
kernel/auditfilter.c | 4 +-
kernel/auditsc.c | 25 ++++++------
net/netlabel/netlabel_unlabeled.c | 5 ++-
net/netlabel/netlabel_user.h | 6 ++-
security/integrity/ima/ima_appraise.c | 10 +++--
security/integrity/ima/ima_main.c | 56 +++++++++++++++------------
security/security.c | 25 +++++++++---
10 files changed, 94 insertions(+), 79 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 193397a1fece..ab55358f868b 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2710,7 +2710,6 @@ static void binder_transaction(struct binder_proc *proc, t->priority = task_nice(current); if (target_node && target_node->txn_security_ctx) { - u32 secid; struct lsmblob blob; size_t added_size; @@ -2723,16 +2722,7 @@ static void binder_transaction(struct binder_proc *proc, * here; however, it isn't clear that binder would handle that * case well anyway. */ - security_task_getsecid_obj(proc->tsk, &secid); - /* - * Later in this patch set security_task_getsecid() will - * provide a lsmblob instead of a secid. lsmblob_init - * is used to ensure that all the secids in the lsmblob - * get the value returned from security_task_getsecid(), - * which means that the one expected by - * security_secid_to_secctx() will be set. - */ - lsmblob_init(&blob, secid); + security_task_getsecid_obj(proc->tsk, &blob); ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; diff --git a/include/linux/security.h b/include/linux/security.h index bdac0a124052..60f4515b9181 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -500,8 +500,8 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old, int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_task_getsecid_subj(struct task_struct *p, u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob); +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); 
@@ -1197,14 +1197,16 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_subj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getsecid_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 22286163e93e..d92c7b894183 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2139,19 +2139,12 @@ int audit_log_task_context(struct audit_buffer *ab) char *ctx = NULL; unsigned len; int error; - u32 sid; struct lsmblob blob; - security_task_getsecid_subj(current, &sid); - if (!sid) + security_task_getsecid_subj(current, &blob); + if (!lsmblob_is_set(&blob)) return 0; - /* - * lsmblob_init sets all values in the lsmblob to sid. - * This is temporary until security_task_getsecid is converted - * to use a lsmblob, which happens later in this patch set. - */ - lsmblob_init(&blob, sid); error = security_secid_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) @@ -2359,6 +2352,7 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; + struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2369,7 +2363,9 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid_subj(current, &audit_sig_sid); + security_task_getsecid_subj(current, &blob); + /* scaffolding until audit_sig_sid is converted */ + audit_sig_sid = blob.secid[0]; } return audit_signal_info_syscall(t); 
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 6a04d762d272..1ba14a7a38f7 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1330,7 +1330,6 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; pid_t pid; - u32 sid; struct lsmblob blob; switch (f->type) { @@ -1362,8 +1361,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_isset) { security_task_getsecid_subj(current, - &sid); - lsmblob_init(&blob, sid); + &blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rules); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9aeddf881e67..dd902b68433e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,7 +471,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob; unsigned int sessionid; @@ -668,17 +667,9 @@ static int audit_filter_rules(struct task_struct *tsk, logged upon error */ if (f->lsm_isset) { if (need_sid) { - security_task_getsecid_subj(tsk, &sid); + security_task_getsecid_subj(tsk, &blob); need_sid = 0; } - /* - * lsmblob_init sets all values in the lsmblob - * to sid. This is temporary until - * security_task_getsecid() is converted to - * provide a lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, f->lsm_rules); 
@@ -2422,12 +2413,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding - until target_sid is converted */ + context->target_sid = blob.secid[0]; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2443,6 +2437,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2454,7 +2449,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + ctx->target_sid = blob.secid[0]; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2475,7 +2472,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getsecid_obj(t, &blob); + /* scaffolding until target_sid is converted */ + axp->target_sid[axp->pid_count] = blob.secid[0]; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 534dee9c7b6f..b08442582874 100644 --- a/net/netlabel/netlabel_unlabeled.c 
+++ b/net/netlabel/netlabel_unlabeled.c @@ -1564,11 +1564,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid_subj(current, &audit_info.secid); + security_task_getsecid_subj(current, &blob); + /* scaffolding until audit_info.secid is converted */ + audit_info.secid = blob.secid[0]; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index b9ba8112b3c5..11f6da93f31b 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -34,7 +34,11 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, struct netlbl_audit *audit_info) { - security_task_getsecid_subj(current, &audit_info->secid); + struct lsmblob blob; + + security_task_getsecid_subj(current, &blob); + /* scaffolding until secid is converted */ + audit_info->secid = blob.secid[0]; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 4e5eb0236278..f8c7b593175f 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c 
@@ -71,14 +71,16 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_task_getsecid_subj(current, &secid); - return ima_match_policy(mnt_userns, inode, current_cred(), secid, func, - mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); + security_task_getsecid_subj(current, &blob); + /* scaffolding the .secid[0] */ + return ima_match_policy(mnt_userns, inode, current_cred(), + blob.secid[0], func, mask, + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 906c1d8e0b71..9d1ed00eb349 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -388,12 +388,13 @@ static int process_measurement(struct file *file, const struct cred *cred, */ int ima_file_mmap(struct file *file, unsigned long prot) { - u32 secid; + struct lsmblob blob; if (file && (prot & PROT_EXEC)) { - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + security_task_getsecid_subj(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, MMAP_CHECK); } return 0; @@ -419,9 +420,9 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ 
@@ -429,11 +430,12 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_task_getsecid_subj(current, &secid); + security_task_getsecid_subj(current, &blob); inode = file_inode(vma->vm_file); + /* scaffolding */ action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, - &pcr, &template, 0); + current_cred(), blob.secid[0], MAY_EXEC, + MMAP_CHECK, &pcr, &template, 0); /* Is the mmap'ed file in policy? */ if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) @@ -469,10 +471,12 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob; - security_task_getsecid_subj(current, &secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + ret = process_measurement(bprm->file, current_cred(), blob.secid[0], + NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; @@ -493,10 +497,11 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -672,7 +677,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the 
@@ -692,8 +697,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, NULL, + security_task_getsecid_subj(current, &blob); + /* scaffolding - until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, MAY_READ, func); } @@ -722,7 +728,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -735,9 +741,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_task_getsecid_subj(current, &secid); - return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func); + security_task_getsecid_subj(current, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(file, current_cred(), blob.secid[0], buf, + size, MAY_READ, func); } /** @@ -859,7 +866,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (!ima_policy_flag) return; @@ -879,9 +886,10 @@ void process_buffer_measurement(struct user_namespace *mnt_userns, * buffer measurements. */ if (func) { - security_task_getsecid_subj(current, &secid); + security_task_getsecid_subj(current, &blob); + /* scaffolding */ action = ima_get_action(mnt_userns, inode, current_cred(), - secid, 0, func, &pcr, &template, + blob.secid[0], 0, func, &pcr, &template, func_data); if (!(action & IMA_MEASURE)) return; diff --git a/security/security.c b/security/security.c index 7f722ac04d99..ce22903ccce2 100644 
--- a/security/security.c +++ b/security/security.c 
@@ -1904,17 +1904,30 @@ int security_task_getsid(struct task_struct *p) return call_int_hook(task_getsid, 0, p); } -void security_task_getsecid_subj(struct task_struct *p, u32 *secid) +void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_subj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_subj, + list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_subj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_subj); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_obj, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.task_getsecid_obj(p, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_task_getsecid_obj);
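Review bot: in the kernel/audit.c hunk for audit_signal_info(), the scaffolding `audit_sig_sid = blob.secid[0];` reads slot 0 only, while patch 09's __audit_ipc_obj() scaffolds the same kind of field with lsmblob_value(&blob). With two modules stacked, slot 0 belongs to whichever module got it first; if that module's hook writes 0 for the task, secid[0] is 0 and the record loses the label held in the other slot. The same `blob.secid[0]` pattern appears in __audit_ptrace(), audit_signal_info_syscall(), netlbl_unlabel_defconf(), netlbl_netlink_auditinfo() and the IMA callers; pick one accessor for every scaffolding site, and prefer lsmblob_value() so single-module and stacked configurations behave the same until the fields themselves are converted.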
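Review bot: in the security/integrity/ima/ima_appraise.c hunk, `/* scaffolding the .secid[0] */` is the one scaffolding comment in this patch that does not say what it is waiting for; the ima_main.c hunks use "scaffolding until process_measurement changes". Make it "scaffolding until ima_match_policy() takes a lsmblob" so a grep for the remaining scaffolding sites finds a consistent marker.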
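Review bot: in the security/integrity/ima/ima_main.c hunk for ima_bprm_check(), `u32 secid;` stays as unchanged context next to the new `struct lsmblob blob;`, so a second getsecid path in that function still takes a bare u32 after this patch. A one-line comment on that declaration saying why it survives would stop a later cleanup from removing it together with the scaffolding, and the eventual conversion of that path should be listed with the other pending scaffolding removals.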
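Review bot: in the security/security.c hunk, security_task_getsecid_subj() and security_task_getsecid_obj() each carry a copy of the init / iterate / slot-check / call loop that patch 09 added to security_ipc_getsecid(); the only differences are the hook name and that the subj version wraps `hlist_for_each_entry(hp, &security_hook_heads.task_getsecid_subj,` onto a second line to fit 80 columns. A macro next to call_void_hook() taking the hook name and the lsmblob would remove the triplication, keep the `hp->lsmid->slot` bounds check in one place and settle the wrapping. As in patch 09, WARN_ON() inside a per-call loop should be WARN_ON_ONCE().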
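The slotted fan-out that patches 09 and 10 introduce, modelled in userspace as an added example (this is not code from the patch series or from the kernel): a fixed-slot lsmblob, a hook list in which each module owns one slot, the bounds-checked dispatch loop from security_task_getsecid_subj(), and the two ways the series' scaffolding reads a single u32 back out of the blob. lsmblob_init() and the slot check follow the hunks above; the LSMBLOB_ENTRIES value, the LSMBLOB_INVALID value, the lsm_slot value, the first-non-zero semantics of lsmblob_value() (the helper itself is not on this page), `struct lsm_model`, `struct sample_obj` and the modules modA/modB/broken are assumptions of this example. It shows the case where `blob.secid[0]` and lsmblob_value() disagree: the slot-0 module reports no label while the slot-1 module does, and a module registered without a valid slot is skipped with its slot left at 0.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Assumed values for this example; the kernel's own definitions are not on this page. */
#define LSMBLOB_ENTRIES 2
#define LSMBLOB_INVALID (-1)

struct lsmblob {
	u32 secid[LSMBLOB_ENTRIES];
};

/* Mirrors the patch: every slot gets the same value (0 means "no label"). */
static void lsmblob_init(struct lsmblob *blob, u32 secid)
{
	int i;

	for (i = 0; i < LSMBLOB_ENTRIES; i++)
		blob->secid[i] = secid;
}

/* Used by __audit_ipc_obj() in patch 09; first non-zero slot is an assumption here. */
static u32 lsmblob_value(const struct lsmblob *blob)
{
	int i;

	for (i = 0; i < LSMBLOB_ENTRIES; i++)
		if (blob->secid[i] != 0)
			return blob->secid[i];
	return 0;
}

/* Stand-in for one registered module: its slot and its getsecid hook (assumed shape). */
struct lsm_model {
	const char *name;
	int slot;				/* hp->lsmid->slot in the patch */
	void (*getsecid)(const void *obj, u32 *secid);
};

static int lsm_slot = LSMBLOB_ENTRIES;	/* slots handed out at boot (assumed) */
static int warn_count;			/* WARN_ON()s the kernel loop would emit */

/* The loop from security_task_getsecid_subj() / security_ipc_getsecid(). */
static void model_getsecid(const struct lsm_model *hooks, int nhooks,
			   const void *obj, struct lsmblob *blob)
{
	int i;

	lsmblob_init(blob, 0);
	for (i = 0; i < nhooks; i++) {
		if (hooks[i].slot < 0 || hooks[i].slot >= lsm_slot) {
			warn_count++;	/* WARN_ON(...) then continue in the patch */
			continue;
		}
		hooks[i].getsecid(obj, &blob->secid[hooks[i].slot]);
	}
}

/* Constructed sample object carrying one label per stacked module. */
struct sample_obj {
	u32 label_a;
	u32 label_b;
};

static void moda_getsecid(const void *obj, u32 *secid)
{
	*secid = ((const struct sample_obj *)obj)->label_a;
}

static void modb_getsecid(const void *obj, u32 *secid)
{
	*secid = ((const struct sample_obj *)obj)->label_b;
}

/* Two stacked modules plus one that registered without requesting a slot. */
static const struct lsm_model stacked[] = {
	{ "modA", 0, moda_getsecid },
	{ "modB", 1, modb_getsecid },
	{ "broken", LSMBLOB_INVALID, modb_getsecid },
};

static struct lsmblob sample_blob(u32 label_a, u32 label_b)
{
	struct sample_obj obj = { label_a, label_b };
	struct lsmblob blob;

	warn_count = 0;
	model_getsecid(stacked, sizeof(stacked) / sizeof(stacked[0]), &obj, &blob);
	return blob;
}

/* What the `blob.secid[0]` scaffolding in patch 10 would store. */
static u32 scaffold_secid0(u32 label_a, u32 label_b)
{
	struct lsmblob blob = sample_blob(label_a, label_b);

	return blob.secid[0];
}

/* What the lsmblob_value() scaffolding in patch 09 would store. */
static u32 scaffold_value(u32 label_a, u32 label_b)
{
	struct lsmblob blob = sample_blob(label_a, label_b);

	return lsmblob_value(&blob);
}

/* How many misregistered modules the loop skipped on the last call. */
static int scaffold_warns(u32 label_a, u32 label_b)
{
	sample_blob(label_a, label_b);
	return warn_count;
}

int main(void)
{
	/* modA has no label for the object, modB does: the two accessors disagree. */
	printf("secid[0]=%u lsmblob_value=%u warns=%d\n",
	       scaffold_secid0(0, 42), scaffold_value(0, 42), scaffold_warns(0, 42));
	return 0;
}
```

With the sample above, the slot-0 read yields 0 (the object would be logged as unlabeled) while lsmblob_value() yields modB's 42, and the module with LSMBLOB_INVALID is counted once and never written to the blob.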
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v27 11/25] LSM: Use lsmblob in security_inode_getsecid Date: Thu, 10 Jun 2021 17:04:21 -0700 Message-Id: <20210611000435.36398-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11 +++++++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 60f4515b9181..64f898e5e854 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -454,7 +454,7 @@ int security_inode_getsecurity(struct user_namespace *mnt_userns, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -1005,9 +1005,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getsecid(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index dd902b68433e..6684927f12fc 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1962,13 +1962,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getsecid(inode, &blob); + /* scaffolding until osid is updated */ + name->osid = blob.secid[0]; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a05841e1012b..5ee7629fd782 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -606,7 +606,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; struct lsmblob lsmdata; if (!ima_lsm_isset(rule, i)) { @@ -619,8 +618,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - lsmblob_init(&lsmdata, osid); + security_inode_getsecid(inode, &lsmdata); rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index ce22903ccce2..c6de5200c467 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1548,9 +1548,16 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer } EXPORT_SYMBOL(security_inode_listsecurity); -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.inode_getsecid(inode, &blob->secid[hp->lsmid->slot]); + } } int security_inode_copy_up(struct dentry *src, struct cred **new)
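Review bot: The !CONFIG_SECURITY stub at @@ -1005 in include/linux/security.h now calls lsmblob_init(blob, 0) instead of assigning `*secid = 0`; confirm that lsmblob_init() is a static inline visible in that configuration, since the stub is compiled with no LSM code at all and an out-of-line lsmblob_init() would break CONFIG_SECURITY=n builds.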
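Review bot: In the audit_copy_inode() hunk at @@ -1962, the scaffolding line `name->osid = blob.secid[0];` keeps only slot 0, so with more than one LSM registered the audit record still carries only the first module's secid. The comment "scaffolding until osid is updated" should say which patch in the series converts audit_names.osid; the cred and task fields are converted in 12/25, but osid is not touched there, so a reviewer cannot currently see where this temporary data loss is closed.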
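Review bot: The ima_match_rules() change at @@ -619 is a behaviour change rather than plain plumbing: the removed `lsmblob_init(&lsmdata, osid)` filled every slot with the same secid (the comment removed from audit.c in 12/25 states that lsmblob_init sets all values in the blob), whereas security_inode_getsecid() now fills each slot with its own LSM's value, so ima_filter_rule_match() must select the slot belonging to the LSM that owns rule->lsm[i].rule. That deserves a sentence in the commit message beyond "Data is provided for IMA and audit".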
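Review bot: security_inode_getsecid() at @@ -1548 is now the third copy of the lsmblob_init() + hlist_for_each_entry() + WARN_ON(slot range) loop after the task_getsecid_subj/obj ones; a helper in the style of call_void_hook() that takes the hook name and argument list would let a future fix to the slot check land in one place. Also note that the old code did not zero `*secid` before calling the hook while the new code does via lsmblob_init(blob, 0); that is the safer default, but it is a change for any caller that relied on the previous value surviving, and is worth a line in the changelog.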
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v27 12/25] LSM: Use lsmblob in security_cred_getsecid Date: Thu, 10 Jun 2021 17:04:22 -0700 Message-Id: <20210611000435.36398-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_cred_getsecid() interface to fill in a lsmblob instead of a u32 secid. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com --- include/linux/security.h | 2 +- kernel/audit.c | 25 +++++++---------------- kernel/audit.h | 3 ++- kernel/auditsc.c | 34 ++++++++++++------------------- security/integrity/ima/ima_main.c | 8 ++++---- security/security.c | 12 ++++++++--- 6 files changed, 36 insertions(+), 48 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 64f898e5e854..c1c31eb23859 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -481,7 +481,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); -void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getsecid(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, struct lsmblob *blob); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); diff --git a/kernel/audit.c b/kernel/audit.c index d92c7b894183..8ec64e6e8bc0 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -125,7 +125,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ static kuid_t audit_sig_uid = INVALID_UID; static pid_t audit_sig_pid = -1; -static u32 audit_sig_sid; +struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] 
@@ -1441,29 +1441,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - struct lsmblob blob; - - /* - * lsmblob_init sets all values in the lsmblob - * to audit_sig_sid. This is temporary until - * audit_sig_sid is converted to a lsmblob, which - * happens later in this patch set. - */ - lsmblob_init(&blob, audit_sig_sid); - err = security_secid_to_secctx(&blob, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_secid_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } @@ -2352,7 +2344,6 @@ int audit_set_loginuid(kuid_t loginuid) int audit_signal_info(int sig, struct task_struct *t) { kuid_t uid = current_uid(), auid; - struct lsmblob blob; if (auditd_test_task(t) && (sig == SIGTERM || sig == SIGHUP || @@ -2363,9 +2354,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_task_getsecid_subj(current, &blob); - /* scaffolding until audit_sig_sid is converted */ - audit_sig_sid = blob.secid[0]; + security_task_getsecid_subj(current, &audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/audit.h b/kernel/audit.h index 1522e100fd17..23a85a470121 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -9,6 +9,7 @@ #include #include #include +#include #include #include 
@@ -134,7 +135,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_lsm; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6684927f12fc..573c6a8e505f 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -111,7 +111,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_lsm[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -991,14 +991,14 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, + struct lsmblob *blob, char *comm) { struct audit_buffer *ab; char *ctx = NULL; u32 len; int rc = 0; - struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -1007,9 +1007,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - lsmblob_init(&blob, sid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_secid_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1580,7 +1579,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_lsm[i], axs->target_comm[i])) call_panic = 1; } 
@@ -1589,7 +1588,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_lsm, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -1765,7 +1764,7 @@ void __audit_syscall_exit(int success, long return_code) context->aux = NULL; context->aux_pids = NULL; context->target_pid = 0; - context->target_sid = 0; + lsmblob_init(&context->target_lsm, 0); context->sockaddr_len = 0; context->type = 0; context->fds[0] = -1; @@ -2319,6 +2318,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); struct lsmblob blob; + context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; @@ -2417,15 +2417,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &blob); - /* scaffolding - until target_sid is converted */ - context->target_sid = blob.secid[0]; + security_task_getsecid_obj(t, &context->target_lsm); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2441,7 +2438,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; 
@@ -2453,9 +2449,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &blob); - /* scaffolding until target_sid is converted */ - ctx->target_sid = blob.secid[0]; + security_task_getsecid_obj(t, &ctx->target_lsm); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2476,9 +2470,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &blob); - /* scaffolding until target_sid is converted */ - axp->target_sid[axp->pid_count] = blob.secid[0]; + security_task_getsecid_obj(t, &axp->target_lsm[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 9d1ed00eb349..b3e00340a97c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -470,7 +470,6 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; struct lsmblob blob; security_task_getsecid_subj(current, &blob); @@ -480,9 +479,10 @@ int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, - MAY_EXEC, CREDS_CHECK); + security_cred_getsecid(bprm->cred, &blob); + /* scaffolding until process_measurement changes */ + return process_measurement(bprm->file, bprm->cred, blob.secid[0], + NULL, 0, MAY_EXEC, CREDS_CHECK); } /** diff --git a/security/security.c b/security/security.c index c6de5200c467..c2a5c50e913b 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1798,10 +1798,16 @@ void security_transfer_creds(struct cred *new, const struct cred *old) call_void_hook(cred_transfer, new, old); } -void security_cred_getsecid(const struct cred *c, u32 *secid) +void security_cred_getsecid(const struct cred *c, struct lsmblob *blob) { - *secid = 0; - call_void_hook(cred_getsecid, c, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.cred_getsecid(c, &blob->secid[hp->lsmid->slot]); + } } EXPORT_SYMBOL(security_cred_getsecid);
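Review bot: At @@ -125 in kernel/audit.c, `static u32 audit_sig_sid;` is replaced by `struct lsmblob audit_sig_lsm;` without `static`, so the variable silently gains external linkage. Nothing in the visible hunks references it from another file (the kernel/audit.h hunk only adds an #include, no extern declaration), so keep it `static`; if a later patch needs it, add the extern in audit.h in that patch.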
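Review bot: audit_signal_info() at @@ -2363 now stores a whole struct lsmblob into the global audit_sig_lsm via security_task_getsecid_subj(current, &audit_sig_lsm), which audit_receive_msg() at @@ -1441 reads back with lsmblob_is_set() and security_secid_to_secctx(). With the old u32 a racing reader saw either the old or the new value; a multi-slot struct can be observed half-updated by a concurrent AUDIT_SIGNAL_INFO request, producing a secctx that mixes two tasks' secids. Fill a local blob and copy it into audit_sig_lsm under whatever serialization audit_sig_uid/audit_sig_pid already rely on, or say in the changelog why the race is acceptable.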
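Review bot: audit_log_pid_context() at @@ -991 takes `struct lsmblob *blob` but only reads it (lsmblob_is_set() and security_secid_to_secctx() at @@ -1007), so `const struct lsmblob *` would be the better signature if security_secid_to_secctx() accepts a const pointer; the callers at @@ -1580 and @@ -1589 already pass `&axs->target_lsm[i]` and `&context->target_lsm` and would not need to change.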
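Review bot: The @@ -2319 hunk in __audit_ipc_obj() only inserts a blank line after the declarations; it is unrelated to the cred_getsecid conversion and should be dropped from this patch or folded into whichever patch last touched that function.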
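Review bot: ima_bprm_check() at @@ -480 reuses one `blob` for two different subjects: the context shows it first filled by security_task_getsecid_subj(current, &blob), and the hunk then overwrites it with security_cred_getsecid(bprm->cred, &blob) before calling process_measurement(). That is correct only because the first value has been fully consumed by the `if (ret) return ret;` check; a second variable, or a short comment, would make the reuse explicit, and the "scaffolding until process_measurement changes" comment on `blob.secid[0]` should name 13/25 as the patch that removes it.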
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v27 13/25] IMA: Change internal interfaces to use lsmblobs Date: Thu, 10 Jun 2021 17:04:23 -0700 Message-Id: <20210611000435.36398-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: The IMA interfaces ima_get_action() and ima_match_policy() call LSM functions that use lsmblobs. Change the IMA functions to pass the lsmblob to be compatible with the LSM functions. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org To: Mimi Zohar --- security/integrity/ima/ima.h | 6 ++--- security/integrity/ima/ima_api.c | 6 ++--- security/integrity/ima/ima_appraise.c | 5 ++-- security/integrity/ima/ima_main.c | 36 +++++++++++---------------- security/integrity/ima/ima_policy.c | 17 ++++++------- 5 files changed, 31 insertions(+), 39 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 55f3bd4f0b01..a6b59fcaf62a 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -251,7 +251,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data); @@ -282,8 +282,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d8e321cc6936..691f68d478f1 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c 
@@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @mnt_userns: user namespace of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: LSM data of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -185,7 +185,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data) @@ -194,7 +194,7 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(mnt_userns, inode, cred, secid, func, mask, + return ima_match_policy(mnt_userns, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index f8c7b593175f..b2af72289f00 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -77,10 +77,9 @@ int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode, return 0; security_task_getsecid_subj(current, &blob); - /* scaffolding the .secid[0] */ return ima_match_policy(mnt_userns, inode, current_cred(), - blob.secid[0], func, mask, - IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); + &blob, func, mask, IMA_APPRAISE | IMA_HASH, + NULL, NULL, NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index b3e00340a97c..b63f73d43bd2 100644 --- a/security/integrity/ima/ima_main.c 
+++ b/security/integrity/ima/ima_main.c @@ -194,8 +194,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -218,7 +218,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid, + action = ima_get_action(file_mnt_user_ns(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); @@ -392,8 +392,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) if (file && (prot & PROT_EXEC)) { security_task_getsecid_subj(current, &blob); - /* scaffolding - until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); } @@ -434,7 +433,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) inode = file_inode(vma->vm_file); /* scaffolding */ action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, - current_cred(), blob.secid[0], MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, 0); /* Is the mmap'ed file in policy? */ 
@@ -473,16 +472,14 @@ int ima_bprm_check(struct linux_binprm *bprm) struct lsmblob blob; security_task_getsecid_subj(current, &blob); - /* scaffolding until process_measurement changes */ - ret = process_measurement(bprm->file, current_cred(), blob.secid[0], - NULL, 0, MAY_EXEC, BPRM_CHECK); + ret = process_measurement(bprm->file, current_cred(), &blob, NULL, 0, + MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(bprm->file, bprm->cred, blob.secid[0], - NULL, 0, MAY_EXEC, CREDS_CHECK); + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, + MAY_EXEC, CREDS_CHECK); } /** @@ -500,8 +497,7 @@ int ima_file_check(struct file *file, int mask) struct lsmblob blob; security_task_getsecid_subj(current, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], NULL, 0, + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -698,9 +694,8 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid_subj(current, &blob); - /* scaffolding - until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], NULL, - 0, MAY_READ, func); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { 
@@ -742,9 +737,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid_subj(current, &blob); - /* scaffolding until process_measurement changes */ - return process_measurement(file, current_cred(), blob.secid[0], buf, - size, MAY_READ, func); + return process_measurement(file, current_cred(), &blob, buf, size, + MAY_READ, func); } /** @@ -889,7 +883,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns, security_task_getsecid_subj(current, &blob); /* scaffolding */ action = ima_get_action(mnt_userns, inode, current_cred(), - blob.secid[0], 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data); if (!(action & IMA_MEASURE)) return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 5ee7629fd782..caacd8bf0462 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -546,7 +546,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @mnt_userns: user namespace of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the lsm data of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -556,8 +556,8 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct user_namespace *mnt_userns, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, - const char *func_data) + struct lsmblob *blob, enum ima_hooks func, + int mask, const char *func_data) { int i; 
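Review bot: the `/* scaffolding */` comments left in the ima_file_mprotect() and process_buffer_measurement() hunks are now stale. Both calls pass `&blob` instead of `blob.secid[0]`, so the scaffolding they flagged is gone; the other hunks in ima_main.c drop their `scaffolding` comments together with the `.secid[0]` extraction, and these two should do the same.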
@@ -626,8 +626,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - lsmblob_init(&lsmdata, secid); - rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, + rc = ima_filter_rule_match(blob, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); break; @@ -671,7 +670,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM data of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend @@ -686,8 +685,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data) { 
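Review bot: the commit message names only ima_get_action() and ima_match_policy(), but the hunks also change the signatures of process_measurement() and ima_match_rules() and every caller that previously extracted `blob.secid[0]`; listing those in the log keeps the signature changes searchable. Minor: the kerneldoc for the new parameter reads `@blob: LSM data of the task being validated` in ima_api.c and in ima_match_policy() but `the lsm data of the task to be validated` in ima_match_rules(); use one spelling.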
@@ -703,7 +702,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, mnt_userns, inode, cred, secid, + if (!ima_match_rules(entry, mnt_userns, inode, cred, blob, func, mask, func_data)) continue;

From patchwork Fri Jun 11 00:04:24 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314405
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley, Greg Kroah-Hartman, linux-api@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v27 14/25] LSM: Specify which LSM to display
Date: Thu, 10 Jun 2021 17:04:24 -0700
Message-Id: <20210611000435.36398-15-casey@schaufler-ca.com>
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Create a new entry "interface_lsm" in the procfs attr directory for controlling which LSM security information is displayed for a process. A process can only read or write its own display value.

The name of an active LSM that supplies hooks for human readable data may be written to "interface_lsm" to set the value. The name of the LSM currently in use can be read from "interface_lsm". At this point there can only be one LSM capable of display active. A helper function lsm_task_ilsm() is provided to get the interface lsm slot for a task_struct.

Setting the "interface_lsm" requires that all security modules using setprocattr hooks allow the action. Each security module is responsible for defining its policy.

AppArmor hook provided by John Johansen
SELinux hook provided by Stephen Smalley
Signed-off-by: Casey Schaufler Cc: Kees Cook Cc: Stephen Smalley Cc: Paul Moore Cc: John Johansen Cc: Greg Kroah-Hartman Cc: linux-api@vger.kernel.org Cc: linux-doc@vger.kernel.org --- .../ABI/testing/procfs-attr-lsm_display | 22 +++ Documentation/security/lsm.rst | 14 ++ fs/proc/base.c | 1 + include/linux/lsm_hooks.h | 17 ++ security/apparmor/include/apparmor.h | 3 +- security/apparmor/lsm.c | 32 ++++ security/security.c | 166 ++++++++++++++++-- security/selinux/hooks.c | 11 ++ security/selinux/include/classmap.h | 2 +- security/smack/smack_lsm.c | 7 + 10 files changed, 256 insertions(+), 19 deletions(-) create mode 100644 Documentation/ABI/testing/procfs-attr-lsm_display diff --git a/Documentation/ABI/testing/procfs-attr-lsm_display b/Documentation/ABI/testing/procfs-attr-lsm_display new file mode 100644 index 000000000000..0f60005c235c --- /dev/null +++ b/Documentation/ABI/testing/procfs-attr-lsm_display @@ -0,0 +1,22 @@ +What: /proc/*/attr/lsm_display +Contact: linux-security-module@vger.kernel.org, +Description: The name of the Linux security module (LSM) that will + provide information in the /proc/*/attr/current, + /proc/*/attr/prev and /proc/*/attr/exec interfaces. + The details of permissions required to read from + this interface are dependent on the LSMs active on the + system. + A process cannot write to this interface unless it + refers to itself. + The other details of permissions required to write to + this interface are dependent on the LSMs active on the + system. + The format of the data used by this interface is a + text string identifying the name of an LSM. The values + accepted are: + selinux - the SELinux LSM + smack - the Smack LSM + apparmor - The AppArmor LSM + By convention the LSM names are lower case and do not + contain special characters. +Users: LSM user-space diff --git a/Documentation/security/lsm.rst b/Documentation/security/lsm.rst index 6a2a2e973080..b77b4a540391 100644 --- a/Documentation/security/lsm.rst 
+++ b/Documentation/security/lsm.rst @@ -129,3 +129,17 @@ to identify it as the first security module to be registered. The capabilities security module does not use the general security blobs, unlike other modules. The reasons are historical and are based on overhead, complexity and performance concerns. + +LSM External Interfaces +======================= + +The LSM infrastructure does not generally provide external interfaces. +The individual security modules provide what external interfaces they +require. + +The file ``/sys/kernel/security/lsm`` provides a comma +separated list of the active security modules. + +The file ``/proc/pid/attr/interface_lsm`` contains the name of the security +module for which the ``/proc/pid/attr/current`` interface will +apply. This interface can be written to. diff --git a/fs/proc/base.c b/fs/proc/base.c index 3851bfcdba56..10de522f3112 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2807,6 +2807,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", 0666), ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), + ATTR(NULL, "interface_lsm", 0666), #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index c61a16f0a5bc..d2c4bc94d47f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1686,4 +1686,21 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, extern int lsm_inode_alloc(struct inode *inode); +/** + * lsm_task_ilsm - the "interface_lsm" for this task + * @task: The task to report on + * + * Returns the task's interface LSM slot. + */ +static inline int lsm_task_ilsm(struct task_struct *task) +{ +#ifdef CONFIG_SECURITY + int *ilsm = task->security; + + if (ilsm) + return *ilsm; +#endif + return LSMBLOB_INVALID; +} + #endif /* ! __LINUX_LSM_HOOKS_H */ 
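Review bot: the new ABI file is named procfs-attr-lsm_display and its `What:` line documents `/proc/*/attr/lsm_display`, but fs/proc/base.c creates the entry as `ATTR(NULL, "interface_lsm", 0666)` and lsm.rst documents `/proc/pid/attr/interface_lsm`; the ABI file name and path should use the interface_lsm name. Two smaller points in the same hunk: the `Contact:` line ends in a stray comma, and `apparmor - The AppArmor LSM` capitalises `The` while the selinux and smack entries do not. The lsm.rst hunk says interface_lsm selects the module for `/proc/pid/attr/current` only, while the ABI file lists current, prev and exec, and the security.c hunks below also apply it to the secid/secctx conversions and SO_PEERSEC; the two documents should describe the same scope.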
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h index 1fbabdb565a8..b1622fcb4394 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h @@ -28,8 +28,9 @@ #define AA_CLASS_SIGNAL 10 #define AA_CLASS_NET 14 #define AA_CLASS_LABEL 16 +#define AA_CLASS_DISPLAY_LSM 17 -#define AA_CLASS_LAST AA_CLASS_LABEL +#define AA_CLASS_LAST AA_CLASS_DISPLAY_LSM /* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 392e25940d1f..4237536106aa 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -621,6 +621,25 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, return error; } + +static int profile_interface_lsm(struct aa_profile *profile, + struct common_audit_data *sa) +{ + struct aa_perms perms = { }; + unsigned int state; + + state = PROFILE_MEDIATES(profile, AA_CLASS_DISPLAY_LSM); + if (state) { + aa_compute_perms(profile->policy.dfa, state, &perms); + aa_apply_modes_to_perms(profile, &perms); + aad(sa)->label = &profile->label; + + return aa_check_perms(profile, &perms, AA_MAY_WRITE, sa, NULL); + } + + return 0; +} + static int apparmor_setprocattr(const char *name, void *value, size_t size) { @@ -632,6 +651,19 @@ static int apparmor_setprocattr(const char *name, void *value, if (size == 0) return -EINVAL; + /* LSM infrastructure does actual setting of interface_lsm if allowed */ + if (!strcmp(name, "interface_lsm")) { + struct aa_profile *profile; + struct aa_label *label; + + aad(&sa)->info = "set interface lsm"; + label = begin_current_label_crit_section(); + error = fn_for_each_confined(label, profile, + profile_interface_lsm(profile, &sa)); + end_current_label_crit_section(label); + return error; + } + /* AppArmor requires that the buffer must be null terminated atm */ if (args[size - 1] != '\0') { /* null terminate */ 
diff --git a/security/security.c b/security/security.c index c2a5c50e913b..fe18c8d8bc22 100644 --- a/security/security.c +++ b/security/security.c @@ -77,7 +77,16 @@ static struct kmem_cache *lsm_file_cache; static struct kmem_cache *lsm_inode_cache; char *lsm_names; -static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init; + +/* + * The task blob includes the "interface_lsm" slot used for + * chosing which module presents contexts. + * Using a long to avoid potential alignment issues with + * module assigned task blobs. + */ +static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init = { + .lbs_task = sizeof(long), +}; /* Boot-time LSM user choice */ static __initdata const char *chosen_lsm_order; @@ -671,6 +680,8 @@ int lsm_inode_alloc(struct inode *inode) */ static int lsm_task_alloc(struct task_struct *task) { + int *ilsm; + if (blob_sizes.lbs_task == 0) { task->security = NULL; return 0; @@ -679,6 +690,15 @@ static int lsm_task_alloc(struct task_struct *task) task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); if (task->security == NULL) return -ENOMEM; + + /* + * The start of the task blob contains the "interface" LSM slot number. + * Start with it set to the invalid slot number, indicating that the + * default first registered LSM be displayed. + */ + ilsm = task->security; + *ilsm = LSMBLOB_INVALID; + return 0; } @@ -1734,14 +1754,26 @@ int security_file_open(struct file *file) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { + int *oilsm = current->security; + int *nilsm; int rc = lsm_task_alloc(task); - if (rc) + if (unlikely(rc)) return rc; + rc = call_int_hook(task_alloc, 0, task, clone_flags); - if (unlikely(rc)) + if (unlikely(rc)) { security_task_free(task); - return rc; + return rc; + } + + if (oilsm) { + nilsm = task->security; + if (nilsm) + *nilsm = *oilsm; + } + + return 0; } void security_task_free(struct task_struct *task) 
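Review bot: in the new blob_sizes comment, `chosing` should be `choosing`. With `.lbs_task = sizeof(long)` as the initial value, the `if (blob_sizes.lbs_task == 0)` early return in lsm_task_alloc() can no longer be taken, so either drop that branch or have the new comment in lsm_task_alloc() state that a task blob is now always allocated; the `if (oilsm)` and `if (nilsm)` NULL checks added to security_task_alloc() would then be unnecessary as well. The `if (rc)` to `if (unlikely(rc))` change on the lsm_task_alloc() return is unrelated to this patch and could be left out.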
@@ -2173,23 +2205,110 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + int ilsm = lsm_task_ilsm(current); + int slot = 0; + + if (!strcmp(name, "interface_lsm")) { + /* + * lsm_slot will be 0 if there are no displaying modules. + */ + if (lsm_slot == 0) + return -EINVAL; + + /* + * Only allow getting the current process' interface_lsm. + * There are too few reasons to get another process' + * interface_lsm and too many LSM policy issues. + */ + if (current != p) + return -EINVAL; + + ilsm = lsm_task_ilsm(p); + if (ilsm != LSMBLOB_INVALID) + slot = ilsm; + *value = kstrdup(lsm_slotlist[slot]->lsm, GFP_KERNEL); + if (*value) + return strlen(*value); + return -ENOMEM; + } hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; + if (lsm == NULL && ilsm != LSMBLOB_INVALID && + ilsm != hp->lsmid->slot) + continue; return hp->hook.getprocattr(p, name, value); } return LSM_RET_DEFAULT(getprocattr); } +/** + * security_setprocattr - Set process attributes via /proc + * @lsm: name of module involved, or NULL + * @name: name of the attribute + * @value: value to set the attribute to + * @size: size of the value + * + * Set the process attribute for the specified security module + * to the specified value. Note that this can only be used to set + * the process attributes for the current, or "self" process. + * The /proc code has already done this check. + * + * Returns 0 on success, an appropriate code otherwise. + */ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size) { struct security_hook_list *hp; + char *termed; + char *copy; + int *ilsm = current->security; + int rc = -EINVAL; + int slot = 0; + + if (!strcmp(name, "interface_lsm")) { + /* + * Change the "interface_lsm" value only if all the security + * modules that support setting a procattr allow it. 
+ * It is assumed that all such security modules will be + * cooperative. + */ + if (size == 0) + return -EINVAL; + + hlist_for_each_entry(hp, &security_hook_heads.setprocattr, + list) { + rc = hp->hook.setprocattr(name, value, size); + if (rc < 0) + return rc; + } + + rc = -EINVAL; + + copy = kmemdup_nul(value, size, GFP_KERNEL); + if (copy == NULL) + return -ENOMEM; + + termed = strsep(©, " \n"); + + for (slot = 0; slot < lsm_slot; slot++) + if (!strcmp(termed, lsm_slotlist[slot]->lsm)) { + *ilsm = lsm_slotlist[slot]->slot; + rc = size; + break; + } + + kfree(termed); + return rc; + } hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; + if (lsm == NULL && *ilsm != LSMBLOB_INVALID && + *ilsm != hp->lsmid->slot) + continue; return hp->hook.setprocattr(name, value, size); } return LSM_RET_DEFAULT(setprocattr); @@ -2209,15 +2328,15 @@ EXPORT_SYMBOL(security_ismaclabel); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; - int rc; + int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], - secdata, seclen); - if (rc != LSM_RET_DEFAULT(secid_to_secctx)) - return rc; + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + return hp->hook.secid_to_secctx( + blob->secid[hp->lsmid->slot], + secdata, seclen); } return LSM_RET_DEFAULT(secid_to_secctx); 
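Review bot: security_setprocattr() takes `int *ilsm = current->security` and dereferences it unconditionally (`*ilsm = lsm_slotlist[slot]->slot`, `*ilsm != LSMBLOB_INVALID`), while lsm_task_ilsm() and security_task_alloc() in this same patch guard against a NULL task blob. Either the NULL case is impossible and the guards elsewhere are dead, or this function needs the same check; please make the three sites agree. In the `interface_lsm` branch, the loop over the setprocattr hooks runs before the written value is compared against lsm_slotlist, so every module's policy check is consulted even for a name that is then rejected with -EINVAL; validating the name first is cheaper and gives a clearer error. In security_getprocattr(), `ilsm` is already `lsm_task_ilsm(current)` and `current == p` has just been established, so the second `ilsm = lsm_task_ilsm(p)` is redundant.

Review bot: the security_secid_to_secctx() hunk changes the fall-through behaviour: previously a module returning LSM_RET_DEFAULT(secid_to_secctx) let the next module answer, whereas now, with `ilsm == LSMBLOB_INVALID`, the first registered module's result is returned whether or not it handled the request. If that is intended (the first registered module is the default, as the lsm_task_alloc() comment says), a one-line comment here would help; if not, keep the fall-through for the LSMBLOB_INVALID case.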
@@ -2228,16 +2347,15 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob) { struct security_hook_list *hp; - int rc; + int ilsm = lsm_task_ilsm(current); lsmblob_init(blob, 0); hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - rc = hp->hook.secctx_to_secid(secdata, seclen, - &blob->secid[hp->lsmid->slot]); - if (rc != 0) - return rc; + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + return hp->hook.secctx_to_secid(secdata, seclen, + &blob->secid[hp->lsmid->slot]); } return 0; } @@ -2245,7 +2363,14 @@ EXPORT_SYMBOL(security_secctx_to_secid); void security_release_secctx(char *secdata, u32 seclen) { - call_void_hook(release_secctx, secdata, seclen); + struct security_hook_list *hp; + int ilsm = lsm_task_ilsm(current); + + hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { + hp->hook.release_secctx(secdata, seclen); + return; + } } EXPORT_SYMBOL(security_release_secctx); @@ -2386,8 +2511,15 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int __user *optlen, unsigned len) { - return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, - optval, optlen, len); + int ilsm = lsm_task_ilsm(current); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream, + list) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + return hp->hook.socket_getpeersec_stream(sock, optval, + optlen, len); + return -ENOPROTOOPT; } int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0133b142e938..dba867721336 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
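Review bot: security_secid_to_secctx(), security_secctx_to_secid() and security_release_secctx() now each choose the module from `lsm_task_ilsm(current)` at call time, which leaves the pairing between allocation and release implicit. A secctx obtained while interface_lsm named one module and released after the task wrote a different value to interface_lsm, or released by a different task than the one that requested it, is handed to a module that did not allocate it. Consider either documenting that a secctx must be released by the same task without an intervening interface_lsm change, or carrying the originating slot alongside the secctx so release_secctx can route to the right module regardless of the caller's current setting.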
@@ -6510,6 +6510,17 @@ static int selinux_setprocattr(const char *name, void *value, size_t size) /* * Basic control over ability to set these attributes at all. */ + + /* + * For setting interface_lsm, we only perform a permission check; + * the actual update to the interface_lsm value is handled by the + * LSM framework. + */ + if (!strcmp(name, "interface_lsm")) + return avc_has_perm(&selinux_state, + mysid, mysid, SECCLASS_PROCESS2, + PROCESS2__SETDISPLAY, NULL); + if (!strcmp(name, "exec")) error = avc_has_perm(&selinux_state, mysid, mysid, SECCLASS_PROCESS, diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 62d19bccf3de..8f4b0dd6dd78 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -53,7 +53,7 @@ struct security_class_mapping secclass_map[] = { "execmem", "execstack", "execheap", "setkeycreate", "setsockcreate", "getrlimit", NULL } }, { "process2", - { "nnp_transition", "nosuid_transition", NULL } }, + { "nnp_transition", "nosuid_transition", "setdisplay", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", "module_load", NULL } }, diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5c10ad27be37..7aa7ea38f627 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
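Review bot: the new SELinux permission is `setdisplay` (PROCESS2__SETDISPLAY) and the AppArmor class is AA_CLASS_DISPLAY_LSM, while the interface itself, the Smack comment and the AppArmor audit message (`set interface lsm`) use the interface_lsm name. Because the SELinux permission name and the AppArmor class become part of the user-visible policy language, settling on one name before merge avoids a later incompatible rename. The SELinux hunk also adds a blank line between the `Basic control over ability to set these attributes at all.` comment and the new block, detaching that comment from the checks it introduces.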
@@ -3508,6 +3508,13 @@ static int smack_setprocattr(const char *name, void *value, size_t size) struct smack_known_list_elem *sklep; int rc; + /* + * Allow the /proc/.../attr/current and SO_PEERSEC "interface_lsm" + * to be reset at will. + */ + if (strcmp(name, "interface_lsm") == 0) + return 0; + if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) return -EPERM;

From patchwork Fri Jun 11 00:04:25 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314407
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Chuck Lever, linux-integrity@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v27 15/25] LSM: Ensure the correct LSM context releaser
Date: Thu, 10 Jun 2021 17:04:25 -0700
Message-Id: <20210611000435.36398-16-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:

Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Chuck Lever
Signed-off-by: Casey Schaufler
Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso
Cc: linux-nfs@vger.kernel.org
---
 drivers/android/binder.c                | 10 ++++---
 fs/ceph/xattr.c                         |  6 ++++-
 fs/nfs/nfs4proc.c                       |  8 ++++--
 fs/nfsd/nfs4xdr.c                       |  7 +++--
 include/linux/security.h                | 35 +++++++++++++++++++++++--
 include/net/scm.h                       |  5 +++-
 kernel/audit.c                          | 14 +++++++---
 kernel/auditsc.c                        | 12 ++++++---
 net/ipv4/ip_sockglue.c                  |  4 ++-
 net/netfilter/nf_conntrack_netlink.c    |  4 ++-
 net/netfilter/nf_conntrack_standalone.c |  4 ++-
 net/netfilter/nfnetlink_queue.c         | 13 ++++++---
 net/netlabel/netlabel_unlabeled.c       | 19 +++++++++++---
 net/netlabel/netlabel_user.c            |  4 ++-
 security/security.c                     | 11 ++++----
 15 files changed, 121 insertions(+), 35 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index ab55358f868b..eca789340ef6 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2461,6 +2461,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2772,7 +2773,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id;
@@ -3114,8 +3116,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index 1242db8d3444..b867089e1aa4 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1356,12 +1356,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 87d04f2c9385..a179d70eeb7e 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -136,8 +136,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 7abeccb975b2..089ec4b61ef1 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c 
@@ -2844,6 +2844,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -3345,8 +3346,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index c1c31eb23859..3b2ffef65b05 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -133,6 +133,37 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules * 
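Review bot: the kernel-doc for struct lsmcontext in include/linux/security.h says `slot` "identifies the module" but not which values are valid or what a slot of 0 means, yet every lsmcontext_init() call in this patch passes a literal 0 and security_release_secctx() dispatches on that field; since the lsmcontext_init() comment already calls this scaffolding, document (or give a named constant to) the placeholder slot so the call sites that still need a real slot are easy to find when the scaffolding is removed, and state in the struct comment whether LSMBLOB_INVALID is an acceptable value for `slot`.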
@@ -550,7 +581,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1414,7 +1445,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 23a35ff1b3f2..f273c4d777ec 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 8ec64e6e8bc0..c17ec23158c4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1192,6 +1192,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) 
@@ -1449,15 +1450,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2132,6 +2136,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) @@ -2145,7 +2150,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 573c6a8e505f..3fb9d3639123 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -996,6 +996,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -1013,7 +1014,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); 
@@ -1226,6 +1228,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1259,7 +1262,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1408,6 +1412,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1416,7 +1421,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 2f089733ada7..a7e4c1b34b6c 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen, secid; @@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index caf3ecb5a66b..914ab6a96573 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -339,6 +339,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; /* lsmblob_init() puts ct->secmark into all of the secids in blob. * security_secid_to_secctx() will know which security module @@ -359,7 +360,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index b02afa0a1516..b039445f3efc 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index bdbb0b60bf7b..06b7751c7668 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; @@ -626,8 +627,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -635,8 +638,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index b08442582874..8ca1e2b33dcf 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); 
@@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -509,7 +513,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -546,6 +552,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -576,7 +583,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1095,6 +1103,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1165,7 +1174,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 
--- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index fe18c8d8bc22..afa0b116d222 100644 --- a/security/security.c +++ b/security/security.c 
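Review bot: the scaffolding markers are inconsistent across the converted call sites: netlabel_user.c has `lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/` with no space before the comment, nfs4xdr.c and auditsc.c use `/*scaffolding*/` glued to the call, several netlabel_unlabeled.c hunks put `/* scaffolding */` on its own line, and the audit.c and nfnetlink_queue.c hunks carry no marker at all; pick one form (a separate `/* scaffolding */` line, which also keeps the lines under 80 columns and quiet under checkpatch) so the temporary calls can be grepped out reliably in the follow-up patch.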
@@ -2361,16 +2361,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + break; } + + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx);

From patchwork Fri Jun 11 00:04:26 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314437
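Review bot: the rewritten security_release_secctx() in security/security.c drops the `ilsm == LSMBLOB_INVALID` catch-all, so a context whose `slot` matches no registered module falls through the loop and is zeroed by the memset without any module's release_secctx hook being called; with every caller in this patch passing slot 0 from lsmcontext_init(), a string produced by a module that does not occupy slot 0 is never freed, which for SELinux (which, per the commit message, allocates on each use) is a leak. Either keep the LSMBLOB_INVALID fallback until the scaffolding callers are converted to pass the real slot, or add a WARN_ON_ONCE() when the loop finishes without a match so the mismatch is visible.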
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v27 16/25] LSM: Use lsmcontext in security_secid_to_secctx
Date: Thu, 10 Jun 2021 17:04:26 -0700
Message-Id: <20210611000435.36398-17-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:

Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure.

Reviewed-by: Kees Cook
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
---
 drivers/android/binder.c                | 26 +++++++---
 include/linux/security.h                |  4 +--
 include/net/scm.h                       |  9 ++----
 kernel/audit.c                          | 39 +++++++++++-------------
 kernel/auditsc.c                        | 31 +++++++------------
 net/ipv4/ip_sockglue.c                  |  8 ++---
 net/netfilter/nf_conntrack_netlink.c    | 18 +++++------
 net/netfilter/nf_conntrack_standalone.c |  7 ++---
 net/netfilter/nfnetlink_queue.c         |  5 +++-
 net/netlabel/netlabel_unlabeled.c       | 40 ++++++++-----------------
 net/netlabel/netlabel_user.c            |  7 ++---
 security/security.c                     | 10 +++++--
 12 files changed, 81 insertions(+), 123 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index eca789340ef6..f2a27bbbbe4d 100644 --- a/drivers/android/binder.c
+++ b/drivers/android/binder.c @@ -2459,9 +2459,7 @@ static void binder_transaction(struct binder_proc *proc, binder_size_t last_fixup_min_off = 0; struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); - char *secctx = NULL; - u32 secctx_sz = 0; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext lsmctx = { }; e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2724,14 +2722,14 @@ static void binder_transaction(struct binder_proc *proc, * case well anyway. */ security_task_getsecid_obj(proc->tsk, &blob); - ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); + ret = security_secid_to_secctx(&blob, &lsmctx); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { /* integer overflow of extra_buffers_size */ @@ -2758,24 +2756,22 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - secctx = NULL; + security_release_secctx(&lsmctx); } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; 
@@ -2832,7 +2828,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { @@ -3116,10 +3112,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) { - lsmcontext_init(&scaff, secctx, secctx_sz, 0); - security_release_secctx(&scaff); - } + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/include/linux/security.h b/include/linux/security.h index 3b2ffef65b05..666bd85e142b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -578,7 +578,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1433,7 +1433,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index f273c4d777ec..b77a52f93389 100644 --- a/include/net/scm.h +++ b/include/net/scm.h 
@@ -94,8 +94,6 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { @@ -103,12 +101,11 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc * and the infrastructure will know which it is. */ lsmblob_init(&lb, scm->secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - /*scaffolding*/ - lsmcontext_init(&context, secdata, seclen, 0); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len, + context.context); security_release_secctx(&context); } } diff --git a/kernel/audit.c b/kernel/audit.c index c17ec23158c4..841123390d41 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1190,9 +1190,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; - u32 len; - struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) 
@@ -1440,33 +1437,34 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) kfree(new); break; } - case AUDIT_SIGNAL_INFO: - len = 0; + case AUDIT_SIGNAL_INFO: { + struct lsmcontext context = { }; + int len = 0; + if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_secid_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_secid_to_secctx(&audit_sig_lsm, + &context); if (err) return err; } - sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); + sig_data = kmalloc(sizeof(*sig_data) + context.len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) { - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); - } + if (lsmblob_is_set(&audit_sig_lsm)) + security_release_secctx(&context); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + len = context.len; + memcpy(sig_data->ctx, context.context, len); + security_release_secctx(&context); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); kfree(sig_data); break; + } case AUDIT_TTY_GET: { struct audit_tty_status s; unsigned int t; 
@@ -2132,26 +2130,23 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { - char *ctx = NULL; - unsigned len; int error; struct lsmblob blob; - struct lsmcontext scaff; /* scaffolding */ + struct lsmcontext context; security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &ctx, &len); + error = security_secid_to_secctx(&blob, &context); if (error) { if (error != -EINVAL) goto error_path; return 0; } - audit_log_format(ab, " subj=%s", ctx); - lsmcontext_init(&scaff, ctx, len, 0); - security_release_secctx(&scaff); + audit_log_format(ab, " subj=%s", context.context); + security_release_secctx(&context); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3fb9d3639123..67da23f6bebd 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -996,9 +996,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmcxt; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1009,13 +1007,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &ctx, &len)) { + if (security_secid_to_secctx(blob, &lsmctx)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } audit_log_format(ab, " ocomm="); 
@@ -1228,7 +1225,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1252,17 +1248,15 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (osid) { - char *ctx = NULL; - u32 len; + struct lsmcontext lsmcxt; struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmcxt)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); + audit_log_format(ab, " obj=%s", lsmcxt.context); security_release_secctx(&lsmcxt); } } @@ -1409,20 +1403,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (n->osid != 0) { - char *ctx = NULL; - u32 len; struct lsmblob blob; - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &ctx, &len)) { + if (security_secid_to_secctx(&blob, &lsmctx)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index a7e4c1b34b6c..ae073b642fa7 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -132,8 +132,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { struct lsmcontext context; struct lsmblob lb; - char *secdata; - u32 seclen, secid; + u32 secid; int err; err = security_socket_getpeersec_dgram(NULL, skb, &secid); 
@@ -141,12 +140,11 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; lsmblob_init(&lb, secid); - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context); security_release_secctx(&context); } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 914ab6a96573..215d3f9e9715 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -336,8 +336,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + int ret; struct lsmblob blob; struct lsmcontext context; @@ -345,7 +344,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; @@ -354,13 +353,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, context.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); return ret; } 
@@ -655,15 +653,15 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; struct lsmblob blob; + struct lsmcontext context; - /* lsmblob_init() puts ct->secmark into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, NULL, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return 0; + len = context.len; + security_release_secctx(&context); + return nla_total_size(0) /* CTA_SECCTX */ + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index b039445f3efc..df6043d1bc22 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -173,19 +173,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { int ret; - u32 len; - char *secctx; struct lsmblob blob; struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", context.context); - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ security_release_secctx(&context); } #else diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 06b7751c7668..719ec0f0f2ab 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; + struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) return 0; 
@@ -317,10 +318,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, secdata, &seclen); + security_secid_to_secctx(&blob, &context); + *secdata = context.context; } read_unlock_bh(&skb->sk->sk_callback_lock); + seclen = context.len; #endif return seclen; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 8ca1e2b33dcf..3daa99396335 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - char *secctx = NULL; - u32 secctx_len; struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && @@ -444,12 +442,9 @@ int netlbl_unlhsh_add(struct net *net, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + if (security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); @@ -482,8 +477,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); 
@@ -510,11 +503,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -553,8 +544,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); @@ -580,10 +569,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (entry != NULL) lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0); + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", + context.context); security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); @@ -1106,8 +1094,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct lsmcontext context; void *data; u32 secid; - char *secctx; - u32 secctx_len; struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, 
@@ -1167,15 +1153,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(&blob, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - /* scaffolding */ - lsmcontext_init(&context, secctx, secctx_len, 0); + context.len, + context.context); security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index ef139d8ae7cd..951ba0639d20 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - char *secctx; - u32 secctx_len; struct lsmblob blob; if (audit_enabled == AUDIT_OFF) @@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_secid_to_secctx(&blob, &context) == 0) { + audit_log_format(audit_buf, " subj=%s", context.context); security_release_secctx(&context); } diff --git a/security/security.c b/security/security.c index afa0b116d222..de7d5a9bdb76 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2325,18 +2325,22 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int ilsm = lsm_task_ilsm(current); + memset(cp, 0, sizeof(*cp)); + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) + if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { + cp->slot = hp->lsmid->slot; return hp->hook.secid_to_secctx( blob->secid[hp->lsmid->slot], - secdata, seclen); + &cp->context, &cp->len); + } } return LSM_RET_DEFAULT(secid_to_secctx);
From patchwork Fri Jun 11 00:04:27 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314439
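Review bot: in the drivers/android/binder.c hunk of 16/25 that copies the context into the transaction buffer, removing `secctx = NULL;` after `security_release_secctx(&lsmctx);` makes the later `err_bad_extra_size: if (lsmctx.context) security_release_secctx(&lsmctx);` depend on security_release_secctx() zeroing `lsmctx.context`. The old code cleared the pointer precisely so that error paths reached after the copy could not release the same context twice. If security_release_secctx() is guaranteed to clear the structure, a short comment at the release site saying so would save the next reader the trip; if not, keep an explicit `lsmctx.context = NULL;` after the call.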
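Review bot: the ctnetlink_secctx_size() hunk in net/netfilter/nf_conntrack_netlink.c (16/25) deletes `lsmblob_init(&blob, ct->secmark);` together with the comment above it, so `blob` is now passed to security_secid_to_secctx() uninitialised and the size returned is for whatever secid happened to be on the stack. Put `lsmblob_init(&blob, ct->secmark);` back before the call (dropping the comment is fine). Separately, the old `security_secid_to_secctx(&blob, NULL, &len)` was a length-only query; the new code creates the full context and releases it just to read `context.len`. That is the only option with the new interface, but a one-line comment saying so would stop someone later passing a NULL pointer again to "optimise" it.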
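Review bot: in the net/netfilter/nfnetlink_queue.c hunk of 16/25, nfqnl_get_sk_secctx() still hands the result back through `char **secdata` and a `u32` length, so `context.slot` is discarded and the eventual release of that secdata cannot select the right LSM's release hook, which is the problem this series exists to fix. Changing nfqnl_get_sk_secctx() to fill a caller-supplied `struct lsmcontext *` and releasing through it would close that gap. Minor: `*secdata = context.context;` is assigned inside the locked region while `seclen = context.len;` is assigned after `read_unlock_bh()`; setting both in the same place would read more clearly.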
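Review bot: in the AUDIT_SIGNAL_INFO hunk of kernel/audit.c (16/25), `int len = 0;` duplicates `context.len` (a `u32`) and is only assigned inside the third `lsmblob_is_set(&audit_sig_lsm)` test. Because `context` is zero-initialised, `context.len` can be used directly in both the kmalloc() size and the audit_send_reply() size and `len` dropped; the three `lsmblob_is_set()` tests could then become `if (context.context)`, which also avoids re-reading the global `audit_sig_lsm` after the context has already been built from it.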
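Review bot: in the kernel/auditsc.c hunks of 16/25, audit_log_pid_context() and audit_log_name() rename the local to `lsmctx` while show_special() keeps `lsmcxt`; since the patch touches all three functions, using one spelling would avoid a grep trap later.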
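Review bot: in the security/security.c hunk of 16/25, `cp->slot = hp->lsmid->slot;` is stored before the hook is called, so when the hook fails the caller sees `cp->context == NULL` alongside a valid-looking slot, and a caller that releases without checking would hand a NULL context to that LSM's release hook. Setting the slot only on success, or documenting above the function that `cp->context` is the only validity indicator, would make the contract explicit. Related: the `!CONFIG_SECURITY` stub in include/linux/security.h returns -EOPNOTSUPP without touching `*cp`, so the `memset()` here does not give callers a zeroed structure in every configuration; callers that test `lsmctx.context` instead of the return value (binder does) must keep the `= { }` initialiser, and that is worth a comment on the stub.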
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Chuck Lever , linux-nfs@vger.kernel.org Subject: [PATCH v27 17/25] LSM: Use lsmcontext in security_inode_getsecctx Date: Thu, 10 Jun 2021 17:04:27 -0700 Message-Id: <20210611000435.36398-18-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change the security_inode_getsecctx() interface to fill a lsmcontext structure instead of data and length pointers. This provides the information about which LSM created the context so that security_release_secctx() can use the correct hook. Acked-by: Stephen Smalley Acked-by: Paul Moore Acked-by: Chuck Lever Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-nfs@vger.kernel.org --- fs/nfsd/nfs4xdr.c | 23 +++++++++-------------- include/linux/security.h | 5 +++-- security/security.c | 13 +++++++++++-- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 089ec4b61ef1..fc7ba114c298 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2727,11 +2727,11 @@ nfsd4_encode_layout_types(struct xdr_stream *xdr, u32 layout_types) #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { __be32 *p; - p = xdr_reserve_space(xdr, len + 4 + 4 + 4); + p = xdr_reserve_space(xdr, context->len + 4 + 4 + 4); if (!p) return nfserr_resource; 
@@ -2741,13 +2741,13 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, */ *p++ = cpu_to_be32(0); /* lfs */ *p++ = cpu_to_be32(0); /* pi */ - p = xdr_encode_opaque(p, context, len); + p = xdr_encode_opaque(p, context->context, context->len); return 0; } #else static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { return 0; } #endif @@ -2844,9 +2844,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - struct lsmcontext scaff; /* scaffolding */ - void *context = NULL; - int contextlen; + struct lsmcontext context = { }; #endif bool contextsupport = false; struct nfsd4_compoundres *resp = rqstp->rq_resp; @@ -2904,7 +2902,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) { if (exp->ex_flags & NFSEXP_SECURITY_LABEL) err = security_inode_getsecctx(d_inode(dentry), - &context, &contextlen); + &context); else err = -EOPNOTSUPP; contextsupport = (err == 0); @@ -3324,8 +3322,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, #ifdef CONFIG_NFSD_V4_SECURITY_LABEL if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) { - status = nfsd4_encode_security_label(xdr, rqstp, context, - contextlen); + status = nfsd4_encode_security_label(xdr, rqstp, &context); if (status) goto out; } @@ -3346,10 +3343,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) { - lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ - security_release_secctx(&scaff); - } + if (context.context) + security_release_secctx(&context); #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index 666bd85e142b..0129400ff6e9 100644 --- a/include/linux/security.h 
+++ b/include/linux/security.h @@ -585,7 +585,7 @@ void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp); int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ @@ -1461,7 +1461,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 { return -EOPNOTSUPP; } -static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static inline int security_inode_getsecctx(struct inode *inode, + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index de7d5a9bdb76..a5150de2f3db 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2397,9 +2397,18 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) } EXPORT_SYMBOL(security_inode_setsecctx); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); + struct security_hook_list *hp; + + memset(cp, 0, sizeof(*cp)); + + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) { + cp->slot = hp->lsmid->slot; + return hp->hook.inode_getsecctx(inode, (void **)&cp->context, + &cp->len); + } + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_inode_getsecctx);
From patchwork Fri Jun 11 00:04:28 2021
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12314441
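Review bot: in the fs/nfsd/nfs4xdr.c hunks of 17/25, `struct lsmcontext context = { };` is what keeps the `if (context.context)` release at `out:` safe on paths that jump there before security_inode_getsecctx() has run, and in a `!CONFIG_SECURITY` build, where the stub leaves `*cp` untouched. A comment on the declaration would stop the initialiser being removed later as redundant with the memset() inside security_inode_getsecctx().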
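Review bot: in the security/security.c hunk of 17/25, the new security_inode_getsecctx() returns from the first registered inode_getsecctx hook with no `lsm_task_ilsm()` slot filter, unlike security_secid_to_secctx() in 16/25. With more than one LSM providing inode_getsecctx (SELinux and Smack both do), the label nfsd exports would come from whichever module registered first rather than from the caller's chosen LSM. Either apply the same `ilsm` check or add a comment stating why the first hook is always the right one; as written, a `hlist_for_each_entry()` whose body unconditionally returns also reads like a loop that was meant to iterate. The `(void **)&cp->context` cast papers over the `char *` vs `void *` mismatch between lsmcontext and the hook signature and deserves a word too.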
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Pablo Neira Ayuso , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v27 18/25] LSM: security_secid_to_secctx in netlink netfilter Date: Thu, 10 Jun 2021 17:04:28 -0700 Message-Id: <20210611000435.36398-19-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org --- net/netfilter/nfnetlink_queue.c | 37 +++++++++++++-------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 719ec0f0f2ab..bf8db099090b 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) { - u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) struct lsmblob blob; - struct lsmcontext context = { }; if (!skb || !sk_fullsock(skb->sk)) - return 0; + return; read_lock_bh(&skb->sk->sk_callback_lock); 
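Review bot: Changing nfqnl_get_sk_secctx() to return void in the -301 hunk removes the only explicit signal the caller had that a secctx was produced; the contract is now that the caller passes a zero-initialised struct lsmcontext and tests context->len afterwards, which only works because the early `return;` leaves *context untouched. State that in a comment above the function, since nothing in the signature enforces it.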
@@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, &context); - *secdata = context.context; + security_secid_to_secctx(&blob, context); } read_unlock_bh(&skb->sk->sk_callback_lock); - seclen = context.len; #endif - return seclen; + return; } static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry) @@ -397,12 +393,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, struct net_device *indev; struct net_device *outdev; struct nf_conn *ct = NULL; + struct lsmcontext context = { }; enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; - u32 seclen = 0; size = nlmsg_total_size(sizeof(struct nfgenmsg)) + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr)) @@ -470,9 +464,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) - size += nla_total_size(seclen); + nfqnl_get_sk_secctx(entskb, &context); + if (context.len) + size += nla_total_size(context.len); } skb = alloc_skb(size, GFP_ATOMIC); @@ -602,7 +596,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (context.len && + nla_put(skb, NFQA_SECCTX, context.len, context.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) 
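Review bot: In the -318 hunk the `return;` kept at the end of the now-void nfqnl_get_sk_secctx() is redundant; drop it so the `#endif` closes directly onto the function's closing brace. The -470 and -602 hunks are consistent with that contract: both test `context.len` and nothing else, so the zero-initialised `struct lsmcontext context = { };` added in the -397 hunk is what makes the "no secctx" case safe.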
@@ -630,10 +625,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return skb; nla_put_failure: 
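Review bot: The cleanup in this hunk, `if (context.len) security_release_secctx(&context);`, is repeated verbatim in the nlmsg_failure path of the next hunk. With the lsmcontext_init() scaffolding gone, the two could share a single exit label; if the duplication is kept to match the existing shape of nfqnl_build_packet_message(), that is fine, since the success path returns skb before the failure labels and the two releases can never both run.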
@@ -641,10 +634,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (context.len) + security_release_secctx(&context); return NULL; } From patchwork Fri Jun 11 00:04:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12314443 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 545D8C48BE0 for ; Fri, 11 Jun 2021 00:25:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 38C1A61222 for ; Fri, 11 Jun 2021 00:25:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231465AbhFKA1r (ORCPT ); Thu, 10 Jun 2021 20:27:47 -0400 Received: from sonic311-31.consmr.mail.ne1.yahoo.com ([66.163.188.212]:33650 "EHLO sonic311-31.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231448AbhFKA1n (ORCPT ); Thu, 10 Jun 2021 20:27:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1623371146; bh=B6/eTJ18z4eQ+mOCYA8J02+OIxRGwvinHOaRQJDorLg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v27 19/25] NET: Store LSM netlabel data in a lsmblob Date: Thu, 10 Jun 2021 17:04:29 -0700 Message-Id: <20210611000435.36398-20-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Netlabel uses LSM interfaces requiring an lsmblob and the internal storage is used to pass information between these interfaces, so change the internal data from a secid to a lsmblob. Update the netlabel interfaces and their callers to accommodate the change. This requires that the modules using netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4/cipso_ipv4.c | 26 ++++++---- net/netlabel/netlabel_kapi.c | 6 +-- net/netlabel/netlabel_unlabeled.c | 79 +++++++++-------------------- net/netlabel/netlabel_unlabeled.h | 2 +- security/selinux/hooks.c | 2 +- security/selinux/include/security.h | 1 + security/selinux/netlabel.c | 2 +- security/selinux/ss/services.c | 4 +- security/smack/smack.h | 1 + security/smack/smack_access.c | 2 +- security/smack/smack_lsm.c | 11 ++-- security/smack/smackfs.c | 10 ++-- 13 files changed, 68 insertions(+), 86 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 43ae50337685..73fc25b4042b 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -166,7 +166,7 @@ struct netlbl_lsm_catmap { * @attr.mls: MLS sensitivity label * @attr.mls.cat: MLS category bitmap * @attr.mls.lvl: MLS sensitivity level - * @attr.secid: LSM specific secid token + * @attr.lsmblob: LSM specific data * * Description: * This structure is used to pass security attributes between NetLabel and the @@ -201,7 +201,7 @@ struct netlbl_lsm_secattr { struct netlbl_lsm_catmap *cat; u32 lvl; } mls; - u32 secid; + struct lsmblob lsmblob; } attr; }; @@ -415,7 +415,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, @@ -523,7 +523,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { return -ENOSYS; diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index bfaf327e9d12..6f289821edb7 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c 
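Review bot: The -201 hunk replaces `u32 secid` in the attr union with `struct lsmblob lsmblob` embedded by value, so include/net/netlabel.h now needs the full definition of struct lsmblob at that point, not just a forward declaration; no include is added in these hunks, so either add the header that defines lsmblob or say in the commit message which existing include already pulls it in. The kernel-doc change in -166 (`@attr.lsmblob: LSM specific data`) matches the new member name.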
@@ -106,15 +106,17 @@ int cipso_v4_rbm_strictvalid = 1; /* Base length of the local tag (non-standard tag). * Tag definition (may change between kernel versions) * - * 0 8 16 24 32 - * +----------+----------+----------+----------+ - * | 10000000 | 00000110 | 32-bit secid value | - * +----------+----------+----------+----------+ - * | in (host byte order)| - * +----------+----------+ - * + * 0 8 16 16 + sizeof(struct lsmblob) + * +----------+----------+---------------------+ + * | 10000000 | 00000110 | LSM blob data | + * +----------+----------+---------------------+ + * + * All secid and flag fields are in host byte order. + * The lsmblob structure size varies depending on which + * Linux security modules are built in the kernel. + * The data is opaque. */ -#define CIPSO_V4_TAG_LOC_BLEN 6 +#define CIPSO_V4_TAG_LOC_BLEN (2 + sizeof(struct lsmblob)) /* * Helper Functions @@ -1460,7 +1462,11 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def, buffer[0] = CIPSO_V4_TAG_LOCAL; buffer[1] = CIPSO_V4_TAG_LOC_BLEN; - *(u32 *)&buffer[2] = secattr->attr.secid; + /* Ensure that there is sufficient space in the CIPSO header + * for the LSM data. */ + BUILD_BUG_ON(CIPSO_V4_TAG_LOC_BLEN > CIPSO_V4_OPT_LEN_MAX); + memcpy(&buffer[2], &secattr->attr.lsmblob, + sizeof(secattr->attr.lsmblob)); return CIPSO_V4_TAG_LOC_BLEN; } @@ -1480,7 +1486,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { - secattr->attr.secid = *(u32 *)&tag[2]; + memcpy(&secattr->attr.lsmblob, &tag[2], sizeof(secattr->attr.lsmblob)); secattr->flags |= NETLBL_SECATTR_SECID; return 0; diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 5e1239cef000..bbfaff539416 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c 
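Review bot: cipso_v4_parsetag_loc() in the -1480 hunk memcpy()s sizeof(struct lsmblob) bytes starting at tag[2] without comparing tag[1] against CIPSO_V4_TAG_LOC_BLEN; the old 4-byte read had the same shape, but the copy is now larger and depends on which LSMs are built in, so if option validation elsewhere already rejects a local tag whose length byte differs from CIPSO_V4_TAG_LOC_BLEN, a one-line comment here saying so would help, and if it does not, the check belongs before the copy. The BUILD_BUG_ON against CIPSO_V4_OPT_LEN_MAX in the -1460 hunk is the right guard on the generation side and also keeps `buffer[1] = CIPSO_V4_TAG_LOC_BLEN;` within a single byte.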
@@ -196,7 +196,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, * @addr: IP address in network byte order (struct in[6]_addr) * @mask: address mask in network byte order (struct in[6]_addr) * @family: address family - * @secid: LSM secid value for the entry + * @lsmblob: LSM data value for the entry * @audit_info: NetLabel audit information * * Description: @@ -210,7 +210,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, const void *addr, const void *mask, u16 family, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { u32 addr_len; @@ -230,7 +230,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net, return netlbl_unlhsh_add(net, dev_name, addr, mask, addr_len, - secid, audit_info); + lsmblob, audit_info); } /** diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 3daa99396335..0ce9bee43dd3 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -66,7 +66,7 @@ struct netlbl_unlhsh_tbl { #define netlbl_unlhsh_addr4_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr4, list) struct netlbl_unlhsh_addr4 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af4list list; struct rcu_head rcu; @@ -74,7 +74,7 @@ struct netlbl_unlhsh_addr4 { #define netlbl_unlhsh_addr6_entry(iter) \ container_of(iter, struct netlbl_unlhsh_addr6, list) struct netlbl_unlhsh_addr6 { - u32 secid; + struct lsmblob lsmblob; struct netlbl_af6list list; struct rcu_head rcu; @@ -220,7 +220,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) * @iface: the associated interface entry * @addr: IPv4 address in network byte order * @mask: IPv4 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the 
@@ -231,7 +231,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, const struct in_addr *addr, const struct in_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr4 *entry; @@ -243,7 +243,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, entry->list.addr = addr->s_addr & mask->s_addr; entry->list.mask = mask->s_addr; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list); @@ -260,7 +260,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, * @iface: the associated interface entry * @addr: IPv6 address in network byte order * @mask: IPv6 address mask in network byte order - * @secid: LSM secid value for entry + * @lsmblob: LSM data value for entry * * Description: * Add a new address entry into the unlabeled connection hash table using the @@ -271,7 +271,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, const struct in6_addr *addr, const struct in6_addr *mask, - u32 secid) + struct lsmblob *lsmblob) { int ret_val; struct netlbl_unlhsh_addr6 *entry; @@ -287,7 +287,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; entry->list.mask = *mask; entry->list.valid = 1; - entry->secid = secid; + entry->lsmblob = *lsmblob; spin_lock(&netlbl_unlhsh_lock); ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list); @@ -366,7 +366,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info) { int ret_val; 
@@ -375,7 +375,6 @@ int netlbl_unlhsh_add(struct net *net, struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; struct lsmcontext context; - struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -408,7 +407,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in_addr *addr4 = addr; const struct in_addr *mask4 = mask; - ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); + ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, lsmblob); if (audit_buf != NULL) netlbl_af4list_audit_addr(audit_buf, 1, dev_name, @@ -421,7 +420,7 @@ int netlbl_unlhsh_add(struct net *net, const struct in6_addr *addr6 = addr; const struct in6_addr *mask6 = mask; - ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); + ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, lsmblob); if (audit_buf != NULL) netlbl_af6list_audit_addr(audit_buf, 1, dev_name, @@ -438,11 +437,7 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - /* lsmblob_init() puts secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - if (security_secid_to_secctx(&blob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -477,7 +472,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, 
@@ -497,13 +491,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); if (dev != NULL) dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -544,7 +533,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct audit_buffer *audit_buf; struct net_device *dev; struct lsmcontext context; - struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -563,13 +551,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); if (dev != NULL) dev_put(dev); - /* lsmblob_init() puts entry->secid into all of the secids - * in blob. security_secid_to_secctx() will know which - * security module to use to create the secctx. */ - if (entry != NULL) - lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); 
@@ -923,14 +906,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* netlbl_unlhsh_add will be changed to pass a struct lsmblob * - * instead of a u32 later in this patch set. security_secctx_to_secid() - * will only be setting one entry in the lsmblob struct, so it is - * safe to use lsmblob_value() to get that one value. */ - - return netlbl_unlhsh_add(&init_net, - dev_name, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, dev_name, addr, mask, addr_len, + &blob, &audit_info); } /** @@ -977,11 +954,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, if (ret_val != 0) return ret_val; - /* security_secctx_to_secid() will only put one secid into the lsmblob - * so it's safe to use lsmblob_value() to get the secid. */ - return netlbl_unlhsh_add(&init_net, - NULL, addr, mask, addr_len, - lsmblob_value(&blob), &audit_info); + return netlbl_unlhsh_add(&init_net, NULL, addr, mask, addr_len, &blob, + &audit_info); } /** @@ -1093,8 +1067,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, struct net_device *dev; struct lsmcontext context; void *data; - u32 secid; - struct lsmblob blob; + struct lsmblob *lsmb; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1132,7 +1105,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr4->secid; + lsmb = (struct lsmblob *)&addr4->lsmblob; } else { ret_val = nla_put_in6_addr(cb_arg->skb, NLBL_UNLABEL_A_IPV6ADDR, 
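Review bot: `lsmb = (struct lsmblob *)&addr4->lsmblob;` in the -1132 hunk (and the addr6 counterpart in the following hunk) casts away whatever qualifier addr4 carries; if addr4 and addr6 are const pointers in netlbl_unlabel_staticlist_gen(), the cast silently drops const only to satisfy security_secid_to_secctx()'s non-const first parameter. Since that function only reads the blob, prefer making the parameter `const struct lsmblob *` and dropping the cast.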
@@ -1146,14 +1119,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, if (ret_val != 0) goto list_cb_failure; - secid = addr6->secid; + lsmb = (struct lsmblob *)&addr6->lsmblob; } - /* lsmblob_init() secid into all of the secids in blob. - * security_secid_to_secctx() will know which security module - * to use to create the secctx. */ - lsmblob_init(&blob, secid); - ret_val = security_secid_to_secctx(&blob, &context); + ret_val = security_secid_to_secctx(lsmb, &context); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, @@ -1512,7 +1481,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr4_list); if (addr4 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr4_entry(addr4)->lsmblob; break; } #if IS_ENABLED(CONFIG_IPV6) @@ -1525,7 +1494,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb, &iface->addr6_list); if (addr6 == NULL) goto unlabel_getattr_nolabel; - secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid; + secattr->attr.lsmblob = netlbl_unlhsh_addr6_entry(addr6)->lsmblob; break; } #endif /* IPv6 */ diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h index 058e3a285d56..168920780994 100644 --- a/net/netlabel/netlabel_unlabeled.h +++ b/net/netlabel/netlabel_unlabeled.h @@ -211,7 +211,7 @@ int netlbl_unlhsh_add(struct net *net, const void *addr, const void *mask, u32 addr_len, - u32 secid, + struct lsmblob *lsmblob, struct netlbl_audit *audit_info); int netlbl_unlhsh_remove(struct net *net, const char *dev_name, diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dba867721336..b7800fa55a34 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7122,7 +7122,7 @@ static int selinux_perf_event_write(struct perf_event *event) } #endif -static struct lsm_id selinux_lsmid __lsm_ro_after_init = { +struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", .slot = LSMBLOB_NEEDED }; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index ac0ece01305a..9f856f2cd277 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -73,6 +73,7 @@ struct netlbl_lsm_secattr; extern int selinux_enabled_boot; +extern struct lsm_id selinux_lsmid; /* * type_datum properties diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 6a94b31b5472..d8d7603ab14e 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -108,7 +108,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( return NULL; if ((secattr->flags & NETLBL_SECATTR_SECID) && - (secattr->attr.secid == sid)) + (secattr->attr.lsmblob.secid[selinux_lsmid.slot] == sid)) return secattr; return NULL; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 0a5ce001609b..b6071e977cdf 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3883,7 +3883,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state, if (secattr->flags & NETLBL_SECATTR_CACHE) *sid = *(u32 *)secattr->cache->data; else if (secattr->flags & NETLBL_SECATTR_SECID) - *sid = secattr->attr.secid; + *sid = secattr->attr.lsmblob.secid[selinux_lsmid.slot]; else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { rc = -EIDRM; ctx = sidtab_search(sidtab, SECINITSID_NETMSG); 
@@ -3960,7 +3960,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, if (secattr->domain == NULL) goto out; - secattr->attr.secid = sid; + secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid; secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; mls_export_netlbl_lvl(policydb, ctx, secattr); rc = mls_export_netlbl_cat(policydb, ctx, secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index b5bdf947792f..0eaae6b3f935 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -303,6 +303,7 @@ int smack_populate_secattr(struct smack_known *skp); * Shared data. */ extern int smack_enabled; +extern struct lsm_id smack_lsmid; extern int smack_cipso_direct; extern int smack_cipso_mapped; extern struct smack_known *smack_net_ambient; diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 7eabb448acab..fccd5da3014e 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -522,7 +522,7 @@ int smack_populate_secattr(struct smack_known *skp) { int slen; - skp->smk_netlabel.attr.secid = skp->smk_secid; + skp->smk_netlabel.attr.lsmblob.secid[smack_lsmid.slot] = skp->smk_secid; skp->smk_netlabel.domain = skp->smk_known; skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); if (skp->smk_netlabel.cache != NULL) { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7aa7ea38f627..e65497a5c095 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
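Review bot: security_netlbl_sid_to_secattr() and smack_populate_secattr() write only their own slot (`secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid;` and `skp->smk_netlabel.attr.lsmblob.secid[smack_lsmid.slot] = skp->smk_secid;`) and leave the other slots of attr.lsmblob as they were, while the smackfs hunk in this same patch calls `lsmblob_init(&lsmblob, 0);` before setting its slot. Please be consistent: either document that attr.lsmblob is always zeroed by the secattr initialiser before these paths run, or call lsmblob_init() here as well so a stale secid from another module cannot survive in the remaining slots.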
@@ -3720,11 +3720,12 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) return (struct smack_known *)sap->cache->data; + /* + * Looks like a fallback, which gives us a secid. + */ if ((sap->flags & NETLBL_SECATTR_SECID) != 0) - /* - * Looks like a fallback, which gives us a secid. - */ - return smack_from_secid(sap->attr.secid); + return smack_from_secid( + sap->attr.lsmblob.secid[smack_lsmid.slot]); if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { /* @@ -4701,7 +4702,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; -static struct lsm_id smack_lsmid __lsm_ro_after_init = { +struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", .slot = LSMBLOB_NEEDED }; diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 22ded2c26089..e592e10397af 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -1140,6 +1140,7 @@ static void smk_net4addr_insert(struct smk_net4addr *new) static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { + struct lsmblob lsmblob; struct smk_net4addr *snp; struct sockaddr_in newname; char *smack; 
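Review bot: in smack_from_secattr() the NETLBL_SECATTR_SECID flag only says that some slot of the blob was populated, not that Smack's slot was; a secattr filled in by another module will carry 0 in `sap->attr.lsmblob.secid[smack_lsmid.slot]`, and that 0 is now passed to smack_from_secid() as though it were a real Smack secid. Consider checking the slot for a non-zero value before taking this fallback and otherwise continuing to the MLS_LVL handling. Separately, the local added to smk_write_net4addr() is named after its type (`struct lsmblob lsmblob;`), which reads awkwardly next to `lsmblob_init(&lsmblob, 0)`; a shorter name such as `blob` would be clearer.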
@@ -1271,10 +1272,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, * this host so that incoming packets get labeled. * but only if we didn't get the special CIPSO option */ - if (rc == 0 && skp != NULL) + if (rc == 0 && skp != NULL) { + lsmblob_init(&lsmblob, 0); + lsmblob.secid[smack_lsmid.slot] = snp->smk_label->smk_secid; rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, - &snp->smk_host, &snp->smk_mask, PF_INET, - snp->smk_label->smk_secid, &audit_info); + &snp->smk_host, &snp->smk_mask, PF_INET, &lsmblob, + &audit_info); + } if (rc == 0) rc = count; From patchwork Fri Jun 11 00:04:30 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12314445
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v27 20/25] LSM: Verify LSM display sanity in binder Date: Thu, 10 Jun 2021 17:04:30 -0700 Message-Id: <20210611000435.36398-21-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Verify that the tasks on the ends of a binder transaction use the same "interface_lsm" security module. This prevents confusion of security "contexts". Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- security/security.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/security/security.c b/security/security.c index a5150de2f3db..ae23b5a8fe87 100644 --- a/security/security.c +++ b/security/security.c
@@ -859,9 +859,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr) return call_int_hook(binder_set_context_mgr, 0, mgr); } +/** + * security_binder_transaction - Binder driver transaction check + * @from: source of the transaction + * @to: destination of the transaction + * + * Verify that the tasks have the same LSM "display", then + * call the security module hooks. + * + * Returns -EINVAL if the displays don't match, or the + * result of the security module checks. + */ int security_binder_transaction(struct task_struct *from, struct task_struct *to) { + int from_ilsm = lsm_task_ilsm(from); + int to_ilsm = lsm_task_ilsm(to); + + /* + * If the ilsm is LSMBLOB_INVALID the first module that has + * an entry is used. This will be in the 0 slot. + * + * This is currently only required if the server has requested + * peer contexts, but it would be unwieldly to have too much of + * the binder driver detail here. + */ + if (from_ilsm == LSMBLOB_INVALID) + from_ilsm = 0; + if (to_ilsm == LSMBLOB_INVALID) + to_ilsm = 0; + if (from_ilsm != to_ilsm) + return -EINVAL; + return call_int_hook(binder_transaction, 0, from, to); } From patchwork Fri Jun 11 00:04:31 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12314481
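Review bot: the mismatch path returns -EINVAL before any hook runs, so a refused transaction leaves no audit record and the binder driver sees an errno that normally means "bad argument"; -EPERM describes a policy refusal better, and a ratelimited warning or audit message would make the failure diagnosable when two processes have picked different interface LSMs. The kernel-doc block calls the attribute the LSM "display" while the code, lsm_task_ilsm() and the commit message say "ilsm"/"interface_lsm"; pick one term. Also `unwieldly` in the comment should be `unwieldy`.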
ESMTP id D7FF761376 for ; Fri, 11 Jun 2021 00:28:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230508AbhFKAaC (ORCPT ); Thu, 10 Jun 2021 20:30:02 -0400 Received: from sonic312-31.consmr.mail.ne1.yahoo.com ([66.163.191.212]:35216 "EHLO sonic312-31.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229578AbhFKAaC (ORCPT ); Thu, 10 Jun 2021 20:30:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1623371285; bh=7V2RZ/HRpW1AoAp/Iq1XcaU0GNuu+Wd9ZV/RFltAMkg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=G0f2JDj9OdpNMHRJKcMyh5PZLlqsiyIr/IqEyK2prB7qunHnf1YAU20IxMf2KZlfEH3T9epstFxLKRaN4BVr4y571gtsYEth4yfWWxXJt27APLi5Lcx7xrB6V8naJiYgk0nPO6aUuF6kBt4OiKskr+De8X+IAYxI9hRBWlRnXDboQdCM6YhPIItg5FcqWFFI8T/Hc/rDB1od8Gkr0VVMLBsy0juimXY66//bGU56XnPCqr+1/28NwkrpMMXuEOeLvPBMgi9bnU39ZAVVdoi8tG7v7a2n8X+YzCKSfHnA80axuAw7tCClTuUim7MFncIDPn3piCtp5mEfd6GP1qjEkQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1623371285; bh=vJxgvEmJ50fqSZZQUpBsn1288uDgaGKP4jySsukHIgJ=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Haainc8GXLFWrjQYZHXiCFJf57+GcmXpV2j/4CbgzxyZPK7zTXGQl7O7y2sM1QBkkJM4GJDcM8zJ+vAj061PU4nIz3Xx8j1zbBAYci+Khl0c6HzBJ9cXyUjHF5vZqaPqVWKrQ9vT54LzGiqy30I9EgLU/olioeHqmZ+WNW+x9LoWrr3Usb6xOuh9jHxNITKQP+xj6WCdB6WPvguVv32/adFquP0XSxqj4SFk3zTUOuSdwDxR0aIHoorzezWuzIQXv6EZznP+jEQ9wX7IC4Pk/x5kNlfYwvs1L2+dHEBSXbh7amQX2vJx4zc+pDcmLhS/BJZoGdLfKmc/hpmclF7mgQ== X-YMail-OSG: jHyRJOUVM1nfLGTW2Md_ZjNO6VRfXLCt_w8x.tnfXCj2eVQoAMbsyc3XRgZM7.O GWGYoDrxgOo0GhHvc2Nw05opUWUvuC4kldArZEOHsGz8h22f1byFlcJziikmTela4zgXOBQQmzpe LP6CMuh77l6Mgs5zVH9gG.BLnmYUpw2rqa8avEnf2tISMMFffKaXOLbZ6I4wdbkp5fAmglohYp7c 0NY7k0R3ajR7TdZlA.sap4O.e2Rt_lzG8XKpV6CH9MB6WCnuJCrtJlum7bRWZA_Z37tBIw4rHBJZ VOw804rTUF_eeDIz2t6vZG0FBiU27Y9381KleCTgcE.y.YLwjhuyieEhOA_t8votaTh2BnibNn0M 38Yjvl1G9ysZNDp4h7Ea9tO4xFCVnBLgqVokQOJ391_tvgsbTff3PVjtggvptEQnodmIxHpSqPGQ 
UT57qJf9WFB_TkyxwFU1cPKa5QuSxTI61pd3_dn7OJWFYlVOdFBXa18ZyEAOFcdpv4zFuxnHCiyZ A43QQvemMpFm.bUgRlp3hIL66jMlTVGrduZNqBTgqarExQctIRefRLdtdqofNqIDE7jclshvhhh2 7eoyadS6nqkdJ0olKfb7uNnqD_Yr740V3CEAt2wwpSHiZXmDNAqEvP_M.P6PlTw3KUKjxdyq8DjX v0gmma_1A0tQVOy_Rdp0ia7ItUCULwXaaAw7dVOyutYZwWWfitAb6UQpKrSM5oGTgpfYGSEljq0_ RfsBD6xE7wyxjpDLgHGk8TvOzCSUjntMkYtTQN1jd9YUxYCECBQ4zseEugvb1fBLDL8iNpJrlrBp hXEDUB9p0DazJ0a4QvJ83pRfAYFASR0rS3nhLSGgxdkS2N6xoK1uF2i97h.7PMY2L0J23g9GoYT6 exZ3ozLBpZ1rdi4l6hTvGrlImXCQHRRE.A.HpzyK0y6Qb5BHoIyo8rrugCVgeQhfBVLV0zrgYoXA NHNoRntKvMIdkh8ZG0M40TmbbeArpmEM5U1PIerXRiUA3FUBHQNI0SEDschnYYacvkE599sW4FcA Tn_K217A..e0CbYgwZFpv21NcrrKr3kpbSsV7DX_PEXn14sD0GXfypQtlLVtnfkR7xEYsmuSOCf9 jre51x7XYxzEjDo9EiQUscYZzzC62iW79dJJtg9ukfi9P.F4YZpKzckWmDQjYarST4RrqZ6HRTeq RtyGDBF.I_KritetrziT4SLcYydFzMjl91gmyh.7rtRZkQs8eCYdpi0.a_.4s.EqXZQ0oXTwqdkH avTqmC1o27LU1wvKX2LKw4d3Va8cY8J5pnh5i5qEqX.ysjNnCxo8FddtFke8Sdx0PGmr0FV8LxlW niblF2rMMX.XzJe.ak2LwyVyw4rIXJYVOvOz2ARMP.doEuSkN7wyS6pmizxCmSxUlpoCG_FtDqRC HfMuE9DFk.4LPKJbrZr.i2QCXA6l1MBQT103Jro_3NX7jU0bHl_54COfCMsf1cZjbZshga5pO8OT uBrGw2ieMc_gXL42VqdakwjM2Ze5eOnVEbaJL6afUT8IwV1rU1269bX1hP6O.KWfUBNyMokdu2Hl Jh353DVFVSXiRptfeu_t_Ix_fkozMHvy08QkbF61ZdKfe9Q1.BmPrRvEHafJKfU13ztWHwokBI5W TBfg0Y0R3USfB_7U3P2PeVp3CAxy_tb92gZrn6IidsB_iw7.X89boyoXx_wmhuv0aaeAsV0LXXRn o.NdBhreWBo87T8Erl2F8V9ooSStP1MS22CdwbQzklE7ddP9sVh3c3PrcPeqocoy4bPx6rMUxmQ5 3pTxXKt3v9uY5PCcdeH96KO2qYafp9rMxQNT1Ahi5jrGnZMfYe4fR3TkytWwhaEBsSP8XgWQVHgA BO_vvvTvYo_Q8LK76pGHPtFEeZF3FWRb9kkALy6SzOJs_qfVtvgWfZLqaPgFVcpBcKjzFQgyrNKz yMafqWidZVC7SCVgnUxBqVEmhy.6Vn4PSIn1_43Cu1sbBTRTb8E8u7RuIafQtfB2Gjik9znNIjMq fexWuxedlizmcVyLWxWjb_w_eb241YzDY3er7.GPaveJLkcf0rW2PC9CBXnmX0db.RVKMXbS8cRT 4NqmFt6oqs0MfU5UoioQwwuSx_LoW2SOrqq1SZca_Eg3VYtbhIkIgD88g.HLPrGy8ac_RCgZPb0s .t4l2Hf2y_rBVYYtQqoE4wzR.9GZXOETfXh9SCxBIUwajk7rX6cL5E5.cumTNZwnI.y9hKM9VjlW IrWTtnyiJ2m_PcWLx3xlyuGNHY6tq7JSql9YMtq1pUHUTl1SJhb8tgGuHe9qwFKiP8mEWGSTObyV 
UDBln4X8RRrt_RFr6lFGltLBGGkoZadY6j6t1RO00UaD1V7VQuLcoluXjNlNZ9t8eL8_43fRPUrb TtQKUeFjwaMgpjQRqvv0LD.8DBoZoUBvIE8GkOA7LkNMY2M_d5I5Eo4MevOHraxQWHeIvu00pV6N YMnSqfwa_5_DCf0x_n0IQSB3DmyTQ9x.pRuEcoBJxfxl8BrcwlwHJSynAQeJyWv1o3G_mRyFBvNO YIlHYu3KXyU2YfubAbTXbcvVWck8YVbTglfKZczi3ENt8vBIob.S_MQMDpcnq35JSbVZNk9cU.Dp K_Vdsd4lbGW53SogZJy8RumSdT4ECFskivCkh5SC1o5lHs2kTZ_77QBuBn4jmQJxwLSK3Qm.PL_L 0sQQ.tyUVEK3thwTpo2bAQExA2FL4GniCtK5iyH.9zedoK7aSrJwfyhlxli6oGaTQ2WeAruqa58e wDsXcypO.nM.bK4YBJwc5yGvmRgII9MBfRbPVbnut0GujR28KFbkaoNK3LH18_2gm8zyKTne6j54 96YxdpT74ASYxrBrkuq.7uLHgkNGSyhFiSll7ioQzQ.GsL3Q3GcXP3X7OyyzFP3rGxdiEqQfsNDC XCT9uS14prnPvZuQk1vV5.5GBcvQHOxA8ODEVIzXBlHJ80.riSOw5XD5Zm3GoLZLD5hG7NWlxB4D tZiFA8q9ZbNueXMUEq1YGRqExMeNZyoJhEKKoKBmjTiMm1S6a4MQrI4CfjDldNZSW4YymewgBKDP QmZcoIKcGoOlfTFbNF5S1z9kZlh9vL_KBEjnlDAE6eJgWg4R55gJ3LNjxUQqs8nb_WvwHj5Psg9w Xsfqmh9KJQzsF8eq1wo06mEHkzSD91fHDBxMViCSfma63FpwOk5GjCvlXMT4- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 11 Jun 2021 00:28:05 +0000 Received: by kubenode560.mail-prod1.omega.gq1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 03105bb17edb9375c7f9fde1dbc1d821; Fri, 11 Jun 2021 00:27:59 +0000 (UTC) 
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Richard Guy Briggs Subject: [PATCH v27 21/25] audit: add support for non-syscall auxiliary records Date: Thu, 10 Jun 2021 17:04:31 -0700 Message-Id: <20210611000435.36398-22-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Standalone audit records have the timestamp and serial number generated on the fly and as such are unique, making them standalone. This new function audit_alloc_local() generates a local audit context that will be used only for a standalone record and its auxiliary record(s). The context is discarded immediately after the local associated records are produced. Signed-off-by: Richard Guy Briggs Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com To: Richard Guy Briggs Reported-by: kernel test robot Reported-by: kernel test robot --- include/linux/audit.h | 8 ++++++++ kernel/audit.h | 1 + kernel/auditsc.c | 33 ++++++++++++++++++++++++++++----- 3 files changed, 37 insertions(+), 5 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 418a485af114..97cd7471e572 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h 
@@ -289,6 +289,8 @@ static inline int audit_signal_info(int sig, struct task_struct *t) /* Public API */ extern int audit_alloc(struct task_struct *task); extern void __audit_free(struct task_struct *task); +extern struct audit_context *audit_alloc_local(gfp_t gfpflags); +extern void audit_free_context(struct audit_context *context); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -552,6 +554,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af, extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ ++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags) +{ + return NULL; +} +static inline void audit_free_context(struct audit_context *context) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/kernel/audit.h b/kernel/audit.h index 23a85a470121..27ef690afd30 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,7 @@ struct audit_proctitle { struct audit_context { int dummy; /* must be the first element */ int in_syscall; /* 1 if task is in a syscall */ + bool local; /* local context needed */ enum audit_state state, current_state; unsigned int serial; /* serial number for record */ int major; /* syscall number */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 67da23f6bebd..d4e061f95da8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
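Review bot: the !CONFIG_AUDITSYSCALL stub has a stray leading '+': the added line reads `++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)`, so the resulting source contains `+static inline ...` and will not compile with audit syscall support disabled. Drop the extra '+'. The `bool local;` member added to struct audit_context would also benefit from a comment stating that a local context is stamped at allocation and freed explicitly by its creator rather than at syscall exit.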
@@ -925,11 +925,13 @@ static inline void audit_free_aux(struct audit_context *context) } } -static inline struct audit_context *audit_alloc_context(enum audit_state state) +static inline struct audit_context *audit_alloc_context(enum audit_state state, + gfp_t gfpflags) { struct audit_context *context; - context = kzalloc(sizeof(*context), GFP_KERNEL); + /* We can be called in atomic context via audit_tg() */ + context = kzalloc(sizeof(*context), gfpflags); if (!context) return NULL; context->state = state; @@ -965,7 +967,8 @@ int audit_alloc(struct task_struct *tsk) return 0; } - if (!(context = audit_alloc_context(state))) { + context = audit_alloc_context(state, GFP_KERNEL); + if (!context) { kfree(key); audit_log_lost("out of memory in audit_alloc"); return -ENOMEM; @@ -977,8 +980,27 @@ int audit_alloc(struct task_struct *tsk) return 0; } -static inline void audit_free_context(struct audit_context *context) +struct audit_context *audit_alloc_local(gfp_t gfpflags) { + struct audit_context *context = NULL; + + context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags); + if (!context) { + audit_log_lost("out of memory in audit_alloc_local"); + goto out; + } + context->serial = audit_serial(); + ktime_get_coarse_real_ts64(&context->ctime); + context->local = true; +out: + return context; +} +EXPORT_SYMBOL(audit_alloc_local); + +void audit_free_context(struct audit_context *context) +{ + if (!context) + return; audit_free_module(context); audit_free_names(context); unroll_tree_refs(context, NULL, 0); @@ -989,6 +1011,7 @@ static inline void audit_free_context(struct audit_context *context) audit_proctitle_free(context); kfree(context); } +EXPORT_SYMBOL(audit_free_context); static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, 
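Review bot: audit_alloc_local() and audit_free_context() are exported with EXPORT_SYMBOL() while the neighbouring export in this file is EXPORT_SYMBOL_GPL(__audit_inode_child); unless there is a reason to open these to non-GPL modules, use EXPORT_SYMBOL_GPL for consistency. Two smaller points in audit_alloc_local(): the `= NULL` initialiser on `context` is dead because the next statement assigns it, and the function needs a kernel-doc comment saying that the returned context is already stamped (serial and ctime), carries state AUDIT_RECORD_CONTEXT, and must be released with audit_free_context() by the caller.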
@@ -2210,7 +2233,7 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); int auditsc_get_stamp(struct audit_context *ctx, struct timespec64 *t, unsigned int *serial) { - if (!ctx->in_syscall) + if (!ctx->in_syscall && !ctx->local) return 0; if (!ctx->serial) ctx->serial = audit_serial(); From patchwork Fri Jun 11 00:04:32 2021 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12314483
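Review bot: with `!ctx->in_syscall && !ctx->local` this function now accepts local contexts, but audit_alloc_local() already fills in serial and ctime, so for a local context the `if (!ctx->serial)` branch that follows is never taken; a short comment here saying that local contexts arrive pre-stamped would save a future reader from wondering which side owns the stamp.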
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v27 22/25] Audit: Add record for multiple process LSM attributes Date: Thu, 10 Jun 2021 17:04:32 -0700 Message-Id: <20210611000435.36398-23-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com> References: <20210611000435.36398-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: Create a new audit record type to contain the subject information when there are multiple security modules that require such data. This record is linked with the same timestamp and serial number using the audit_alloc_local() mechanism. The record is produced only in cases where there is more than one security module with a process "context". In cases where this record is produced the subj= fields of other records in the audit event will be set to "subj=?". An example of the MAC_TASK_CONTEXTS (1420) record is: type=UNKNOWN[1420] msg=audit(1600880931.832:113) subj_apparmor==unconfined subj_smack=_ There will be a subj_$LSM= entry for each security module LSM that supports the secid_to_secctx and secctx_to_secid hooks. The BPF security module implements secid/secctx translation hooks, so it has to be considered to provide a secctx even though it may not actually do so. 
Signed-off-by: Casey Schaufler To: paul@paul-moore.com To: linux-audit@redhat.com To: rgb@redhat.com Cc: netdev@vger.kernel.org --- drivers/android/binder.c | 2 +- include/linux/audit.h | 16 +++++ include/linux/security.h | 16 ++++- include/net/netlabel.h | 2 +- include/net/scm.h | 2 +- include/net/xfrm.h | 13 +++- include/uapi/linux/audit.h | 1 + kernel/audit.c | 90 +++++++++++++++++++------ kernel/auditfilter.c | 5 +- kernel/auditsc.c | 27 ++++++-- net/ipv4/ip_sockglue.c | 2 +- net/netfilter/nf_conntrack_netlink.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nfnetlink_queue.c | 2 +- net/netlabel/netlabel_unlabeled.c | 21 +++--- net/netlabel/netlabel_user.c | 14 ++-- net/netlabel/netlabel_user.h | 6 +- net/xfrm/xfrm_policy.c | 8 ++- net/xfrm/xfrm_state.c | 18 +++-- security/integrity/ima/ima_api.c | 6 +- security/integrity/integrity_audit.c | 5 +- security/security.c | 46 ++++++++----- security/smack/smackfs.c | 3 +- 23 files changed, 221 insertions(+), 90 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f2a27bbbbe4d..7818c0fe0f38 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2722,7 +2722,7 @@ static void binder_transaction(struct binder_proc *proc, * case well anyway. */ security_task_getsecid_obj(proc->tsk, &blob); - ret = security_secid_to_secctx(&blob, &lsmctx); + ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/audit.h b/include/linux/audit.h index 97cd7471e572..85eb87f6f92d 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h 
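Review bot: passing LSMBLOB_DISPLAY here makes the secctx handed to the binder peer depend on the current task's interface LSM; that is only unambiguous because patch 20 of this series refuses transactions whose two ends have different interface LSMs. A one-line comment at this call site pointing at that check would tie the two together for anyone reading binder_transaction() on its own.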
@@ -291,6 +291,7 @@ extern int audit_alloc(struct task_struct *task); extern void __audit_free(struct task_struct *task); extern struct audit_context *audit_alloc_local(gfp_t gfpflags); extern void audit_free_context(struct audit_context *context); +extern void audit_free_local(struct audit_context *context); extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3); extern void __audit_syscall_exit(int ret_success, long ret_value); @@ -386,6 +387,19 @@ static inline void audit_ptrace(struct task_struct *t) __audit_ptrace(t); } +static inline struct audit_context *audit_alloc_for_lsm(gfp_t gfp) +{ + struct audit_context *context = audit_context(); + + if (context) + return context; + + if (lsm_multiple_contexts()) + return audit_alloc_local(gfp); + + return NULL; +} + /* Private API (for audit.c only) */ extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); @@ -560,6 +574,8 @@ extern int audit_signals; } static inline void audit_free_context(struct audit_context *context) { } +static inline void audit_free_local(struct audit_context *context) +{ } static inline int audit_alloc(struct task_struct *task) { return 0; diff --git a/include/linux/security.h b/include/linux/security.h index 0129400ff6e9..ddab456e93d3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -182,6 +182,8 @@ struct lsmblob { #define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */ #define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ #define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */ +#define LSMBLOB_DISPLAY -4 /* Use the "display" slot */ +#define LSMBLOB_FIRST -5 /* Use the default "display" slot */ /** * lsmblob_init - initialize an lsmblob structure 
@@ -248,6 +250,15 @@ static inline u32 lsmblob_value(const struct lsmblob *blob) return 0; } +static inline bool lsm_multiple_contexts(void) +{ +#ifdef CONFIG_SECURITY + return lsm_slot_to_name(1) != NULL; +#else + return false; +#endif +} + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -578,7 +589,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int display); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1433,7 +1445,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - struct lsmcontext *cp) + struct lsmcontext *cp, int display) { return -EOPNOTSUPP; } diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 73fc25b4042b..216cb1ffc8f0 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -97,7 +97,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct lsmblob lsmdata; kuid_t loginuid; unsigned int sessionid; }; diff --git a/include/net/scm.h b/include/net/scm.h index b77a52f93389..f4d567d4885e 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -101,7 +101,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc * and the infrastructure will know which it is. */ lsmblob_init(&lb, scm->secid); - err = security_secid_to_secctx(&lb, &context); + err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len, 
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index c58a6d4eb610..f8ad20d34498 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -669,13 +669,22 @@ struct xfrm_spi_skb_cb { #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0])) #ifdef CONFIG_AUDITSYSCALL -static inline struct audit_buffer *xfrm_audit_start(const char *op) +static inline struct audit_buffer *xfrm_audit_start(const char *op, + struct audit_context **lac) { + struct audit_context *context; struct audit_buffer *audit_buf = NULL; if (audit_enabled == AUDIT_OFF) return NULL; - audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, + context = audit_context(); + if (lac != NULL) { + if (lsm_multiple_contexts() && context == NULL) + context = audit_alloc_local(GFP_ATOMIC); + *lac = context; + } + + audit_buf = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_IPSEC_EVENT); if (audit_buf == NULL) return NULL; diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index cd2d8279a5e4..2a63720e56f6 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -139,6 +139,7 @@ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 841123390d41..36249dab3280 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -386,10 +386,12 @@ void audit_log_lost(const char *message) static int audit_log_config_change(char *function_name, u32 new, u32 old, int allow_changes) { + struct audit_context *context; struct audit_buffer *ab; int rc = 0; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return rc; audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old); @@ -399,6 +401,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, allow_changes = 0; /* Something weird, deny request */ audit_log_format(ab, " res=%d", allow_changes); audit_log_end(ab); + audit_free_local(context); return rc; } @@ -1072,12 +1075,6 @@ static void audit_log_common_recv_msg(struct audit_context *context, audit_log_task_context(*ab); } -static inline void audit_log_user_recv_msg(struct audit_buffer **ab, - u16 msg_type) -{ - audit_log_common_recv_msg(NULL, ab, msg_type); -} - int is_audit_feature_set(int i) { return af.features & AUDIT_FEATURE_TO_MASK(i); @@ -1190,6 +1187,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; + struct audit_context *lcontext; err = audit_netlink_ok(skb, msg_type); if (err) @@ -1357,7 +1355,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (err) break; } - audit_log_user_recv_msg(&ab, msg_type); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, msg_type); if (msg_type != AUDIT_USER_TTY) { /* ensure NULL termination */ str[data_len - 1] = '\0'; @@ -1371,6 +1370,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_log_n_untrustedstring(ab, str, data_len); } audit_log_end(ab); + audit_free_local(lcontext); } break; case AUDIT_ADD_RULE: 
@@ -1378,13 +1378,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (data_len < sizeof(struct audit_rule_data)) return -EINVAL; if (audit_enabled == AUDIT_LOCKED) { - audit_log_common_recv_msg(audit_context(), &ab, + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=%s audit_enabled=%d res=0", msg_type == AUDIT_ADD_RULE ? "add_rule" : "remove_rule", audit_enabled); audit_log_end(ab); + audit_free_local(lcontext); return -EPERM; } err = audit_rule_change(msg_type, seq, data, data_len); @@ -1394,10 +1396,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) break; case AUDIT_TRIM: audit_trim_trees(); - audit_log_common_recv_msg(audit_context(), &ab, - AUDIT_CONFIG_CHANGE); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=trim res=1"); audit_log_end(ab); + audit_free_local(lcontext); break; case AUDIT_MAKE_EQUIV: { void *bufp = data; @@ -1425,14 +1428,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) /* OK, here comes... */ err = audit_tag_tree(old, new); - audit_log_common_recv_msg(audit_context(), &ab, - AUDIT_CONFIG_CHANGE); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=make_equiv old="); audit_log_untrustedstring(ab, old); audit_log_format(ab, " new="); audit_log_untrustedstring(ab, new); audit_log_format(ab, " res=%d", !err); audit_log_end(ab); + audit_free_local(lcontext); kfree(old); kfree(new); break; @@ -1443,7 +1447,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (lsmblob_is_set(&audit_sig_lsm)) { err = security_secid_to_secctx(&audit_sig_lsm, - &context); + &context, LSMBLOB_FIRST); if (err) return err; } 
@@ -1498,13 +1502,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) old.enabled = t & AUDIT_TTY_ENABLE; old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); - audit_log_common_recv_msg(audit_context(), &ab, - AUDIT_CONFIG_CHANGE); + lcontext = audit_alloc_for_lsm(GFP_KERNEL); + audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE); audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" " old-log_passwd=%d new-log_passwd=%d res=%d", old.enabled, s.enabled, old.log_passwd, s.log_passwd, !err); audit_log_end(ab); + audit_free_local(lcontext); break; } default: @@ -1550,6 +1555,7 @@ static void audit_receive(struct sk_buff *skb) /* Log information about who is connecting to the audit multicast socket */ static void audit_log_multicast(int group, const char *op, int err) { + struct audit_context *context; const struct cred *cred; struct tty_struct *tty; char comm[sizeof(current->comm)]; @@ -1558,7 +1564,8 @@ static void audit_log_multicast(int group, const char *op, int err) if (!audit_enabled) return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_EVENT_LISTENER); if (!ab) return; @@ -1577,6 +1584,7 @@ static void audit_log_multicast(int group, const char *op, int err) audit_log_d_path_exe(ab, current->mm); /* exe= */ audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err); audit_log_end(ab); + audit_free_local(context); } /* Run custom bind function on netlink socket group connect or bind requests. */ 
@@ -2128,6 +2136,36 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +static void audit_log_lsm(struct audit_context *context, struct lsmblob *blob) +{ + struct audit_buffer *ab; + struct lsmcontext lsmdata; + bool sep = false; + int error; + int i; + + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_TASK_CONTEXTS); + if (!ab) + return; /* audit_panic or being filtered */ + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (blob->secid[i] == 0) + continue; + error = security_secid_to_secctx(blob, &lsmdata, i); + if (error && error != -EINVAL) { + audit_panic("error in audit_log_lsm"); + return; + } + + audit_log_format(ab, "%ssubj_%s=%s", sep ? " " : "", + lsm_slot_to_name(i), lsmdata.context); + sep = true; + + security_release_secctx(&lsmdata); + } + audit_log_end(ab); +} + int audit_log_task_context(struct audit_buffer *ab) { int error; @@ -2138,7 +2176,18 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &context); + /* + * If there is more than one security module that has a + * subject "context" it's necessary to put the subject data + * into a separate record to maintain compatibility. + */ + if (lsm_multiple_contexts()) { + audit_log_format(ab, " subj=?"); + audit_log_lsm(ab->ctx, &blob); + return 0; + } + + error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST); if (error) { if (error != -EINVAL) goto error_path; @@ -2274,6 +2323,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, unsigned int oldsessionid, unsigned int sessionid, int rc) { + struct audit_context *context; struct audit_buffer *ab; uid_t uid, oldloginuid, loginuid; struct tty_struct *tty; 
@@ -2281,7 +2331,8 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, if (!audit_enabled) return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_LOGIN); if (!ab) return; @@ -2297,6 +2348,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, oldsessionid, sessionid, !rc); audit_put_tty(tty); audit_log_end(ab); + audit_free_local(context); } /** diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 1ba14a7a38f7..fd71c6bac200 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1098,12 +1098,14 @@ static void audit_list_rules(int seq, struct sk_buff_head *q) /* Log rule additions and removals */ static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) { + struct audit_context *context; struct audit_buffer *ab; if (!audit_enabled) return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (!ab) return; audit_log_session_info(ab); @@ -1112,6 +1114,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re audit_log_key(ab, rule->filterkey); audit_log_format(ab, " list=%d res=%d", rule->listnr, res); audit_log_end(ab); + audit_free_local(context); } /** diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d4e061f95da8..c3e3749328aa 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -987,12 +987,11 @@ struct audit_context *audit_alloc_local(gfp_t gfpflags) context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags); if (!context) { audit_log_lost("out of memory in audit_alloc_local"); - goto out; + return NULL; } context->serial = audit_serial(); ktime_get_coarse_real_ts64(&context->ctime); context->local = true; -out: return context; } EXPORT_SYMBOL(audit_alloc_local); 
@@ -1013,6 +1012,13 @@ void audit_free_context(struct audit_context *context) } EXPORT_SYMBOL(audit_free_context); +void audit_free_local(struct audit_context *context) +{ + if (context && context->local) + audit_free_context(context); +} +EXPORT_SYMBOL(audit_free_local); + static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, @@ -1030,7 +1036,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx)) { + if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1275,7 +1281,8 @@ static void show_special(struct audit_context *context, int *call_panic) struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt)) { + if (security_secid_to_secctx(&blob, &lsmcxt, + LSMBLOB_FIRST)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1430,7 +1437,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx)) { + if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; @@ -2619,10 +2626,12 @@ void __audit_ntp_log(const struct audit_ntp_data *ad) void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op, gfp_t gfp) { + struct audit_context *context; struct audit_buffer *ab; char comm[sizeof(current->comm)]; - ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, gfp, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", 
@@ -2633,6 +2642,7 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, audit_log_format(ab, " comm="); audit_log_untrustedstring(ab, get_task_comm(comm, current)); audit_log_end(ab); + audit_free_local(context); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); @@ -2667,6 +2677,7 @@ static void audit_log_task(struct audit_buffer *ab) */ void audit_core_dumps(long signr) { + struct audit_context *context; struct audit_buffer *ab; if (!audit_enabled) @@ -2675,12 +2686,14 @@ void audit_core_dumps(long signr) if (signr == SIGQUIT) /* don't care for those */ return; - ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_ANOM_ABEND); if (unlikely(!ab)) return; audit_log_task(ab); audit_log_format(ab, " sig=%ld res=1", signr); audit_log_end(ab); + audit_free_local(context); } /** diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index ae073b642fa7..5c0029a3a595 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -140,7 +140,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; lsmblob_init(&lb, secid); - err = security_secid_to_secctx(&lb, &context); + err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 215d3f9e9715..60539221e023 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -344,7 +344,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return 0; 
@@ -655,7 +655,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) struct lsmblob blob; struct lsmcontext context; - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index df6043d1bc22..861106a5f605 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -177,7 +177,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index bf8db099090b..90ecf03b35ba 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -316,7 +316,7 @@ static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, context); + security_secid_to_secctx(&blob, context, LSMBLOB_DISPLAY); } read_unlock_bh(&skb->sk->sk_callback_lock); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 0ce9bee43dd3..061b0c04740b 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -437,7 +437,8 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(lsmblob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); 
@@ -492,7 +493,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(&entry->lsmblob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -552,7 +554,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(&entry->lsmblob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -738,11 +741,10 @@ static void netlbl_unlabel_acceptflg_set(u8 value, netlabel_unlabel_acceptflg = value; audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, audit_info); - if (audit_buf != NULL) { + if (audit_buf != NULL) audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); - audit_log_end(audit_buf); - } + audit_log_end(audit_buf); } /** @@ -1122,7 +1124,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, lsmb = (struct lsmblob *)&addr6->lsmblob; } - ret_val = security_secid_to_secctx(lsmb, &context); + ret_val = security_secid_to_secctx(lsmb, &context, LSMBLOB_FIRST); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, 
@@ -1528,14 +1530,11 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; - struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_task_getsecid_subj(current, &blob); - /* scaffolding until audit_info.secid is converted */ - audit_info.secid = blob.secid[0]; + security_task_getsecid_subj(current, &audit_info.lsmdata); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 951ba0639d20..9c43c3cb2088 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -85,7 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, { struct audit_buffer *audit_buf; struct lsmcontext context; - struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,11 +97,14 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - lsmblob_init(&blob, audit_info->secid); - if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &context) == 0) { - audit_log_format(audit_buf, " subj=%s", context.context); - security_release_secctx(&context); + if (lsmblob_is_set(&audit_info->lsmdata)) { + if (!lsm_multiple_contexts() && + security_secid_to_secctx(&audit_info->lsmdata, &context, + LSMBLOB_FIRST) == 0) { + audit_log_format(audit_buf, " subj=%s", + context.context); + security_release_secctx(&context); + } } return audit_buf; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 11f6da93f31b..bc1f0cd824d5 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h 
@@ -34,11 +34,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, struct netlbl_audit *audit_info) { - struct lsmblob blob; - - security_task_getsecid_subj(current, &blob); - /* scaffolding until secid is converted */ - audit_info->secid = blob.secid[0]; + security_task_getsecid_subj(current, &audit_info->lsmdata); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index ce500f847b99..18a0a7be7230 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -4173,30 +4173,34 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SPD-add"); + audit_buf = xfrm_audit_start("SPD-add", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); audit_log_format(audit_buf, " res=%u", result); xfrm_audit_common_policyinfo(xp, audit_buf); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SPD-delete"); + audit_buf = xfrm_audit_start("SPD-delete", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); audit_log_format(audit_buf, " res=%u", result); xfrm_audit_common_policyinfo(xp, audit_buf); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete); #endif diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 4496f7efa220..a2ba060af6f1 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c 
@@ -2747,29 +2747,33 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SAD-add"); + audit_buf = xfrm_audit_start("SAD-add", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); xfrm_audit_helper_sainfo(x, audit_buf); audit_log_format(audit_buf, " res=%u", result); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_state_add); void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid) { + struct audit_context *context; struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SAD-delete"); + audit_buf = xfrm_audit_start("SAD-delete", &context); if (audit_buf == NULL) return; xfrm_audit_helper_usrinfo(task_valid, audit_buf); xfrm_audit_helper_sainfo(x, audit_buf); audit_log_format(audit_buf, " res=%u", result); audit_log_end(audit_buf); + audit_free_local(context); } EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); @@ -2779,7 +2783,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x, struct audit_buffer *audit_buf; u32 spi; - audit_buf = xfrm_audit_start("SA-replay-overflow"); + audit_buf = xfrm_audit_start("SA-replay-overflow", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); @@ -2797,7 +2801,7 @@ void xfrm_audit_state_replay(struct xfrm_state *x, struct audit_buffer *audit_buf; u32 spi; - audit_buf = xfrm_audit_start("SA-replayed-pkt"); + audit_buf = xfrm_audit_start("SA-replayed-pkt", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 
@@ -2812,7 +2816,7 @@ void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) { struct audit_buffer *audit_buf; - audit_buf = xfrm_audit_start("SA-notfound"); + audit_buf = xfrm_audit_start("SA-notfound", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, family, audit_buf); @@ -2826,7 +2830,7 @@ void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, struct audit_buffer *audit_buf; u32 spi; - audit_buf = xfrm_audit_start("SA-notfound"); + audit_buf = xfrm_audit_start("SA-notfound", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, family, audit_buf); @@ -2844,7 +2848,7 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x, __be32 net_spi; __be32 net_seq; - audit_buf = xfrm_audit_start("SA-icv-failure"); + audit_buf = xfrm_audit_start("SA-icv-failure", NULL); if (audit_buf == NULL) return; xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 691f68d478f1..3481990a25a6 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -342,6 +342,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename) { + struct audit_context *context; struct audit_buffer *ab; char *hash; const char *algo_name = hash_algo_name[iint->ima_hash->algo]; @@ -358,8 +359,8 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); hash[i * 2] = '\0'; - ab = audit_log_start(audit_context(), GFP_KERNEL, - AUDIT_INTEGRITY_RULE); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_INTEGRITY_RULE); if (!ab) goto out; @@ -369,6 +370,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, audit_log_task_info(ab); audit_log_end(ab); + audit_free_local(context); iint->flags |= IMA_AUDITED; out: 
diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c index 29220056207f..c3b313886e15 100644 --- a/security/integrity/integrity_audit.c +++ b/security/integrity/integrity_audit.c @@ -38,13 +38,15 @@ void integrity_audit_message(int audit_msgno, struct inode *inode, const char *cause, int result, int audit_info, int errno) { + struct audit_context *context; struct audit_buffer *ab; char name[TASK_COMM_LEN]; if (!integrity_audit_info && audit_info == 1) /* Skip info messages */ return; - ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno); + context = audit_alloc_for_lsm(GFP_KERNEL); + ab = audit_log_start(context, GFP_KERNEL, audit_msgno); audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", task_pid_nr(current), from_kuid(&init_user_ns, current_uid()), @@ -64,4 +66,5 @@ void integrity_audit_message(int audit_msgno, struct inode *inode, } audit_log_format(ab, " res=%d errno=%d", !result, errno); audit_log_end(ab); + audit_free_local(context); } diff --git a/security/security.c b/security/security.c index ae23b5a8fe87..81baa94092f4 100644 --- a/security/security.c +++ b/security/security.c @@ -2309,7 +2309,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { rc = hp->hook.setprocattr(name, value, size); - if (rc < 0) + if (rc < 0 && rc != -EINVAL) return rc; } 
@@ -2354,13 +2354,31 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int ilsm) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); memset(cp, 0, sizeof(*cp)); + /* + * ilsm either is the slot number use for formatting + * or an instruction on which relative slot to use. + */ + if (ilsm == LSMBLOB_DISPLAY) + ilsm = lsm_task_ilsm(current); + else if (ilsm == LSMBLOB_FIRST) + ilsm = LSMBLOB_INVALID; + else if (ilsm < 0) { + WARN_ONCE(true, + "LSM: %s unknown interface LSM\n", __func__); + ilsm = LSMBLOB_INVALID; + } else if (ilsm >= lsm_slot) { + WARN_ONCE(true, + "LSM: %s invalid interface LSM\n", __func__); + ilsm = LSMBLOB_INVALID; + } + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; @@ -2390,7 +2408,7 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, return hp->hook.secctx_to_secid(secdata, seclen, &blob->secid[hp->lsmid->slot]); } - return 0; + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_secctx_to_secid); 
@@ -2884,23 +2902,17 @@ int security_key_getsecurity(struct key *key, char **_buffer) int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { struct security_hook_list *hp; - bool one_is_good = false; - int rc = 0; - int trc; + int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.audit_rule_init, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; - trc = hp->hook.audit_rule_init(field, op, rulestr, - &lsmrule[hp->lsmid->slot]); - if (trc == 0) - one_is_good = true; - else - rc = trc; + if (ilsm != LSMBLOB_INVALID && ilsm != hp->lsmid->slot) + continue; + return hp->hook.audit_rule_init(field, op, rulestr, + &lsmrule[hp->lsmid->slot]); } - if (one_is_good) - return 0; - return rc; + return 0; } int security_audit_rule_known(struct audit_krule *krule) @@ -2932,6 +2944,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, continue; if (lsmrule[hp->lsmid->slot] == NULL) continue; + if (lsmrule[hp->lsmid->slot] == NULL) + continue; rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot], field, op, &lsmrule[hp->lsmid->slot]); diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e592e10397af..d56e55c04aa4 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c 
@@ -185,7 +185,8 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap) nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + lsmblob_init(&nap->lsmdata, 0); + nap->lsmdata.secid[smack_lsmid.slot] = skp->smk_secid; } /*
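Review bot: the result of audit_alloc_for_lsm(GFP_KERNEL) in integrity_audit_message() is handed straight to audit_log_start() and later audit_free_local() without a NULL check; if the allocation can fail, either confirm in a comment that both callees tolerate a NULL context or handle the failure explicitly before the audit_log_start() call.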
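Review bot: `if (rc < 0 && rc != -EINVAL)` in security_setprocattr() overloads -EINVAL to mean "this module does not handle the attribute", so a module that does own the attribute but rejects a malformed value with -EINVAL is no longer reported and the loop simply moves on to the next module; a distinct "not mine" return value, or checking the attribute name against the module before calling the hook, would keep a genuine bad-value error visible to the caller.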
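Review bot: in the new comment in security_secid_to_secctx(), "slot number use for formatting" should read "used"; more substantively, LSMBLOB_FIRST, a negative ilsm and an ilsm >= lsm_slot all collapse to LSMBLOB_INVALID, so only the two WARN_ONCE calls distinguish a caller bug from the legitimate "first available" request. Spelling out in that comment what the loop below does when ilsm is LSMBLOB_INVALID would make the contract clearer to callers.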
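Review bot: returning -EOPNOTSUPP instead of 0 from security_secctx_to_secid() when no module claims the hook changes the contract for every caller that treated 0 with an untouched blob as "no label"; the commit message should list the callers that were checked, since any caller that only tests `if (rc)` will start failing on a system with no context-providing LSM.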
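Review bot: security_audit_rule_init() now falls through to `return 0` when no module's slot matches ilsm (or when the interface LSM does not supply an audit_rule_init hook), so an audit rule carrying an LSM field is accepted with every lsmrule[] entry left NULL and will never match anything; returning -EINVAL there would surface the misconfiguration at rule-load time instead of producing a silently dead rule.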
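Review bot: the added `if (lsmrule[hp->lsmid->slot] == NULL) continue;` in security_audit_rule_match() exactly duplicates the check on the context line immediately above it; drop the two added lines.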
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v27 23/25] Audit: Add record for multiple object LSM attributes
Date: Thu, 10 Jun 2021 17:04:33 -0700
Message-Id: <20210611000435.36398-24-casey@schaufler-ca.com>
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Create a new audit record type to contain the object information when there are multiple security modules that may require such data. This record is linked with the same timestamp and serial number.

An example of the MAC_OBJ_CONTEXTS (1421) record is:

type=UNKNOWN[1421] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0

Not all security modules that can provide object information do so in all cases. It is possible that a security module won't apply an object attribute in all cases.
Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com To: Paul Moore --- include/linux/audit.h | 7 ++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 54 ++++++++++++++++++++++++++++ kernel/audit.h | 4 +-- kernel/auditsc.c | 73 +++++++------------------------------- 5 files changed, 76 insertions(+), 63 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 85eb87f6f92d..6bf0c86fcbc9 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -187,6 +187,8 @@ extern void audit_log_path_denied(int type, extern void audit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); +extern int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); extern void audit_log_task_info(struct audit_buffer *ab); extern int audit_update_lsm_rules(void); @@ -250,6 +252,11 @@ static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; } +static inline int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + return 0; +} static inline void audit_log_task_info(struct audit_buffer *ab) { } diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 2a63720e56f6..dbb1dce16962 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -140,6 +140,7 @@ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM object contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 36249dab3280..481b26770328 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -2204,6 +2204,60 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + int i; + int error; + bool sep = false; + struct lsmcontext lsmdata; + struct audit_buffer *lsmab = NULL; + struct audit_context *context = NULL; + + /* + * If there is more than one security module that has a + * object "context" it's necessary to put the object data + * into a separate record to maintain compatibility. + */ + if (lsm_multiple_contexts()) { + audit_log_format(ab, " obj=?"); + context = ab->ctx; + if (context) + lsmab = audit_log_start(context, GFP_KERNEL, + AUDIT_MAC_OBJ_CONTEXTS); + WARN_ONCE(!context, "Context not set for object\n"); + } + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (blob->secid[i] == 0) + continue; + error = security_secid_to_secctx(blob, &lsmdata, i); + if (error && error != -EINVAL) { + audit_panic("error in audit_log_object_context"); + return error; + } + + if (context) { + audit_log_format(lsmab, "%sobj_%s=%s", + sep ? " " : "", + lsm_slot_to_name(i), + lsmdata.context); + sep = true; + } else + audit_log_format(ab, " obj=%s", lsmdata.context); + + security_release_secctx(&lsmdata); + if (!context) + break; + } + + if (context) + audit_log_end(lsmab); + + return 0; +} +EXPORT_SYMBOL(audit_log_object_context); + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/audit.h b/kernel/audit.h index 27ef690afd30..43a42dd2a08c 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -78,7 +78,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -153,7 +153,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c3e3749328aa..a480b30a14dd 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -685,14 +685,6 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { - /* - * lsmblob_init sets all values in the - * lsmblob to sid. This is temporary - * until name->osid is converted to a - * lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, f->type, @@ -700,7 +692,6 @@ static int audit_filter_rules(struct task_struct *tsk, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - lsmblob_init(&blob, name->osid); if (security_audit_rule_match( &blob, f->type, @@ -714,8 +705,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - lsmblob_init(&blob, ctx->ipc.osid); - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rules)) ++result; @@ -1025,7 +1015,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1035,15 +1024,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(blob)) + rc = audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); 
@@ -1270,26 +1252,15 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct lsmblob *oblob = &context->ipc.oblob; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { - struct lsmcontext lsmcxt; - struct lsmblob blob; - - lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } - } + if (lsmblob_is_set(oblob) && + audit_log_object_context(ab, oblob)) + *call_panic = 1; if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1432,20 +1403,9 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { - struct lsmblob blob; - struct lsmcontext lsmctx; - - lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", n->osid); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(&n->oblob) && + audit_log_object_context(ab, &n->oblob) && call_panic) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { 
@@ -1988,17 +1948,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &blob); - /* scaffolding until osid is updated */ - name->osid = blob.secid[0]; + security_inode_getsecid(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; 
@@ -2344,17 +2300,12 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &blob); - /* context->ipc.osid will be changed to a lsmblob later in - * the patch series. This will allow auditing of all the object - * labels associated with the ipc object. */ - context->ipc.osid = lsmblob_value(&blob); + security_ipc_getsecid(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; }
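Review bot: in audit_log_object_context() the `error == -EINVAL` case falls through to the audit_log_format() calls, so a module that declines to provide a context for slot i still gets an `obj_<name>=` field formatted from the zeroed lsmdata (a NULL context string) and then released; that branch should `continue`. The `error && error != -EINVAL` path also returns without audit_log_end(lsmab), leaving the AUDIT_MAC_OBJ_CONTEXTS buffer started by audit_log_start() open, and the lsm_multiple_contexts() branch never checks lsmab for NULL, which is only acceptable because audit_log_format() and audit_log_end() tolerate a NULL buffer and deserves a comment.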
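Review bot: the replacement of `u32 osid` with `struct lsmblob oblob` in struct audit_names and struct audit_context grows every name entry and every context by the size of the blob; since a single context can carry many names, the per-context memory impact belongs in the commit message.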
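Review bot: both audit_filter_rules() hunks (@@ -685 and @@ -700) remove the lsmblob_init(&blob, ...->osid) calls but leave `&blob` as the argument to security_audit_rule_match(), so the file-name matches now run against whatever `blob` last held rather than the object's label; they should pass `&name->oblob` and `&n->oblob` respectively, as the AUDIT_IPC hunk does with `&ctx->ipc.oblob`. The removed line in the names_list loop also read `name->osid` where `n` is the iterator, so switching to `&n->oblob` fixes that as well.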
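Review bot: audit_log_pid_context() now propagates the raw error from audit_log_object_context() where it previously returned rc = 1 and logged an explicit ` obj=(none)` marker; callers that test this return value should be checked, and the record now carries no obj= field at all when the conversion fails.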
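Review bot: audit_log_object_context() already calls audit_panic() before returning an error, so the `*call_panic = 1` in show_special() and `*call_panic = 2` in audit_log_name() set here trigger the panic path a second time at the end of the record; keep either the helper's audit_panic() or the callers' flag, not both.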
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v27 24/25] LSM: Add /proc attr entry for full LSM context
Date: Thu, 10 Jun 2021 17:04:34 -0700
Message-Id: <20210611000435.36398-25-casey@schaufler-ca.com>
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

Add an entry /proc/.../attr/context which displays the full process security "context" in compound format:

lsm1\0value\0lsm2\0value\0...

This entry is not writable. A security module may decide that its policy does not allow this information to be displayed. In this case none of the information will be displayed.

Reviewed-by: Kees Cook
Signed-off-by: Casey Schaufler
Cc: linux-api@vger.kernel.org
Cc: linux-doc@vger.kernel.org
--- Documentation/ABI/testing/procfs-attr-context | 14 ++++ Documentation/security/lsm.rst | 14 ++++ fs/proc/base.c | 1 + include/linux/lsm_hooks.h | 6 ++ security/apparmor/include/procattr.h | 2 +- security/apparmor/lsm.c | 8 +- security/apparmor/procattr.c | 22 +++--- security/security.c | 79 +++++++++++++++++++ security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- 10 files changed, 135 insertions(+), 15 deletions(-) create mode 100644 Documentation/ABI/testing/procfs-attr-context diff --git a/Documentation/ABI/testing/procfs-attr-context b/Documentation/ABI/testing/procfs-attr-context new file mode 100644 index 000000000000..40da1c397c30 --- /dev/null +++ b/Documentation/ABI/testing/procfs-attr-context
@@ -0,0 +1,14 @@ +What: /proc/*/attr/context +Contact: linux-security-module@vger.kernel.org, +Description: The current security information used by all Linux + security module (LSMs) that are active on the system. + The details of permissions required to read from + this interface and hence obtain the security state + of the task identified is dependent on the LSMs that + are active on the system. + A process cannot write to this interface. + The data provided by this interface will have the form: + lsm_name\0lsm_data\0[lsm_name\0lsm_data\0]... + where lsm_name is the name of the LSM and the following + lsm_data is the process data for that LSM. +Users: LSM user-space diff --git a/Documentation/security/lsm.rst b/Documentation/security/lsm.rst index b77b4a540391..070225ae6ceb 100644 --- a/Documentation/security/lsm.rst +++ b/Documentation/security/lsm.rst @@ -143,3 +143,17 @@ separated list of the active security modules. The file ``/proc/pid/attr/interface_lsm`` contains the name of the security module for which the ``/proc/pid/attr/current`` interface will apply. This interface can be written to. + +The infrastructure does provide an interface for the special +case where multiple security modules provide a process context. +This is provided in compound context format. + +- `lsm\0value\0lsm\0value\0` + +The `lsm` and `value` fields are NUL-terminated bytestrings. +Each field may contain whitespace or non-printable characters. +The NUL bytes are included in the size of a compound context. +The context ``Bell\0Secret\0Biba\0Loose\0`` has a size of 23. + +The file ``/proc/pid/attr/context`` provides the security +context of the identified process. diff --git a/fs/proc/base.c b/fs/proc/base.c index 10de522f3112..23ebfc35435c 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c 
@@ -2808,6 +2808,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), ATTR(NULL, "interface_lsm", 0666), + ATTR(NULL, "context", 0444), #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index d2c4bc94d47f..f6ffe8b069e2 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1397,6 +1397,12 @@ * @pages contains the number of pages. * Return 0 if permission is granted. * + * @getprocattr: + * Provide the named process attribute for display in special files in + * the /proc/.../attr directory. Attribute naming and the data displayed + * is at the discretion of the security modules. The exception is the + * "context" attribute, which will contain the security context of the + * task as a nul terminated text string without trailing whitespace. * @ismaclabel: * Check if the extended attribute specified by @name * represents a MAC label. Returns 1 if name is a MAC diff --git a/security/apparmor/include/procattr.h b/security/apparmor/include/procattr.h index 31689437e0e1..03dbfdb2f2c0 100644 --- a/security/apparmor/include/procattr.h +++ b/security/apparmor/include/procattr.h @@ -11,7 +11,7 @@ #ifndef __AA_PROCATTR_H #define __AA_PROCATTR_H -int aa_getprocattr(struct aa_label *label, char **string); +int aa_getprocattr(struct aa_label *label, char **string, bool newline); int aa_setprocattr_changehat(char *args, size_t size, int flags); #endif /* __AA_PROCATTR_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4237536106aa..65a004597e53 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -602,6 +602,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, const struct cred *cred = get_task_cred(task); struct aa_task_ctx *ctx = task_ctx(current); struct aa_label *label = NULL; + bool newline = true; if (strcmp(name, "current") == 0) label = aa_get_newest_label(cred_label(cred)); @@ -609,11 +610,14 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, label = aa_get_newest_label(ctx->previous); else if (strcmp(name, "exec") == 0 && ctx->onexec) label = aa_get_newest_label(ctx->onexec); - else + else if (strcmp(name, "context") == 0) { + label = aa_get_newest_label(cred_label(cred)); + newline = false; + } else error = -EINVAL; if (label) - error = aa_getprocattr(label, value); + error = aa_getprocattr(label, value, newline); aa_put_label(label); put_cred(cred); diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c index c929bf4a3df1..be3b083d9b74 100644 --- a/security/apparmor/procattr.c +++ b/security/apparmor/procattr.c @@ -20,6 +20,7 @@ * aa_getprocattr - Return the profile information for @profile * @profile: the profile to print profile info about (NOT NULL) * @string: Returns - string containing the profile info (NOT NULL) + * @newline: Should a newline be added to @string. * * Returns: length of @string on success else error on failure * 
@@ -30,20 +31,21 @@ * * Returns: size of string placed in @string else error code on failure */ -int aa_getprocattr(struct aa_label *label, char **string) +int aa_getprocattr(struct aa_label *label, char **string, bool newline) { struct aa_ns *ns = labels_ns(label); struct aa_ns *current_ns = aa_get_current_ns(); + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED; int len; if (!aa_ns_visible(current_ns, ns, true)) { aa_put_ns(current_ns); return -EACCES; } + if (newline) + flags |= FLAG_SHOW_MODE; - len = aa_label_snxprint(NULL, 0, current_ns, label, - FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | - FLAG_HIDDEN_UNCONFINED); + len = aa_label_snxprint(NULL, 0, current_ns, label, flags); AA_BUG(len < 0); *string = kmalloc(len + 2, GFP_KERNEL); @@ -52,19 +54,19 @@ int aa_getprocattr(struct aa_label *label, char **string) return -ENOMEM; } - len = aa_label_snxprint(*string, len + 2, current_ns, label, - FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | - FLAG_HIDDEN_UNCONFINED); + len = aa_label_snxprint(*string, len + 2, current_ns, label, flags); if (len < 0) { aa_put_ns(current_ns); return len; } - (*string)[len] = '\n'; - (*string)[len + 1] = 0; + if (newline) { + (*string)[len] = '\n'; + (*string)[++len] = 0; + } aa_put_ns(current_ns); - return len + 1; + return len; } /** diff --git a/security/security.c b/security/security.c index 81baa94092f4..89ac9cdf8005 100644 --- a/security/security.c +++ b/security/security.c 
@@ -801,6 +801,57 @@ static int lsm_superblock_alloc(struct super_block *sb) return 0; } +/** + * append_ctx - append a lsm/context pair to a compound context + * @ctx: the existing compound context + * @ctxlen: size of the old context, including terminating nul byte + * @lsm: new lsm name, nul terminated + * @new: new context, possibly nul terminated + * @newlen: maximum size of @new + * + * replace @ctx with a new compound context, appending @newlsm and @new + * to @ctx. On exit the new data replaces the old, which is freed. + * @ctxlen is set to the new size, which includes a trailing nul byte. + * + * Returns 0 on success, -ENOMEM if no memory is available. + */ +static int append_ctx(char **ctx, int *ctxlen, const char *lsm, char *new, + int newlen) +{ + char *final; + size_t llen; + size_t nlen; + size_t flen; + + llen = strlen(lsm) + 1; + /* + * A security module may or may not provide a trailing nul on + * when returning a security context. There is no definition + * of which it should be, and there are modules that do it + * each way. + */ + nlen = strnlen(new, newlen); + + flen = *ctxlen + llen + nlen + 1; + final = kzalloc(flen, GFP_KERNEL); + + if (final == NULL) + return -ENOMEM; + + if (*ctxlen) + memcpy(final, *ctx, *ctxlen); + + memcpy(final + *ctxlen, lsm, llen); + memcpy(final + *ctxlen + llen, new, nlen); + + kfree(*ctx); + + *ctx = final; + *ctxlen = flen; + + return 0; +} + /* * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and * can be accessed with: @@ -2234,6 +2285,10 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, char **value) { struct security_hook_list *hp; + char *final = NULL; + char *cp; + int rc = 0; + int finallen = 0; int ilsm = lsm_task_ilsm(current); int slot = 0; 
@@ -2261,6 +2316,30 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name, return -ENOMEM; } + if (!strcmp(name, "context")) { + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, + list) { + rc = hp->hook.getprocattr(p, "context", &cp); + if (rc == -EINVAL) + continue; + if (rc < 0) { + kfree(final); + return rc; + } + rc = append_ctx(&final, &finallen, hp->lsmid->lsm, + cp, rc); + kfree(cp); + if (rc < 0) { + kfree(final); + return rc; + } + } + if (final == NULL) + return -EINVAL; + *value = final; + return finallen; + } + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b7800fa55a34..0a9af748f77c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6468,7 +6468,7 @@ static int selinux_getprocattr(struct task_struct *p, goto bad; } - if (!strcmp(name, "current")) + if (!strcmp(name, "current") || !strcmp(name, "context")) sid = __tsec->sid; else if (!strcmp(name, "prev")) sid = __tsec->osid; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e65497a5c095..1618d7d6154b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -3477,7 +3477,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) char *cp; int slen; - if (strcmp(name, "current") != 0) + if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0) return -EINVAL; cp = kstrdup(skp->smk_known, GFP_KERNEL);
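Review bot: the new @newline parameter of aa_getprocattr() is not documented; the hunk leaves the kernel-doc block untouched (only "Returns: size of string placed in @string" is visible), so a "@newline: append a trailing newline to the result" line is needed, and "Returns:" should say that the count now includes the newline only when it is requested. Also, `*string = kmalloc(len + 2, GFP_KERNEL);` still reserves the newline byte when @newline is false; harmless, but `len + (newline ? 2 : 1)` would make the intent explicit.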
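Review bot: the kernel-doc for append_ctx() says "appending @newlsm and @new" while the parameter is named @lsm, so the generated documentation will not match; rename it in the comment. The @new parameter is only read (strnlen() and memcpy()), so it can be `const char *new`. The in-function comment also has a stray word ("provide a trailing nul on when returning"). The layout that results, `lsm\0ctx\0lsm\0ctx\0`, relies on copying the old context's terminating nul as the separator (`memcpy(final, *ctx, *ctxlen)` with @ctxlen including it); that is correct but worth stating in the comment, since the format is what userspace will parse.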
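Review bot: the new "context" branch in security_getprocattr() never looks at the @lsm argument, whereas the loop directly below it filters with `if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue;`. If the compound attribute is meant to exist only at the top level that is fine, but an explicit `lsm == NULL` check or a comment would make it clear; otherwise a request for a specific module's "context" would return every module's context. Skipping modules that return -EINVAL while propagating any other error is the right behaviour for modules that do not implement "context", and the `kfree(cp)` after append_ctx() is needed because the per-module buffer is copied rather than handed to the caller.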

From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v27 25/25] AppArmor: Remove the exclusive flag
Date: Thu, 10 Jun 2021 17:04:35 -0700
Message-Id: <20210611000435.36398-26-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210611000435.36398-1-casey@schaufler-ca.com>
References: <20210611000435.36398-1-casey@schaufler-ca.com>

With the inclusion of the interface LSM process attribute mechanism AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive. Remove the stub getpeersec_dgram AppArmor hook as it has no effect in the single LSM case and interferes in the multiple LSM case.

Acked-by: Stephen Smalley
Acked-by: John Johansen
Reviewed-by: Kees Cook
Signed-off-by: Casey Schaufler
---
security/apparmor/lsm.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 65a004597e53..15af5a5cb0c0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock
@@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -1928,7 +1910,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init,
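Review bot: removing apparmor_socket_getpeersec_dgram() is the right call; the deleted stub only ever did `return -ENOPROTOOPT;` behind a "TODO: requires secid support" comment, and its kernel-doc ("Sets the netlabel socket state on sk from parent") described a different function, so nothing documented is lost. The matching `LSM_HOOK_INIT(socket_getpeersec_dgram, ...)` entry is dropped in the following hunk, which keeps the hook table consistent with the code.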
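Review bot: in the DEFINE_LSM(apparmor) hunk, keeping LSM_FLAG_LEGACY_MAJOR while dropping LSM_FLAG_EXCLUSIVE means AppArmor remains selectable through the legacy boot parameter but can now be enabled alongside another major module. The commit message ties this to the interface LSM process attribute mechanism added earlier in the series, so the change must not be taken on its own (for example in a partial backport); a "Depends on" line or an explicit reference to that patch in the changelog would make the ordering requirement visible to anyone cherry-picking.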