From patchwork Fri Dec 15 22:15:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495105 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06E0318EA9 for ; Fri, 15 Dec 2023 22:16:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="m1m3Yf9c" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678606; bh=FmMcsVVDLGfPaI0hFOy8AYrMrLRvj34ZN+ckuE1msOk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=m1m3Yf9ciOM+tToNpqpK7z3qn2dnhZjs6lQVTgz0JD2oPdjAlYO3+eQR9OB7yJDlXfQqsfzqVh5npgvn1dlF24mkydf70HNMhPj2Pq3VesF7Z19Yummk0DRCsuwGshwPPA3PafoNuHDTsaIAFEPmaFJD8Ygw11LH9Mu/AXCOjLYDlwg4Y53SRDdNFNSSs0CRqcTtOUON1RwMUxdrYiqlJiLq/kzj5P1qW7Bhksjq4NjFIWszyxK0HhhbCXRTn/lxHV9MkzciEsrnO16W4O8xG6r9SM/ji9lZleXsFuw9pz7uw6sNYiH158oLvNTcxkPoxhzlgN9z5nLSJ3NpltwPHw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678606; bh=rhXq6UaWj3lymorjt1SjraObFjPjZaSh7yi8ccPuT+9=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=mXNGDMh0LBTGw+XTniM1m7qNGTst9CF6/iGsd40kdssv790dpumHcGYr8JtN0F5qJiJcEMXorIDPjRzJm01twSHAMmYnslMxVlvvxN06+2OL5zJfYniy8op33kU0yVt8IA2hOtLWWOkL39g9jjx5BbnL7KvfcH+sNijsAPLIaemex4g6bv6dF0E02MhiTRtuNORWNCe/77EDpir1AyHC/iZQDL3Ou2ScFtC3k18jc1T/Dv/n7LboeLGiLJmjcMY+LV0tsc/vIlUxysp66NcAV88POes0vnh1KSa42lT8WsTWVYZSkLeiA1u8j1g/GwC++BxGPsnxOKori8MgTGMToA== X-YMail-OSG: O2HtxKcVM1mb_7stTd9ZNKZ7qkd_vxRRuArVX4xEflH6EQ.OY.yFXfjCgI1UwjP tkkFAUYdFJJpupA9pp5fyvTgO49M9yMGMS2up.KPYE1z.2Rj1bwA0fXsBJBoDf4uf3sdXHoo.aFY oY2qL9C1Wvz1NOGxLeMPEFQuV88s.BmVCyJV3et9XB0jAUriPUYn7ND9gATf80kYpq3pA_Pcz.sH 7cgC8pUXx1qMI7QTrLwxpbuSJCB6yuaRoq8NlzAf8ZU5F43HvdLlBTrwdM7OXwA9jrD4hpCKpMhW hJCmmw6zWNhy71FXsa64FAmA7RhDg_G61ZQlEkJyNGSoVqqHLwx1uJ66KqVuA67DCcplNR45cdSU TGSUIiC6JqtCrgC6cIOkclWDbaeRM5SdfUOfwcXDh326Xyzc_rL7kOMp5a5MvW0CgP4RWlp6HJlh GwrYZEzf66Rhht2TG3wwg8H07rHyhVVCnzInfebsMEJ3F6tZlEemvmZ2HzsLN60Ys26F6WBHqqSj WlujBflq5c5v4pWooEBKYaTSDhjNa4G7tuZtRROqdtlI7dSAxHgZCyeGY623EAK58KHuKG671M4t PbWr4X5vExVHAcjVc3E2jKvzDUWb9SyqKM2dPkLPU1OtimmEt8nu0vBkK32KHlZFqn3vSejF0F1b LUPwgyRPqlvVZfAMqDxPcry9XSbgk4GGpLenPtpPN.bvGri3lLRB1jgVo53j3LS14m3fCKXVS306 K0R9nVaBDrzwfQFiJqcQ30oZWf_WLnsF30ZIKWpDd6XPhqE5VlF8BIVy7.qK4Ex8l8_7riMjBuNe riIUAW1jpmoTeJzljNcYWhxm4IKbropoAf0C6I.kPuZmxT.v.GIN7gbQnPiZbrWSWvlLHKoOw9SJ K8pj6LVqIrgk2V55DNUbbS8i_O9hbAy5bE6NkyXztgNueDGdz.ucqYwVu6dE2sfstwYTp5y1N4d6 CONHksJUnOS62CTnS1bRh1G11UylfveCcMF78zsvLWAjG5R1Umtig_Fz9RCsi65dbh03osMdD9QD BzYkJfVHu_r4B6QP6JBQVtNJDIH3zrrx53obYcPi3pMWuQyX59ZW_hZKT_e6haYB9UObbVsvyo_s 1zlKts5piDGRBG7.rjg.Hsni2vRkQl8rAN99S3VlYN3toSqDFTKjEgSgQjzOV8Bb.LgA9jwMQM5M h_5DXuuRlhZzyTSANd6FDJUtwaWDqwR3iNub.fLKgAbnCYf2ylWuTM_m2QWaAYfB0hQsHzdve906 .b6b7IFBXuchobanW5iHCNtBaQ4LWvisPOpBfVz2u5Bk4molBf4V4g7ivQI5RHjv_S89zasgQT_q JX0l9Zs_CwfkOBCELPSjt.OphzypDe985doTAdvTuanjdocJSl.8MHWaD5TaotVagvXX.Dl1DLhL n65oggb7nzUMHlHccBlqghusyBtD_9tiUK_Jk.ln7xmsdKn6r4a7DUpvjz82c4eyvjtaZbdsDDuH CAkLEKJoR9U_T5oaQjEROv94lFXSJYEx5_ow6CpiuCGIVXCdeYwNKWu2FnPO00NAEI3Q5euWrxs3 OV3Aap5EM78W7Q8jlTxHWHqlwTsy0zhKMyyb_CRzL.gICEhda4jU4RJyIwG51D6RZL2Xq0TolO.X XbT29E.0DC7o5FsS8Twa7QqaE0_l59Lqy0NsnO731DhiyKwDHvaq6aK_E7JQUm8Drg0H5bS1G2EC 9LjZPxEeCoqXhxVPDBqnnuGOQFuxIpN2eb4oiLksMUikldRpDI9SQu74355ms3dI6QNQUL.uw3D6 GLHsAxh7QseICmelTDb2kJIMxhlIZ_g7ofSEiPeUbXADtmLzz0Xd0XMQh5usq7f5IYrhRtUMktvy x8VMXgKup1iqPJy0wahF11ApM7gPaJBVt52IJFKI2.aDnvPqBksTT1vjPzv2.ZGjmg2hpsBsvAi6 bOeAQDLBhWCd7dp89QkvTNelQyrAB854EUEmSmID1TrMGdoqdxT_ZByUHMyt.A190WmV9.5T9PnE hyYqWP5iPrEK8UAKK_kYW.CmaPfuy59K7ldkqQO1CQOZnS_Nv_VtEJk9aeyeapcBP5.xAeD2LIZy elAOnU_tAWJ_1wU6UOAhcs0_t10PjP7Ya6M9nHEmU8XsMuVfXjsP8LReK1lvwl1S3U9yMWyZLIBJ O7u4aGXYc_uKC.uh2JuvKWMjzSKW8Q_gF2hBtodIZYEib19LTznnxgJBVfivR.M.rSU4fCqCeioE Bx1oNnI7BugXQ83w9C2UWJK0l4D4CeLmNPV4yjd4J0z0d.O8C8POxEt6JMl8DdOEPstJzoFfCF3Y K5NijeCAaTIOUhMCv1Q-- X-Sonic-MF: X-Sonic-ID: dab07133-ca5a-4854-a152-4a9956023969 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:16:46 +0000 Received: by hermes--production-gq1-6949d6d8f9-k52jv (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID af526ee8ff178a31e5a49e4e8cc011a6; Fri, 15 Dec 2023 22:16:44 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org Subject: [PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule Date: Fri, 15 Dec 2023 14:15:55 -0800 Message-ID: <20231215221636.105680-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create real functions for the ima_filter_rule interfaces. These replace #defines that obscure the reuse of audit interfaces. The new functions are put in security.c because they use security module registered hooks that we don't want exported. Acked-by: Paul Moore Reviewed-by: John Johansen Signed-off-by: Casey Schaufler To: Mimi Zohar Cc: linux-integrity@vger.kernel.org Acked-by: Roberto Sassu --- include/linux/security.h | 24 ++++++++++++++++++++++++ security/integrity/ima/ima.h | 26 -------------------------- security/security.c | 21 +++++++++++++++++++++ 3 files changed, 45 insertions(+), 26 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 750130a7b9dd..4790508818ee 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2009,6 +2009,30 @@ static inline void security_audit_rule_free(void *lsmrule) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_AUDIT */ +#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +void ima_filter_rule_free(void *lsmrule); + +#else + +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, + void **lsmrule) +{ + return 0; +} + +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, + void *lsmrule) +{ + return 0; +} + +static inline void ima_filter_rule_free(void *lsmrule) +{ } + +#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */ + #ifdef CONFIG_SECURITYFS extern struct dentry *securityfs_create_file(const char *name, umode_t mode, diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c29db699c996..560d6104de72 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig) } #endif /* CONFIG_IMA_APPRAISE_MODSIG */ -/* LSM based policy rules require audit */ -#ifdef CONFIG_IMA_LSM_RULES - -#define ima_filter_rule_init security_audit_rule_init -#define ima_filter_rule_free security_audit_rule_free -#define ima_filter_rule_match security_audit_rule_match - -#else - -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) -{ - return -EINVAL; -} - -static inline void ima_filter_rule_free(void *lsmrule) -{ -} - -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) -{ - return -EINVAL; -} -#endif /* CONFIG_IMA_LSM_RULES */ - #ifdef CONFIG_IMA_READ_POLICY #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR) #else diff --git a/security/security.c b/security/security.c index d7b15ea67c3f..8e5379a76369 100644 --- a/security/security.c +++ b/security/security.c @@ -5350,6 +5350,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) } #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_IMA_LSM_RULES +/* + * The integrity subsystem uses the same hooks as + * the audit subsystem. + */ +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +{ + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); +} + +void ima_filter_rule_free(void *lsmrule) +{ + call_void_hook(audit_rule_free, lsmrule); +} + +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +{ + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); +} +#endif /* CONFIG_IMA_LSM_RULES */ + #ifdef CONFIG_BPF_SYSCALL /** * security_bpf() - Check if the bpf syscall operation is allowed From patchwork Fri Dec 15 22:15:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495116 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6402C18ED0 for ; Fri, 15 Dec 2023 22:18:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="I1tRGW0v" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678704; bh=DnwPkOYZraIIhFEbNt5Wju9rOS7ndRvvMLf58bGhDCY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=I1tRGW0vmxhhvIh6UrZ6UaWoeGYSbgTl1vxc8/G4RDR0jcPwPurXsL5H/94oKRhdyIF/TXl+dZ/nACryUTOxAb4k1aTBnw+wBnaqkmzMDI1c7DBXmqMl17eItPLHeBwzmR5nS4xL9GsEWjnSSBfNuZJYunwkmZGc/6OjA2Db3FDFty7T7Ub1F9YcYuPBKUashxamATo6QR/HVMm2OFjfmVjl5gfGXp35w6S+TqftrR4rMmZ8RYJUiswwAn3TF9n7+oUXOHyHN/1has2TAvMESZ88/cGjSUhrQvDlw52zLl84IeOZeApZP1NvU3AEnyei0+gkM/8gV0cRazAMTxlLmw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678704; bh=0EF/uQY77fW47L/zanuKc52hNgOFFesyhMuWU/QQ6ys=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=WR6TFvVYBOUG/bD+aeRe3yqVsJ36QSpzYWxON/desqZGrLVvTQk14J78duyvkEf4SiUhNg0c8icYjGbT0fwaF+X7+YAUjatBl+qNBJ/MctQNOqvzU4n4IDtMD7mD3IEfOTlUqN4I/GlDJmwjfallT6iEilmenwBkGgg7j03oAGA5ZNlVlFEQScuw8pKT/LKq2n2qq4shoDVab5rUBHqFaV3iBFAD5xURy2bSCY6+SYjU67xGikX7BY7+Kc/6D+3lwOiSkTJdPRogAcAtLnOL7hOVcP5iat27P6sDKxKzzdSMGWTxXodoxUBuiyWe4sZuhEwZ69v7TrXOz7TPDzC7Vw== X-YMail-OSG: 92CbLl4VM1m_S56aS.Q1V7aDv.lw2pScJBAFIF0.M4NScuLtPChQPQfb8V4u1gX zTuwnglMGNwMWNXim6W0UPyAXxJ3AXE8BPfLtLKXWtCWiXRWVwJ7Lj1nAWJfJaig218gV2pQi0OV SnxlBXFwYQkjcUFRrjJHk6RlvuEmt9mLhXftg1rI8O6yUaViBLSFsWbf3NMJvJN5tl7UdntdR6Fd xzRUhRPHroNL0j0DC6sYRakM9ej7.JbrWoBkFOvpD4i6S1U.Yt4h8S6ITknZ3SulrIW2eDm7gPbD mFrCFPjoEfK9HFFqbBUDZpAU5AeIM7spWtQA8AMxcWGRddvy8tzDOasf2Cobfo.3xOAbjqxsWMpw lZ6GdgVFefOifxeiIbJomZyLnxKig3FAcxCzPT3poJF5cTAAhKcM8TV6wva0Xn2yjk4ACrRmpCnJ TMKZnqe_IGhT2v3JC_Dpp5y0_YaQuu3UCAQHRUY4lYMQPWEAPwSY9Ci4r_kqtC9_vSITbBVF7pPn sj9tHnILl_RcIDFiJnBo2MbcSqV2KieihZJ4M5jI2KXFlyVC2E3c_6DEFFeB2vYqoUgzUPaBYyf1 0wFvuNqTPySeN2Sl.8qBvNu47BasHUWXul53LEz3kcRyB3rLoYDbbQTuVHysqyfFOclHlhgsYV8N KE0QEgdGT0DNjD7QOIG9oOPTfiswdDBBGIn34hemi2bchoLU4TIFlREu6BG9Hb9uZQfVAbYiDTnp 77WwjKQKMkzAuT8XklsqEKuntyRyTxUL7aeK0Y2RLrJxqoIeY5.1ObXHZ6fxmR3IM6Jn7KmQx9XC tGPsbQB0CjT7lmhaZfRfk2J_44LEHEEJRt0P0hjyV.1caWCWbe_8gepIDDRKZpak6kytx9z2KHrR 2wPhLc3bFdM62RFfFd2NsxOymIFOWj6O6OrQB4Q2QFeV3Wtg.2_KUh_5GebsspTh3UgfMuYbDJaK .WTW.8Vev0mEKixLBpQsvXjduWsj4k6iDY_Ij01FYIOyxXZBJK9Z2acd9RRUQU4AzYD_nNX90ZDM CnWXlncRyxrxt92gvlfzBesrWhYeyWpWB21itSQdZKClgD6ZlFUtvcBBP.o3k7AZzV885tULrmCB fN6fyGbsA6pOPJLGuZ44IZQ20BcnaabeIFVUnU2WCOFT0eGPTlCUN8gG_NR2gPKidQmpcCQMlamH aiiG4bGQ95b3lgs_TLSDt7p90bJ6KDHxQVrn8VEDDsvr_kS02cXvi9nOoFhbcR9Q66culMPd5u30 htNPXYLPgxn7dOX179VU2Cg2CErtS..tOX_bVmbAApWvv6YSAsOnYrK2CX_tzsNbZBrh8CDAGexd xnchwbflqxQ9DWAkijPJNH9gC1DbQerWeqFT3IF09FkeSSq85UKtt_wBNMjrIbfQx3YknncvpFmL Pgnf6.FUZi3hfk5cr4NyPa9kBjNb4irEr69WMYhr29H6uWoWVeld8ogmwIxIIZkXcsC.0kzWTRuj LTw9m.l3QLtipPIbjhAZSLfW60aPY4qietdKwrBNXExgkT2vdQS10roCEabLBhywB7KSYH7CClwF ZiV2k4ALgEWRsAnDR2UtmuCOQ1zrFyg9rE47pPoRFl4tiXp1AUfvwJEen6QGhsICku_B6CKxkROz YVm1y99Ycopaihopv9Yai6qZOGn90G0jkoCEb5Nzk.FoiVrpLsHhAfxjy6Ml.Nn15YCXXtpExfaY K42IFfOoenJPC_1Mh46hkSusPfS5bta.xsRtifPW5fSTVds_3ZqbNCu3RyFmUhxj5EY_uQ1GDXXK slUPHPXx7Atc6lqU9ciffHW7LYdFX4tgDNqb4oh9gOZVe2wNhgz5p_bObaREsfD_JF6Gsw_VsyOe _9r07lFbVIDbBpcCQeRsWrcOFvjRvHZGc0QF7UrVgRihuKJ6iLKT4GOHvlgWiO6A6S2RbDFwV_me QVOInMkX6oe4Ff24QnmyFasL9bLCt3xjclQIehkMxtaIPJHFlmhYsMRyrI0CE8VFZ0WDzv7qRZWq D1cgdHUhwl5b1cPTGaJA8m9sxjJazPYlKiqtkC9YWKLUvUs5hzOhCjuIhxJC7H_m7LRV7fc8HK53 37lL4YC.UHj9K7DgkpekjKYVMYl7AMBhRFnzkEdsL9aak4xUWYlyY2BvnmkKL8mDzuBdFRKQbacO bHmKnzA2_IlqybXP01xNC4F_ipb8f2zTZawSSIv396jvY.jg09IiH00C8MzkAgC4VwLlTs57SxlB s0QAf7GfjkjPrKpLGlunnTN7tBwJbaj6J2ptzo3.ujA-- X-Sonic-MF: X-Sonic-ID: 24a17b18-0db7-4e1c-b805-ac479274476e Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:18:24 +0000 Received: by hermes--production-gq1-6949d6d8f9-c9pk7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID f3cc26e4d12b933f3b6c85ffc86b5c01; Fri, 15 Dec 2023 22:18:18 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 02/42] SM: Infrastructure management of the sock security Date: Fri, 15 Dec 2023 14:15:56 -0800 Message-ID: <20231215221636.105680-3-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 3 +- security/apparmor/lsm.c | 20 +------- security/apparmor/net.c | 2 +- security/security.c | 36 ++++++++++++++- security/selinux/hooks.c | 76 ++++++++++++++----------------- security/selinux/include/objsec.h | 5 ++ security/selinux/netlabel.c | 23 +++++----- security/smack/smack.h | 5 ++ security/smack/smack_lsm.c | 70 ++++++++++++++-------------- security/smack/smack_netfilter.c | 4 +- 11 files changed, 131 insertions(+), 114 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index a2ade0ffe9e7..efd4a0655159 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -73,6 +73,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_sock; int lbs_superblock; int lbs_ipc; int lbs_msg_msg; diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index 67bf888c3bd6..c42ed8a73f1c 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,10 +51,9 @@ struct aa_sk_ctx { struct aa_label *peer; }; -#define SK_CTX(X) ((X)->sk_security) static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) { - return sk->sk_security; + return sk->sk_security + apparmor_blob_sizes.lbs_sock; } #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e490a7000408..8af5f458e218 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1056,22 +1056,6 @@ static int apparmor_userns_create(const struct cred *cred) return error; } -/** - * apparmor_sk_alloc_security - allocate and attach the sk_security field - */ -static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) -{ - struct aa_sk_ctx *ctx; - - ctx = kzalloc(sizeof(*ctx), flags); - if (!ctx) - return -ENOMEM; - - sk->sk_security = ctx; - - return 0; -} - /** * apparmor_sk_free_security - free the sk_security field */ @@ -1079,10 +1063,8 @@ static void apparmor_sk_free_security(struct sock *sk) { struct aa_sk_ctx *ctx = aa_sock(sk); - sk->sk_security = NULL; aa_put_label(ctx->label); aa_put_label(ctx->peer); - kfree(ctx); } /** @@ -1452,6 +1434,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { .lbs_cred = sizeof(struct aa_label *), .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), + .lbs_sock = sizeof(struct aa_sk_ctx), }; static const struct lsm_id apparmor_lsmid = { @@ -1497,7 +1480,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 87e934b2b548..77413a519117 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -151,7 +151,7 @@ static int aa_label_sk_perm(const struct cred *subj_cred, const char *op, u32 request, struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); int error = 0; AA_BUG(!label); diff --git a/security/security.c b/security/security.c index 8e5379a76369..0a51e3d23570 100644 --- a/security/security.c +++ b/security/security.c @@ -30,6 +30,7 @@ #include #include #include +#include /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) @@ -226,6 +227,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, @@ -400,6 +402,7 @@ static void __init ordered_lsm_init(void) init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); @@ -4626,6 +4629,28 @@ int security_socket_getpeersec_dgram(struct socket *sock, } EXPORT_SYMBOL(security_socket_getpeersec_dgram); +/** + * lsm_sock_alloc - allocate a composite sock blob + * @sock: the sock that needs a blob + * @priority: allocation mode + * + * Allocate the sock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +{ + if (blob_sizes.lbs_sock == 0) { + sock->sk_security = NULL; + return 0; + } + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +} + /** * security_sk_alloc() - Allocate and initialize a sock's LSM blob * @sk: sock @@ -4639,7 +4664,14 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); */ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { - return call_int_hook(sk_alloc_security, 0, sk, family, priority); + int rc = lsm_sock_alloc(sk, priority); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sk_alloc_security, 0, sk, family, priority); + if (unlikely(rc)) + security_sk_free(sk); + return rc; } /** @@ -4651,6 +4683,8 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) void security_sk_free(struct sock *sk) { call_void_hook(sk_free_security, sk); + kfree(sk->sk_security); + sk->sk_security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b340425ccfae..aa15acd344ea 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4547,7 +4547,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec, static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -4600,7 +4600,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, isec->initialized = LABEL_INITIALIZED; if (sock->sk) { - sksec = sock->sk->sk_security; + sksec = selinux_sock(sock->sk); sksec->sclass = sclass; sksec->sid = sid; /* Allows detection of the first association on this socket */ @@ -4616,8 +4616,8 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct sk_security_struct *sksec_a = socka->sk->sk_security; - struct sk_security_struct *sksec_b = sockb->sk->sk_security; + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); sksec_a->peer_sid = sksec_b->sid; sksec_b->peer_sid = sksec_a->sid; @@ -4632,7 +4632,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family; int err; @@ -4765,7 +4765,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; err = sock_has_perm(sk, SOCKET__CONNECT); @@ -4943,9 +4943,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; + struct sk_security_struct *sksec_sock = selinux_sock(sock); + struct sk_security_struct *sksec_other = selinux_sock(other); + struct sk_security_struct *sksec_new = selinux_sock(newsk); struct common_audit_data ad; struct lsm_network_audit net; int err; @@ -4974,8 +4974,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; + struct sk_security_struct *ssec = selinux_sock(sock->sk); + struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -5012,7 +5012,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { int err = 0; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u32 sk_sid = sksec->sid; struct common_audit_data ad; struct lsm_network_audit net; @@ -5041,7 +5041,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { int err, peerlbl_active, secmark_active; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family = sk->sk_family; u32 sk_sid = sksec->sid; struct common_audit_data ad; @@ -5109,7 +5109,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, int err = 0; char *scontext = NULL; u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sock->sk); u32 peer_sid = SECSID_NULL; if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || @@ -5167,34 +5167,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; + struct sk_security_struct *sksec = selinux_sock(sk); sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; return 0; } static void selinux_sk_free_security(struct sock *sk) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); - sk->sk_security = NULL; selinux_netlbl_sk_security_free(sksec); - kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = sksec->sid; newsksec->peer_sid = sksec->peer_sid; @@ -5208,7 +5201,7 @@ static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) if (!sk) *secid = SECINITSID_ANY_SOCKET; else { - const struct sk_security_struct *sksec = sk->sk_security; + const struct sk_security_struct *sksec = selinux_sock(sk); *secid = sksec->sid; } @@ -5218,7 +5211,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(parent)); - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || sk->sk_family == PF_UNIX) @@ -5235,7 +5228,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, { struct sock *sk = asoc->base.sk; u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; int err; @@ -5290,7 +5283,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, static int selinux_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb) { - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); u32 conn_sid; int err; @@ -5323,7 +5316,7 @@ static int selinux_sctp_assoc_request(struct sctp_association *asoc, static int selinux_sctp_assoc_established(struct sctp_association *asoc, struct sk_buff *skb) { - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); if (!selinux_policycap_extsockclass()) return 0; @@ -5422,8 +5415,8 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); /* If policy does not support SECCLASS_SCTP_SOCKET then call * the non-sctp clone version. @@ -5455,7 +5448,7 @@ static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; u16 family = req->rsk_ops->family; u32 connsid; @@ -5476,7 +5469,7 @@ static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = req->secid; newsksec->peer_sid = req->peer_secid; @@ -5493,7 +5486,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* handle mapped IPv4 packets arriving via IPv6 sockets */ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) @@ -5574,7 +5567,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { struct tun_security_struct *tunsec = security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it * isn't clear that we would want to do so anyway; while we could apply @@ -5697,7 +5690,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, return NF_ACCEPT; /* standard practice, label using the parent socket */ - sksec = sk->sk_security; + sksec = selinux_sock(sk); sid = sksec->sid; } else sid = SECINITSID_KERNEL; @@ -5720,7 +5713,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, sk = skb_to_full_sk(skb); if (sk == NULL) return NF_ACCEPT; - sksec = sk->sk_security; + sksec = selinux_sock(sk); ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) @@ -5809,7 +5802,7 @@ static unsigned int selinux_ip_postroute(void *priv, u32 skb_sid; struct sk_security_struct *sksec; - sksec = sk->sk_security; + sksec = selinux_sock(sk); if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP; /* At this point, if the returned skb peerlbl is SECSID_NULL @@ -5838,7 +5831,7 @@ static unsigned int selinux_ip_postroute(void *priv, } else { /* Locally generated packet, fetch the security label from the * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); peer_sid = sksec->sid; secmark_perm = PACKET__SEND; } @@ -5881,7 +5874,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) unsigned int data_len = skb->len; unsigned char *data = skb->data; struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 sclass = sksec->sclass; u32 perm; @@ -6915,6 +6908,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 8159fd53c3de..ca12d4d7cfc6 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -194,4 +194,9 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +static inline struct sk_security_struct *selinux_sock(const struct sock *sock) +{ + return sock->sk_security + selinux_blob_sizes.lbs_sock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 8f182800e412..e8832726bd86 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (sksec->nlbl_secattr != NULL) @@ -100,7 +101,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( const struct sock *sk, u32 sid) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; if (secattr == NULL) @@ -240,7 +241,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, * being labeled by it's parent socket, if it is just exit */ sk = skb_to_full_sk(skb); if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB) return 0; @@ -277,7 +278,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc, { int rc; struct netlbl_lsm_secattr secattr; - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); struct sockaddr_in addr4; struct sockaddr_in6 addr6; @@ -356,7 +357,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) */ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (family == PF_INET) sksec->nlbl_state = NLBL_LABELED; @@ -374,8 +375,8 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) */ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->nlbl_state = sksec->nlbl_state; } @@ -393,7 +394,7 @@ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (family != PF_INET && family != PF_INET6) @@ -507,7 +508,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, { int rc = 0; struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr secattr; if (selinux_netlbl_option(level, optname) && @@ -545,7 +546,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, struct sockaddr *addr) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; /* connected sockets are allowed to disconnect when the address family @@ -584,7 +585,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, int selinux_netlbl_socket_connect_locked(struct sock *sk, struct sockaddr *addr) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB && sksec->nlbl_state != NLBL_CONNLABELED) diff --git a/security/smack/smack.h b/security/smack/smack.h index 041688e5a77a..297f21446f45 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -355,6 +355,11 @@ static inline struct superblock_smack *smack_superblock( return superblock->s_security + smack_blob_sizes.lbs_superblock; } +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security + smack_blob_sizes.lbs_sock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 53336d7daa93..cd44f7f3f393 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1572,7 +1572,7 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1960,7 +1960,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the @@ -2380,11 +2380,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) { struct smack_known *skp = smk_of_current(); - struct socket_smack *ssp; - - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); - if (ssp == NULL) - return -ENOMEM; + struct socket_smack *ssp = smack_sock(sk); /* * Sockets created by kernel threads receive web label. @@ -2398,11 +2394,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) } ssp->smk_packet = NULL; - sk->sk_security = ssp; - return 0; } +#ifdef SMACK_IPV6_PORT_LABELING /** * smack_sk_free_security - Free a socket blob * @sk: the socket @@ -2411,7 +2406,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { -#ifdef SMACK_IPV6_PORT_LABELING struct smk_port_label *spp; if (sk->sk_family == PF_INET6) { @@ -2424,9 +2418,8 @@ static void smack_sk_free_security(struct sock *sk) } rcu_read_unlock(); } -#endif - kfree(sk->sk_security); } +#endif /** * smack_sk_clone_security - Copy security context @@ -2437,8 +2430,8 @@ static void smack_sk_free_security(struct sock *sk) */ static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct socket_smack *ssp_old = sk->sk_security; - struct socket_smack *ssp_new = newsk->sk_security; + struct socket_smack *ssp_old = smack_sock(sk); + struct socket_smack *ssp_new = smack_sock(newsk); *ssp_new = *ssp_old; } @@ -2554,7 +2547,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) */ static int smack_netlbl_add(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = ssp->smk_out; int rc; @@ -2586,7 +2579,7 @@ static int smack_netlbl_add(struct sock *sk) */ static void smack_netlbl_delete(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); /* * Take the label off the socket if one is set. @@ -2618,7 +2611,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) struct smack_known *skp; int rc = 0; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2691,7 +2684,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2779,7 +2772,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; @@ -2873,7 +2866,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2921,7 +2914,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } @@ -2946,8 +2939,8 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct socket_smack *asp = socka->sk->sk_security; - struct socket_smack *bsp = sockb->sk->sk_security; + struct socket_smack *asp = smack_sock(socka->sk); + struct socket_smack *bsp = smack_sock(sockb->sk); asp->smk_packet = bsp->smk_out; bsp->smk_packet = asp->smk_out; @@ -3010,7 +3003,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) rsp = smack_ipv6host_label(sip); if (rsp != NULL) { - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); rc = smk_ipv6_check(ssp->smk_out, rsp, sip, SMK_CONNECTING); @@ -3805,9 +3798,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT @@ -3853,8 +3846,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; @@ -3891,7 +3884,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -4103,7 +4096,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, netlbl_secattr_init(&secattr); if (sk) - ssp = sk->sk_security; + ssp = smack_sock(sk); if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { skp = smack_from_secattr(&secattr, ssp); @@ -4125,7 +4118,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, */ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -4229,7 +4222,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, u32 slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; @@ -4279,7 +4272,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: @@ -4328,7 +4321,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ @@ -4348,7 +4341,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct sockaddr_in addr; struct iphdr *hdr; struct smack_known *hskp; @@ -4434,7 +4427,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -5002,6 +4995,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, }; @@ -5124,7 +5118,9 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), +#ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), +#endif LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index b945c1d3a743..bad71b7e648d 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -26,8 +26,8 @@ static unsigned int smack_ip_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } From patchwork Fri Dec 15 22:15:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495115 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EA22D13B137 for ; Fri, 15 Dec 2023 22:18:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="aU7oB6Lb" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678701; bh=FWuDNgdpCAWOPQ8pKENu3D4KD/v4ITCKXFqzF8c2TZc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=aU7oB6Lb6iP0yRjijZgDLrdJMMoo2694H3uQOuUQs3j5bGN+Hl8rm6Ok0ua/wCtClxpifru0VGRtlKL/zxbLhXRA38G7k4XoCHRzLLpwBWy0Cr4nGVaBCYTl8YDgKm+TR58piXRTa8/zxiO0gMuiQSbOFwcN5JUhRhomZarMusTHohiK93TtAzSQ2tx3lozavHoEHntomvad9BMM1qgs2tAiChedHR3/xrR3SU7auXXtV+Iq/e8y5cDvUhqi+Ze6uZ0//O/b2MXt+C3w04EErZ0ScG5G4q/CzgOQNjO4XCqyaufzRTrpPBOw7iyytA5vsU26gt8yD46OIvfr2Ks1kw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678701; bh=OoxX26JW+NchuXGVZv3GGkGMlzlO1isaAVCjJ1Ui5qc=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=qTvZtOQ0H6CU0fKfahLPxANvk1F6ZXFDWITw4DlQ1B2ClPU/x9GBn1gMlolBRgkbGL1F2O8XyXaY9V6BrX+JgT6ANhWDu/8c/hAz1kG41pU6GgHdHhNx0KV2JmgM269x5ZizO2xbMmRNskxh7X/NNjSlC4fb0l7t+9h+891uGu9hyNNjlGX0oSBdrihdtqtAEYGqdcbB66ahc8GPYZwXzIXVUTpudMqXhU+kkhwwdlgRzBo8h2VHhv7tIOTezYEXpF83jhPCMkhpq9BSov/945efVfiUZDYEFEOlY453Ho/2Id/EPh5v0tmJ3O7lF0D8lNbPA0uUitT6r7PODMSS6Q== X-YMail-OSG: ver.UiQVM1mWsJ__gOg3uxzsQ8W_x7_5GYYrD2NTVkpyRaIwO7EwZn3j4XaxQpV Agm.FDvMcyUplmhdSEC8fb9ZOPb5ky4KHNk0RmWo.Fxm6yIWmbYw09Kk9AIGCrkCs2Z2h_W_uerG VRty4aljvVa1T8TQDeKynOc2aXJo4yFIiGfPNlykmoxhtUQ.vGU_wGwXEx9lL2LkzUK5S0K5PCYo zGJTJ9yQ2MM91R7LdkuU8fsrFWKLnt5xFBTnmt6jthVGi5nLSF_Je65lS.7z1RVav2eB2fMkMDVe BHK4e0KjXChO5lWp3ohJ6YRW8j.xS5IR7e0wg_veyefYmIzi3_u02cWXlWity6Zd0Nmt_V.XKutT UCveMB0J39wtLr2nYyRe8h_rgG6P5N.idEU8s3bkOjbexF1bV_Nuzr8M.72Fr4cE13pAzgdg5Kg4 KFsh5e30xE1BvzY.WI6ItsIkEi1ODIU_pcHAKRUDz7ki.zgRclYr_N31YV.FfP0UHkMNOEGOXM.9 SttQ6FP0vaO1A5mSmmXbmJdcfq2l3xSO3DU8f0XddtHnqnCiAs24uVciBla7QjLBvLEEUtxlubyn D1WaCLB_9PZmJY3CKRjVmCHblQ_cQXm.rBdIrjj4LauZ0AKfiNNNsC_5QxVQZ8PkA91.Y_dlGzE1 BsO.0WEQA5YdqGOFp9Fqfh0w2QlBVOZlArBP8qQZ5vlaho1IzV9x7R_gtdXDGSPcxHKZdXfA7UiX Er3EXews6o0j8An0wAAfF.tqBeyeGDLU.d0uHmLYSQVm9KzrU4FEHfNL.YVT.prLOHia4vCrxN5j EiswHFwh0.ShFxjTPh4CU2oKronWPMm_DLpBl8Bk95UEL2aiKPmOsQQDzhXAXN1_5gxlPoZgRN5w G7xBnkgfKtWGPh1ZeWAtOlvUjeXla8qa_0CBpmK5qsulRhodPqBtqAvYr8LJESi.MzYDLSnLDsyv jNyQQlza2fGngDd7wtHF3WRlZIKnoHigquFpeaF5bA2Fw3vkdhKH1gGyzc83EliOdRmIkFOf6OyB gRrce9.TlmkbxeWSO8EUKsbTQ.GWrfYPpCojN_msH_rOBpGNcLaJjeXOhj8EDVadbvgLhsRazgEl .xwjw9Gpd_S2ocRYAJqQ.GpeZuwvqPfhp7bk51krHkZoBNrV4d8.ux.kbvGeTw90d6kCNpGJ6XT1 lgP4kS4hgSJNgv1BaqWDSCLgM5SneWhPJHA0eURaKWFx_TTKcqiI.IPu0Zw1T9FJQlryiWKcMcgt 9RkjoYs1odqhTx9GH5N6KYd.UpnJZ8DBu4T_.vrX2jRn4br4sNkJ2hLeXNQschEZHW6vdd6HzTFK OzN08O822xjyYVE9WK6Zmoy.29EIADfsx.L._Ta0Dx18sk6sTE4JiDkEQB2aHrIG1nV5SnJi2dPv e128_X2v588nDVGQF.F8deBnpuvPiLsS.Jv9njp0zBN1u.ocF_JATd_KViSnJ5ynV07Doix_HLdL ZqI52bBqBQzKpOrSE1C5embIr66VufC5XDdwk.BFWqZFoSOkdfS9AkLPZr24Z5tffe0.NqFOBLUJ 3zl2PFL0_05tT.KVFvcAo2bIb9smvqB4PZQnJ7YmFr1.McUguemF8TFV3olUjJyR7Og52m5l7pUY lKje97cKwpSnflEd2SQvKpmdSBlcFqtG1x_ArgKwl3D4jWbaveUvnWrEAtCakC1kPDU8q_YFjO9G aFbCRqFWVkxW.C4RFEePZ84YLlD9wI_weU8eHGQmuVUzWi9dQcJfLB3W4ZJlIkKKz6YocaVJj7NR yc7CfpNke.rRrJv5J4l25F4KYRGucwt.5s43yhDsgUjGwxiwFt7n.PWPXadQrupwd_WFcOWW.jE4 3cZrF5mGnDMhWD2LXMvmmhDbG60P2ghQGNz0wGP.W81fzv5NlJh5wt8tqgGT5uy9UclLWL4_ngD3 _gvhINRPB5mk2gv0Q3fJ3nV_JDpT6ObGKbqPMq26hUOavogmV9KMCz.IpMpUN.2u0_N7xaC3HUX9 ga7FX_5fPM9DZwUnlSMYnbqiycnsvBWRmxWbic0dIphxJ5IXiKb3n69bQdQ0SlMsyX0m9_hKVGZt uT.goRB0sOcC.5lEkdfezfLDw9uta0F2HxeQK6Pn_4uo7AvKF87NbPivi4m7BNzUYCxBqD5t0Fkc QWw3q9pl.1MlqQkNVuuEXuG5sQkn4yzye5MNt0DADcucI213c25u4zAP5AF2EW2vYhVhlDqJKDMF HG8Qcb_XcbF8RXUZMXPHpYqsNO95CXFHZuAYZ9YtPkY7O_5ICzwytzIKwE2MfN1fh8BQ5iLVhh45 0OYEQh3mJXMmaeB7eI6I- X-Sonic-MF: X-Sonic-ID: 0df143bb-7cfd-4c6e-9191-144d8b00e699 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:18:21 +0000 Received: by hermes--production-gq1-6949d6d8f9-c9pk7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID f3cc26e4d12b933f3b6c85ffc86b5c01; Fri, 15 Dec 2023 22:18:20 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 03/42] LSM: Add the lsmblob data structure. Date: Fri, 15 Dec 2023 14:15:57 -0800 Message-ID: <20231215221636.105680-4-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 When more than one security module is exporting data to audit and networking sub-systems a single 32 bit integer is no longer sufficient to represent the data. Add a structure to be used instead. The lsmblob structure definition is intended to keep the LSM specific information private to the individual security modules. The module specific information is included in a new set of header files under include/lsm. Each security module is allowed to define the information included for its use in the lsmblob. SELinux includes a u32 secid. Smack includes a pointer into its global label list. The conditional compilation based on feature inclusion is contained in the include/lsm files. Suggested-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/lsm/apparmor.h | 17 +++++++++++++++++ include/linux/lsm/bpf.h | 16 ++++++++++++++++ include/linux/lsm/selinux.h | 16 ++++++++++++++++ include/linux/lsm/smack.h | 17 +++++++++++++++++ include/linux/security.h | 20 ++++++++++++++++++++ 5 files changed, 86 insertions(+) create mode 100644 include/linux/lsm/apparmor.h create mode 100644 include/linux/lsm/bpf.h create mode 100644 include/linux/lsm/selinux.h create mode 100644 include/linux/lsm/smack.h diff --git a/include/linux/lsm/apparmor.h b/include/linux/lsm/apparmor.h new file mode 100644 index 000000000000..8ff1cd899a20 --- /dev/null +++ b/include/linux/lsm/apparmor.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * AppArmor presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_APPARMOR_H +#define __LINUX_LSM_APPARMOR_H + +struct aa_label; + +struct lsmblob_apparmor { +#ifdef CONFIG_SECURITY_APPARMOR + struct aa_label *label; +#endif +}; + +#endif /* ! __LINUX_LSM_APPARMOR_H */ diff --git a/include/linux/lsm/bpf.h b/include/linux/lsm/bpf.h new file mode 100644 index 000000000000..48abdcd82ded --- /dev/null +++ b/include/linux/lsm/bpf.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * BPF may present a single u32 value. + */ +#ifndef __LINUX_LSM_BPF_H +#define __LINUX_LSM_BPF_H +#include + +struct lsmblob_bpf { +#ifdef CONFIG_BPF_LSM + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_BPF_H */ diff --git a/include/linux/lsm/selinux.h b/include/linux/lsm/selinux.h new file mode 100644 index 000000000000..fd16456b36ac --- /dev/null +++ b/include/linux/lsm/selinux.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * SELinux presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_SELINUX_H +#define __LINUX_LSM_SELINUX_H +#include + +struct lsmblob_selinux { +#ifdef CONFIG_SECURITY_SELINUX + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_SELINUX_H */ diff --git a/include/linux/lsm/smack.h b/include/linux/lsm/smack.h new file mode 100644 index 000000000000..2018f288302f --- /dev/null +++ b/include/linux/lsm/smack.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * Smack presents a pointer into the global Smack label list. + */ +#ifndef __LINUX_LSM_SMACK_H +#define __LINUX_LSM_SMACK_H + +struct smack_known; + +struct lsmblob_smack { +#ifdef CONFIG_SECURITY_SMACK + struct smack_known *skp; +#endif +}; + +#endif /* ! __LINUX_LSM_SMACK_H */ diff --git a/include/linux/security.h b/include/linux/security.h index 4790508818ee..d4103b6cd3fc 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -33,6 +33,10 @@ #include #include #include +#include +#include +#include +#include struct linux_binprm; struct cred; @@ -139,6 +143,22 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* stacking scaffolding */ +struct lsmblob_scaffold { + u32 secid; +}; + +/* + * Data exported by the security modules + */ +struct lsmblob { + struct lsmblob_selinux selinux; + struct lsmblob_smack smack; + struct lsmblob_apparmor apparmor; + struct lsmblob_bpf bpf; + struct lsmblob_scaffold scaffold; +}; + extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; extern const struct lsm_id *lsm_idlist[]; From patchwork Fri Dec 15 22:15:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495117 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3258A18EB2 for ; Fri, 15 Dec 2023 22:19:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="RL7sxK5X" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678796; bh=XOlmqRunZBVq69sGk0g7ZhZDA5Y8IFDjB0qmCPPOv+Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=RL7sxK5XKP+pCKAfL0V6kIOA8Aswnp6h0G0KzMu2a2N9HAJKpLVnv7zEglUcrsQGIN1VRKR/GMuJYR602d5+FP3p9pHm15aBI525ChtW2bqFAA3WmkoAjRKoDTj5/jjxc6zAXoyxQL+PGm2CMgkEgWPxKI8lS5lUox078ETF1cNB6WN3seI56mmASWY9BF+GlaVsPBpENm6qoPAIxhyWPf4d+b9LJiE/0OLqzDdj12p+sQN/hQzAmildKqun4iJrEdCli/Rwt8K9eJY/KWsvo3Mq1iExFaA1iiCLhDtv//H4mnmsau8YWkoy/hgs6fbNAutUAlvsz0KYhZutUa7vFA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678796; bh=4NC1BO5KnAdWf/dQfq5XAYyV3FGUafFUG4ppzmG8zjw=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=TpdcX3G0YaS8vdpDfPmqzJ/UX89EYvt1Q2+UCq0jPx5embcm3WaQ1/9UXHCg0brADx1DVzFyncsmZfVqg01TNWPmkdRaJLZx4fNmrK0toKITet0sPuxoeJii1ZtrKEtlNsQSBMDNoucYX83qC73SCYknqSbeVg887g/X1atncMHrkCr8A7fsqKXiE6HbUiVDl8F3JDumCEVhmZFVpSGrvT06vJE2XPo1pyutfKPOJ8AqwZmVh34iwdoKLrip/P1tSojjLj1F8SO/Bx8nGFA9cgKzSmC4SqtsztSsH2l9NO6QbuQ+TpPaT00rpzG/h3cKE3vk3Tlvo527fNo5eENSzA== X-YMail-OSG: ZGVZ5kAVM1nj88ra0SQfghUzLilFc_PpE6NURBwJD0OjiHzauBAx6dxvXesC3Gz MC2wMW.UD5qW2pfa5MCTLJcmLPySaviX2Mf1Qf43oHm3D6ZjBLdnovDDJuX7xuZs.JNBAKKOByET Khd40O7j.1voqlE8l29siyWrBK7ZwFq.AWHa4Guo2KX5tNw9VAJ4.wIoLaHikvasFAk_4rK9CmOM Tfs3xn.vasMRxnc8AyW0OVt6ZuhBgi69VbeWHFFEhVJDFPG6S7gYINUVfROwo9s8hAfibMdGbDuI zIqcXbpTbvfLGVRRJSvXUU7hJPcZw2qcNFgzTkBIPyP7vr6f8GDW837tYRFE_u0KiZU9vkcaMvXs tqxH7sA66ZRIcQtWF34SlhhkFn0i.IiCzlbSnOQ0VOWpFdObE7XN2Cfkn3c_hZS8WoV2GtB5mjSn w.rHGdviEVYHW2yMS5wKygcozWDvbtiY7yHGhowqfg61Uv..EZ2RLOIrSGFPJrNH1bpRE3LfzP.f NEwDYbEBfB3SegWNOCN_T_M0XQvM5fnFUp9trOqwkfmxYyz08of9e1J5Ya4hdRfAvOlFDvjUL2WH HRj71IW4ZHzmExSM3LRHFgWJhanfgHr3te9VIHpXlxTVBQLxgwQzmcFU_OERXaNstYA67ZyzGejv GxYtD2cUgNi10lxwaXnDXDfUi1Ub34F.gkP7UtBj097JjXqP2HX7jU7l_K4qAWzVEHeLhoplYQBS 78ZKalgCUyl8ugKyvDyjbA_vKK2xzJdUjRBR6KJrPKU5WZws8PhEEwM6u_OrwTpHQl7s2tjN74wB eCkMiEc7w57QXouEmj8bmicf8j7k10_EC8bisulQMvmG_ge264MiB.2Nrp_l5LmsUFVNj_plGDmT yF7FaU4nwq86uSM2HckLss5hmWhnW.Tu1Mo1wAfW0JL6RArso8HacSu11.EVA4EzWaTHYU9ylR8H _KDXdzMGQz5uRO1R3D22gXKL6eN0_ZfVhmoi69msQpbY9v9ijdVmmkuro0_SMpav5vAkbOigZTuP FF9hUOrrDylt9ihKN6IFPJglT.VhRIzOKNDXmfZZOffqAtsDgkffcEq4r5pjnESCPvGf8baExUKf gNP4TrQgFlc54l.X_lI0lT8coKXPBfdHeIxAQvSKTrM_WuRWvEOS8fHtsAy8pu2yZBH.b5PcwBOi omGiDFJnAtUtO7iLihwRrLXWQINrRAPzSfnp.H6c4k66vt9oM9vdStBqflyxw7eKPfjR9G2GNjmR vaJj_C72f6sxWXc_bwxAY8O6eq7wAQ67gN4G5yXEnNkzlJA4xfvdv9qylgAlkPRPXlN3xofZxinA eRP3Gvk4frks6j5nVKgbWiu9Yj9LF5Cq4b.L9Fik8PmlUBkUCgMsAPv7fg2nNDwinZPzNdBfxhrY ItrMInjW1tITcREDsV52rRE9m7APzmuzIOoXDftnTcAaXG_jEhP8fw9y9rZ6ZFRJzhNA1rt2KJcz YqYrujfvI.Qjfkz0l6JDm.TWpsrGvsGVl8SbHgHB.zVZapOQGDZ8jcQ4YYpa_sijP7s0nFG7thyT bOA4eaR_IAN0Yqrxf5z4dMyaAIhqn0oEu67W5rQQ.B7JIf_QaTGu7JZYrMc7VY8SqJbBQVwOq2Uz aHi3YH67q78lTft2E75kVBQu.J0C.0ZZGfbpeVE0o4_TKdays7tPO17vnfULEehaxRG02iabybIb LmIIgBvUuSc.da1hyBUpyG8Bu9OWtnoWK3qOMzCjy5svGC2HEn3UTVO8lOkD3q9AJ9APN9jGEW2Z tH.8QkZPni3PpvhoHNehMyBY403N472U2IbSBfcoEi5DQRGev9pOv2i7plnpyvczdhWBSj9VBvm0 VA8Ee2CAn30jF.yaJg7C4iFj8ezryjEGwBgdj0EqI.L6JTPvyHRpiWKdFlrZGduUrkA_44wOXPj7 Ssl2zvCxYzbnRAZknN9wlXMXIWoc4hFG8eoprp1MlZds0GSbWFeLN.Hk7IFK7JxXYbzGW4uEV_Xa edsnq2BTdULNSnJu.Ba3qIVOWM4Yf73CGqPPj7LwkY3JM8EznDCgi1ons6Jdc0AHXglij.dNEP8F iGU2jY4fFYSTx3Yp55S6WXZgEgcfyO680.NA3uFR4Qvu8_7QwwXtCH9OZHO4gH6PNqQ33LPHJaDU UlJ559yMtmZ0XroFeojpYMV3Ivi4.eDaymWM1aSPNmDYKIkcgUIJZ8c4qYpJtuhxq_o2n2XzucaW qqYPKM0nrCF4sYgZmWOkxdfA59.DtRjE9lW0HIt9NsYZxAx.QF5bn.FiurPtUghW5hbrezf_vCNO 3mv9G_trOfp_HRJw.GkdQEQ-- X-Sonic-MF: X-Sonic-ID: 79e56a49-4da7-479e-8958-3704ffa427a2 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:19:56 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 015b8086b2cbbee47da79b085b628701; Fri, 15 Dec 2023 22:19:53 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 04/42] IMA: avoid label collisions with stacked LSMs Date: Fri, 15 Dec 2023 14:15:58 -0800 Message-ID: <20231215221636.105680-5-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Integrity measurement may filter on security module information and needs to be clear in the case of multiple active security modules which applies. Provide a boot option ima_rules_lsm= to allow the user to specify an active security module to apply filters to. If not specified, use the first registered module that supports the audit_rule_match() LSM hook. Allow the user to specify in the IMA policy an lsm= option to specify the security module to use for a particular rule. This requires adding the LSM of interest as a parameter to three of the audit hooks. Signed-off-by: Casey Schaufler To: Mimi Zohar To: linux-integrity@vger.kernel.org To: audit@vger.kernel.org --- Documentation/ABI/testing/ima_policy | 8 +++- include/linux/lsm_hook_defs.h | 7 +-- include/linux/security.h | 26 +++++++--- security/apparmor/audit.c | 15 ++++-- security/apparmor/include/audit.h | 7 +-- security/integrity/ima/ima_policy.c | 71 ++++++++++++++++++++++++---- security/security.c | 64 +++++++++++++++++++++---- security/selinux/include/audit.h | 10 ++-- security/selinux/ss/services.c | 15 ++++-- security/smack/smack_lsm.c | 12 ++++- 10 files changed, 192 insertions(+), 43 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index c2385183826c..a59291b97c24 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -26,7 +26,7 @@ Description: [uid=] [euid=] [gid=] [egid=] [fowner=] [fgroup=]] lsm: [[subj_user=] [subj_role=] [subj_type=] - [obj_user=] [obj_role=] [obj_type=]] + [obj_user=] [obj_role=] [obj_type=] [lsm=]] option: [digest_type=] [template=] [permit_directio] [appraise_type=] [appraise_flag=] [appraise_algos=] [keyrings=] @@ -138,6 +138,12 @@ Description: measure subj_user=_ func=FILE_CHECK mask=MAY_READ + It is possible to explicitly specify which security + module a rule applies to using lsm=. If the security + module specified is not active on the system the rule + will be rejected. If lsm= is not specified the first + security module registered on the system will be assumed. + Example of measure rules using alternate PCRs:: measure func=KEXEC_KERNEL_CHECK pcr=4 diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c925a0d26edf..2159013890aa 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -392,10 +392,11 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, int lsmid) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) -LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) +LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule, + int lsmid) +LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule, int lsmid) #endif /* CONFIG_AUDIT */ #ifdef CONFIG_BPF_SYSCALL diff --git a/include/linux/security.h b/include/linux/security.h index d4103b6cd3fc..2320ed78c4de 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -286,6 +286,8 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb); extern int security_init(void); extern int early_security_init(void); extern u64 lsm_name_to_attr(const char *name); +extern u64 lsm_name_to_id(const char *name); +extern const char *lsm_id_to_name(u64 id); /* Security operations */ int security_binder_set_context_mgr(const struct cred *mgr); @@ -536,6 +538,16 @@ static inline u64 lsm_name_to_attr(const char *name) return LSM_ATTR_UNDEF; } +static inline u64 lsm_name_to_id(const char *name) +{ + return LSM_ID_UNDEF; +} + +static inline const char *lsm_id_to_name(u64 id) +{ + return NULL; +} + static inline void security_free_mnt_opts(void **mnt_opts) { } @@ -2030,25 +2042,27 @@ static inline void security_audit_rule_free(void *lsmrule) #endif /* CONFIG_AUDIT */ #if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) -int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); -void ima_filter_rule_free(void *lsmrule); +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + int lsmid); +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, + int lsmid); +void ima_filter_rule_free(void *lsmrule, int lsmid); #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, int lsmid) { return 0; } static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) + void *lsmrule, int lsmid) { return 0; } -static inline void ima_filter_rule_free(void *lsmrule) +static inline void ima_filter_rule_free(void *lsmrule, int lsmid) { } #endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */ diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..0a9f0019355a 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -206,10 +206,12 @@ struct aa_audit_rule { struct aa_label *label; }; -void aa_audit_rule_free(void *vrule) +void aa_audit_rule_free(void *vrule, int lsmid) { struct aa_audit_rule *rule = vrule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) + return; if (rule) { if (!IS_ERR(rule->label)) aa_put_label(rule->label); @@ -217,10 +219,13 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid) { struct aa_audit_rule *rule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) + return 0; switch (field) { case AUDIT_SUBJ_ROLE: if (op != Audit_equal && op != Audit_not_equal) @@ -240,7 +245,7 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) GFP_KERNEL, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); - aa_audit_rule_free(rule); + aa_audit_rule_free(rule, LSM_ID_APPARMOR); return err; } @@ -264,12 +269,14 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) { struct aa_audit_rule *rule = vrule; struct aa_label *label; int found = 0; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) + return 0; label = aa_secid_to_label(sid); if (!label) diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..a75c45dd059f 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -199,9 +199,10 @@ static inline int complain_error(int error) return error; } -void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +void aa_audit_rule_free(void *vrule, int lsmid); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); +int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index f69062617754..a563e0478cc6 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -117,6 +117,8 @@ struct ima_rule_entry { void *rule; /* LSM file metadata specific */ char *args_p; /* audit value */ int type; /* audit type */ + int lsm_id; /* which LSM rule applies to */ + bool lsm_specific; /* true if lsm is specified */ } lsm[MAX_LSM_RULES]; char *fsname; struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ @@ -309,6 +311,25 @@ static int __init default_appraise_policy_setup(char *str) } __setup("ima_appraise_tcb", default_appraise_policy_setup); +static int default_rules_lsm __ro_after_init = LSM_ID_UNDEF; + +static int __init ima_rules_lsm_init(char *str) +{ + int newdrl; + + newdrl = lsm_name_to_id(str); + if (newdrl >= 0) { + default_rules_lsm = newdrl; + return 1; + } + + pr_err("default ima rule lsm \"%s\" not registered, value unchanged.", + str); + + return 1; +} +__setup("ima_rules_lsm=", ima_rules_lsm_init); + static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) { struct ima_rule_opt_list *opt_list; @@ -380,7 +401,8 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry) int i; for (i = 0; i < MAX_LSM_RULES; i++) { - ima_filter_rule_free(entry->lsm[i].rule); + ima_filter_rule_free(entry->lsm[i].rule, + entry->lsm[i].lsm_id); kfree(entry->lsm[i].args_p); } } @@ -425,7 +447,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + entry->lsm[i].lsm_id); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -451,7 +474,8 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) * be owned by nentry. */ for (i = 0; i < MAX_LSM_RULES; i++) - ima_filter_rule_free(entry->lsm[i].rule); + ima_filter_rule_free(entry->lsm[i].rule, + entry->lsm[i].lsm_id); kfree(entry); return 0; @@ -650,14 +674,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, security_inode_getsecid(inode, &osid); rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, Audit_equal, - lsm_rule->lsm[i].rule); + lsm_rule->lsm[i].rule, + lsm_rule->lsm[i].lsm_id); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, Audit_equal, - lsm_rule->lsm[i].rule); + lsm_rule->lsm[i].rule, + lsm_rule->lsm[i].lsm_id); break; default: break; @@ -680,7 +706,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, out: if (rule_reinitialized) { for (i = 0; i < MAX_LSM_RULES; i++) - ima_filter_rule_free(lsm_rule->lsm[i].rule); + ima_filter_rule_free(lsm_rule->lsm[i].rule, + lsm_rule->lsm[i].lsm_id); kfree(lsm_rule); } return result; @@ -1073,7 +1100,7 @@ enum policy_opt { Opt_digest_type, Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_label, Opt_err + Opt_lsm, Opt_label, Opt_err }; static const match_table_t policy_tokens = { @@ -1121,6 +1148,7 @@ static const match_table_t policy_tokens = { {Opt_pcr, "pcr=%s"}, {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, + {Opt_lsm, "lsm=%s"}, {Opt_label, "label=%s"}, {Opt_err, NULL} }; @@ -1140,7 +1168,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + entry->lsm[lsm_rule].lsm_id); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); @@ -1878,6 +1907,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) &(template_desc->num_fields)); entry->template = template_desc; break; + case Opt_lsm: { + int i; + + result = lsm_name_to_id(args[0].from); + if (result < 0) { + for (i = 0; i < MAX_LSM_RULES; i++) + entry->lsm[i].args_p = NULL; + result = -EINVAL; + break; + } + for (i = 0; i < MAX_LSM_RULES; i++) { + entry->lsm[i].lsm_id = result; + entry->lsm[i].lsm_specific = true; + } + result = 0; + break; + } case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; @@ -1923,6 +1969,7 @@ ssize_t ima_parse_add_rule(char *rule) struct ima_rule_entry *entry; ssize_t result, len; int audit_info = 0; + int i; p = strsep(&rule, "\n"); len = strlen(p) + 1; @@ -1940,6 +1987,11 @@ ssize_t ima_parse_add_rule(char *rule) INIT_LIST_HEAD(&entry->list); + for (i = 0; i < MAX_LSM_RULES; i++) { + entry->lsm[i].lsm_id = default_rules_lsm; + entry->lsm[i].lsm_specific = false; + } + result = ima_parse_rule(p, entry); if (result) { ima_free_rule(entry); @@ -2251,6 +2303,9 @@ int ima_policy_show(struct seq_file *m, void *v) entry->lsm[i].args_p); break; } + if (entry->lsm[i].lsm_specific) + seq_printf(m, pt(Opt_lsm), + lsm_id_to_name(entry->lsm[i].lsm_id)); seq_puts(m, " "); } } diff --git a/security/security.c b/security/security.c index 0a51e3d23570..cdf9ee12b064 100644 --- a/security/security.c +++ b/security/security.c @@ -271,6 +271,46 @@ static void __init initialize_lsm(struct lsm_info *lsm) u32 lsm_active_cnt __ro_after_init; const struct lsm_id *lsm_idlist[LSM_CONFIG_COUNT]; +/** + * lsm_name_to_id - get the LSM ID for a registered LSM + * @name: the name of the LSM + * + * Returns the LSM ID associated with the named LSM or + * LSM_ID_UNDEF if the name isn't recongnized. + */ +u64 lsm_name_to_id(const char *name) +{ + int i; + + for (i = 0; i < LSM_CONFIG_COUNT; i++) { + if (!lsm_idlist[i]->name) + return LSM_ID_UNDEF; + if (!strcmp(name, lsm_idlist[i]->name)) + return lsm_idlist[i]->id; + } + return LSM_ID_UNDEF; +} + +/** + * lsm_id_to_name - get the LSM name for a registered LSM ID + * @id: the ID of the LSM + * + * Returns the LSM name associated with the LSM ID or + * NULL if the ID isn't recongnized. + */ +const char *lsm_id_to_name(u64 id) +{ + int i; + + for (i = 0; i < LSM_CONFIG_COUNT; i++) { + if (!lsm_idlist[i]->name) + return NULL; + if (id == lsm_idlist[i]->id) + return lsm_idlist[i]->name; + } + return NULL; +} + /* Populate ordered LSMs list from comma-separated LSM name list. */ static void __init ordered_lsm_parse(const char *order, const char *origin) { @@ -5336,7 +5376,8 @@ int security_key_getsecurity(struct key *key, char **buffer) */ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule, + LSM_ID_UNDEF); } /** @@ -5362,7 +5403,7 @@ int security_audit_rule_known(struct audit_krule *krule) */ void security_audit_rule_free(void *lsmrule) { - call_void_hook(audit_rule_free, lsmrule); + call_void_hook(audit_rule_free, lsmrule, LSM_ID_UNDEF); } /** @@ -5380,7 +5421,8 @@ void security_audit_rule_free(void *lsmrule) */ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + LSM_ID_UNDEF); } #endif /* CONFIG_AUDIT */ @@ -5389,19 +5431,23 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) * The integrity subsystem uses the same hooks as * the audit subsystem. */ -int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + int lsmid) { - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule, + lsmid); } -void ima_filter_rule_free(void *lsmrule) +void ima_filter_rule_free(void *lsmrule, int lsmid) { - call_void_hook(audit_rule_free, lsmrule); + call_void_hook(audit_rule_free, lsmrule, lsmid); } -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, + int lsmid) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + lsmid); } #endif /* CONFIG_IMA_LSM_RULES */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index d5495134a5b9..59468baf0c91 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -21,21 +21,24 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @lsmid: the relevant LSM * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + int lsmid); /** * selinux_audit_rule_free - free an selinux audit rule structure. * @rule: pointer to the audit rule to be freed + * @lsmid: which LSM this rule relates to * * This will free all memory associated with the given rule. * If @rule is NULL, no operation is performed. */ -void selinux_audit_rule_free(void *rule); +void selinux_audit_rule_free(void *rule, int lsmid); /** * selinux_audit_rule_match - determine if a context ID matches a rule. @@ -43,11 +46,12 @@ void selinux_audit_rule_free(void *rule); * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against + * @lsmid: the relevant LSM * * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); +int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, int lsmid); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 1eeffc66ea7d..a9fe8d85acae 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3487,17 +3487,20 @@ struct selinux_audit_rule { struct context au_ctxt; }; -void selinux_audit_rule_free(void *vrule) +void selinux_audit_rule_free(void *vrule, int lsmid) { struct selinux_audit_rule *rule = vrule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX) + return; if (rule) { context_destroy(&rule->au_ctxt); kfree(rule); } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3511,6 +3514,8 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) *rule = NULL; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX) + return 0; if (!selinux_initialized()) return -EOPNOTSUPP; @@ -3592,7 +3597,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) err: rcu_read_unlock(); - selinux_audit_rule_free(tmprule); + selinux_audit_rule_free(tmprule, LSM_ID_SELINUX); *rule = NULL; return rc; } @@ -3622,7 +3627,7 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3631,6 +3636,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) struct selinux_audit_rule *rule = vrule; int match = 0; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX) + return 0; if (unlikely(!rule)) { WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n"); return -ENOENT; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index cd44f7f3f393..4342947f51d8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4672,16 +4672,20 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @lsmid: the relevant LSM * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid) { struct smack_known *skp; char **rule = (char **)vrule; *rule = NULL; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK) + return 0; if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return -EINVAL; @@ -4726,15 +4730,19 @@ static int smack_audit_rule_known(struct audit_krule *krule) * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation + * @lsmid: the relevant LSM * * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) +static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, + int lsmid) { struct smack_known *skp; char *rule = vrule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK) + return 0; if (unlikely(!rule)) { WARN_ONCE(1, "Smack: missing rule\n"); return -ENOENT; From patchwork Fri Dec 15 22:15:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495118 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BBCE18EA7 for ; Fri, 15 Dec 2023 22:20:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="hTnkUEkj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678799; bh=PTIMd+egNKmt7pb1HPXpAuOoq8vFOuUgx1vm0aUiDzI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=hTnkUEkj18EyV6z1Xnc1tLqdXqDTJNRptD3oHrf0i/lPUip2fiYgfBsMWzqjurHHSq+JSJhvO8Q7cznP4gSPf7Bs8LOWWo1JQUpWREerPHeaml3U4HF5HZsVxjVIicRfEyGHScr86ymNiHB7uxZHsK+Ps0oDZsKwPhcpaSUp2QY4aqEHFbyGRN/EGFZNI3wxHOGeLRlPIxY5M0jC8duaYvN/y+3XTowrUK4qHg6uYqP/60zMTVicIeUROOjqQWHZpR9rU8rEFHPFPxRpiIHmqzZv47/o3PbblU/EUX1isxA9lj0R1nrDlE9pxZB5FkURBtu9KgJ4xemQz4jg7vqfXw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678799; bh=hV/pZR27iBooGLF539XutgsypFvYkVA8nGKEUbz4S91=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=qtrqBqn66M5c2Ly1isBSIPwYP6MMUlq2i/JAM2Jv4PJtiAoMyqWkkoIYFlVWFhLkGjSAhbJCJh7uI7Ylm6wQjTYdUZTziJMX6ITefGq9H97hOIaNMLWWNn93P8vzOtuOS/kmRHd/U+pMAopSajDFIZdubjXj2wrvOiNrg4Dp1Gya0uJhQWjnUP708hahEITXQHug5ELNS1U9A+KZWQ+tC/c6BIHTK9+AP+dzjKXi99PXONzvexiraeBouBWzFXUnIyyv+HleLzv9wYOEJALNK9m+6FQvZZKEmYXju65R0I94407tmRtVxcGilYOUxg4I884dTEqbANQZEDPoL5L0Dg== X-YMail-OSG: 4QAj2FwVM1lommx4rdIU9JNyciqzLySONrfykdnGjujlATa6JO.WG0c.gplS2Xr OHrNZ3Ae8RvSJxT2jcMBf35CTFbuphDmPJRedYw2XzPkeVPcrSdjfPKdWGErcIai3HyxySXuUH3I VMKc2ms3gcjO6xhaRA1C7kHce3C5DebM8sYhB6wUe7nEkF1K8JHD2yfKi563EVBE.JLw8DfNu4tO LPZL0J58plS_HSPIgR65jxdJVp_uZk6vB1fOTJWjAouhOlp3tGnk6cbu2bU7cbYKp3ooZ9vzgPGk rp.MOzKOSXRWFGAC5Xo1M6.sp9KUtYEh7k1SH5.3Jys4oHlkd7cwtEltIF4Hu.F3VZjCExNHvAGS I3aEwP4dugL7NI2ujSt.GwxtW_w6qybVDi7XZBty5zkbTBBSSSn4e0_EAVNTU0i3IE3LswDg0nuY DazVh0zWkr5ZC103b_jNX0wporJYFBR35enF0mTsjvGoTMoBuZ7rg8GcUP3_zfjyFpKoVe98_eMr JSFyboZUgbe7LAZN2b2BPw8v8YodgaIJQorPT.Vc7lK_MatGcBk6DYJyFA4epdto9GBXl0.hP619 Hg6_ge.SSTYESxtwMIGx23pj90OvA68VMoTVh9ejHpI5RF74VrtoGHRelZP8glpdsqOSnDYt5FGA 8Kmiplu.RB7KhylwJgITlRSeWGDOAlIQoYZn8d1nc14PYEe9HrBxTy4iVUA.6oRWUnJ5r6mnl.kG MiO.899uIfzEKTVpifpzYtEhVuUGttaIct8aBrPND715AdZkILh5EzJ3YX5xoILWY1HgxgQ0iCGY L00JPnQtho_gfOoBX8FZZvthlHyrLkGIgRZUy4ZQZFCnQVLBykhj4nuGgJvpjhUVXAQ9kpAPnJfF 6ejItIUuvrXTTqnFuuvFotcNmRLewB_FzVTVdq9F5_mYDMOtSxHrACRlMUmjA6TtJwmaB7r16oXm R4lVvCCvLlMc_ysTXq_XFrrTBofmbupyptmEwJxDwD2LAncipHiivuXr4Ew_j8hc5QWtCXmB2FFq 9Vi_YKJhBtIcCJ5Gwnw3Tl4KdqVJKrNztNO7MvIRl0Ycvx3R8wzoqEP6NLEHAKu7psXUX8Ag09yE pYicFyhOmJJhnEs40FDlJCFCTUlfXwglxllVmbk.o.T.ZJScx.nDmaJvFthiqrqv3lG8u1tk.8s1 eCU_R37aSeHQSMwh9iFh_bT1KkTZwOtv30tUhct4oybsSyxHEsRdfBXOrOxhMy2qmBGBJeFTYEBO nrMRl6dfHAXD2xQzeOQSSEblk8PGh_a93KhNC6RQjg0FzEh9U0LQpFj74N6j6vnXWQB7DEVrbPkf v2u78JAjymEv2HINRAS1sh8jWuaieohGAijWFbr9FZYNKKjA_mvzWgErZj9vmAE1kfIXxQBBn.iU ZPzx5..Ig2CnI8zfPoPWz0VU1kW2BJYWuMxrxKq_AugcSEYjW.vTFduX7M3u3eFvNpxvTpzNyu0g oXpMpo9qEM8J0hv6RdKxxFRN34zTqPdCbd71tQsGW_cidxQ0aJ36sEbvNvERK6Qz_mdfFKrvpK_r ogeKjP9IH0MPPX2ctTMTDY426udF_yH2q2K7vex2tA0KlPHiKb28P_bdR0nkV30peJLmRPincYsN LHSGd1b2QfBpPlICS.FHxt1_xdxGPNJlk_pDclrUsitznwqKuKwwBwv7.NYqu_xDETkbZm5nvmgT 7OAjmYqLl0G_EP.vRgTxJeEkmfitsqyiAXmLCMYwa3Stx.y8fZYHPEfbV3cN5v4VBQQW5c2fh0f. LwF6OwvryVxbe2EN_A5eI3Z7xELOkc03lpLgkgF3o25H.H_weaFJTX5VWxcWu8ayuBvf6hIIIm5k p_S0ts3knYAmYGC83XL2KQsSNlZ.C4zPA8Q.V4tJMmkFuVWyq3p1zDQT1PNC1mLi4yI2D5aFt_RY bHwVCb1D7DVdYI1bo_9hcf2aN6QC7LrUFKB67eiX8l0e9cziwbeJZwPjTCSboDerkSM4W5YH1AHL LD0Hrywrgdc_jICZ3HFi9QtWKGtpE1izq16G9CFn7nRob81A.WjUf5N5zTzXd1M2XTJvuK9YPYMP VAqHSfoxO8QSrXUah.NR0GBRLOBBonfeWZ.eUC_MnaBuICtfiMBkxscWgy6Bkdj3Ruxtzg.UnvWE AupHduPf.rRi3UvcDrWqnbl.7QZo269FkDSJX.5JnCTtiW.PIGq00Hv2bOYhFtBe2BaMOntjwZ2g 9a3iRsqMKG6_NU4vgFwCMf1icJbwYRG31GgJiiiJr2puRU2xJk4KhnCCZNj3GlK.mJKRlTbbD.XF eg0pT3TZeNy92Ys_Pe0WA X-Sonic-MF: X-Sonic-ID: 1aad6597-2ff4-4b0b-9299-7f93af5445b2 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:19:59 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 015b8086b2cbbee47da79b085b628701; Fri, 15 Dec 2023 22:19:54 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-audit@redhat.com Subject: [PATCH v39 05/42] LSM: Use lsmblob in security_audit_rule_match Date: Fri, 15 Dec 2023 14:15:59 -0800 Message-ID: <20231215221636.105680-6-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the secid parameter of security_audit_rule_match to a lsmblob structure pointer. Pass the entry from the lsmblob structure for the approprite slot to the LSM hook. Change the users of security_audit_rule_match to use the lsmblob instead of a u32. The scaffolding function lsmblob_init() fills the blob with the value of the old secid, ensuring that it is available to the appropriate module hook. The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the blob structure later in the series. At the point the use of lsmblob_init() is dropped. Signed-off-by: Casey Schaufler Acked-by: Paul Moore Reviewed-by: John Johansen Cc: linux-audit@redhat.com --- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 13 +++++++------ kernel/auditfilter.c | 10 +++++++--- kernel/auditsc.c | 18 ++++++++++++++---- security/apparmor/audit.c | 10 ++++++++-- security/apparmor/include/audit.h | 3 ++- security/integrity/ima/ima_policy.c | 11 +++++++---- security/security.c | 12 ++++++------ security/selinux/include/audit.h | 5 +++-- security/selinux/ss/services.c | 11 ++++++++--- security/smack/smack_lsm.c | 12 ++++++++---- 11 files changed, 72 insertions(+), 37 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2159013890aa..24c588b87412 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -394,8 +394,8 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, void **lsmrule, int lsmid) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid) +LSM_HOOK(int, 0, audit_rule_match, struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule, int lsmid) #endif /* CONFIG_AUDIT */ diff --git a/include/linux/security.h b/include/linux/security.h index 2320ed78c4de..6ded4f04f117 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2013,7 +2013,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule); void security_audit_rule_free(void *lsmrule); #else @@ -2029,8 +2030,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return 0; } @@ -2044,8 +2045,8 @@ static inline void security_audit_rule_free(void *lsmrule) #if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, int lsmid); -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid); +int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid); void ima_filter_rule_free(void *lsmrule, int lsmid); #else @@ -2056,7 +2057,7 @@ static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, return 0; } -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, +static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule, int lsmid) { return 0; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 8317a37dea0b..0a6a1c4c3507 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1338,6 +1338,7 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; + struct lsmblob blob = { }; pid_t pid; u32 sid; @@ -1369,9 +1370,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_current_getsecid_subj(&sid); - result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + /* stacking scaffolding */ + security_current_getsecid_subj( + &blob.scaffold.secid); + result = security_audit_rule_match( + &blob, f->type, f->op, + f->lsm_rule); } break; case AUDIT_EXE: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f0d6fb6523f..fb001300f0c2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,6 +471,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob = { }; unsigned int sessionid; if (ctx && rule->prio <= ctx->prio) @@ -681,7 +682,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + /* stacking scaffolding */ + blob.scaffold.secid = sid; + result = security_audit_rule_match(&blob, + f->type, f->op, f->lsm_rule); } @@ -696,15 +700,19 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { + /* stacking scaffolding */ + blob.scaffold.secid = name->osid; result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + /* stacking scaffolding */ + blob.scaffold.secid = n->osid; if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rule)) { @@ -716,7 +724,9 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + /* stacking scaffolding */ + blob.scaffold.secid = ctx->ipc.osid; + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rule)) ++result; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 0a9f0019355a..72c414d00ba6 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -269,7 +269,8 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, + int lsmid) { struct aa_audit_rule *rule = vrule; struct aa_label *label; @@ -277,7 +278,12 @@ int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) return 0; - label = aa_secid_to_label(sid); + + /* stacking scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index a75c45dd059f..ae3fc4089b00 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -203,6 +203,7 @@ void aa_audit_rule_free(void *vrule, int lsmid); int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, int lsmid); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid); +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, + int lsmid); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a563e0478cc6..d24205aa1beb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -657,7 +657,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; + struct lsmblob blob = { }; if (!lsm_rule->lsm[i].rule) { if (!lsm_rule->lsm[i].args_p) @@ -671,8 +671,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, + /* stacking scaffolding */ + security_inode_getsecid(inode, &blob.scaffold.secid); + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, lsm_rule->lsm[i].lsm_id); @@ -680,7 +681,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, + /* stacking scaffolding */ + blob.scaffold.secid = secid; + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, lsm_rule->lsm[i].lsm_id); diff --git a/security/security.c b/security/security.c index cdf9ee12b064..b3d150b6248e 100644 --- a/security/security.c +++ b/security/security.c @@ -5408,7 +5408,7 @@ void security_audit_rule_free(void *lsmrule) /** * security_audit_rule_match() - Check if a label matches an audit rule - * @secid: security label + * @lsmblob: security label * @field: LSM audit field * @op: matching operator * @lsmrule: audit rule @@ -5419,9 +5419,9 @@ void security_audit_rule_free(void *lsmrule) * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on * failure. */ -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, blob, field, op, lsmrule, LSM_ID_UNDEF); } #endif /* CONFIG_AUDIT */ @@ -5443,10 +5443,10 @@ void ima_filter_rule_free(void *lsmrule, int lsmid) call_void_hook(audit_rule_free, lsmrule, lsmid); } -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid) +int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, blob, field, op, lsmrule, lsmid); } #endif /* CONFIG_IMA_LSM_RULES */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 59468baf0c91..61a396c9d9ae 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -42,7 +42,7 @@ void selinux_audit_rule_free(void *rule, int lsmid); /** * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check + * @blob: includes the context ID to check * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against @@ -51,7 +51,8 @@ void selinux_audit_rule_free(void *rule, int lsmid); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, int lsmid); +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *rule, int lsmid); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9fe8d85acae..eef6655f7730 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3627,7 +3627,8 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule, int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3655,10 +3656,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) goto out; } - ctxt = sidtab_search(policy->sidtab, sid); + /* stacking scaffolding */ + if (!blob->selinux.secid && blob->scaffold.secid) + blob->selinux.secid = blob->scaffold.secid; + + ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + blob->selinux.secid); match = -ENOENT; goto out; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4342947f51d8..9851d56dff69 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4726,7 +4726,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) /** * smack_audit_rule_match - Audit given object ? - * @secid: security id for identifying the object to test + * @blob: security id for identifying the object to test * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation @@ -4735,8 +4735,8 @@ static int smack_audit_rule_known(struct audit_krule *krule) * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, - int lsmid) +static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule, int lsmid) { struct smack_known *skp; char *rule = vrule; @@ -4751,7 +4751,11 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - skp = smack_from_secid(secid); + /* stacking scaffolding */ + if (!blob->smack.skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + else + skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs, From patchwork Fri Dec 15 22:16:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495120 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9212F13B138 for ; Fri, 15 Dec 2023 22:21:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="EzqDWxXQ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678893; bh=lBi3k2ICfoYFWhBJYrFpICQoyPO6may1y/R8xZSsEgQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=EzqDWxXQQDo91wTVg8AgyVbgcwHZOH54+QvMk0ikHbHZ1I8nZCl7W0qxbaX4rku3GPkfyov+UdnjhhpD77Q724BPfwTn7hz/3XrJb4zC1IBOSqXl8vQl3ABQ/xsgsjRO2XkV5v8IuntG6MbGZxM1dPJRMsYqkhGq17C0jVwd6LqGpOiM7ZHKkvgX/hXDbF0V3bveEnpgQwOmU2sUBcYeQ0ydKLg8ovLY5j4e1tvNsoa2NUYr3ewRgIDQfTgtyAC5gP2aJ4TN0JD/pLcfVgj1BwBxFncqWZgPvsDIsSs8crf++XU8Wgf2klOHdoADKY1noKiZPgitlJcBqN2z2i/KjQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678893; bh=KQh7kwWXMhkLV2D8r40HzsA2QJD/rfuVKZN7A7sSF68=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=th8w8bfGVuKpnNY0HSrdvMYFOoytmt7YZZsB++n1NhBvAHK+Jd2ovlpuFgvvSLIZSSvD09C0f18qOKF1uUDtr09ZRh1h60pTUVprytry0BVkRKJ7T3VEPxEYTnPCa68Na1w21P2vXYRV+FB3W3vfGNihzO8xvLyyo9n+vMYRfFdUmbej8bYECLjaZhOxKZ9dhl37uhxk7AoodnPp9aIfkMoEp4KHyoLHQoZKFbX2figQ2NK8kFVptZld+bt8XrotrvVhzfegTuG+n3Kz7g3zEaxekOl/HJPaAuVeR3/2tuVg9DBAi9Magr0FA4dXinKKG53emtTQot1E8Q10Cwyc5A== X-YMail-OSG: IXqotckVM1n85PzG8jhgr7f2n7hZP8jAtRfQBwFXaCeD4keWtEMwubghUYBoJAS Z8.vzDy9Cp7dE1925CuCVkvDC.MdXLMS2CnCxqJpGAktr02Mmwoc09MfbCF7JQJQGsvcr8hm9plY JA1SILk.2425c3GYkbVi0X9UeuTG8mQ1VcVgX906DTWr79BDV7Smy1tNdrEtATGrAePS7sz46keh VNoH2_ZBJQZMlHAYPR7OFPdax6Z_wB6iQBlQ_EsyNUsb_Z1lHvAvSFOXz28n1BFo0Ryb2LrsHqa. ZhP1D18IpsAMhLLH14URQdLkTYX1yVDd4HY.pXfwjnNoaBMmowClSHg7rYkKEXtAZFC_wghKRZrP Njqph1c0psKiAKgxwFJPntX0.18TOaj4NesJfUVhAoArdzUeub3KMVY9RhPms_7CU8tsjq1E1TJy 7Gzmw2WucTkIpYgRUobwA3aAfUNnZZ68rTMeRx27yj_UGbsnuiGHCZIZFVTCk6G2LezH4RsKjGl0 dxaaDjDdIHlJZwqe8JuKpHkUesQXO_uafefjMqIHNhkouMiISmTQUJe2uWXQEKpnNQMAQ2mwr_4V RGtA8HRdafAYhJsQlzXP822evjFLcYapfIZvmLYU35AglWGr1dQpZv6SiJqIeuFBUqZn9EGTZmrJ 6qPHNQCvXz.2DQ2DuJnWRBSjGaJ8.0bPG0uasUUmmHDorY3Yl04ds9PgjdBF.kYBCWrlRBhRhqtc qGKSuVa358.s2Mx1RoFdOiGfl5MNT8RgvDLncZp2MUk0yay3pxs2a4XPckGIfdEj7XRbiz9C20Fn zj9kj8VsL7VzqRn1yGbuBGqSWTdeMSMSaHSTszOJTMLPGyunqTJ_R1rVMBxmpl9f_JkRggV8J92W IefzLRe.FZJTG0Qsq.RrM4St3KUZA4IK1dje3r_OmR8O_vNqVM1M23vRyoIrnORUzFJfC8Xt0KO6 RtZLBiLQgenR0ylh7kdQQ2CERPxYNpde8a8ZNz0Iq.CIQzns138G0s__YgSlXB4vD5p21rseKYUE N_2Dzi8iS2N40OG3iK59hhbuvkSMfXXY24YYS84clhljbFgq301EYILUnSfJRDM6zlsWupLyECqT kpPuZOvk9Dh9pn_MbSRwI42xer09NXkC.xRlo5fZpAfYTkL0q62zaPouuqyYeePKHaiQ7qUTZBKI xlIiZfD8j6SN0H1gb.RAXhjFvr36j9A3sBmDDP32YFTtdUsUPPlsfCOFCbJNbOJytoTjA7aYSQ4X KqSvjZMTWM3IndAE.yD4d787LBt3ZAOxrXip9eNdan989OD3WNJGXNM0F1L0AfhMwAuoCLZcuSQ2 Yegg8WIKmf.Ui28fcpocRkUtgxd_cSeUZeT._Nq.q1gKVCX8rOIG70D7yw069ok7GJnv_nc8JueX bkyW_FiyIKFrHjcIopRouvg9f6.unx1nJB9T_EcK59NGeRTe1FX9GkHUmKS0OmMHica3N8RB3_TS droRhXBsB2nIoDFte3iJvneL0IpC5YzKXm60X70xtjRUD6T1UXmpAGDfhzrSWZcWo2L1Po.3XTE4 QeHQJiCZi4nA9Klj._IYSc3xagRwyVlxOUCLt9Q59Qmr4LjAt05tS7HgJitB9BIlr9xhlb1p49uT gslNuX0fatowK024B.a5OvGOF_Lu8vnvms3KHxm6m4mX0FPeZYY8YQW6_noec0E10VXLD9BvehBb ULEH473X7arMn7wrUZsb9aHsIlMTU_y5OCs6txZcmUTv1oYodQnnpvGmU0691UtKZIDSez9yGUC1 iXI_SK3UyL1bkaU0wwXSJSzuPkWsOF2E7oWvUgiL1gF9Dk6gx7R.0A5gdKoOotshNNwVcnGkry2. sj3k81h3V7z3uQ_V7.JLWcsteArfgX2njZpZwtzY_kBDWs1aRRy3ZMHF5QTIasLj7YWb3OIDOvwl aHGnOS9GXYwIjc0xkC8stoLja4NrhKDY4os21qF0Y_EK0glmtah.u0mdFahJhZa5k09RVFNoUVfq eL5rTm3YTKvY_thf2iYtwIujPpNEdA.MG_PCkTOpyZtZ5dF3v8qzmm_OkEzOgY4jXLPgHHL0k.zs _3niSTV0XsL0YNVknWcx1x8SUsf_B64wmRjYpsqpFTcal2p9KPElCF4vFIuX3EToAcibr4iyWbyI qEbHRIFwn2j.OGZ9THwbEWdUHWhGFoX2C29IWQ4PcbEZQcdQ8wN5gpLz4KimnYVhZDnvwFuZXewn MeSiw1jaeI_qxzV1e1Uu6IEh.f05GOosfV7nKKJYvdPOFpQRJwFrqylJoDyJqvdjEo41yBcC6ctA 5ic64s9dUT9GQe2hidgXAjw-- X-Sonic-MF: X-Sonic-ID: 3dd58605-0086-4829-9451-8c281b363c15 Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:21:33 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 53259725741f313dacdbfffb86fd7fff; Fri, 15 Dec 2023 22:21:28 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 06/42] LSM: Add lsmblob_to_secctx hook Date: Fri, 15 Dec 2023 14:16:00 -0800 Message-ID: <20231215221636.105680-7-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a new hook security_lsmblob_to_secctx() and its LSM specific implementations. The LSM specific code will use the lsmblob element allocated for that module. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Signed-off-by: Casey Schaufler --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 11 +++++++++- kernel/auditfilter.c | 1 - security/apparmor/include/secid.h | 2 ++ security/apparmor/lsm.c | 1 + security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++ security/security.c | 30 ++++++++++++++++++++++++++ security/selinux/hooks.c | 16 ++++++++++++-- security/smack/smack_lsm.c | 31 +++++++++++++++++++++----- 9 files changed, 121 insertions(+), 9 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 24c588b87412..52d090d1957c 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -272,6 +272,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, u32 *seclen) +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, + char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) diff --git a/include/linux/security.h b/include/linux/security.h index 6ded4f04f117..7e4b31b771c1 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -507,6 +507,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); @@ -1420,7 +1422,14 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(u32 secid, char **secdata, + u32 *seclen) +{ + return -EOPNOTSUPP; +} + +static inline int security_lsmblob_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 0a6a1c4c3507..08dc64bb8496 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1340,7 +1340,6 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; struct lsmblob blob = { }; pid_t pid; - u32 sid; switch (f->type) { case AUDIT_PID: diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index a912a5d5d04f..816a425e2023 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void apparmor_release_secctx(char *secdata, u32 seclen); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 8af5f458e218..1b230ade84fc 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1533,6 +1533,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { #endif LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 83d3d1e6d9dc..a7c6f5061882 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + /* TODO: cache secctx and ref count so we don't have to recreate */ + struct aa_label *label; + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT; + int len; + + AA_BUG(!seclen); + + /* stacking scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; + + if (!label) + return -EINVAL; + + if (apparmor_display_secid_mode) + flags |= FLAG_SHOW_MODE; + + if (secdata) + len = aa_label_asxprint(secdata, root_ns, label, + flags, GFP_ATOMIC); + else + len = aa_label_snxprint(NULL, 0, root_ns, label, flags); + + if (len < 0) + return -ENOMEM; + + *seclen = len; + + return 0; +} + int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { struct aa_label *label; diff --git a/security/security.c b/security/security.c index b3d150b6248e..4b78bface040 100644 --- a/security/security.c +++ b/security/security.c @@ -4187,6 +4187,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); +/** + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx + * @blob: lsm specific information + * @secdata: secctx + * @seclen: secctx length + * + * Convert a @blob entry to security context. If @secdata is NULL the + * length of the result will be returned in @seclen, but no @secdata + * will be returned. This does mean that the length could change between + * calls to check the length and the next call which actually allocates + * and returns the @secdata. + * + * Return: Return 0 on success, error on failure. + */ +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); + if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + return rc; + } + + return LSM_RET_DEFAULT(secid_to_secctx); +} +EXPORT_SYMBOL(security_lsmblob_to_secctx); + /** * security_secctx_to_secid() - Convert a secctx to a secid * @secdata: secctx diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aa15acd344ea..83ce496e8ef6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6549,8 +6549,19 @@ static int selinux_ismaclabel(const char *name) static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { - return security_sid_to_context(secid, - secdata, seclen); + return security_sid_to_context(secid, secdata, seclen); +} + +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + u32 secid = blob->selinux.secid; + + /* stacking scaffolding */ + if (!secid) + secid = blob->scaffold.secid; + + return security_sid_to_context(secid, secdata, seclen); } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) @@ -7300,6 +7311,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx), LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9851d56dff69..a4ace6ea2ab0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4738,7 +4738,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, int lsmid) { - struct smack_known *skp; + struct smack_known *skp = blob->smack.skp; char *rule = vrule; if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK) @@ -4752,10 +4752,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, return 0; /* stacking scaffolding */ - if (!blob->smack.skp && blob->scaffold.secid) + if (!skp && blob->scaffold.secid) skp = smack_from_secid(blob->scaffold.secid); - else - skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs, @@ -4786,7 +4784,6 @@ static int smack_ismaclabel(const char *name) return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); } - /** * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer @@ -4805,6 +4802,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +/** + * smack_lsmblob_to_secctx - return the smack label + * @blob: includes incoming Smack data + * @secdata: destination + * @seclen: how long it is + * + * Exists for audit code. + */ +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct smack_known *skp = blob->smack.skp; + + /* stacking scaffolding */ + if (!skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + + if (secdata) + *secdata = skp->smk_known; + *seclen = strlen(skp->smk_known); + return 0; +} + /** * smack_secctx_to_secid - return the secid for a smack label * @secdata: smack label @@ -5162,6 +5182,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), From patchwork Fri Dec 15 22:16:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495119 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5E3A818EBA for ; Fri, 15 Dec 2023 22:21:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="iu6zT0cu" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678891; bh=r4sv6r1Tr6ohOGlxHLuy3Yttmx0SO3JcXgN2XVd1JEQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=iu6zT0cuHdfJDJ6T0Hgcxgd8VjwbeNYpCQAIod7PuuUjYHkuQ0cdjFl/v37RJUaFTYQRnncyCasGjHSgBeyeeuCwNZaK8B4YSJY2b8+l+H3L0b1oe2D6a9aaB/hlMxSYZonfHhRCCJKJ/PQWU4ueQ/8wVhn4Jxc2x06a+qry5Jug2XiUxgwrSGfHQOf6wv2rfrnZatTT9pEvTFvzP5VWR/QEbfZp5yXmzOtzKWEe6en/N+U/PZNK8X9baXVAtVXDgN8ArT1VPTPWoTtwvv+5a/xw4VY46X3cRTUwVbCuQLdZsGr76m3pSzu+Kl7zB2nMe4GATp4MQxkJC6r0ZLPyXw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678891; bh=FbWzL3LnCJaSNO4au1TSsAw4G5Vl+MLv7Tk7jzgz83V=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=IT9DB9mWGFN/PLrHpbVaNeWJPDIkABYpTr4biFXJwiB6W39mDyAVYiS7mjvn7GBitxiGm3HGidfyYn64JaLvUv9LWgYiS7s1V1XlWoyqlJF8O8CoCfxAAB97J0CDYnfJ1Hj0SwIt6JhnepIX4w3dvSwxPQLdCfgI+/gtf3ZURb3dAXjRHLcUXjg/BW1svhzOhXJzSadMPagXZbRToyXGnIkZrnXoTSJ8GLIlQYEd38ZAipgxuzSyVMbWDZvDS2wdV+x4du9lt5FEpCNS4kW0Pj+nXXqzQeu3hqhi+cmJr3qRrXTXaj2PIX3RxMBejxm2RQQjFKchmIQcGwX399fm9g== X-YMail-OSG: lneyKBUVM1n0tAl.3lbmcDViRn1NZB4wLS61.xpg4tIs9jEH9Wl27J_pAuDfNdM rKL.zK3wPg8zm77CfdgUZLBpJQVe3QKy47u65jA_gQNvd9sqgWO81fJxc0MroEb78TObprmXI3U4 9Ie01xUMycu1QwjA_FE1wge1I3gDbAcFKNhUL0T16xzGoAED_C7CfmXrpVA8YYemeaG_AYY74d.a fVy5Ky09LOyKh31uUm9WTV7Gt3V8aZ3scdIMVBdZDDt8CL79hEOM8mHrVeJYH9faDogx0s2sJwnV unxH2BYBFBL7Hq11j4UuCTNV3J0sQ1C0YTejQieGWln_CbgbpaNHIqJiRyjT7cJBfU1005xLmNAt 9ngKzGmuC.NsaxxgqkG6nweGY_Eec6cLvrIKn3VoScjdXtHmi3euX1PiJwfOuigJFNHqX.OMzaOd FeUHxTixwzyH.wmO1mojG_2g8yCo1MoYfUS9d92EXZcs33QcF.3NBEgKUbpFoPjHwMifkHYKNp0Q xn.0nb0Q6IkEhM0DLBvi3PvyKvDjTUWWZEmeW32wKM0sWJo5ot9tapJ4cQTpS.zSaOu1TiF9NtWf QkQcc0Lny8ayB_J2wGgbMXPvUThZ0PgKWZgc0DNlFV4VpD9NojmzpFBUtna.79b7yWVg8YjvA3iF IAkeMzsBzfQ0lPUnhh96FzR2QhVdsIx7Umsgr_o26wtaQ1aUnlt1eKCKVI6wfHRGFqm2VmbOxq9o XCA_pHAGrvRCAtRK6afaTuirgVgtPC7ACwITZ.X64INn4CxyJAidXX.i4_YhaA5pNqL8AKNoVcPn oIqdM_Q5UZkO5MUwOrEC_oLaju0vvQW4N0OENVsin2iclZijPEs4rYp8yVdHA47P1p1uveSTy7IJ U3vETKdJWrXilXJ.YBzgVTJapX3bUwOxuhIkm4adeTBIsh1ueMHQSJnIWIcBFRxW9XxQ.Wks.Jyo cI9ei2o1mPNaDsswPOjR3BHFb0U8bWVqhYEBAevMV3dih34TjobK2I5yMuQKbTz1S3390sSGu7Su 9dQ0gVuq40KYLJXPVAWUMhRQHr3ODU4rg6vxb4QmqxcADz7l4jEkUdIING6IJr6x5SlwSjYBtGj_ ua9cSvyrj_kBMO0DGK..HxS6q.31t78.NhFP1WJ1rbmqz5SpLB2RtiLclFf_4mV9tt2bjpfmjbti xVUWjHqLEcXsYnUNhOH.2LGyciKtppBs9pC6BmzXcyPVnb4KpLTkA.vs.ySwE8LqdThvXaGwAr1N ItU_MuvOrytmApjSs8PriPBtf1XEZEISla6pkEM.og.xGhmLDIHqY64bkKXASSgo95Z7ZKszIBvD 3PuRnWuiR7.NB7sjd_ofuug5sgtS0uchdjxYi2olxgJxgm71cXNmR0_.00iB0HaFTeRD3bsNVz_q BslDNT0t_hzrVqMdCtaXLDyXsOtqe0bUgeoz74slkaAYJDJ_7rPSx_VN8BuKKtZIkZINWiOfF09m Y6.sbHzoqZIaGXeIJ_ASHYJU9H2U0ijrsSOSlmPpVq4VbC5l2B9onO_WLm2FZV0ZQdF2P3QrncLP H5Lv02O8XF_EwxswUziZ7pLji8QERX7FYLJcAMO_231cSwqJi9Y_krwjPkdiIByccI2SuZlgVDD8 qvTmWKnIzk1jQeP8tdg7l80b8CNPHF0XCTUZTc3fGRkps2xfNfGQMhn9z9e6X2Fph_dULGUOz3nT jugd30_.sxYj9aNR1W94TNWGMaS8uMKg.S2k5z5J1X_orsMD4qaXhxn8xSEeL1QYx2EbwVblr0yn dDNNsU_f9QkCh77OXYfaaxeEQsASMQhaEMJAcOwt1Q2MXqwZswN8NYFCq1JquEI7DuTPuCIweUmh 2RZiuV8L4mCOdYDhmPnTEixAcATUlFjQSA4.GnNUJt3vOLCgMqawHcR_nUNWZ.igFffj7Y3abihY zKg_fybf5MZJ3PJ30rXwhLsD38wxQsjBSx0JBEPNeki1QON3qTgfn5_xv16XIjKPk1SNNg6FUPdm n_kdAlHPTdKzONnvNvlfszIvux6NwXC1BHZMIxgD64yRvwuFEEQ_rU2BmPcPjhpFBfbSkQtYJJnz FCksVjAj.ixTQTeBpvSnFPiXOih91OIZUE0xOgHBUdW6LCp.N3mHBsL8cjfQBUMG6uRHwYPU9uNZ AOubAhOVDjtfz8OT.pww3_zIwXkBjLMGDV2MIl4o2lKbqBOIZk9C1c8mahfFr494ybUWxEs.sM16 LifJFAAHBCugFy_gbq.2ULiJAr6kP_ak_csVel8_K6CSN0SiqbNgGeZ6_xfnOrcEfpAsp89KvZXz qs6PQHcwp60J2lM0B56DCgQ-- X-Sonic-MF: X-Sonic-ID: 971399df-9dab-4e22-a79f-53d4c0fe7e57 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:21:31 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 53259725741f313dacdbfffb86fd7fff; Fri, 15 Dec 2023 22:21:29 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 07/42] Audit: maintain an lsmblob in audit_context Date: Fri, 15 Dec 2023 14:16:01 -0800 Message-ID: <20231215221636.105680-8-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the secid value stored in struct audit_context with a struct lsmblob. Change the code that uses this value to accommodate the change. security_audit_rule_match() expects a lsmblob, so existing scaffolding can be removed. A call to security_secid_to_secctx() is changed to security_lsmblob_to_secctx(). The call to security_ipc_getsecid() is scaffolded. A new function lsmblob_is_set() is introduced to identify whether an lsmblob contains a non-zero value. Signed-off-by: Casey Schaufler --- include/linux/security.h | 13 +++++++++++++ kernel/audit.h | 3 ++- kernel/auditsc.c | 19 ++++++++----------- 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 7e4b31b771c1..029cf071148b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -276,6 +276,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id) return kernel_load_data_str[id]; } +/** + * lsmblob_is_set - report if there is a value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a value set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + const struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); diff --git a/kernel/audit.h b/kernel/audit.h index a60d2840559e..b1f2de4d4f1e 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -11,6 +11,7 @@ #include #include +#include #include #include #include @@ -160,7 +161,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb001300f0c2..52b4697d938c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - /* stacking scaffolding */ - blob.scaffold.secid = ctx->ipc.osid; - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rule)) ++result; @@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, " a%d=%lx", i, context->socketcall.args[i]); break; } - case AUDIT_IPC: { - u32 osid = context->ipc.osid; - + case AUDIT_IPC: audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { + if (lsmblob_is_set(&context->ipc.oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", osid); + if (security_lsmblob_to_secctx(&context->ipc.oblob, + &ctx, &len)) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic) context->ipc.perm_gid, context->ipc.perm_mode); } - break; } + break; case AUDIT_MQ_OPEN: audit_log_format(ab, "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " @@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + /* stacking scaffolding */ + security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); context->type = AUDIT_IPC; } From patchwork Fri Dec 15 22:16:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495125 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B4B9A18EAE for ; Fri, 15 Dec 2023 22:23:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="DKhPVw4U" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678985; bh=3K2HpHNKhJjYC/jlHqs8c4QospmLiwGAijJoid6Lhnc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=DKhPVw4UDyUBJVlvdOCbp4QubI/rR98eR1dqQde7ANvmLh1KkmxNjMqzTAhO1tw/ZFV64fXnB9vCHMd2NPL94Dll8OdPOgOsZ5+wZ4nGzhNQ71Oo2xXoD1aBkkn1O/eOHigxp+IeiC6UW3FWKNu5hjWC7dNieXy7cs1ZjrA1vi3lisfv4zEjEjFEu+v319rn+pv595OEedznkehTNmi4QA5AoPnOyzPRdWrEWPZS2Z0oIguG/F1qmglG3HEBVe+AKTCvKvG2OgKBeI7pJlfXxEIfpQMRozLJr+as4jxHzsjYPR0xs6cPf2/QZ2nJiM/hk8mdggwl29j59Mf6YPhdkg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678985; bh=MZlb38rYf8W/vHI2h+PHatLwwFEtf+RcJsUCjZNVPSg=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=UGEnKkw9Wxb1IltArVG+6nPj8eZ3iJn1NlS1mayB9y8lLNKwE/sw+HkhHHTfyAT4OBsZb8s9AGw7oSH7dM2sxP4XzHINCzVK5ERj9ySS+XQBPlhxfIQcLIEkXzXx27dWlSTW9dMJfED0JvpWMvC/y5ZPvGdOSFgS5vThWOEEdWM4vlw71/Fb7H+5yA/MY34JARWPz79BSzBkQRgA/i7ol2Oq4xRmAN/TJT1jbMkbBKpGHF1cUXHlAZNn8P5ZbW0e0roNljIgFwTXnDIwYKL779Vd0Ll2DDFumqTIU/Y6/iiHQt2L6Kf+zq2X5bjjIGhbRTg4jXvBSxLeItCgJ2rxyg== X-YMail-OSG: MqD1QvEVM1mzRvOFxVeJteBxh.3_0ejux3rZfLw1NuBTZFSCG0SXigzMUQJMboc OUVHg1hLd59R97LEs.5KR.eUsCKGFr0BYlMTEl8Acj5mfP4JoNrLgjbC34XZ0q1mNT1oLSC7RJ9V dnAqdS8hYP5t6OMYvQFJ7EOJ9oL29wwC3K4vKfOzL5oIZ.WyHtfzPpORDBI9QM3um47BynpPgaPs T_rlkZ3QqGx9ngV1VuYzVQ3Ay2lRvySSOXF3dtwk6z1UQH_nLffChyoHzRqJo54y7oe9eU74bRnz LJ25Jsu1W_X1pTyOF90D_3t9MfsvyJmQT75IKgrvLhACJXIHt6XYltNdprXtT.GPPFt99XOtsa6N iHqFXeKXNaBpZTebUb6Dyae8QFyIjxc0CHq2dl1EcTfhTGmhnP3EyW1qAxSJXaTIRszsIPkKyjda 51kpT34xH43GHRQ9cAtvvTKK4g83DFNf3YanvKs42ZxgLUCi9qFgmqvYsAsv_HHD17qVvurV3n4o Hwmovc4Ngbu3N_LdHB_Ls8KWCc8qMDODDMxdGdOSqR3gQj7hMl1yU3UbXUJ5zi_tTssOv8jdjLdi LnGUOyEBGpx5ye3cUTvlShTrwkBkHiWlDtyIb9D5EzbwnvjGA99.FRNaYn_mK1PsgSr5s1EAD1r3 tNwzMjtjLLyOW1qXtELIb8VrpAv_5_RXdw761kvuliPR.hjbEalLKFAxStLaAZLNeMbmjOhuXjE_ PJNitrxarnaIgXrvBFsGAeEucedvHtxEKCvmk_whTtCeW4Dk2uJG80xLEvaAdGD8Q.mAPPTlZmhf 7G29OMa9HHoFqrgtqKD5MJhqUuNSViwhJ3YroD05iuf9nJxkhLJW5zqBrKLlvUEENzRRkJq9z.kG KRLGFrtzl1.tVXaHHkNLhG8.nMoADpuSD0ymoo_6_Mt7Bt.6rLMvhr0NKmZOMMRRGPq2Jxv1hMal kgELtulFLV3ACpFUL5JDNuYtlEBJsIY7jgR8I9R3xV60uy4F88mgnz2ILSfEWr1V1IgX7Fgu3Quk RApobblUPf1YjF.g8cwbuqxR22b.8sHtFhLj9Nvv_qwN_jd9FJ3ZmJVvoVCvcJMcRHwVTV_dqYAp 3DqIj3SHphJjsHRvCPN2IzfUE26DOzLvdbzkQZ7WJhdGhC1DEZpK06mzB4NiE2CxcWG1t.kDpgME 0cue3FJYDeM8Q6Hj1QGCNAzRV2.e8_yEVWFF_OyTtNkO0_m7MDY_wjCzCub3ZeVwXZ4nBT.fWjlO UCiYJPPsbfmqehehvLLekQt3Pd9W4hKBnBuFSAQcvTauJGmeC9CbJJXYUq1SdNfzQWaQgwuhb4E5 k9j4v_TrMMt4E7IkOYUhmumtEy87IWPMoXoirfr00zX55RsiytnIomHo2QHYx6mLBhsYYUaru_HK 3eZA6A_01w.8_7LiGB9ca.87rgF0spMslLBcB4XBLzFPI2mEPp2y6Q8.cuAgFUiJ.UppriKpiBuO vxhIIUNqSMHO8R866MfhqgZDzHzLQhP_RuzfhbNXsh500RuFyUdgAAgINRnvA7wMV0GEnI30QjIn _MTsRKVjLMiwX1xyuExwjtTHWS4wp_w1ASnTu0xt6etpuv.bolC5yF9TH9Yn9_o_bcbak4.h_b2z N109owM.GaAo1APZ5xySnl.v_0cWCAgPl3F4BPYkC1WnFZ.gYknQ6F1NBRlfLk1X5CyKq7J8G0C5 XONELvaHVWOOKUe2Ef5E8Lt6ZB2KdX858PYpdyzSUvS6RmsVG6polN_09YQlfSgrihrIV2N8gLzj qtQmsNtuN5i70.jsi9uRDqivxmATWbIVn6wAsnyiRLrh2dzJ9kZJWeO.Y0Tr5kudaDM8tdaaqROq vpyDzP9GY93K9ernnYW7jtqVfEv58V1CBYXo4U3ByyzvsM.dbYKQKFKxoXtVcY6SNTlf5muMuMgM EsU7STc.R7yObS820_O8FQBvZAlHi4bB3PpO2SfOFR3kn5PIaZn0yz1AlcCNeSe0ZzJtoDxOTInW 3Z_i3NNOUkw78ilppG7QujhJL1MD8jeuaTq1zVWAefOrhe88C3n64FUVzsKqlpKV7rkRNLfSxJLj ochBEVe8BRXat.9uSD7BnVETt3mPh3or8nt07zFIVAyDs.yaTspJX_3kgBnBSOqxe.D7RMMiF3S5 DICrfg6Hnhzm8PWdNfGPq1T9F.hHasoeDqVqIIVFfWQR0w0c1ify7LHdBvt9HN_JtlZGRfPXwf1D fZ4szefntB0PgfrdjBcjCGQR6.yXuZp7w98Hibjug2gMeivCnDlL13LEGwszQinxpJpO_DmqD3Np ANpmaJqSYJJs1YwqjqXZS7KfC X-Sonic-MF: X-Sonic-ID: fa0799ff-e34b-4ec5-bfc7-8fc06b8687f9 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:23:05 +0000 Received: by hermes--production-gq1-6949d6d8f9-q7525 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7388d6c7a490bc7dfaae35982f4a3b58; Fri, 15 Dec 2023 22:23:03 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-audit@redhat.com, audit@vger.kernel.org Subject: [PATCH v39 08/42] LSM: Use lsmblob in security_ipc_getsecid Date: Fri, 15 Dec 2023 14:16:02 -0800 Message-ID: <20231215221636.105680-9-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. Change the name to security_ipc_getlsmblob() to reflect the change. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com Cc: audit@vger.kernel.org --- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 18 +++++++++++++++--- kernel/auditsc.c | 3 +-- security/security.c | 14 +++++++------- security/selinux/hooks.c | 9 ++++++--- security/smack/smack_lsm.c | 17 ++++++++++------- 6 files changed, 41 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 52d090d1957c..d69332031270 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -234,8 +234,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) LSM_HOOK(int, 0, userns_create, const struct cred *cred) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, - u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp, + struct lsmblob *blob) LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) diff --git a/include/linux/security.h b/include/linux/security.h index 029cf071148b..2ca118960234 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -289,6 +289,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob) return !!memcmp(blob, &empty, sizeof(*blob)); } +/** + * lsmblob_init - initialize a lsmblob structure + * @blob: Pointer to the data to initialize + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob) +{ + memset(blob, 0, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); @@ -487,7 +498,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_create_user_ns(const struct cred *cred); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1299,9 +1310,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 52b4697d938c..89d490db0494 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - /* stacking scaffolding */ - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); + security_ipc_getlsmblob(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index 4b78bface040..b82245d55f66 100644 --- a/security/security.c +++ b/security/security.c @@ -3595,17 +3595,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) } /** - * security_ipc_getsecid() - Get the sysv ipc object's secid + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data * @ipcp: ipc permission structure - * @secid: secid pointer + * @blob: pointer to lsm information * - * Get the secid associated with the ipc object. In case of failure, @secid - * will be set to zero. + * Get the lsm information associated with the ipc object. */ -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) + +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + lsmblob_init(blob); + call_void_hook(ipc_getlsmblob, ipcp, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 83ce496e8ef6..f15991ef6ca8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6266,10 +6266,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { struct ipc_security_struct *isec = selinux_ipc(ipcp); - *secid = isec->sid; + blob->selinux.secid = isec->sid; + /* stacking scaffolding */ + blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -7165,7 +7168,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(userns_create, selinux_userns_create), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob), LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a4ace6ea2ab0..b00f4f44f9c5 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3396,16 +3396,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) } /** - * smack_ipc_getsecid - Extract smack security id + * smack_ipc_getlsmblob - Extract smack security data * @ipp: the object permissions - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, + struct lsmblob *blob) { - struct smack_known **blob = smack_ipc(ipp); - struct smack_known *iskp = *blob; + struct smack_known **iskpp = smack_ipc(ipp); + struct smack_known *iskp = *iskpp; - *secid = iskp->smk_secid; + blob->smack.skp = iskp; + /* stacking scaffolding */ + blob->scaffold.secid = iskp->smk_secid; } /** @@ -5109,7 +5112,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob), LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), From patchwork Fri Dec 15 22:16:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495126 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CD86C18EBF for ; Fri, 15 Dec 2023 22:23:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="PE31wjlz" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678990; bh=3gRmOpEVfGBTXm6cSKhWruAudxiwq20dQIpn1DBXMZo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=PE31wjlzEmZd4FphqG4EbQ0GtaI1Tui4SjzO4NYGegKopGP3vBleFgrxOHCTgjCCdDROw7qR7QNkWMnPs0hwCvh/cJLd8niIlMUqtu6z+cI1kbMhJnIu95cAptRmQpP2NDaiRayWr8H5A0s7yUkod9Zb7tRPjaPu00f8L/s4TfvHWEUO6ZyTYMTgUbb5oSztXFZ6mTX87NESL7386BomdlLeUpXN7ODLo3gP4+n0KaLc1mIvXvE28qCmgrICmD+m/WXOMzGrgsXZHZno33VXGnml/A0lv9HsxfsXtA7UNj96OQ6fmdqT54Z5TmL1SHB5RTjLwdjuMUNYeacnRWMuVg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702678990; bh=H5piEox20lILUqaYg1+cSexnAfnzjYEDZOBrX8aTAyh=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=IF0bQZ1+AKuNEajnLXSmOXwOBIGFlvyS3Uo8IGwU6zGcgR/Y05bLbCgvoq7GjsGMLXbczHvvtrMm9vAT7EVpDlq98Cm9A8+TRInfVHENmRb/85knl4cNpCCdO+/R/BPTzVnjXnw7oztHmSlMsFJ5lDM0pA7XQTuDmMEZjjEnOc584EO1mG3P4jmKB28Y+o4W74j3a1C2SLUac2N6m2nEiUZsm07s9d+U26uY2AjDsWmTkiBYILRfosX5a9C9b7rDPm/PJ8ClHTNwyT+ZC1wvbN6rsNNOi//36DRCLkWuOQE3b5AzAPFqOAEbiwZcCyzpxc6iWZ4jYw3NoNzrHqVtxA== X-YMail-OSG: in9VcAkVM1nNitpu5NpH_n4mm0U_l6svqqhF85jMdH_7ilyAmu1rkFoi05OhLyL vA2DPRBnsj3UQo6ScA9nT5kmtLtVzAmv_FoAcE2AtmnDcZ0A1s79tGtkdnOJnWZ2j9t_Tj7zBYJx GZqe5S9QjMnYMvexGmDsv_Xh72Cr0okdU40E9Qs0kgE6XfZflsLALcmFV1Q5L2Un0WO.goDHtzKU AlauAwQIQi9hDcFgLUH5dXTKdq8gxZnDQAp1l7KIgRCT5HQA1nPCA.90PZ4yqUV0GGs6KFKHm5.k g8dsB0H2nfAmQ8LWNhg00Gp9IQIBintUE0Eag3IqcFHLYvvipMITTq2aPRgzwydwZ1yS4kprRV4z MIRFMZRva9KrkIWhD_fVEa1ngOsZ18KRfmBjdGmZeXC5k4.BaA0ZPcHCixUCw8Gdvhw7n0VnRctJ J0tnRpHywrv17xmMiRw5gj0yqCxnWCaXRdusnMGWc72Xmy7MafCrW79ZR64CpUMp7q2OXEx5RaqH sh7j8_eAhtG_uH.so6v6sX.hi8Hew7OWe38etzW5xCvIM1nReFftAohDCPg0mKr.fhhKJJlkED9e 2V7aG9DMEkuHLvSIk1Sh8TxxtFx_Uq9LPip1HUgaNX5IleUaui6RhrPt28X6QvNLSahdMHI6mefj _rXI57fa7P4qz5ygt1TNm4TiXexNZqV5ppZ5mzzKJxWj.AJX5S.WVjfFbmU72PcdQ1yhznWfQVb9 HjBNvl0KFKughXKccEpNFuHLWYd4iKjMekdtycWDMzOA4lfMbX8aNKX2lefBTnrKU8NV1lwmjMRb V2xyLyTjI8.GKaZVwpqkRwsvvTlcOqlH0Tam1VpS02un1KhbzTSDIRBPuG9YGtnc.jSYMAgtn088 GbrLWG2cmdnL7P.tQxgxzIaxDDbDhzr08thiJYWrQSr30Rv8H6.5m3JGKE6coXRSGhzAeUeS1iNg 6p_UuE6gk1wGHzykYWXZQhsHSysL65UhPl_uXXO4_HQCvhgJJ.TmYJBkYSg4RWC.HJyCsWhX_Qe. 8TCb0YN6dp2A9vFOpyeGLIsETGufPtvzmr8YOWAIUa2sgg1W414bedYe7CpUOqkY_JnCXzM.Sm2G yGBqoMYzG.4W68ivwhfkcZJ.qCrmqXZBQzIOcWRx1gBRL._wcBss8qwdG8tG1YuMzylyxSUdnktF bIhIQAzZLxUCn9QscEEopakodEX.ZW7MFCsYrHwxY5LEpr_1DERnWJtCAac2zC5NfzmSZjV3fK8R 0nc0CxZR44m45vS2DE3Aa6a4WsokBjspVu2PZo1WzqzdzhJvZP62RrdEaorL.37lxgu6Bz23cCQy ArC9h35vyGlaZ9PY2usMllVU_joS96ZlnwOGVvu4zXjvDYYL_bxCISNbVXQpqgIsJJr4WFvP2fdS mwkTLCrRx_u0uV1tkTyt1651daEe6KggD9y7L_FNFa5bEL5QEDavHuJ1U8KA2FBhOS7c1Jh1wUcV CP4NJ0ZGRweBttfuzT.7585aZgi321RIAJq9YwCcCDDh7AVmD36fMXxU9cnhHhpUIRFzoes8PSRv CWvAo44luerGKlPQg22biAS_1R8nr_BhXE4kp5JJktr48M1ZqoMbg..tNSzrHXD9jpB0b.8ofvF2 Yw.Erq4KSUALk0WJXuvVMz24Kd.PgLuTGWNHKKUcWAF5UGElFi8a26wmccC8OkStdFBfXIO3SrsA TxU7XJoPizWfgYbdl8vuU_xUNj4UlpCyHDTIAqaFdIBl_edrUlOdlV49oyitxO5ubUD6ZfPfqh1f b.E5bPNKtJgP5clIVTrHKBggnVTNCIgS5932gv19kMBme1WomTSBvYlVv4Ln159mhy1Qh1ao3DN7 QM1RH5VKQbVhvU_veiE62FkTxYroaDs8FEkyo14HMq0T6x_r88yS7oLLz2sedmcQxKhCExyBZFkw T0A6C3P0NRxTilpVf1gFB1nrNYSChfUIMk93kstuOhEnsUhinjmx3Umh5l1duuHZWL2zbN4scfDi pWXnyD3ochJz52.neAsl_S21n3onqNAbPTqbZ_H6nM1nvii2qUsmqP1E1stkjhXbst6FOsqoPkRn cOpdojxFVLHFeGFekAverOZ.qL_U2HsYtAU764OPHW4IfjVZ7al9OyiKVPL4RdUPkeSiP_kUgnNU bSSLgXu7uU28UBAn8DKbbuzXiD3sq7h_al1shIA0ZmP4NuCp5_jfSVzhC9dmmrCSk5rQxko5Jsmo U5OZUPnRpWBN9WIJbcAz5yM5TdCvLrlfu9ra8rLWr63Fh X-Sonic-MF: X-Sonic-ID: d4803ee4-5cf8-4a92-b582-81ac2b7ba410 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:23:10 +0000 Received: by hermes--production-gq1-6949d6d8f9-q7525 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7388d6c7a490bc7dfaae35982f4a3b58; Fri, 15 Dec 2023 22:23:05 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 09/42] Audit: Update shutdown LSM data Date: Fri, 15 Dec 2023 14:16:03 -0800 Message-ID: <20231215221636.105680-10-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The audit process LSM information is changed from a secid audit_sig_sid to an lsmblob in audit_sig_lsm. Update the users of this data appropriately. Calls to security_secid_to_secctx() are changed to use security_lsmblob_to_secctx() instead. security_current_getsecid_subj() is scaffolded. It will be updated in a subsequent patch. Signed-off-by: Casey Schaufler --- kernel/audit.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 16205dd29843..875df831fb61 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -123,7 +123,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ static kuid_t audit_sig_uid = INVALID_UID; static pid_t audit_sig_pid = -1; -static u32 audit_sig_sid; +static struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] @@ -1460,20 +1460,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } @@ -2389,7 +2390,8 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_current_getsecid_subj(&audit_sig_sid); + /* stacking scaffolding */ + security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); } return audit_signal_info_syscall(t); From patchwork Fri Dec 15 22:16:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495127 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F81E13B139 for ; Fri, 15 Dec 2023 22:24:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="ezsOsT0i" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679084; bh=ya0OCYd/b1yyh4uzXzAyH0lituR0lp9LeCsospqdOmE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=ezsOsT0iVIiMzWakeQboTpN55HwqCCZ5/hBr9qm3hxZVebROS3slB4hhFLIrsaPeKE2ulVMhfzWPvBZaTEU5abaoYzQ1H2eJTNFAfT+1vR+fbIMXWVDw9howdpIoJ1M1RD6xnp+wXgmYtk58VGFjpxm5eRn3bFs8ZMZ5rkIQoDYHPWZmxi8BW8XG2sqrJdA989ICRHvg1B32UGz70m+v2hdeaV6Tz5RGhWw2C/r+2iPjZZYCY7QhKrfmEpTxMocKaMfYnAhVX5lSPz1h7NXYwvujhLUQe9Ko8xi6scC/sPKsSVfDRH1AsXdGc96KtaBXEIduySqw4caun+K1cY6s8Q== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679084; bh=ec9K0gp/YeS3lx9Mu8qvVcYa7PUUxMItvUguWAEC1xS=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=M+hjx3MHwoY66xRLPtFd10vBS6+fHX4XfE0YUKkuu32tsy4KdL5sSXn7Jdlhsq3OtUYBst4BVdzHiRccXKs2J+iy7AzD82JzN+EioxMeK32pXAEEAwECTojbIzvxn2xzywy18UHuLZC9Log8oaIQE8BIxMIuqtiWX88hIEEWJfJwDEX8YnlA0eaHcxk/liX3w2IvrntEQo2tr2tY+QFUxY8jEqejj1+oSg01xcameNZkB5kl6CyDwMRT15mKgPJyBmZAGngKd7dcbTakOMLEuzphlKQPOGQVKtH46mD/yJzL5j0I4OxJpGyHEmncjy6+59AgPQrucamBk4/axzx6Vw== X-YMail-OSG: Ma1O6GMVM1nxIpbBLmG.pYTD21spsB1YngIitqUoRskKRZiwyX9YYznJoD16mfn yK3ksPM.u.iKnz8jowqrVu4H5T4Si784oFxFEekFvb4x02vO0UK5rTz01rSsURPR_4aU3pYB2RQS h5N5qatC1JlM7tzVx2uqy9dBu_tb1.2RrJRZN1Q5mycO0KmMK20qnj_iA9rkBf2PHDSykID8f3xd 9E5677x5RV6bV8DV9MDa30GwtcP0k3pffc72d53sKjYDr7H_PkWGtk76jGO3Nh901y1CwthsoaS. V335nByvimLzKdbtoQFeWRMo7oZSoZCEEyH8dHmQzwsdQQycDG4pPylLurcP0WhZ7Y60zvfmA1Ys Py3CYCDFnZHdO9FuZxOPLlcJPCDNoBOH9CZB_ZMSUwB7Z5.k.b2XF_LUg3IAlVTa9cZwyMlh2u5m n.EOlaoOUCtCBJws4BlJcFQfSVFbpPnomeLpxRcPnwiP7Vm9drsWyFOVYZsLLyzXU7FfI_dJAU9Q G2rMmskdNRhcnLp1N28sQI_Eh9oMeEAUHg0NZEXbvMUyrEnH_RDLMjOx1IrJQKqL6GBddGM3BcdK ASmbHwo7XHsz5NQWjWhHICv5A6fAxiqjO_tzZdHHKi77ljJPJhQxBegyonJyfOWksMWB0.HrquhG x0nL.bjS0iQYvQqrYoo.UQ9YOm9GWyEHh3bHEPy9LCU56BmImxDZTg10PrWBWqcR_aPN9WBV1_PE 0sT6Rk2jF.MmDEvCiDJneEPPhVi5psHc_AYT7udFX2OalX6BSz9dw4qei.g3SaDFJdXApIMor5pU wKjv3BXwuMTY1b1l0OdrEYtAF2X9PKVfmbGFn2CX70wuFxW0HQHJaDQdxnkk6xrExAMinMh07Yq7 8PeVFTtrp9jSdLe_nONNtZsWj8rQ3ZiyDkpaErpZ2QZQqsh2GIeYts5x7nmHOt.osSbcGSEcWK4C oq4lQB_N4mnXTFJWSUKMluZfhppO.rySQuqLLM2XOO3Aefh55ey3ONUawJjTvga47SSY4_UxDhmR 25ioZmauruff7Wx8DiyMTvyQD2gT_n6GB5CJ0gPPohc58V8tmZnpuKSL5kJjcc0twZz9OoOgjhpv 9PYV8PDXT5API5ZAKUNK5B6eadkqjaUlQVTfaGo.yCWfHSLgnTRKyCtkKwftScS.k.gTDEIZXSYu QeM7yPj0XP6Sx3eiieq0Cjj0n_iqSpZNPOuK1XF4ZYRvEuqWggRu3HpAtrF5GSO.dzXWexzmRWrP oKtwOgOvM9C1vrrdI2XQjcojuaRpijp2D50C1t119pb.xDwrcmMaiqE3_JCECxYTBeGkN4w4S7VC z3UEsEkmKNkVduIAQGrSsNwFTxIr8bcyN0SPh8XJz3cKVkh2M9d_fBn_B2W_DM12wacujYchUpb9 F_L.760UO9DwKiyq25dweP0Gzk7hVajvloyhaTzW2_FIiUXX.v7UXkWppA15K5JZE6XEYVAtui2S IRqd5xJMkBX_61B.3txr6SoVakSZ_Euv2DWWD4_s7HPdamaDqG0_PT1gO4bPVAaqbzO1.7nLn_NR JB.YCemt_.mAaC_cFuTI_0e1WKFhbIaaj4KuToSl.Hr2rIsg4YpUz5crilUw6ZfdqXBk7mBYX0i3 jo7.LIJWmiUfH8nK6tSj7RILU02J3nI993BqdthVnsI2gvxkHnReYxved7zKrwKyB6gEQE_okxnU hiAdvHgFis7qh_FshFm6ywpNV9B_qvOUYVdwwFVpZRBgzMbx3FpVPDblO2rKmG9kGKhIvjq8btqG ZO34ehWio3dTRl0n8__3uoqn.bekXvIl73SpIzqxD74BtKLf8MWzYZ5Cc7Qg0WDqxwoRSokP7nR6 nnqXYEz6jOdPoUzFJ3bRHC9wHFhiOtulttkL7Eg9mAY08CneQfh7gf8H7GX0KaZeMVLBtVYV3CRC NSu8VFkzWg7ECktOI_RXPwyPmiU6.G82LU6a4lHxKX3ugJRSzPnrdjkspXuPgTkXCk3CK42AdaH8 eJ23BodqJdrCpPKus.x9SPjy6og0N4LMUM3XYdub6jn0j7ZJ3sXB1qugP72C0pD1WNRTbuxj4ZLD KAhKYEdwzB5mQfuok_Qm_FBRLoIq8zSMZ03jDn_tSbpZrD..dvT4wvlFYAhAt7ZwYdA2nAymyy8E CkE7DMO2V0skdg0.7Rv9kxG9y2QICVSHFpALVox4JMD9dlqvS_QMA4B1mGE657BefE0aXmYabZwk _DcFHL9MuJAf19Q7sBwBoLqKwrlaXX_0hIesmJCltht5yjgYy6JvpsPpHCwJOJ4J6le4wkXqerFJ I0osv2XHek.xg6n9dHdZr28_86YrcrA-- X-Sonic-MF: X-Sonic-ID: 4a404d4f-f93e-4b92-96f2-dc46c989ad72 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:24:44 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID aee9c1d49ff512a4183bc9eedbd8cede; Fri, 15 Dec 2023 22:24:38 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, linux-audit@redhat.com, netdev@vger.kernel.org Subject: [PATCH v39 10/42] LSM: Use lsmblob in security_current_getsecid Date: Fri, 15 Dec 2023 14:16:04 -0800 Message-ID: <20231215221636.105680-11-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible security data for possible reporting. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Cc: netdev@vger.kernel.org --- include/linux/lsm_hook_defs.h | 6 +-- include/linux/security.h | 13 +++--- kernel/audit.c | 11 +++-- kernel/auditfilter.c | 3 +- kernel/auditsc.c | 22 ++++++---- net/netlabel/netlabel_unlabeled.c | 5 ++- net/netlabel/netlabel_user.h | 6 ++- security/apparmor/lsm.c | 20 ++++++--- security/integrity/ima/ima.h | 6 +-- security/integrity/ima/ima_api.c | 6 +-- security/integrity/ima/ima_appraise.c | 6 +-- security/integrity/ima/ima_main.c | 59 ++++++++++++++------------- security/integrity/ima/ima_policy.c | 14 +++---- security/security.c | 28 ++++++------- security/selinux/hooks.c | 17 +++++--- security/smack/smack_lsm.c | 23 +++++++---- 16 files changed, 138 insertions(+), 107 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index d69332031270..2db7320a1e05 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -213,9 +213,9 @@ LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old) LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, - struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, current_getlsmblob_subj, struct lsmblob *blob) +LSM_HOOK(void, LSM_RET_VOID, task_getlsmblob_obj, + struct task_struct *p, struct lsmblob *blob) LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) LSM_HOOK(int, 0, task_getioprio, struct task_struct *p) diff --git a/include/linux/security.h b/include/linux/security.h index 2ca118960234..6306e8ab0cf6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -479,8 +479,8 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_current_getsecid_subj(u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_current_getlsmblob_subj(struct lsmblob *blob); +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1227,14 +1227,15 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_current_getsecid_subj(u32 *secid) +static inline void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 875df831fb61..54dfe339e341 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2164,16 +2164,16 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmblob blob; char *ctx = NULL; unsigned len; int error; - u32 sid; - security_current_getsecid_subj(&sid); - if (!sid) + security_current_getlsmblob_subj(&blob); + if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; @@ -2390,8 +2390,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - /* stacking scaffolding */ - security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); + security_current_getlsmblob_subj(&audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 08dc64bb8496..d0df226bdc51 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1370,8 +1370,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { /* stacking scaffolding */ - security_current_getsecid_subj( - &blob.scaffold.secid); + security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rule); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 89d490db0494..7afeae468745 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -470,7 +470,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob = { }; unsigned int sessionid; @@ -675,15 +674,14 @@ static int audit_filter_rules(struct task_struct *tsk, * fork()/copy_process() in which case * the new @tsk creds are still a dup * of @current's creds so we can still - * use security_current_getsecid_subj() + * use + * security_current_getlsmblob_subj() * here even though it always refs * @current's creds */ - security_current_getsecid_subj(&sid); + security_current_getlsmblob_subj(&blob); need_sid = 0; } - /* stacking scaffolding */ - blob.scaffold.secid = sid; result = security_audit_rule_match(&blob, f->type, f->op, @@ -2730,12 +2728,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* stacking scaffolding */ + context->target_sid = blob.scaffold.secid; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2751,6 +2752,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2762,7 +2764,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* stacking scaffolding */ + ctx->target_sid = blob.scaffold.secid; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2783,7 +2787,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getlsmblob_obj(t, &blob); + /* stacking scaffolding */ + axp->target_sid[axp->pid_count] = blob.scaffold.secid; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 9996883bf2b7..129d71c147f1 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1534,11 +1534,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getsecid_subj(&audit_info.secid); + security_current_getlsmblob_subj(&blob); + /* stacking scaffolding */ + audit_info.secid = blob.scaffold.secid; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index d6c5b31eb4eb..c4864fa18a08 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_current_getsecid_subj(&audit_info->secid); + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + /* stacking scaffolding */ + audit_info->secid = blob.scaffold.secid; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 1b230ade84fc..b5f3beb26d5a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -979,17 +979,24 @@ static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm) return; } -static void apparmor_current_getsecid_subj(u32 *secid) +static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) { struct aa_label *label = __begin_current_label_crit_section(); - *secid = label->secid; + + blob->apparmor.label = label; + /* stacking scaffolding */ + blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } -static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void apparmor_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct aa_label *label = aa_get_task_label(p); - *secid = label->secid; + + blob->apparmor.label = label; + /* stacking scaffolding */ + blob->scaffold.secid = label->secid; aa_put_label(label); } @@ -1519,8 +1526,9 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, + apparmor_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, apparmor_task_getlsmblob_obj), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), LSM_HOOK_INIT(userns_create, apparmor_userns_create), diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 560d6104de72..53f794b75bf9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -256,7 +256,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); @@ -287,8 +287,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 597ea0c4d72f..f9f74419f5ef 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @idmap: idmap of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: secid(s) of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) @@ -196,7 +196,7 @@ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(idmap, inode, cred, secid, func, mask, + return ima_match_policy(idmap, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data, allowed_algos); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 870dde67707b..41cf92d15972 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -73,13 +73,13 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_current_getsecid_subj(&secid); - return ima_match_policy(idmap, inode, current_cred(), secid, + security_current_getlsmblob_subj(&blob); + return ima_match_policy(idmap, inode, current_cred(), &blob, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index cc1217ac2c6f..657143fe558d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -205,8 +205,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *backing_inode, *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -230,7 +230,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_idmap(file), inode, cred, secid, + action = ima_get_action(file_mnt_idmap(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL, &allowed_algos); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK || @@ -430,23 +430,23 @@ static int process_measurement(struct file *file, const struct cred *cred, int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags) { - u32 secid; + struct lsmblob blob; int ret; if (!file) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); if (reqprot & PROT_EXEC) { - ret = process_measurement(file, current_cred(), secid, NULL, + ret = process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK_REQPROT); if (ret) return ret; } if (prot & PROT_EXEC) - return process_measurement(file, current_cred(), secid, NULL, + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); return 0; @@ -473,9 +473,9 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ @@ -483,13 +483,13 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL, NULL); action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK_REQPROT, &pcr, &template, NULL, NULL); @@ -527,15 +527,18 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob = { }; - security_current_getsecid_subj(&secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_current_getlsmblob_subj(&blob); + ret = process_measurement(bprm->file, current_cred(), + &blob, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, + /* stacking scaffolding */ + blob.scaffold.secid = secid; + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } @@ -551,10 +554,10 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -755,7 +758,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the @@ -775,9 +778,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { @@ -805,7 +808,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -818,8 +821,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, buf, size, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, buf, size, MAY_READ, func); } @@ -945,7 +948,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; @@ -968,9 +971,9 @@ int process_buffer_measurement(struct mnt_idmap *idmap, * buffer measurements. */ if (func) { - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); action = ima_get_action(idmap, inode, current_cred(), - secid, 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index d24205aa1beb..48287b75fe77 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -579,7 +579,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @idmap: idmap of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the secid(s) of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -589,7 +589,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct mnt_idmap *idmap, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, + struct lsmblob *blob, enum ima_hooks func, int mask, const char *func_data) { int i; @@ -681,8 +681,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - /* stacking scaffolding */ - blob.scaffold.secid = secid; rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, @@ -748,7 +746,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM secid(s) of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) @@ -765,8 +763,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { @@ -784,7 +782,7 @@ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, idmap, inode, cred, secid, + if (!ima_match_rules(entry, idmap, inode, cred, blob, func, mask, func_data)) continue; diff --git a/security/security.c b/security/security.c index b82245d55f66..58387e1f0c04 100644 --- a/security/security.c +++ b/security/security.c @@ -3357,33 +3357,33 @@ int security_task_getsid(struct task_struct *p) } /** - * security_current_getsecid_subj() - Get the current task's subjective secid - * @secid: secid value + * security_current_getlsmblob_subj() - Current task's subjective LSM data + * @blob: lsm specific information * * Retrieve the subjective security identifier of the current task and return - * it in @secid. In case of failure, @secid will be set to zero. + * it in @blob. */ -void security_current_getsecid_subj(u32 *secid) +void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; - call_void_hook(current_getsecid_subj, secid); + lsmblob_init(blob); + call_void_hook(current_getlsmblob_subj, blob); } -EXPORT_SYMBOL(security_current_getsecid_subj); +EXPORT_SYMBOL(security_current_getlsmblob_subj); /** - * security_task_getsecid_obj() - Get a task's objective secid + * security_task_getlsmblob_obj() - Get a task's objective LSM data * @p: target task - * @secid: secid value + * @blob: lsm specific information * * Retrieve the objective security identifier of the task_struct in @p and - * return it in @secid. In case of failure, @secid will be set to zero. + * return it in @blob. */ -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + lsmblob_init(blob); + call_void_hook(task_getlsmblob_obj, p, blob); } -EXPORT_SYMBOL(security_task_getsecid_obj); +EXPORT_SYMBOL(security_task_getlsmblob_obj); /** * security_task_setnice() - Check if setting a task's nice value is allowed diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f15991ef6ca8..d70000363b7a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4124,14 +4124,19 @@ static int selinux_task_getsid(struct task_struct *p) PROCESS__GETSESSION, NULL); } -static void selinux_current_getsecid_subj(u32 *secid) +static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = current_sid(); + blob->selinux.secid = current_sid(); + /* stacking scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } -static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void selinux_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = task_sid_obj(p); + blob->selinux.secid = task_sid_obj(p); + /* stacking scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -7153,8 +7158,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, selinux_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, selinux_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b00f4f44f9c5..46cc79eb1200 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2210,30 +2210,35 @@ static int smack_task_getsid(struct task_struct *p) } /** - * smack_current_getsecid_subj - get the subjective secid of the current task - * @secid: where to put the result + * smack_current_getlsmblob_subj - get the subjective secid of the current task + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's subjective smack label. */ -static void smack_current_getsecid_subj(u32 *secid) +static void smack_current_getlsmblob_subj(struct lsmblob *blob) { struct smack_known *skp = smk_of_current(); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* stacking scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** - * smack_task_getsecid_obj - get the objective secid of the task + * smack_task_getlsmblob_obj - get the objective data of the task * @p: the task * @secid: where to put the result * * Sets the secid to contain a u32 version of the task's objective smack label. */ -static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void smack_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct smack_known *skp = smk_of_task_struct_obj(p); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* stacking scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** @@ -5100,8 +5105,8 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, smack_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, smack_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), From patchwork Fri Dec 15 22:16:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495128 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DC7013B143 for ; Fri, 15 Dec 2023 22:24:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="XgA2Ul+H" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679085; bh=gM+LsHgIihuJigplOYZBWLpN1B0KNpUXeKsws5Epi88=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=XgA2Ul+HkuBJmXYTuZHKX1hJeapIjvKzGgy1If/1zQPoA09oh0IUw7tlw8uGEafQstODmnb2UiJE8++jD78zu/7+w7c1nme8zDx9WdjK5KxSBKd81Pat70qhWDtIjtxDG7NHcAsa64CFjl+FcFefmHbPD9FIU/oFPEXutX7Tq3c9mYe3X0R1vDw6AeKEOpB2Eg7RqhyJChH/wtaq8wVyhu/ezXeYPxzk0rE7E4sLcPUHLAjmk8quJ5hKwj0ojOVcI1tt4m5t2Z2iNbk7TaxZroigqFv/2MpYTCHy4C5+2S0AUz0YLB9dRCI29A7h0SwjFPumA0Grq6m1QnMfHXjlHA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679085; bh=sJisvyEaiEIDTvHJoCBm959AQyUp2ajfAaIoeslpkEv=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=RJdVqm7YtTgRmgYS5OaT3Bryze+oouKK2KdpPldhLKp9cbDdVEDK8bztfNk+MezcYi31bZU409oSrJNmZMuYxugJnW5OGPnO3ASrZzmc6S0CAKU26BadtZ+Ik9Gz01+tZGVfyEkkggmzfXgGjqfkqg+k1JCl7IhOsMREGTU7p7I61Y/vkRqygy5HWKWoYe+RDU7sGDIrJaNE97XR/i+orWnL/R4RoX3dCwj1kIwIw1SYN4CZjDLzVoq0XJw4bz3FlKjPUe1iHHGPdXDBBpAf8xu2UWenE7RVGSN/4+u7GMM4sVVOb7nwXy0ytGFQz3V52vKZRz0WjWxDTvwbpirgtA== X-YMail-OSG: j48yVbgVM1lH6smcB8G24yK2ZUW8_4Tx.H1cT_wnooEsxERehzA1g23E6RTyf2O MDwKYLO2CUnNmWrSxmsuzTkHtI3Mxsc.t01dcVNxm.FWE4c353ZaB1JiW0I3._3u6oaHyCRBM_KN UT6_uQAiEeXS3RDJIaFexpxaNITUfrPq2LhrKWJoB4kUDV.oyMkZrhI_w4tdWwpWuY3zVPKiGNFT mHmwysM_gvg05lTAzAmMMOwpQI6VjC8LQBS.6JzBx25GurMamU6wOST28Ma7U4.zU2fBF9ZLYhm_ Wbb84U_Gv9FXwd.f_cPlUuIl4X7CC.KJaRBm1RIj8DlYdk4EcsKS.lMxBPkudmsnvj7tLe10_JRh j3jh11y_MEDK4U2FpQJ2fltsSLOUpCVq80yza2RnRA5fD04UkztusJXKnBC7vW9fl90bBTFEybz4 FUxbuMDQQ_g43vKDIg2iv8h9pRBDB1tKejzCmSn.oLkk6nx7puZpdT11AvAyeqcZK9fYk49QFxdJ tViNue4SHIF7GKIOUvtlCWCrQBDprfvFMiqF07YFpkRvhs6J0J0CQsjUepojTDDBGb5RxiyBH2rh kQgaijESZmr3kAFbuXRzA.h9VijSzf7M2S4Zzu9ytoHlJoSjLI38yyxhcOKaaNWYVRHtovjJQyFy hzbRusjA3zUl5Xk_FbUuHKhok.IReyv8vHM7vEjWwI82I88NNpfTczMbENmH9qGcHjUMynh17kbY NTNF9GzDdGU2hP.pijNn3aBifQlUiepdjsWzjf7tO58Wf8iCLnRen3oNQ_oS17JgkEe065IWTs.0 OJX9BcswXqh8FAd_x5cGKVxsnuHgUntG5Y6qhB7C13l.FrwscKb4CFveymrC2uI3BjHaTbykLIV1 Eneb2lRBqid_gW7FZaoObm6I6bx8KV.PaKqR6.qTxjbiF6iYfHZOLbchBnfaFuW0xittxSwBLciq 9utwt6abGB46dM94i7Jwj70lrfs7iDxP2ftg9WlG40pdtURtzq4l8FqnjWzeETPkUVdDs.Up5A0e fL_ahGvMeimta9j8hrzf1JUhCbcwa59gL7YWsN.e0VQ2o.fxls_zH4grab6nLJtnSJXPZieCZrqC MGtBfa0wiF5DA0SLLO2K5iXCSKzbOZJg6P8LKKMtCozJD3SA.qIrDMuprXEmggNYuorrrV.4nld8 qvhKamGz_Sd0oipW8iX8rvkBAT3yrmQqEsXu2YziOJvOLnBRnelfqrHqurFiqp3VW3bfQ1S8F8nl ZfElLDytX20xedow_VxV7WfCIJkWK3e8iALigBHZWqTnooS3zMo8xXVTKKzMaFrCKpFdTfYoB0qA E4kZn1KohYWFKzD9l.eQBAEIaGTfDCc_q.2wXf.1w9FjteF7rPsSjn40NpK5MkRyhYH4fEgrrAnZ E5_0Vc_unRUgwQj5RZDoLVaFn9.FkwVpI1TWENKg_sazL_uowz5wACkC1U2L2szbieGdHKs3cISk GRw1GiYeFLQzMi8sTJTx7KZEgxTk3OcNouGZwftvlmef_ZONSPC6kXTi3NkjlUnoteNBiKU9FnJJ qq_ZGIDTGZFw6L4LUgTk6qWc1tHbdRlonyhr90P3DoXGibsJ8VL78mnlHRw5hn9BV9_VV.xFbyZ. aFkrn4ywD1RglF5QODebrwsUFt3Tmf1IGF13KBLSGAay42aHLoNHtfJGSwznD1QFldDqXI3.kCgC 0dU0aVG6R62E4z2_1UZpX7AuC5.T5hVGqKhmlzR.QGmrl0gtWgSl4DJ6k0vi6lYFKQzWv34QRzWC Kn6uHA4kAGKF55MqG1m5H9h..vRaT7dxIhZDLj9ATyU4wtWDlnrossSjMICt7rvqsAgH2zvV472y c0ODctFnljLdbviqpo28vHUB0x0BX5bA9iMvH.e39ZRLhxR54uYS2Ks7pEKXjhCqz4Ytzo5YKIBz fh3IqH_o1FpVw8Mhm8.9J44xEKN6J.MyZXOySMsrPXu_lKQVizf4QIAt1yJnjIo3.SUIdi3tDU60 6EfVFLoBCDdHT075LeSBfL9tp_ZTZJDTLo0VzGGTsEH9HyTAKQOdpSwjI3CyowFr55HEIgzabwPQ ZRZB10YG_Ex_CB3L_D2eExZ0o4IM90kxR71f7c9x5Mc0U_eIW2pN9UrcBKyBchMd1Zsv.wq8HmFX 0cGYrsZYG7hV5O7XjDsY.GsFpBreidrfYmqnvjFHpNLo95q8hH2hO1nTNOqE7MjODUPMtJbyPal. AQYraiuH8uSlHH1ZHh1y1MS8HQZw9MaVpJT.1tj4fquaZyCZ5mCD8Jk.z75mSFhbrZr6ZUGwAA3d kNhaH_yAdZGl8f8cykucwMO9dre9zpho- X-Sonic-MF: X-Sonic-ID: 830ae4f8-7df5-44b1-a4f9-bcff6dbf4917 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:24:45 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID aee9c1d49ff512a4183bc9eedbd8cede; Fri, 15 Dec 2023 22:24:40 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org Subject: [PATCH v39 11/42] LSM: Use lsmblob in security_inode_getsecid Date: Fri, 15 Dec 2023 14:16:05 -0800 Message-ID: <20231215221636.105680-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Change the name to security_inode_getlsmblob(). Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org --- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 3 +-- security/security.c | 11 +++++------ security/selinux/hooks.c | 15 +++++++++------ security/smack/smack_lsm.c | 12 +++++++----- 7 files changed, 33 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2db7320a1e05..3c51ee8e3d6c 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -161,7 +161,8 @@ LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, const char *name, const void *value, size_t size, int flags) LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, size_t buffer_size) -LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, inode_getlsmblob, struct inode *inode, + struct lsmblob *blob) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name) LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, diff --git a/include/linux/security.h b/include/linux/security.h index 6306e8ab0cf6..e8b7f858de04 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -431,7 +431,7 @@ int security_inode_getsecurity(struct mnt_idmap *idmap, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -1020,9 +1020,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getlsmblob(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 7afeae468745..b15e44e56409 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2276,13 +2276,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getlsmblob(inode, &blob); + /* stacking scaffolding */ + name->osid = blob.scaffold.secid; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 48287b75fe77..8edf7a0ef9f6 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -671,8 +671,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - /* stacking scaffolding */ - security_inode_getsecid(inode, &blob.scaffold.secid); + security_inode_getlsmblob(inode, &blob); rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, diff --git a/security/security.c b/security/security.c index 58387e1f0c04..ed4e9b5fdf70 100644 --- a/security/security.c +++ b/security/security.c @@ -2607,16 +2607,15 @@ int security_inode_listsecurity(struct inode *inode, EXPORT_SYMBOL(security_inode_listsecurity); /** - * security_inode_getsecid() - Get an inode's secid + * security_inode_getlsmblob() - Get an inode's LSM data * @inode: inode - * @secid: secid to return + * @blob: lsm specific information to return * - * Get the secid associated with the node. In case of failure, @secid will be - * set to zero. + * Get the lsm specific information associated with the node. */ -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + call_void_hook(inode_getlsmblob, inode, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d70000363b7a..4ab923698da9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3496,15 +3496,18 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static void selinux_inode_getsecid(struct inode *inode, u32 *secid) +static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct inode_security_struct *isec = inode_security_novalidate(inode); - *secid = isec->sid; + + blob->selinux.secid = isec->sid; + /* stacking scaffolding */ + blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { - u32 sid; + struct lsmblob blob; struct task_security_struct *tsec; struct cred *new_creds = *new; @@ -3516,8 +3519,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ - selinux_inode_getsecid(d_inode(src), &sid); - tsec->create_sid = sid; + selinux_inode_getlsmblob(d_inode(src), &blob); + tsec->create_sid = blob.selinux.secid; *new = new_creds; return 0; } @@ -7125,7 +7128,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, selinux_inode_getlsmblob), LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), LSM_HOOK_INIT(path_notify, selinux_path_notify), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 46cc79eb1200..e6d49e59a0c0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1615,15 +1615,17 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, } /** - * smack_inode_getsecid - Extract inode's security id + * smack_inode_getlsmblob - Extract inode's security id * @inode: inode to extract the info from - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_inode_getsecid(struct inode *inode, u32 *secid) +static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct smack_known *skp = smk_of_inode(inode); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* stacking scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /* @@ -5081,7 +5083,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, smack_inode_getlsmblob), LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), From patchwork Fri Dec 15 22:16:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495130 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9120018EA2 for ; Fri, 15 Dec 2023 22:26:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="lgAPuz89" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679179; bh=rEz0OJc8nFf9kWkBCfqRtfoAcWA/jm97QnB3Ho7hKzw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=lgAPuz89S1/R/+ijaVL4CdZPKAN9+bbK75NMb80OdMRDs6lbBSiAra68+4OHq0ZeVYVs162JRpSVll23PqcN97Xyu075mSW5GgIhcUDtsFpJumns83VwCOkqj3o5E48y/UezGP5WogwlNnoWZf18bexm4vIv9WbvLYWsGVaeB32CcE7WtoJlaxo1CGsD1DPFQhVK0hS8MADFSnjp7vHrK55pIbGFKk4G+0tfe5PGvQUi3dFELMICUFDjc96/qA/W79kRylaveGiw5YXspKA9hHkS/QFGoZcfWDLnt1atezAibFHCvfLb+111/fQfEZHA5zjvd92D3InLIOxyyjnLnQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679179; bh=smnZW4VeD6pHtPVZifDGQCxn0DmciFPSthPYcomNrfa=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=B6nQqUDv3WrMQDocvRJ1+CFVK10n1SA/0348TLIDnLztx+4J1AzbG2ugd8K1KeqzYjvmLd3W2cL5CNXTX/LouTICtgFo7SsaErF6rPmKQUPWKjzyv7SZsy45tyGFJ8j2XvsRU+n/EnFm51sh3qjVM/MrxrbETO6xsyMztYXRPd1iuBzbkID9lMXWyY4vmUN6K4Zuh3xnLl0Ns3XxfX96TwxsryAd42IpPGE434TLc5JeqHgJ8r9voEgp+ovREcRHwTBftFZxmUR0uqSW0JRfRVU/YDvIdeER8pmCtFBxkPzVflDZKfBIPyodmN7q817aqUToHGQaAtYo4wgw9GpcgQ== X-YMail-OSG: p.dJWzcVM1lYfQW_x5Xn0e67PlR.G1L6XH3ostQy4WcPfZBRFNM4TIxpYKjRcXz Vy3ayZju0.Qk8o5.QWydogqavZjOpse3PSvjb.K1cvza1Tv0lBPpzxL2iG3tJXa2mc5kehJR5ZSG 76Xviodp4Gk7XXn5DeFMC0KZ11UwsF6TM.TLNlDmAc.DxbtaI_YTwyyA3hdtfeDf_99PpyHiuePT r1JssMgLr8uVyd4Pm42BM_NZiOVsB5nQNbTnPvKobhSjwb37gglmHZs7g1XLrov3u4M_0a67iSlC qqnNGNp8KWKZyc5adezmWvgKCCKKxrHw8XniHZhIP.Rj9OPM_tE.Ty5Ot.z1NJMKqCPxAKrji1fj lJbS5A_JjtNhGDG0BQuBwLs7G6I4TH7PJdY98rzhG9CTl_hqI4abzbHjw1P4spxTn4MiB0Tp.5SD Ja_asG0uyFY72Zg0T4qorKgoQ4dRhbbRo_9G4WFGWf.Ki6VjrHQXge1JBd_N993dti8YLSOZDfUV ekpX9yZDCaB6I8ZZo09xhcmFwICal5SGbZttH0qrdXHoBmG8yehriVUfmVvxrwa7AnnM532ljWdD A2s6iSfW1vOJhx22g2MMvDWxfUo4BIKHzWa_tNr6ZPmcpCkqPekuUOK3KzjtjbK67elVbz9mRR1x d9tQT41Rgv1j65sfyKlXL84M8hNoo7by1IHratjaPBO7EQsN_DU_V4yRhqaZ4yPInGLdDqgl5bbs OPkNTTtSYuxO_KqAvliD82f6AIeIzwabAejcJk8d7ckJDZ8ZBCtXMywVgaamtmBfO_RpeZrxQ7Id bmtoAILn6PJYseKjFG5jzEQf2CCNfFRHNaD3O09AYZYtPjCfvZ0JA2vQ7ba_e0AZuqIwFrvma6nj IPmV_XQwDGscjix72KIbbG_xjFohLY3iXqmheZKYCD.hiJy_8WY_puMtlzYMihG.coXbHzxnGora rBq_d.lBRbNuRT5h6V31hzvf0BOpN0U8ovAbokE493sasd6Q62fFOdEXqLX3vE2max2xUy.ucetq 3bkNFVjmGtTQbUQ3VN.zUxMKGyxxndnaHrFg1t2CpZQ457xpc_mtDxCqczcJQV65nZjbALhyjG3a 9qtterWsOuSZPpwRviET9Uivd7UZOLmjvq5krSJkId1D7GrzENxuw46acI47Y4G8Ri78C4ljn7Jv 4nM_KTzhwuXLR3uAb6MSxySHL9u1uvGin3CZMJSVY8JLoOdns.0U.EyyEXzsI3elAujJTea6pJFX 2iTaA6ZBPP6vnjOKSNC9DJz_T8Z0fWPi7yXawLTMkfXru6OKVm6mspjiL8qwQBJ1rc0JV1Gq6UDF .aAEWaBLLvSESDxDKnUszsXuT4j0QLQ5yigNtDLB2fQ63aN6nJwFx5UbCLhrOumYGk19PojbAT5b O..kan4SIeWcowvv6bKQOTfaTbFa5eD15PHtgi1EbSKVWQuDydUZFa6vNeTa.FzYZDG6_acY77J9 Ce9OeSV06mo5n8rQD0iRiASvzxNVv47X3_sMF_a65TmUNTh1cX5jSrrz6qoPTizjb52rY68RR_Wz kReDZttV_3O1h1X7InI.vSBtqsWnenryfXCeUk7Z7sMLTo4Aa4cl7MGdDNRh0QZ8HA0wc9jcQVTn Getc9TnIciE_CH29P55_l9LnWeKE1FrBL.lR_QYEBTevgwMqW0KaXojH5ib302J4PedEgvUA8rt3 KvEsK893TX6jrtl6Ls7XpAQsr0B8cZU6Q.DE55azP05ZK3Z355onPR8L_u9HZNn7PXd3YWj3xr42 htWK3HC7CtsjSCZf9sx6FGH5n1TcqAVFBtjr_dVfcnukQnn5xK23tA0WlpwI_aaBkKSO5_tCWAGa weVMUhUXYn0P2QdFjlL9uMScvgyGGajtWS.PeNorqG1pKYADOwt_EmjvZiFcBF6b1452v5uNNhUn yBbl1hVIXdXF4VA1X1hdxmmwUJEQVXGBKCNZ8DOM5NoX8_3YEL1XAc.fS71lwNAcbLXCSKBTSnV0 gSsyRsUaMENhLk7Nea73PsQ2NwS6lvDVamqVi1HvzznYeu0Z.cMqPTFebFYV.eETBhUCQCgpJMkw gR.dvfJRU4ucf3Ouvbc64W5Eq9Ab5wARK7imUAAwfacG7OfCD06XLNL0UyObWIBc2QoHp2PwUFgt xz7YOejldqFrOB4ylpVvovniIJz3AAMWiP3U6.ZwWp.EputK1LQl3Z8FFM5h.NFA0l8PUz00.i55 LtTaxO1nLp7lZOJryhKUV52RPpA2f_5p4HGV52mm3aRkTXufGLCjurmnxwfOyGwJON.aqVqFSfcX qeAZgrDs9qZ.XPZBks68VCBOK X-Sonic-MF: X-Sonic-ID: f742a184-4405-4544-a521-c51fc18dd0d3 Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:26:19 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 82d6a093b466d43a3aa36e3491ebb0ec; Fri, 15 Dec 2023 22:26:13 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 12/42] Audit: use an lsmblob in audit_names Date: Fri, 15 Dec 2023 14:16:06 -0800 Message-ID: <20231215221636.105680-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the osid field in the audit_names structure with a lsmblob structure. This accommodates the use of an lsmblob in security_audit_rule_match() and security_inode_getsecid(). Signed-off-by: Casey Schaufler --- kernel/audit.h | 2 +- kernel/auditsc.c | 20 +++++--------------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index b1f2de4d4f1e..6c664aed8f89 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -82,7 +82,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b15e44e56409..aaea62822505 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -698,19 +698,15 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { - /* stacking scaffolding */ - blob.scaffold.secid = name->osid; result = security_audit_rule_match( - &blob, + &name->oblob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - /* stacking scaffolding */ - blob.scaffold.secid = n->osid; if (security_audit_rule_match( - &blob, + &n->oblob, f->type, f->op, f->lsm_rule)) { @@ -1562,13 +1558,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { + if (lsmblob_is_set(&n->oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", n->osid); + if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) { if (call_panic) *call_panic = 2; } else { @@ -2276,17 +2270,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getlsmblob(inode, &blob); - /* stacking scaffolding */ - name->osid = blob.scaffold.secid; + security_inode_getlsmblob(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; From patchwork Fri Dec 15 22:16:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495129 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D45AD18EAE for ; Fri, 15 Dec 2023 22:26:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="q6TncGL0" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679180; bh=9ZcTX73QaNIO/8jzBGKXu9xrcBn+sNqoh3q8BtNK3z0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=q6TncGL0o5mRPp1DFh7rcom3F97s9xEtBJUdPI1GMBbbWkf3ZiOMYOJj8X6Ywi3wu7buSahEB0OO6C4YSWLt6uKeLkExZmjMeSB/Hr6gXJGxpPhbBUi0Hykn5DYXV8sFu79gWRJgZJzPvOM34mlgm8gvzjY+k9PbknlO7PiNAWr6YLrlRmwQtCKzJXvN2EudnUoAKVYmVTqEEI0STRNvymSbozC7O9zWz7ieU5LPdcoV0YkrshNPt0fI0SxxxPyRqc+qHGJ31gBz+h0Rk+Lp3r4le7xyJphNpKXxZyTVsxRy+cniG3ehp2IWQHZUzMs4NmbvsMGYcSBchvy9TCwmBw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679180; bh=b5BBXITdN5mFkMToNi9u7QnrGy45/Mii05J4BSlJ/fk=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=rq6OzAwTLj2BVTjfsrPHzM+CAHoOTDC3B/yPI+JkNpeMoiVh0Bi21x9jwN4GEM3XdcDnIYLmBcGNCAksTDz5UeRuEJrvV4J9C5JDE/QjcQWxvi5Htl6+AB9n63WUvh1zGqbP4d6iYjz1bvIWag8zNhxCi+JYXf23rHrhljx/710QcDcvi+AalkvK/hHq72uhF1Dk4gTwEpuLc/nTAf5RO01caZFhIfUEaMTvPPhuJhHYnCUCeWx0NBuUdRCJ0aTbB8wSwyiEc/NtEXEQhP48xu5zi/yiRUG4w2fbUPkYdjl4m76wk/tdGchibvY15WYzYkif5WnqGu1CankE2hEU6w== X-YMail-OSG: 9Uq_wqsVM1nsNmlQkGIjPQshXW_e3Tk6keFl7P6HDOPFhqJ284oEQptFiXV6W4m lF1OOt4bFL4amsHwHSXv5J1Y_t6r3dgpWxieSzYOaBg4vc7fqYRARNpezgv1l0js1EjDdzX4Aavx xJAKW7AaXwfYSZKRkfYCeH3Mb0rr4Wjwmj0ES80NRk8bW2oiNdy_6_dYnirwbKqSe.25Tz3bNdZ1 moF5.On4t8XvSRY4pCl8K_KnB_3aGv5Yzgh59xvj2yxfmWPq3y1rMYMl1y78rW1Qyq_zjoDeyQ_9 Iw7VHU9EorgG5DnDoTQ253p7p5NoxI7JiUlh_hFIT2LAyTDVSGHC25Ic0QoEiDB_hN.03Iuf85sh QUaz2fqTz3Gm0vTY3HlVgaKOt2FB5EkOnW.eshlzhlKBAK524LTXPduufEcy2upEGXgGjexd0nej zmSIt1U_O8zM8_BhW0Mxutr7OeDCVmm4X_Pj7pTlVrOSnMALYXDFfHoPSukmyLaDEQGGL2T2KWtp FhjHHSzYbrJ34osF10NC.z99mojsHlnEI2iL5z3wbGwaAnif2WC_3FbfrAvTRHiCFcQaySoYMlXq 2t6JJ3NznZVQtxmDvbGWhh3aUDxY6cd5huKTzyHyZ4dY5K2MH30mwTWYZ5u2NcEZBRC4OiEQKaCQ YEuNKn3zlfjFSmEjKE8kyUubbFx7zwNlIB55N8a_3aKd8.IOJA4qlp6ztBv5SInWJzHiLfIbITBn uC1hak85Wgl_rsYYGVACq3rMlrTZCTHVRjCMrxveNEzc1zuDyXbj6pxANrvGMcdpvuU.yEutkVNQ J0kGjgNjBeKs9djrDr0dgg4i5nbGeGKTz8UA9c_aLdRfiH8eQtn9p3phEqSnfh6ejgsZn4MByjJJ yLytgGxxgEbp2CFa0u18a9Vw1UHJ.I404NDqMwBghD75phsSIPnQNPizIZmIffJW41hy4Thox9U9 umv55xn8MzncshrzNO_f6Wyb6FMMjxbQVZfqdbJ5UzyMa_N.mKvd33UKjShhVbjAvahzmOBnkgn_ Kneq2nNEFhvoEoHW2hIggx_E8N9tplGOtsmEzlkOXa8sfX.qO7yH99bc6gvd4EuFya2FXKsI6SZV lk6DxAqGlwtyn.G5FIJUCrsIMe3C.kH_4FtuEiXXimJMNArQqngNWGnZm9m__bBUrr5gnpgSum09 Ek1i19n_SN03gnejfzqLD8YgRqFyh7XP22yKz65pFufbtnYAf4Y.Q_kcqJrkdb9rznBk4No9T6h0 MGdIzCEmtIRRuDLX4TB9HikpOnlLJ3KwVSRwZi78pp89F5pUQXff64OyLxvvsyAqX6O3PpuP1wsW Js7yylf3anQNuxI8_jQy.13aGSEWCA4CuIQdajVLjKdOSbBgNxCUO_HLk_8IDgyF.SA3F3kMxFm_ n8q2IRbzAAHOR4mhpR5nuRdJbz6FCeEUxtmekoK8ToMRVel4QvSCJlgaGSeNnYRmSljBIeJrpZp1 5VkayYarMtr6OyoSWZF9bUm9o8o0ku5X5E3CCavUXSJMQI4p4tRkY9DvCwYONeRoOegpDknpQ8ps HEq8MscOMjuaTh4TQIWZWMnMCWzL_uVX5uGuc.gX8iwj6wDJoe8QGXO_Hslb9ovBDOpIdeQy2peJ 39eecZm7TWEL67A2.IQOGbV0saf0c8w5F8JL5Pn1TlgiwmhpZeD3sWpeNzAb0f0aJ.vnrC27NKnn pTkbehBdD5IJFQrthx3i4Dh5D.16XuRlk1NLJuSk6_RefvvnwnFrRZWQPVxoW6.DcgRLipEvkgX_ E_KiizjnbRbNGobrUS_nN8XuXsCCZ2EeOt5F54964ucQXVlPAR6ym8jEuZahFbxCmuAuVEZp2GUt O_0eej8ni7zOo9Wi.5Sd1xWcUpClz1Ek.r6lbyAmmObMDtJcU1rrzpcTW4Z7kplCU6VMrN5Zu13A nt0JDGjvelP5YvQRxEtjDuaj0TcT7AfijDjkt372.h.TNTihJJ2ScfJnLG5cL66LxeAct8ATEIWd nQagK_eUA5GyF27_ILDzUxE1TlRB6wOUgWnwlebvEEyOQv8PY2HxucE42wtlO2t6WwLwPHjHTgKS s1JBoeCor4t4huR1lpX2GSZfITTC3yHeMSUEPWimn3v.ITLu_dobsmsHCj8ux4PlJuAbYyBY5DGO WvATeJdE8y3kRcua4yWLf2JkKC4WXTd1rYGLKuh6X_zODv4lvUHRdDqBC.0fD3F2_3.5RPft6_XX .WPFh8ZcAMdG5ZtP7Fl1muK__u.jnE.f9JNVlwFnKKhcZMBt2uRqj X-Sonic-MF: X-Sonic-ID: 99d984fe-a30e-482e-9dbf-fc3592ae0374 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:26:20 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 82d6a093b466d43a3aa36e3491ebb0ec; Fri, 15 Dec 2023 22:26:16 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org, Todd Kjos Subject: [PATCH v39 13/42] LSM: Create new security_cred_getlsmblob LSM hook Date: Fri, 15 Dec 2023 14:16:07 -0800 Message-ID: <20231215221636.105680-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new LSM hook security_cred_getlsmblob() which, like security_cred_getsecid(), fetches LSM specific attributes from the cred structure. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: Todd Kjos --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 7 +++++++ security/integrity/ima/ima_main.c | 7 ++----- security/security.c | 15 +++++++++++++++ security/selinux/hooks.c | 8 ++++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 6 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 3c51ee8e3d6c..fe9c1d89dc66 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -196,6 +196,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, const struct cred *old) LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c, + struct lsmblob *blob) LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) diff --git a/include/linux/security.h b/include/linux/security.h index e8b7f858de04..67ecf8588c90 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -460,6 +460,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); @@ -1151,6 +1152,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid) *secid = 0; } +static inline void security_cred_getlsmblob(const struct cred *c, + struct lsmblob *blob) +{ + *secid = 0; +} + static inline int security_kernel_act_as(struct cred *cred, u32 secid) { return 0; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 657143fe558d..c69eb9665cc1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -526,8 +526,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; - struct lsmblob blob = { }; + struct lsmblob blob; security_current_getlsmblob_subj(&blob); ret = process_measurement(bprm->file, current_cred(), @@ -535,9 +534,7 @@ int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - /* stacking scaffolding */ - blob.scaffold.secid = secid; + security_cred_getlsmblob(bprm->cred, &blob); return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } diff --git a/security/security.c b/security/security.c index ed4e9b5fdf70..1cbd45310f63 100644 --- a/security/security.c +++ b/security/security.c @@ -3111,6 +3111,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); +/** + * security_cred_getlsmblob() - Get the LSM data from a set of credentials + * @c: credentials + * @blob: destination for the LSM data + * + * Retrieve the security data of the cred structure @c. In case of + * failure, @blob will be cleared. + */ +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + lsmblob_init(blob); + call_void_hook(cred_getlsmblob, c, blob); +} +EXPORT_SYMBOL(security_cred_getlsmblob); + /** * security_kernel_act_as() - Set the kernel credentials to act as secid * @new: credentials diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4ab923698da9..1bc28f5f6870 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3992,6 +3992,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) *secid = cred_sid(c); } +static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + blob->selinux.secid = cred_sid(c); + /* stacking scaffolding */ + blob->scaffold.secid = blob->selinux.secid; +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -7153,6 +7160,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e6d49e59a0c0..7dab00bbd0ed 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2121,6 +2121,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid) rcu_read_unlock(); } +/** + * smack_cred_getlsmblob - get the Smack label for a creds structure + * @cred: the object creds + * @blob: where to put the data + * + * Sets the Smack part of the blob + */ +static void smack_cred_getlsmblob(const struct cred *cred, + struct lsmblob *blob) +{ + rcu_read_lock(); + blob->smack.skp = smk_of_task(smack_cred(cred)); + /* stacking scaffolding */ + blob->scaffold.secid = blob->smack.skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. @@ -5102,6 +5119,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), From patchwork Fri Dec 15 22:16:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495142 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA21118EA2 for ; Fri, 15 Dec 2023 22:27:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="S635WZGu" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679272; bh=0xhRzVzL77uFNzvgfzEeytBOt25I4y9r8KJQkUff9Rs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=S635WZGutjA0fM2+I03Er0WW8GqRslS3Adtw9IpI5pzCgaG/nAaCLUxdRNo3rwsiIncPW+CY2JDvqjnUMFrJp8JlnRoFF+M9veeHePdJy1qLpOTEYkKr4OQvJFZMJc+T4KkTVOxvQdMUQKo2HzVqv5OyrwhvUDG7GmmWlkpmB95hnhVe9oWwhh0WvitkNo6yWIbI5uLVC5HOTsANUzpBWRoue4KHBhSOPc9NPuCdfZD9O5sXVloKw2VdruNBbw8hfJ5lo+CIjGS+BqZWfWG1O5rdf9bfnJmwI2tK0OL5iclHvbPfUUxZozXzoSeI8AZpzy46A2X6CrsRkDQC9jg8ng== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679272; bh=SKPWV8ey4mzCkDWp91daijRkgT1+ie4X/UBDMuLVczs=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=qmbyDRsoe1Qbqqe+yzwBv2k9CgcuybdGc0UaLTk8hcAd0IU1ZWU6XiwQo7jrj5HzHlRpGBdLjDmGk25ci5S5CXpgifMjS83oqKPujJPPMBFMe09zXkVS2jCJqlh2ykkgOvUHGwtDFDf63J9a07Ud+dCrkkvGmpUr7vS++1iDzXGVFpjPQAVtrKDawiOk/PTSqmMFukzgY20KekfXOpNHJSRzKjZhBPonvq6B/etQOJiy6Htd5MsSofsZzLxdbEbAHmGC3abfSf19mgrAwB1meDzdrUAfyO+nK0h4ThkjL9VOHJOJp+DfLprOaRLC1tKnY2zhAMrIKobQOBoVvFdKiA== X-YMail-OSG: PH3FmKYVM1mF1hVCKF_PWKmGU_PfyDwYDJXKUjaH8c4Vj7Nhx2WLQdueqNQekjR sVa4xzp0IAusanfXXF..oX0721SXKzbwUErhB.sLx9qhTXUWhVlFsPpqWSibdhSQ3_IHqx5gBbJU NmCGS2eaeCszcB6aTPsRqvwtixdkBd6BSv1EPnGF84QMyuUnUxezUC_94bf0RkK_h6iclc8EstUw w5uA9_4N55f02pHmv2uyVi1811C6YcU1UPfPliB.W78rI.c2ZwbkfFLbv.qLxd5ddpymnwvCCV5g 7xlGGA6e7E5pT7AWuldFeS12bFkqAOQSB_sP0Z0oS2TT7TvmtOCy4KNVIp1D6JoGLzYexo58NMFy zPiGY7DsCxngv6BvE75zZvzzOspqBY9nnN29JrlwHq3c0I6._88UO69XrFHDATli51fVErGivI0e UNA_tAezv2fd7chQIE60ziTlcGukSy885Bd7cG35TRbrzC7i1K8pEMKmD74.KRvmw4w2i8ZcHCpm p.22P60V21V0VO_M_gDZm7aM8fdzfTKklaMQKJLuhondiSBofDBr3LrDm4Gn27ATQu_MPEXMdUQc G0M7v5KuC0VLYxaU6ImlEfZlzL40C8iYcSg5McmfMtaNl7hmmkHxwDHTTv41WTooiOnS4I_Ne.IS X7mANDAaC4OWlS73r7cbheiGkJgwGTWeWeMeNrwDDdj9VxX8UYNJ0QY8tc8p.CDztmGFTaTXtYcZ 7ctlp7UGLWZlc7_5_TZjGnLCFgnXj1MVbcGuQRWlO70DRqH.PQZATH2GP4.TiN8fnci0ZdXoYYdt IQC8w.bhK.5fy9PSTlpK4IeN4nfh3HNhPo4B3gC7qw1LL2pAjHOwMtbEWI6ONQHYLhk4GDsfNmv0 XxsgFWAWRIXjXo4VtFm7q0qDA.EISbuP3_s2s4xR5slgY7wqjhGWdiLxp_azck8NPq8snXWGH_tN lbHGtyieJMn3Ne0Not3esxuTd_RY5fksMzEaUw1K9M2LhL3us08XvNV4wNZZxXfvGTun3JT6waWM DxW7R2oGTO_q771VuPQFkPBtSs9SsOpEJRk0jG54cdaiq9awAQW92toAf29GI0GMYm0lo3VbEC80 ADdY1TlaUgH4UP_5VVLLTNmnkgtV5aH8OPTfL6lACk3djtFwm9dlA7MCNS6XNxowtO4n9fKqly4. Gqjs_Yw1FE_Y66Tcq.WCVUfHzYmZnZUnF6v5TAoenoKD_O3H6QHNHyhuNS18EB2IMS_vDlEyhRv4 zliHrvN.mmRbYDfWDVNdYZgd5YY937lPGF9A9d2CZhpiVVYr.zd7bsawJK1E.hIxypSJmaqGFIss KE70ImlB9.Ihoz8Wau3VRvrYaITtxV4hGkuAKmUL01JHGwIQ_X685FP.grKzj3ZUv5_GDHgE92iK Oxk8wV9GJ1OuXGu2lcNg7u54gc_PGVaV7O6JAkR_4HzK6ydQrOz1VlIgf_Y7xl2ZjixDrbbVhYCB Ed0DsC1c54td2EFkvqkvKEjsM2oQd0.ojgGGS9byBEMvXMak93UuPooFubYChKErA5e2tZIlySAw GglXMss.qW.vxMy7bzBUCcrW5AMdzfMkbrZQPy4NpioRu9OnbFXdbNV70dvyNrw6bmA0yxMurKPS nUO3bXEB39topgQLWBS_RP_3lgdg30TNRXWqszdnL3I9jOuozvJc434Ea8INgg8cpEAuFlQ0VtYz 6Rig2OnEPfHcffHkFpSuxwYA5U1Nc8O9wYQhC6VZV7MaxOFuoJswbtVVf79YVa4mFHUXNmJHUn65 ryOcm1n7GwhyEME9NlKHDQs97q_m8nzgGx5W7k_8kKNoZVUf3dNRyBzaiDk7z_FZ8MTqgAdK2Q4h cCarmDg0ufu2eGWryHd.gKFbTA7WaiV3O0yeiHfBxYvy3ymMgFvx0U8jwUYoykcKsGrMLuNINqQ. NRe5XBn1D.7fVL7r0eiArBPwGgTLNqq8vCOLfMjX00yBmL3ee9_kJGw.oU3zjez_UGEWCmLPGGxX bBxOfpuCix1t_PBTMXsxLsy2FGSLrtgoHhbXw68eRybUiKBgNMHISXJhKvNflfF.BAHw.bNeywWN PtKv8Ui67c4DcGTNZeqpclcnN7fduBzFZwDpkStEwM0vskibOVRWp4RyKdBaKA2xt52jCWdcRy7E Z6gb_DiZi54519rHI1HOi9ObwU7i6ZHjTRSFF8JcLg1SxYzQkbJxU1EFwT.j5TmPDwWbl18hxlmE F7rm4lZXO9kY.AQYZeTm9W4qQMvUQPxxlETkJxsyrT5JhIxW.qh4.hOtRH3UjP0NgpgG.vDCh.VT kDLhQm_.uoOr2Kmz2fDVsQYWxOsUy X-Sonic-MF: X-Sonic-ID: b4d1f540-b7f0-435b-8a33-53babebcef2a Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:27:52 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID b2d8de7c709cc71c362074832ee86fab; Fri, 15 Dec 2023 22:27:49 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 14/42] Audit: Change context data from secid to lsmblob Date: Fri, 15 Dec 2023 14:16:08 -0800 Message-ID: <20231215221636.105680-15-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the LSM data stored in the audit transactions from a secid to an LSM blob. This is done in struct audit_context and struct audit_aux_data_pids. Several cases of scaffolding can be removed. Signed-off-by: Casey Schaufler --- kernel/audit.h | 2 +- kernel/auditfilter.c | 1 - kernel/auditsc.c | 31 ++++++++++++------------------- 3 files changed, 13 insertions(+), 21 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 6c664aed8f89..b413c0420c6f 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -144,7 +144,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_blob; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index d0df226bdc51..24cb8259e5b1 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1369,7 +1369,6 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - /* stacking scaffolding */ security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, diff --git a/kernel/auditsc.c b/kernel/auditsc.c index aaea62822505..bfe2ee3ccbe6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -100,7 +100,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_blob[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -1019,7 +1019,7 @@ static void audit_reset_context(struct audit_context *ctx) ctx->target_pid = 0; ctx->target_auid = ctx->target_uid = KUIDT_INIT(0); ctx->target_sessionid = 0; - ctx->target_sid = 0; + lsmblob_init(&ctx->target_blob); ctx->target_comm[0] = '\0'; unroll_tree_refs(ctx, NULL, 0); WARN_ON(!list_empty(&ctx->killed_trees)); @@ -1093,8 +1093,9 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsmblob *blob, + char *comm) { struct audit_buffer *ab; char *ctx = NULL; @@ -1108,8 +1109,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_lsmblob_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1778,7 +1779,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_blob[i], axs->target_comm[i])) call_panic = 1; } @@ -1787,7 +1788,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_blob, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -2722,15 +2723,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* stacking scaffolding */ - context->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &context->target_blob); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2746,7 +2744,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2758,9 +2755,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* stacking scaffolding */ - ctx->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &ctx->target_blob); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2781,9 +2776,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* stacking scaffolding */ - axp->target_sid[axp->pid_count] = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &axp->target_blob[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; From patchwork Fri Dec 15 22:16:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495143 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CE44118EAF for ; Fri, 15 Dec 2023 22:27:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="RYo4PIki" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679275; bh=rpVF07UMGtg88DKNUmDaWG5YnR644Gu2+YORdLn3CjM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=RYo4PIki48OzhQDXTVF78fjQALs6vR1XwPl1zE5is6LKjjTqISVMy0SAf6fMYVUjXPuE/YZApCzIBBZ4gawjXwxrnnKQiFIO8HtR04HSOqKKxL9JDq2cqise40zmDJi+1m7itqKeZaM/rX5D0rDj9kANIrae+NXicYYDKAus+aDCsb76tShPd4hfFHXvY0dEThd9nf/aQAaSasLa2kX1bcfeeReOsDTGaEfV6ElS4egevQsmLDeNmabQ/WdDGSyu3rV65x7uSZVSkiGj7V1yVWo+TE97QAqJdTd88hdMs4Yy7TCKv4ebRJZ48f6AgSWmMPFVPSxb1QB7i9WUwVcL7A== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679275; bh=KjvpqDT/X0DPTRduLA9P9hC/fZRG9wcfX6H0AXdSwqo=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=rUFoS6wAmIEqGFbDkB7rg/f6y1TCaBLOeMRSOhdYOt7OJbb8fSWZ4dC7ytvj4a86TxK2isXCTg59t453TQqpz3AIgpVWJgWHuF09dveiXQXolrCpumR/31G0IUTsP8x8iq5eFU9yjkg5hbY2dSMwQivWLO2lC7Jp1I+HhTlkWCIdY0J8wj14nemBu+qL6BExQD+EOvnZzxN4DYy4xZlMBpkgxCfCjfSo1905ZyebG2wqJvFibKjDp775DMMqxt1/C6qth+he4s588aMYQwjkxEVsO1Wk8Yx/QHMgMzZ1GlypQCBH8H0B3a5eH06peQD5Pv1ArhzolEWhKazzi5AfQw== X-YMail-OSG: OwJShbQVM1kRuOTC47pBP7x5vUuEs8W6NDxO5m8rzV6KQ6rWDWZ3H4XFIRb3g7n o2y7UPcTEFJio0bDWBpFOrdKb8QliZZKWyVkKIIXC.Txp1ZsRJ_GAULufHP3IOIEuLnj7GGiZYcP k20a421F6882jxB.DktikNoCdrLwuR07CpnZydiVPLE.KPI8Z5Fwa_ruK3g1VNfLqiKWgWw265lx vbmMH8vDM7bCdg4Rni47R1jQLKtvNDNuLw.x8NaeHRNTX5noetebn2FjUaxQJ3HbZg8p7yA4AnnS 2_ZeiBZbCwDDRkfgjd2A.Q2MGR3rtB8ZsUrM7bo.SxSzIYm8_Rnreic_756RyZb4ysygh4DJ2jqd bHM3mN.ySN0_ketgmlgeNl5rfZl9gV90U0bNw0Xlc9KqeAKV6BCDcgBw2XaumBxMydZz67iEGktK ZnxZ.f22p7EYMGges5DZTxUe9KFMn7KQikD7xOsgSijgRYUSI0.JdqJpJ8nublFyfysaOVvvQ9hx wg3F7KGItOChavAszQadWJGUCKoMJdyhoaPlcTCNO.ZTn.uTRPQ8.8IdGQsE6QOzthr.aLlTsTkc bNZHN48RmilXBD18ZpWGbf6iGvdtUSK05yyYcsuRw5sqD1lyxE802GbRTueLzMp50mwtaivL9PRE Qyz75jsca2_pn_xY76mn.xPD70caRHSxzvV4_A7K_cp.loymc.teWXuF_CmJSnaLIpFqbXCvhbPO xK6QsZJgLatAy5eTgszZGT85rsnK3V5XgdT_qsSp3IwXkGjF3BJors8e9bxQKt0i9RgClL0zeI5_ fXQiHuok3Md5MGnG42wZ5daygPh.od2E_k1rLPVHA7XOk_ZUlriG4sIWDP_fxjzSWE4nPA4Z2uel I8Erm.dNcee9gD4YGqvUNHGmYtLG01s3xHLnOnTb_C_irQBB3I_BmMkR3JIuO9sw_YtZBAzlE1Xi bMyENADb2lU_.PwEKcH7NdhePYztT6J6nc7fyruAfs7tEgiC6wYcZgtAGkIcpNfTvGpRQC8LMSYn o7J06vOzd26UeYwIH86tqHFXv4kzGius0AtDeGRy_mmoW.BK3DJeKdlzOJtpUiBu.CdYGGMF04fU GgeutXOwi3g7LvkINK7o6R7.GWvhE.HxTzAhWcv1h9AWg56NerFSAAoEIoAWx4NR7B.9HcdCxipZ _zJEX8qq.SknusaBF7DgMsK_ogBr7ZykNzbh628q7yTWpGRowsO3FowqcL7.VXRgPbZqiMD2y0.d 5p23P48KANFaDBUxEnv3_pFFmyqzaT6cddP3sHiifDvdhJdEk7syLtdXhGIswkDtA45152xnXy15 YXlTKvKF3AztkVGTh_zYjP4KcpD3FbWQQnFKysxT0Iq3kywyTQqPAZqYlTq9osY9dkv.5Cir7Qhg _6Ombz9zE_w2JvBdzoMnJJnHOu3f0ZZKpODNfyUk6bF_QFYEw2q__66x3XjjkKuXoxRNjVYMhKJI 1W.OPKnUCGvQOFcXFEe1zsUKC8bBdBPlpwB1yH0v9NKge1UF5Fb64klVpc8tvQ_QqDZbo0.VJ5gA .mXwfr3_9mSxZerA6XoJi39IZ71cfrRYimsWp0wFTJAGpP4EKCJ4ONq62DWhIIzYTVlxuJpgzQ1w rX6uTQfJlbwpCbgtyC8gTCpt.2pxty8R5Sa3XwSlgK0QewW7jAHxHbyQimKBjd.QdPput0lpMm9j aai6CfXd0xlnoFqahrhh5p1H3EktdA1g2hc3rJCfig0erJ1zAO2edZ9jrtm8GJzuBSKGPamLfoQj ghvyz98n7xwxsdeZ2O.vxfqg8Cz21GkOgnlCnP7SJ_1QmrSbEtqoFvXS0vvN1MPRgXc7_K4bOQqQ nIRm_V6sdVM25PKQ3ekhbhcCYl5fn3YXlKcCRkm6MDe4YV7o1QD7zOopYpOBSRF4wpdxe0E6uusf Uohmb8Iy5ujvjHVVetb5PwSSrc6C.2dJFt0OvJ7VJJm.QuJXC1J_rSZ9Fp8jJZTrZFLpkX7vYeaI 8weynnlHCN3tsPRh9WOuVoHMacS247dU23AQ4tId2PwhnM1_hxYHd3dRZDtxMwFKRB7wG.n16COX FYeT2Cpa6QwpOPcnqp.p_yiyFGUlgoA8I9tfB81XiZNMJFc61oicAmNsliObstikL4zSFFElHu2T zll5L7mbNYE.ckeCiNy5bEZ4.aO5W8BwswGZKr85tX8ptz4911g1YrALJGu3wRiK9psfzJa1PQnH YpcVZHChVOmyRjYwb.o5lfloG8w_ixLBm8o270YVrDaWX4GxKOgRsP4aAbJgicQ2aYgSb6SkIGjt l3O5dmHdUDJpocf4adNQqEXPlrUEp X-Sonic-MF: X-Sonic-ID: 1c8bf860-4283-47c4-a644-eb7e3b01e7c7 Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:27:55 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID b2d8de7c709cc71c362074832ee86fab; Fri, 15 Dec 2023 22:27:50 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 15/42] Netlabel: Use lsmblob for audit data Date: Fri, 15 Dec 2023 14:16:09 -0800 Message-ID: <20231215221636.105680-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the secid in the netlbl_audit structure with an lsmblob. Remove stacking scaffolding that was required when the value was a secid. Signed-off-by: Casey Schaufler --- include/net/netlabel.h | 2 +- net/netlabel/netlabel_unlabeled.c | 5 +---- net/netlabel/netlabel_user.c | 7 +++---- net/netlabel/netlabel_user.h | 6 +----- security/smack/smackfs.c | 4 +--- 5 files changed, 7 insertions(+), 17 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 43ae50337685..03656b8d0b4f 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -97,7 +97,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct lsmblob blob; kuid_t loginuid; unsigned int sessionid; }; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 129d71c147f1..7bac13ae07a3 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1534,14 +1534,11 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; - struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getlsmblob_subj(&blob); - /* stacking scaffolding */ - audit_info.secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info.blob); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..6cd1fcb3902b 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,10 +98,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + if (lsmblob_is_set(&audit_info->blob) && + security_lsmblob_to_secctx(&audit_info->blob, &secctx, + &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index c4864fa18a08..1a9639005d09 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,11 +32,7 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - struct lsmblob blob; - - security_current_getlsmblob_subj(&blob); - /* stacking scaffolding */ - audit_info->secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info->blob); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e22aad7604e8..878fe44b662d 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -182,11 +182,9 @@ static inline void smack_catset_bit(unsigned int cat, char *catsetp) */ static void smk_netlabel_audit_set(struct netlbl_audit *nap) { - struct smack_known *skp = smk_of_current(); - nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + nap->blob.smack.skp = smk_of_current(); } /* From patchwork Fri Dec 15 22:16:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495144 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB5B818EA9 for ; Fri, 15 Dec 2023 22:29:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="sVo+2tTQ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679370; bh=ijG5KPhLf8WT9NPh/OPeKCb8y6uCh4mFGx52DZt41Xw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=sVo+2tTQ9ZU/YywgcLnwVdW7tbsVuhWTZUsJnzTBvYQhZBW9MDHgXQDdeYkGx25McXhVBTebIdUXLoP/hFvUNi1pO5mwtRtvxmcNh7oWLHvztnJYqa9o37T6FYAJXci3ImvAeGweY7MMM9IXh3pj43qRaJhaMj8fKbTiC/em4Yo/2tPrkBwRwJxQH1PQAjJGBBAYvqW82iN5d3ckona1zruu3S//JhMjqFl3V+pB5l2HqeNw+u8UZ0q9rXXAqC8H08FHuYy1Qlt3hWsTIzPomyL9ILIT+yRpBS3Ex/u/AvfwJHexTxzhn43B27H3g3/by6AtdBR1/xwkKJsiaVAezw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679370; bh=n1hH47rWY9fgnuQ/rz4Sv5DTPAPyyO3vRCiHHcVesHU=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Peo3mDFvjl7iEq5fQQ3A1FoORcw4KsEhDrkb4vcs1WRidJL0N2iZ0NvHzil7v3sa72CEz0Ic83Pvkfq2YVUHRkg7FPYe6YHzars83frips2xdt6CXv+7UUXhosUo5OCNs8nCcQQHQfN0cdmnBZRfX9OEYqepDhLYrq3IavrQn4FnX44oi9wznqYWyFErvddV/4gDlv638ysL5pcf9MV63Mazu/V54z+0q0IwQINb+eLvIcBnFDrcMWen1bFS4jxibArX0IYWYIw8voMTANC5cdYE8HJerlcETlfobkuehbNbbdSwwvsoeuycvud60AuhZLptHwKYutl94kBzcmI3xA== X-YMail-OSG: OUAxtq8VM1nN_jBvRUPGfj4Ygg1sHkG551Je8uio1spMIuN1W.BOGm7G5iQvCVG 08Gbha7YCzyM1ezfvemA3mzZejxatEuvdfxiH2XklWCvzMsgT9dMnXXZ_KzVadeRNB6NXbs4YvUc 919GZc8IkYKQHkwWE9LKfqrvjOhI18wOXJup664b3M4Lm6n0FPq15Z39MsUpIdvU299QGbiMGU_t lBIsSBhgrGYmAKC2rfbsVkKPTw_4DzN4ddQf4qwvbXT60CaviIBBGXP7j7pdGbEJ1L232tVKdG3U .W_MxY3HOZKq52V7DveaEnzlqIAinUZAtgYe94Mi7BG7qBcZrrjwiDbQ0PB2hHK93tciFpyPG00I KJFd8Y0lyYMnQS53tDz0yNsIiJ1dx52H0Wd5snHefb2uXNNQGf3U66ZaNqBDyXw4PwZroTWkzaeZ 8a0yELOyVBoewY38Z3gZjwr_6vhof3WGAcGcx4yoCEa6a.h.pG.wRaIMAloorbGKJ_egMEDKAyB5 DpVzQKZH2D.uiM9dFAdKePaNcHBrRg2o6MOkQUFair9z7wXPVzSf3HUxNB9OJO3pwS3rXqRPKffd 1PjE0URlNE2b5W.PMYI6CZRj7qEHazIkUUysaE60kGgU5bDiahxDilYWqbi5KZBo16c8jpjt2jye 3BQ2Rqgv5AI5Bgo.HX0YGaAhSzX6wnlygqDtQRpbCgDTq4v8mIFl05avOpasYn8A6BX5DpwMkJW8 dn2pXc56Mu2a6Ezpd6bF2rEb0uFuC_exbUTb_CPpqf0IiGaPD14Z6GLDG37.Lbk4QikgI453CPk1 5hy.h8VIipGsFM6pgZ04igLGrYHPvtf0G4y_UWeDO3UfeTJlVGSVQn2.hUSE2GxKZ2lzSoKS3at9 avzRQBiceShB1S7eKWMH64tHTQeZQH7j.VoweRptdp5yMc0bRBphe1tPcJmJqXF0UPKJckqIiACn kn6YNp5t.1Ob2JLV2LUeXZ.8H5HgyBW1on0a_ZysnFkK.LOuMTTnvQP.TVElBL9AMSDav.RjIsyD 8orC7i7YHarwWpO2Z1sENvcfPp6i4.Orn3NnQHsLrthapFBERJtuC4DqJJ.H3ZValpg0jf0jIO7h c4otp7HHhNfbovB3b8KDHWB4_SAgz88naG5jFJQka3Rgts627boFx31Y0C.Wn9XNg2Onj28dVc2A lgz5fJWLnrCosyXYYCwxANt2m8czuHeSBY0cGplAlZg0qjoFnUmglPdBDTp5salR0vPdrBOA_pyK gPf.AShcwTMIbg7Q3z5NMeyhSlIPSCUrPXGYIyEmmB_hSrx8oZA1TeVfsFS0w2GQmqePgBGM7pjU xB_2VwhrkW_b1vrTLTPt9wGkFS6wQ2elS3n6zC8HkFpcpL57WB1yw3GvCTLtNpNVNiFnMaVGfXZr 3Mq3fSzR_ctLp.OMAlPgGV0xDW4LbdbHudLYVvzinABBZYVnvhpl6naUWROZgw.APNZbj9nDHVTx PrdfE.p5MpCVVO324RWqW0fo8t_9hRBotct3ww2pmcV_ege9.rTCMlOk96qYwpLPhavQ1LpmaJy0 gdBFmTOLbG9taQ8mSHPBwv3vCU0HPWrB7gwEarAdSMviGAPpGjcYBeR.1SPFd9bwLGp7VJVyLydH .Lsz9fqr.Jn9jJUc9IZWF6sTm.LQEEQ5nyL8BtKVWLn8mHwnyuHrXxSdGLdhzE6y7xGb50G9o2BG XVURd5AzrtM4AGiyMVgop0pgTcWyz.V1lNU_UvKQBb0pBPBRJlnES20GMC.4qE7K9mq1WdZqW0kW 3fD8RtBm5SmdD4qxkP9Cn7gGZEvjOnbOb4Blirph9SUI2_jYo5WHmA8HJAWLdwWM1sA8Tv.49r_e CKBtqPiFPHTqEO2uq_IaF8PQ2l2.LdhK.GvxRQniJY4RtyhfI58db46iXlomOYbBMTCei1GBIOk7 jjX4XoKpWopf7m6FhdQEYV3DInl2g7H5DRE8mcK3e2g_urZzGN9Y5xA4.FRnAc7290ZCTERDjMl2 yIkldk0XdM1K22TYWIoBMcf.1dVgFj1PRegFaa.L5n4W0z85PZ8OjuleevBFVSs4kK9R1GYwjXlX Y1S6s6d6C61gBNibAvHoc6jsC1Y98rQaLZ4dpOYb4BH2a78GjJPXOGhW0i7CRIX08QDiZQUrtqTy H.WGSPSldKJkJ64ht2giwCmH6JCeIB3WRAsjuqDnrWQtOWygHa.5Im3NJ64JwaxUq2SSv8Ha0u6_ yDTnvjI3p9YXp0Ut5n668uXc8op8PvUSTLkvm7XqNE_uVHYEGMGT_OtbyTjLJB9.Ri8uQeAgLMAq q6BA.S3rXIyE60eIzkzwMwO0zv7uiBg-- X-Sonic-MF: X-Sonic-ID: 80a7ca31-8c66-42a1-9e3d-01cace7e99be Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:29:30 +0000 Received: by hermes--production-gq1-6949d6d8f9-nsbdm (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID d22b1f6ad07bda71c6e1d3c51ac27d9d; Fri, 15 Dec 2023 22:29:23 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, Chuck Lever , linux-integrity@vger.kernel.org, netdev@vger.kernel.org, audit@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org, Todd Kjos Subject: [PATCH v39 16/42] LSM: Ensure the correct LSM context releaser Date: Fri, 15 Dec 2023 14:16:10 -0800 Message-ID: <20231215221636.105680-17-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Update security_release_secctx() to use the lsmcontext instead of a (char *, len) pair. Change its callers to do likewise. The LSMs supporting this hook have had comments added to remind the developer that there is more work to be done. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org Cc: Todd Kjos --- drivers/android/binder.c | 24 ++++++------- fs/ceph/xattr.c | 6 +++- fs/nfs/nfs4proc.c | 8 +++-- fs/nfsd/nfs4xdr.c | 8 +++-- include/linux/lsm_hook_defs.h | 2 +- include/linux/security.h | 35 +++++++++++++++++-- include/net/scm.h | 11 +++--- kernel/audit.c | 34 ++++++++++--------- kernel/auditsc.c | 23 +++++++------ net/ipv4/ip_sockglue.c | 10 +++--- net/netfilter/nf_conntrack_netlink.c | 10 +++--- net/netfilter/nf_conntrack_standalone.c | 9 +++-- net/netfilter/nfnetlink_queue.c | 13 ++++--- net/netlabel/netlabel_unlabeled.c | 45 +++++++++++-------------- net/netlabel/netlabel_user.c | 11 +++--- security/apparmor/include/secid.h | 2 +- security/apparmor/secid.c | 11 ++++-- security/security.c | 8 ++--- security/selinux/hooks.c | 11 ++++-- 19 files changed, 170 insertions(+), 111 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 92128aae2d06..58bdb5b75131 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2920,8 +2920,7 @@ static void binder_transaction(struct binder_proc *proc, struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); ktime_t t_start_time = ktime_get(); - char *secctx = NULL; - u32 secctx_sz = 0; + struct lsmcontext lsmctx; struct list_head sgc_head; struct list_head pf_head; const void __user *user_buffer = (const void __user *) @@ -3200,7 +3199,8 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + ret = security_secid_to_secctx(secid, &lsmctx.context, + &lsmctx.len); if (ret) { binder_txn_error("%d:%d failed to get security context\n", thread->pid, proc->pid); @@ -3209,7 +3209,7 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { binder_txn_error("%d:%d integer overflow of extra_buffers_size\n", @@ -3243,23 +3243,23 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); - secctx = NULL; + security_release_secctx(&lsmctx); + lsmctx.context = NULL; } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; @@ -3303,7 +3303,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { @@ -3682,8 +3682,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index e066a556eccb..113956d386c0 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1446,12 +1446,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif #ifdef CONFIG_FS_ENCRYPTION kfree(as_ctx->fscrypt_auth); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 8a943fffaad5..6ea99e2aabf3 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -138,8 +138,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index ec4ed6206df1..9cade754356a 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -3627,8 +3627,12 @@ nfsd4_encode_fattr4(struct svc_rqst *rqstp, struct xdr_stream *xdr, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (args.context) - security_release_secctx(args.context, args.contextlen); + if (args.context) { + struct lsmcontext scaff; /* scaffolding */ + + lsmcontext_init(&scaff, args.context, args.contextlen, 0); + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(args.acl); if (tempfh) { diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index fe9c1d89dc66..c5e5a32f5e07 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -278,7 +278,7 @@ LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) +LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsmcontext *cp) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) diff --git a/include/linux/security.h b/include/linux/security.h index 67ecf8588c90..9712056d71a0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -148,6 +148,37 @@ struct lsmblob_scaffold { u32 secid; }; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int id; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @id: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int id) +{ + cp->id = id; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules */ @@ -535,7 +566,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1475,7 +1506,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index e8c76b4be2fe..6e1add51d4c2 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -93,16 +93,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { - char *secdata; - u32 seclen; + struct lsmcontext ctx; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + err = security_secid_to_secctx(scm->secid, &ctx.context, + &ctx.len); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, ctx.len, + ctx.context); + security_release_secctx(&ctx); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 54dfe339e341..47cfb6b20c3c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1209,8 +1209,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; err = audit_netlink_ok(skb, msg_type); if (err) @@ -1458,30 +1457,34 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) kfree(new); break; } - case AUDIT_SIGNAL_INFO: - len = 0; + case AUDIT_SIGNAL_INFO: { + size_t sig_data_size; + if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_lsmblob_to_secctx(&audit_sig_lsm, + &lsmctx.context, + &lsmctx.len); if (err) return err; } - sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); + sig_data_size = struct_size(sig_data, ctx, lsmctx.len); + sig_data = kmalloc(sig_data_size, GFP_KERNEL); if (!sig_data) { if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + security_release_secctx(&lsmctx); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + memcpy(sig_data->ctx, lsmctx.context, lsmctx.len); + security_release_secctx(&lsmctx); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, - sig_data, struct_size(sig_data, ctx, len)); + sig_data, sig_data_size); kfree(sig_data); break; + } case AUDIT_TTY_GET: { struct audit_tty_status s; unsigned int t; @@ -2164,24 +2167,23 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmcontext ctx; struct lsmblob blob; - char *ctx = NULL; - unsigned len; int error; security_current_getlsmblob_subj(&blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx.context, &ctx.len); if (error) { if (error != -EINVAL) goto error_path; return 0; } - audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + audit_log_format(ab, " subj=%s", ctx.context); + security_release_secctx(&ctx); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index bfe2ee3ccbe6..2874255f5f25 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1098,8 +1098,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *comm) { struct audit_buffer *ab; - char *ctx = NULL; - u32 len; + struct lsmcontext ctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1110,12 +1109,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx, &len)) { + if (security_lsmblob_to_secctx(blob, &ctx.context, &ctx.len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + audit_log_format(ab, " obj=%s", ctx.context); + security_release_secctx(&ctx); } } audit_log_format(ab, " ocomm="); @@ -1371,6 +1370,7 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1401,7 +1401,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1560,15 +1561,15 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (lsmblob_is_set(&n->oblob)) { - char *ctx = NULL; - u32 len; + struct lsmcontext ctx; - if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) { + if (security_lsmblob_to_secctx(&n->oblob, &ctx.context, + &ctx.len)) { if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + audit_log_format(ab, " obj=%s", ctx.context); + security_release_secctx(&ctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 2efc53526a38..3bf8ff9d4434 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,20 +130,20 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { - char *secdata; - u32 seclen, secid; + struct lsmcontext ctx; + u32 secid; int err; err = security_socket_getpeersec_dgram(NULL, skb, &secid); if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + err = security_secid_to_secctx(secid, &ctx.context, &ctx.len); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + put_cmsg(msg, SOL_IP, SCM_SECURITY, ctx.len, ctx.context); + security_release_secctx(&ctx); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index fb0ae15e96df..3e79b339a1bc 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -357,10 +357,10 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct, static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + struct lsmcontext ctx; + int ret; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); if (ret) return 0; @@ -369,13 +369,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, ctx.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + security_release_secctx(&ctx); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 0ee98ce5b816..23949d233375 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -175,17 +175,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) #ifdef CONFIG_NF_CONNTRACK_SECMARK static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { + struct lsmcontext ctx; int ret; - u32 len; - char *secctx; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", ctx.context); - security_release_secctx(secctx, len); + security_release_secctx(&ctx); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 171d1f52d3dd..8b4c5c08daa7 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -408,6 +408,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; ktime_t tstamp; @@ -651,8 +652,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -660,8 +663,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 7bac13ae07a3..464105080245 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,8 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; - char *secctx = NULL; - u32 secctx_len; + struct lsmcontext ctx; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -438,11 +437,10 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + if (security_secid_to_secctx(secid, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", ctx.context); + security_release_secctx(&ctx); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -473,8 +471,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; - char *secctx; - u32 secctx_len; + struct lsmcontext ctx; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -494,10 +491,10 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + security_secid_to_secctx(entry->secid, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", ctx.context); + security_release_secctx(&ctx); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -534,8 +531,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; - char *secctx; - u32 secctx_len; + struct lsmcontext ctx; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -554,10 +550,10 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + security_secid_to_secctx(entry->secid, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", ctx.context); + security_release_secctx(&ctx); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1069,10 +1065,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext ctx; void *data; u32 secid; - char *secctx; - u32 secctx_len; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1127,14 +1122,14 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(secid, &ctx.context, &ctx.len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - security_release_secctx(secctx, secctx_len); + ctx.len, + ctx.context); + security_release_secctx(&ctx); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 6cd1fcb3902b..b9289a22b363 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,8 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - char *secctx; - u32 secctx_len; + struct lsmcontext ctx; if (audit_enabled == AUDIT_OFF) return NULL; @@ -99,10 +98,10 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + security_lsmblob_to_secctx(&audit_info->blob, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " subj=%s", ctx.context); + security_release_secctx(&ctx); } return audit_buf; diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index 816a425e2023..e47c37c1beda 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -29,7 +29,7 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); -void apparmor_release_secctx(char *secdata, u32 seclen); +void apparmor_release_secctx(struct lsmcontext *cp); int aa_alloc_secid(struct aa_label *label, gfp_t gfp); diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index a7c6f5061882..e9f655f54a42 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -139,9 +139,16 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) return 0; } -void apparmor_release_secctx(char *secdata, u32 seclen) +void apparmor_release_secctx(struct lsmcontext *cp) { - kfree(secdata); + /* + * stacking scaffolding: + * When it is possible for more than one LSM to provide a + * release hook, do this check: + * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) + */ + + kfree(cp->context); } /** diff --git a/security/security.c b/security/security.c index 1cbd45310f63..063a209ac17f 100644 --- a/security/security.c +++ b/security/security.c @@ -4250,14 +4250,14 @@ EXPORT_SYMBOL(security_secctx_to_secid); /** * security_release_secctx() - Free a secctx buffer - * @secdata: secctx - * @seclen: length of secctx + * @cp: the security context * * Release the security context. */ -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { - call_void_hook(release_secctx, secdata, seclen); + call_void_hook(release_secctx, cp); + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1bc28f5f6870..1a428a6964a0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6588,9 +6588,16 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) secid, GFP_KERNEL); } -static void selinux_release_secctx(char *secdata, u32 seclen) +static void selinux_release_secctx(struct lsmcontext *cp) { - kfree(secdata); + /* + * stacking scaffolding: + * When it is possible for more than one LSM to provide a + * release hook, do this check: + * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) + */ + + kfree(cp->context); } static void selinux_inode_invalidate_secctx(struct inode *inode) From patchwork Fri Dec 15 22:16:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495145 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2B9818EB2 for ; Fri, 15 Dec 2023 22:29:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="a1FP82km" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679372; bh=4LhKS1dSp6/aRhZhVxxpOMfzUTMlpn6YH3k+S376Occ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=a1FP82km1z3caVooNt2FMFfdMyUTRZf13iMB7SZ32fNGIYKmddGWgfP1LXxdBL+gqcTZArkfrPWp4+nuTpiUUki483X10m9YsQhOVMeve0qNRliHWbH6yKbG5NJcbKZIZ6D2FkrNOwObRVfB5bYBGXFVIWmhgQzswsDGdAkTEE6KtFpf3a/1m6zMe9Zd9tw5hFU/ibeTu1HLqk2Sa7nHg7l30e6H2hmCznugfd/Gj3qQJN1NcYyAHeT6oy4TZfk+961aeL+tAtz3yPOcJJtRDl8LEgl9et0Pav7jW0rdBlwjRr3nMeM7rsXOK1pI+iFvDcqZtlgMubVLnuhDpz9x1g== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679372; bh=SWHPnTAgjCxjL/NgCROjTqbzvJAgirvRVZRe2R0YNuZ=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Ep+F8MyeHyJxwgAdiJNfEVAbaNccUQnTqLD5wV+Nk6gBUtNw5AZ/QlDOaUfA0UEHAbSQf0XVWt/29Upkc16qxOSDKGmaughOd94OwxbJsULRjtqaCSXu+dsh09Q9yGs7yPSE1UjXO3Ddwz+kE3QaVmwLr3lv2uBhR6RBJu6ZHGKXgyKWPOPzIf1NNr0SZY3AB8kk08YhEdR8iKfwSHJ85kde3SqHvqNNdMxzyhkLznvjEaBjllMnWT33OrTeMzN7JYtigpur0HAHwjZuuRC3FqQPHD+LDtC7doLsDxK8Y8xheybMDQEdfzSrlhwGbNltS8KNb93HVNfBo45NpH/97g== X-YMail-OSG: C8R6ojoVM1mPBBe.JlbfoPhuIHkgWruFpgJ4Hn17_b1pXpagOzp7CBzGvQ3uNn7 SkcHMzRAkFR7eViuX5pA08G5fyCE3FR_G2BpL3lZa7UkFVVHMZazSrq0t2Qr.87IxVL50Vw2FRj5 tVxjM4R_K1kJw9j3fz_R0XDfWe9H_F_sTi2qyIDJvaClGFLI8EVZPVDQF0XkUMqZO7TSlao1F58G zr30IPBJa1SlLO43qe4FFk8r_PF6l7lHaLf6K28fEupXIMN9EfB1_fxteiEXE_4YbwrP3rMIf03J Ko7LyxZOQvXS5zawzcGXjOSRH9WVq9udz27E9JkyHfQ36r44tr4eY9FWcT7e2wXcULnAc66Wjoyv W7Pupt_jEJdivoVw52PZJcXTLCwWP2dn7IhZ2iEoMcIESswE61nXXgKXhrYhKo8BzR8Ywu2Plduh nq9O2yQUVdPS4UhwdrexBnshbpuphhX8d1psBptqxmPoff0hJfqolIgClfJdUxjTvr8LEHynkjTZ P_XCw.IOvAPMoAfrL7E8leouoMQ8HPnwIcCG8Ofj93WEPDRTbZksXmFgvPM1zqtmum7dhIvtQX_1 CE8tvuormyCF5mMF2OWVXYMJA5bg3yWr_p4D1hCfhpOw2sa9h31NbCRiUaPbvqAlA6vMKdvGwxc4 OpK9HUxkHenqH01cs2_rAz0FH0n06N98lxc57X4TamrPoPkc7eppQ4nlcntTtf_9wXFZuApawG9E uuW3hKj95XOG1EUCoOkCebeaZeJ8JgOautXNToppumAlBtxrptzUUHXBXE7Ap8qEfLqqFWeZTmoC tzJZBTUNxgO95UFgWLttQg610F6CNCSNRzjjOokWGQUqLNiqTGoo1H6NZEzxVA.HWsmMAffffGQW dA3nY1YyFraZ4b4YdLG7Wq79PumAeqUhZurRwIiaruulMry2qibAQ6GAo4gYwcyMXdePNDm4Rgnc tUnfVvXluV_zS5s5msLSL7iSrKPpBrJJolepg_kmJlL3kzbxAs5IGJsLuWLiGTftC7WIyIffU_JZ 0qou4.oxbrpO4Taa5OcyiGVICwlVFF2AS6sTo6ZjkaA12gg5.WAGwLhx1UW4SClQVDnT2eTkJAQE E1hiDd9Jv0tQ3Q.FXmuvRW4qAbzKbDXCoYqLrf0.FGz7GoGBHo9sDQm4gRJnSwb4ZHODQrvhaKcS rZ9t9RjaDA43wZCER7ZRRhDqRlTIgLN2CCg5v1CdJhbkSmPRlfdLmqxuET9ODnMKJjnNqQd04.Yp DDv8pL9s69OMTlhJA0j_IL.CGx2Ct81a.lHM.8ZTc2dL51LV.OD4TIJujNqfNZEw4hKvSuJo0VJ5 dxSL9xtNtqK2Msw1GotWT8LkZNOA1.aDjGcio0McktvuIRp6vSa7RcaM2MTbLR2N27jqgHLlGn3h MsF3uH7UGxgJAaMJOixMqJOx_JocELXtU05Dh10Ar5RLq68x_bGjiI3Te2J20tC_NWCXgLsmIecb gkKRIXijM91xjh6yt_wj2x7ykimH1gHK_4raATXAvazMIi8wdV4TFVgiE33jqnVyW9R645iRdzKC cJMcQyV0dkPwyKB00Qwt5tC0qnAbRdxv5LJ1_ddMnPxEJ7UFHwHlsYPteBr5jHOXSrmtx8tQvugE YpVzRiCHjOh2akeOjnB9Zx1DO7HXu8rr5qZbzjVLmAhHXJmXIm_Nf._1Jp29RMqwFpkQzcC1XLb_ H9PlhApTE6SkjF5Sqdkbh8O2aB0.mShLUqT9DcxoGPUpm8hf0CmADwUyrcRjqsMgMlyaUmBFaDUj hKAbInucH74TUwpOCrn3FBFsgLCFURekrLP4yA_xJ9u_XPsQhcDVcuLgNp8..U_VWB.vg_.d1UaD u5GG5KULZLcNQM485jKSqsPnpZEV_TgsHmT4k7yCtChnIT1GQWD8UsLOo5GGhB2N.ftkYLRxFC0L cZ5wXjmnTCWU1nSTAinKxQ_Wd6hJ4cJ.z3oi_JFRRlDMmU4y2SiP_XBMRxQzrat80WBAJ3Olg2j2 v2Hs8DHGEaGpDHpowP.tHOamXfszDPi72ffs6aebZSbQIZNDmeK7CS8I4hSgQgGdMB7OGatyADKf ZgqTfoVspwMQ7Ek1FiP4_PG8qHvJipG7VsvecLMOGJbzkB1iYao1BNfy4wTJ1sQe68dYEmc8qlef A8CP4QZCZvdT1UaTgX5lcy3HyroaqXXTtDbslwl2lQ6BJpyvenbGUOTKkPxRJK16nQg8Dj7.5XOQ WrfT7vYAe9xyAlMBvXoYPEBFu2ZAIwg9Bjz_9duoclK9FPTO5xzLTaxPiwTXVivIUciLVu_IwWnB CiQVEUthhMM7WXReuwIfAaLBMvE68cw-- X-Sonic-MF: X-Sonic-ID: 78e8c0bb-cb01-438b-ab26-b82b1d5134d3 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:29:32 +0000 Received: by hermes--production-gq1-6949d6d8f9-nsbdm (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID d22b1f6ad07bda71c6e1d3c51ac27d9d; Fri, 15 Dec 2023 22:29:26 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, netdev@vger.kernel.org, audit@vger.kernel.org, netfilter-devel@vger.kernel.org, Todd Kjos Subject: [PATCH v39 17/42] LSM: Use lsmcontext in security_secid_to_secctx Date: Fri, 15 Dec 2023 14:16:11 -0800 Message-ID: <20231215221636.105680-18-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_secid_to_secctx() will now return the length value on success instead of 0. Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org Cc: Todd Kjos --- drivers/android/binder.c | 5 ++--- include/linux/lsm_hook_defs.h | 3 +-- include/linux/security.h | 5 ++--- include/net/scm.h | 5 ++--- net/ipv4/ip_sockglue.c | 4 ++-- net/netfilter/nf_conntrack_netlink.c | 8 ++++---- net/netfilter/nf_conntrack_standalone.c | 4 ++-- net/netfilter/nfnetlink_queue.c | 27 ++++++++++--------------- net/netlabel/netlabel_unlabeled.c | 13 +++++------- security/apparmor/include/secid.h | 2 +- security/apparmor/secid.c | 13 +++++++----- security/security.c | 17 ++++++++-------- security/selinux/hooks.c | 17 ++++++++++++++-- security/smack/smack_lsm.c | 16 ++++++++------- 14 files changed, 72 insertions(+), 67 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 58bdb5b75131..c0fa95e64e7c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3199,9 +3199,8 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &lsmctx.context, - &lsmctx.len); - if (ret) { + ret = security_secid_to_secctx(secid, &lsmctx); + if (ret < 0) { binder_txn_error("%d:%d failed to get security context\n", thread->pid, proc->pid); return_error = BR_FAILED_REPLY; diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c5e5a32f5e07..8e0155ac6697 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -273,8 +273,7 @@ LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name, char **value) LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) -LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, - u32 *seclen) +LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, struct lsmcontext *cp) LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) diff --git a/include/linux/security.h b/include/linux/security.h index 9712056d71a0..03b79089eaf7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -562,7 +562,7 @@ int security_getprocattr(struct task_struct *p, int lsmid, const char *name, int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(u32 secid, struct lsmcontext *cp); int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); @@ -1487,8 +1487,7 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, - u32 *seclen) +static inline int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 6e1add51d4c2..91452b36b5bf 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -97,10 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &ctx.context, - &ctx.len); + err = security_secid_to_secctx(scm->secid, &ctx); - if (!err) { + if (err >= 0) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, ctx.len, ctx.context); security_release_secctx(&ctx); diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 3bf8ff9d4434..38b9f822a70d 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -138,8 +138,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &ctx.context, &ctx.len); - if (err) + err = security_secid_to_secctx(secid, &ctx); + if (err < 0) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, ctx.len, ctx.context); diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 3e79b339a1bc..a7dfc39bfbf3 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -360,8 +360,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct lsmcontext ctx; int ret; - ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); - if (ret) + ret = security_secid_to_secctx(ct->secmark, &ctx); + if (ret < 0) return 0; ret = -1; @@ -669,8 +669,8 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); - if (ret) + ret = security_secid_to_secctx(ct->secmark, NULL); + if (ret < 0) return 0; return nla_total_size(0) /* CTA_SECCTX */ diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 23949d233375..a1d8952db1c1 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -178,8 +178,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) struct lsmcontext ctx; int ret; - ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); - if (ret) + ret = security_secid_to_secctx(ct->secmark, &ctx); + if (ret < 0) return; seq_printf(s, "secctx=%s ", ctx.context); diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 8b4c5c08daa7..f7918b21672d 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -319,18 +319,18 @@ static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk) return 0; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *ctx) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); - + seclen = security_secid_to_secctx(skb->secmark, ctx); read_unlock_bh(&skb->sk->sk_callback_lock); #endif return seclen; @@ -408,8 +408,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; + struct lsmcontext ctx; u32 seclen = 0; ktime_t tstamp; @@ -484,8 +483,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) + seclen = nfqnl_get_sk_secctx(entskb, &ctx); + if (seclen >= 0) size += nla_total_size(seclen); } @@ -624,7 +623,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, if (nfqnl_put_sk_classid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (seclen && nla_put(skb, NFQA_SECCTX, ctx.len, ctx.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) @@ -652,10 +651,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen >= 0) + security_release_secctx(&ctx); return skb; nla_put_failure: @@ -663,10 +660,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen >= 0) + security_release_secctx(&ctx); return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 464105080245..b43cfb4fe4f1 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -437,8 +437,7 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, &ctx.context, - &ctx.len) == 0) { + if (security_secid_to_secctx(secid, &ctx) >= 0) { audit_log_format(audit_buf, " sec_obj=%s", ctx.context); security_release_secctx(&ctx); } @@ -491,8 +490,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, &ctx.context, - &ctx.len) == 0) { + security_secid_to_secctx(entry->secid, &ctx) >= 0) { audit_log_format(audit_buf, " sec_obj=%s", ctx.context); security_release_secctx(&ctx); } @@ -550,8 +548,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, &ctx.context, - &ctx.len) == 0) { + security_secid_to_secctx(entry->secid, &ctx) >= 0) { audit_log_format(audit_buf, " sec_obj=%s", ctx.context); security_release_secctx(&ctx); } @@ -1122,8 +1119,8 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &ctx.context, &ctx.len); - if (ret_val != 0) + ret_val = security_secid_to_secctx(secid, &ctx); + if (ret_val < 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index e47c37c1beda..b66c2d043a02 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -25,7 +25,7 @@ struct aa_label; extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp); int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index e9f655f54a42..55d6c54fe90e 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -61,7 +61,7 @@ struct aa_label *aa_secid_to_label(u32 secid) return xa_load(&aa_secids, secid); } -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp) { /* TODO: cache secctx and ref count so we don't have to recreate */ struct aa_label *label = aa_secid_to_label(secid); @@ -76,8 +76,8 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) if (apparmor_display_secid_mode) flags |= FLAG_SHOW_MODE; - if (secdata) - len = aa_label_asxprint(secdata, root_ns, label, + if (cp) + len = aa_label_asxprint(&cp->context, root_ns, label, flags, GFP_ATOMIC); else len = aa_label_snxprint(NULL, 0, root_ns, label, flags); @@ -85,9 +85,12 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) if (len < 0) return -ENOMEM; - *seclen = len; + if (cp) { + cp->len = len; + cp->id = LSM_ID_APPARMOR; + } - return 0; + return len; } int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, diff --git a/security/security.c b/security/security.c index 063a209ac17f..708a26a88447 100644 --- a/security/security.c +++ b/security/security.c @@ -4172,17 +4172,16 @@ EXPORT_SYMBOL(security_ismaclabel); /** * security_secid_to_secctx() - Convert a secid to a secctx * @secid: secid - * @secdata: secctx - * @seclen: secctx length + * @cp: the LSM context * - * Convert secid to security context. If @secdata is NULL the length of the - * result will be returned in @seclen, but no @secdata will be returned. This + * Convert secid to security context. If @cp is NULL the length of the + * result will be returned, but no data will be returned. This * does mean that the length could change between calls to check the length and - * the next call which actually allocates and returns the @secdata. + * the next call which actually allocates and returns the data. * - * Return: Return 0 on success, error on failure. + * Return: Return length of data on success, error on failure. */ -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) { struct security_hook_list *hp; int rc; @@ -4192,7 +4191,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) * LSM hook is not "stackable"). */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + rc = hp->hook.secid_to_secctx(secid, cp); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; } @@ -4221,7 +4220,7 @@ int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, struct security_hook_list *hp; int rc; - hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list) { rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1a428a6964a0..37b97cf81da1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6565,9 +6565,22 @@ static int selinux_ismaclabel(const char *name) return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); } -static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int selinux_secid_to_secctx(u32 secid, struct lsmcontext *cp) { - return security_sid_to_context(secid, secdata, seclen); + u32 seclen; + u32 ret; + + if (cp) { + cp->id = LSM_ID_SELINUX; + ret = security_sid_to_context(secid, &cp->context, &cp->len); + if (ret < 0) + return ret; + return cp->len; + } + ret = security_sid_to_context(secid, NULL, &seclen); + if (ret < 0) + return ret; + return seclen; } static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7dab00bbd0ed..d82753bc52ab 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4814,19 +4814,21 @@ static int smack_ismaclabel(const char *name) /** * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer - * @secdata: destination - * @seclen: how long it is + * @cp: destination * * Exists for networking code. */ -static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int smack_secid_to_secctx(u32 secid, struct lsmcontext *cp) { struct smack_known *skp = smack_from_secid(secid); + int len = strlen(skp->smk_known); - if (secdata) - *secdata = skp->smk_known; - *seclen = strlen(skp->smk_known); - return 0; + if (cp) { + cp->context = skp->smk_known; + cp->len = len; + cp->id = LSM_ID_SMACK; + } + return len; } /** From patchwork Fri Dec 15 22:16:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495146 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic302-28.consmr.mail.ne1.yahoo.com (sonic302-28.consmr.mail.ne1.yahoo.com [66.163.186.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 10F8F18B06 for ; Fri, 15 Dec 2023 22:31:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="B8WXlYQr" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679462; bh=tvjpqyt0BcyonO3ugUYGc4el/VCR47tpN/rANrjzTAc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=B8WXlYQrZfgt6RefCIoEB/5GKWJuNMD+0Hh4axrMtbk2WHtNsJ1ccCn91LqTlGGc2oyLohn2Pa+P2Vgyj/evMdowV803vIs3YOnNIChPr2jl4bsk5Rmoii9M24FoDzJqlFRNxu7NME8CiFrheF53bpTote2B0EiVMVg3gCNn4lB4SkZPU6wi4MuRT3YuNBHSto2uW2iAuRjmE/rqyWsPOi4SCyDmfBaTIEO+KI6XnVZF1hM5QwEVb3AyJFSEp3Xf0a2mJvFn3amuxEVpbZkln2LKfCUyVYtijA6UCb2bld7dZ4aIkx7GPD32k2wswqvpF+XmlOfXVssXDl99xaR/aw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679462; bh=bPByZF8rLBiGTktlsL90nGtynZWnHPGEnlWUsFGMw7Y=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=umMoMCO/tUrPh6OHT/boS359m0VX7LFdo+Z2cseYI/mF2GS9ReSYkFiIjjNi2tOeO3xT3lgeK3EVSiEV0V0X2TK7Zl1n5l/yKTSQ6pbwodBs/qsiEphDt6Zy2w9jtS0oupbSCVcmAW9AjH46jyNkiwHgyNktUREJSjukXovubEKkJtzR5y0oZQssGQDIujDY4dS8AdblsPKtem5ul70D5ZyRVZjO/7/y9nLN+osvYmMvByWYClc6Iys6Yv3u6aFaOZ3hRG6whP6gddDPGT5mWuSCygsy8+IUOU0qBmw1/VFmRzh4P2061laL5eH6mkuD/9n6HNceJKHBhp0IaV65lA== X-YMail-OSG: 0QMuOSUVM1kw95lhlQabvIQO0DmMjM8MwkYIHISkR6S1Zmjjqgmd1I6VG9HAu9s UW_uEKG_0Sp2XDyGA8934o315tAC5keTiNrHG4JDyzYck7hndZAP2PKyyU.rMNQod_U4kmOCZ2Wy sk0UCaY2pordIKX_5L1ekzeOZPv9vbia0vs1N3RCDWYDz4nR99LHvCK46d1sRncAMHUEoMCgyDGI rDVzrGFezs0uQUf5u52Nn_tqwPWsLfqDetUoR.a09FEcPpncIKnnbaRtWDBgr9rghbIeuF8jga8k p8Dv_UZ25sQ80OBNe2VwH7v9n23d.2KJcKHL5zUai9R7_gvHxf3ks.dxANjdLElKXcpsQ6NOo55s VtkKTiwmi25mcyw5ACbwDvT6d5_dGBz7Eo6uezZ6Ex7lzgs8ebTQlyY.AwJFQncxUmo1NEapx_66 147cq_gkS2CnK3obiy5CPAdB6C3PwtLHBQWgMabf_HxZkRflxck93UGi3btsFVzuyzxe4opbUswu XB7PQvQSlD4mI4KKnB962k0BG1ro.yP6kA2rjSxqL7MKYSNxSpQVi6_KMRFHO2DRVBlMyT7uafLN EwVdf1uC7HRwzhg0UXDNXdZpRJcARWJsNHU0rlMuo0M9CJFXBmENC.mvRmUxIxTRmCUK1aacyELh xqRWgCysYoNjpTn1xwseyTIbRLh8KhLxrgns.gmAOQafuZvycSaVl8FOg4SnRPdePmqYGsEnDl0T fwaF.CB8PwrC472JhGTBKpN7fqwTrC.FfF3py5LcoQ.dwu5aYdOQDvdW31bfcbk9_bjtbH8XZ57Y qCXZnnPzYaPl2d1zDRduFapJ970p39_0g1m6Me5Yt5lAfvUF.lqtkC5RDUopAQxzBd18z.3pJtIL pYhLKV94ukFJI6p2fwozXbtcBJQgjTtYXNAM42vFADlk7EA6iUgJqsLYgKvP90gnwd5nazaLAER5 yCNIMKkHtO2mROFmSyLJrJv6CDjiAgzjQJVoFFW5L4jQZlSSn5waamtljUN2QDnwCeTuic_LXa3f ST5sfLa7HslBpNW6SSLmWCAtRnbvy9cX_GUtNb5JMgJ2G4NAlkWhrLyyT7ZWb6R38uq.Ei14C88s nKSR_cSjjU1Tox49cnA8q7hSZz2udJgOuAnczrR5uyBfreTyGmnScVDpI3xOnrmOBTFzBS8cNdwn DMKeeIroFaIChJ_vxV2w5vfdsrn8bT.q_PdtP7M6uzzPPLVADt.v.Iyrjr.2t56a7InX6O7qfr_u ol0V2GSaG2oASl9Gb.J2NO0qrAgE6ouzkd1rU_UhtQoed.R.kD_2uWciajUzhEjBuzbs8PEqMbFK xOSIkVnq5vY02CJ.o6xVOMoPNaKP.1B_z9mW4yieW.8NKU4YMUqc296NpnD_GGTrPrqYkEFlxwq4 U_ReCyYwjl_gb2HwHloap6jXnS0IyjpN8qyfKX3aFeXpFkbUEbYPjD8cgZMfLhZJ2jn0Cnz2Dnmu LSN.oaX0KmrVvaHu9n93HGn6HHAksFV9xiY2wEC52FjlJU5xLW5Sj17RDeU7WxD8E3QDjHyogf6K gKRBDwKBeR7IduSAT4jHgA1D2ics.zwF.6db9CW0Py3Gy0xGdfsryGqI8KeOcOhQyUO.GQQ6umr4 ShEZ11ygArhdvo2fJ9E2bSBp7YiXYwPQF_JD45e3WO96Yif2tyzEkJHSudpdbW4BTEcmroRgMJ.v _HXeBO1m8QOPZQhy8GUYJiTR0fVsVSABNm1VzCPIDBm_JoO.OHAsEvOdVuKN0Yj0eWx1Wxw3U9k1 xfem9cUF5HFh30J2ZEyreqhN50EDCWZyoAPyA1DImbDQdzzpZhMuET5UD46x.AK05l_.eo0YhQIz tRpW8YXXkkZ12lXvrL7ZU9AttkuqsmWBCKkbevy2N9fL5SP9BclDCnN1NMjasmbeVLz52AtjYqwr uPXbHb369j405k_wSvySYVBX5.IQ_mFgApi_lry5zETXKdvq9LjfQ2Lpij83x3nRPV34c5jKVekn QgTd0C7.hHSE3jb7nM..1QjQteixOmzz7ASD3lNPDVQ_xU16DU0bG0TlTkCLK0ZGdIpaUAH7zVTF JYMHRMnX9B0CYvSjRknVXjOXrclpQSXVYXKd.3qE9kj2VxL6Zdo15w5FSnBuSdBwjnSfYHLwz1jo gF1hWSQkoIwTnqHcvY3.WjOQXmyBDnpeuzZJm6TG78cGkcd8uAHJm4EOCI1yhtVuvd1dJn3AOidd Fqlu.EKQa7ylT0xaXILS2UaSSlDS2Ryb4J5BmzPN8IG9Gpf.jOz8LNLkIALkbInS6Om4ZWoVMtFj FkeKGSl8JYvVJCZ1vJ6X6H9K7H5Fk8w-- X-Sonic-MF: X-Sonic-ID: 47bdd27c-92f1-4436-8090-65bda4506aeb Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:31:02 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 4f41d5d0227d5bac936de484a6531ff5; Fri, 15 Dec 2023 22:31:00 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, netdev@vger.kernel.org, audit@vger.kernel.org, netfilter-devel@vger.kernel.org, Todd Kjos Subject: [PATCH v39 18/42] LSM: Use lsmcontext in security_lsmblob_to_secctx Date: Fri, 15 Dec 2023 14:16:12 -0800 Message-ID: <20231215221636.105680-19-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_lsmblob_to_secctx() will now return the length value on success instead of 0. Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org Cc: Todd Kjos --- include/linux/lsm_hook_defs.h | 2 +- include/linux/security.h | 5 ++--- kernel/audit.c | 9 ++++----- kernel/auditsc.c | 17 ++++++----------- net/netlabel/netlabel_user.c | 3 +-- security/apparmor/include/secid.h | 3 +-- security/apparmor/secid.c | 14 ++++++++------ security/security.c | 24 +++++++++++------------- security/selinux/hooks.c | 18 +++++++++++++++--- security/smack/smack_lsm.c | 16 ++++++++++------ 10 files changed, 59 insertions(+), 52 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 8e0155ac6697..339a4559daf8 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -275,7 +275,7 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, struct lsmcontext *cp) LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsmcontext *cp) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) diff --git a/include/linux/security.h b/include/linux/security.h index 03b79089eaf7..2a0615a62125 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -563,8 +563,7 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsmcontext *cp); -int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen); +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1493,7 +1492,7 @@ static inline int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) } static inline int security_lsmblob_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index 47cfb6b20c3c..a93a710c980e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1462,9 +1462,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (lsmblob_is_set(&audit_sig_lsm)) { err = security_lsmblob_to_secctx(&audit_sig_lsm, - &lsmctx.context, - &lsmctx.len); - if (err) + &lsmctx); + if (err < 0) return err; } sig_data_size = struct_size(sig_data, ctx, lsmctx.len); @@ -2175,8 +2174,8 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx.context, &ctx.len); - if (error) { + error = security_lsmblob_to_secctx(&blob, &ctx); + if (error < 0) { if (error != -EINVAL) goto error_path; return 0; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2874255f5f25..c37cc02ea4cc 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx.context, &ctx.len)) { + if (security_lsmblob_to_secctx(blob, &ctx) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1370,7 +1370,7 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; struct audit_buffer *ab; int i; @@ -1393,16 +1393,12 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (lsmblob_is_set(&context->ipc.oblob)) { - char *ctx = NULL; - u32 len; - if (security_lsmblob_to_secctx(&context->ipc.oblob, - &ctx, &len)) { + &lsmctx) < 0) { *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } if (context->ipc.has_perm) { @@ -1563,8 +1559,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmblob_is_set(&n->oblob)) { struct lsmcontext ctx; - if (security_lsmblob_to_secctx(&n->oblob, &ctx.context, - &ctx.len)) { + if (security_lsmblob_to_secctx(&n->oblob, &ctx) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index b9289a22b363..561e1e476a49 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,8 +98,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &ctx.context, - &ctx.len) == 0) { + security_lsmblob_to_secctx(&audit_info->blob, &ctx) >= 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index b66c2d043a02..568820a11efc 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -26,8 +26,7 @@ extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp); -int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen); +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void apparmor_release_secctx(struct lsmcontext *cp); diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 55d6c54fe90e..c9b9a8d90afa 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -93,8 +93,7 @@ int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp) return len; } -int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { /* TODO: cache secctx and ref count so we don't have to recreate */ struct aa_label *label; @@ -115,8 +114,8 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, if (apparmor_display_secid_mode) flags |= FLAG_SHOW_MODE; - if (secdata) - len = aa_label_asxprint(secdata, root_ns, label, + if (cp) + len = aa_label_asxprint(&cp->context, root_ns, label, flags, GFP_ATOMIC); else len = aa_label_snxprint(NULL, 0, root_ns, label, flags); @@ -124,9 +123,12 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, if (len < 0) return -ENOMEM; - *seclen = len; + if (cp) { + cp->len = len; + cp->id = LSM_ID_APPARMOR; + } - return 0; + return len; } int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) diff --git a/security/security.c b/security/security.c index 708a26a88447..e070a6cd4089 100644 --- a/security/security.c +++ b/security/security.c @@ -4203,30 +4203,28 @@ EXPORT_SYMBOL(security_secid_to_secctx); /** * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx * @blob: lsm specific information - * @secdata: secctx - * @seclen: secctx length + * @cp: the LSM context * - * Convert a @blob entry to security context. If @secdata is NULL the - * length of the result will be returned in @seclen, but no @secdata - * will be returned. This does mean that the length could change between - * calls to check the length and the next call which actually allocates - * and returns the @secdata. + * Convert a @blob entry to security context. If @cp is NULL the + * length of the result will be returned, but no data will be returned. + * This does mean that the length could change between calls to check + * the length and the next call which actually allocates and returns + * the data. * - * Return: Return 0 on success, error on failure. + * Return: Return length of data on success, error on failure. */ -int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int rc; hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list) { - rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); - if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + rc = hp->hook.lsmblob_to_secctx(blob, cp); + if (rc != LSM_RET_DEFAULT(lsmblob_to_secctx)) return rc; } - return LSM_RET_DEFAULT(secid_to_secctx); + return LSM_RET_DEFAULT(lsmblob_to_secctx); } EXPORT_SYMBOL(security_lsmblob_to_secctx); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 37b97cf81da1..d138aa692abd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6583,16 +6583,28 @@ static int selinux_secid_to_secctx(u32 secid, struct lsmcontext *cp) return seclen; } -static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, + struct lsmcontext *cp) { u32 secid = blob->selinux.secid; + u32 seclen; + u32 ret; /* stacking scaffolding */ if (!secid) secid = blob->scaffold.secid; - return security_sid_to_context(secid, secdata, seclen); + if (cp) { + cp->id = LSM_ID_SELINUX; + ret = security_sid_to_context(secid, &cp->context, &cp->len); + if (ret < 0) + return ret; + return cp->len; + } + ret = security_sid_to_context(secid, NULL, &seclen); + if (ret < 0) + return ret; + return seclen; } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index d82753bc52ab..1fdd4233a9b3 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4839,19 +4839,23 @@ static int smack_secid_to_secctx(u32 secid, struct lsmcontext *cp) * * Exists for audit code. */ -static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +static int smack_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct smack_known *skp = blob->smack.skp; + int len; /* stacking scaffolding */ if (!skp && blob->scaffold.secid) skp = smack_from_secid(blob->scaffold.secid); - if (secdata) - *secdata = skp->smk_known; - *seclen = strlen(skp->smk_known); - return 0; + len = strlen(skp->smk_known); + + if (cp) { + cp->context = skp->smk_known; + cp->len = len; + cp->id = LSM_ID_SMACK; + } + return len; } /** From patchwork Fri Dec 15 22:16:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495147 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 180F118EC0 for ; Fri, 15 Dec 2023 22:31:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="UvO00vVv" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679465; bh=rCo1n5NulVLUwl0INHBYB1LidebEAHUCa4+pCaV/mX8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=UvO00vVvoGXmk4B9dJE6E/3uUWznN0mjPpcVgIUzCWcR/CPXHhF4Ctjh9gIE8zEq0DTMXLaCh1+Vb+cWlGNSQLZl3AoJpClHUVlTNyx+Afm3pbR4Jf/m+IP0awqnCMvYLKKuoOEndo26QL3GQbQ4b1z/uyP/zXHwm8/LdKW43GYeQCBNW59jh1UGVoAQg+Coj7xmfdJemN5Vi+tcXQeQrX/vvsPvj1UbuqUsu2yEQs6mexI7rubq5iCw0HbjGta9eYXExnC18m8Y1Ieedf5tBS88lOasHpf0kVaNBYXDTbqxsIDTTIzr9puPe5LhIvZW/U4e5RYeJvEPzbraKpXOnw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679465; bh=2139v8sAj7176eErxK+u02Zn0Dqi4BnPGxmfbZsxQYz=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=Yx1bNV3YphYRW0Y0G+qK+s1iYwPDBtwQJf8LOawkByVhG3hrvGg7zVEWaxHMhyQRelpkChKfMV8pNlBhdp4RKjPsDkMCFV1zAYCR8p0Bbg/n6u+LsJ8ofRPXWpcztq0pzntH4NBXRDcmZv3SSud5Z8uBSlwP5TJvdbmc9+rECSnDKhT1WoGRNWpk1/iIOLJWG3S7rlApx1lHAMsyepp6xOaOTG8Di0Tcf7B7dcoqhiqqhfjNDFiRez32POuvcnwU0D1PxMUt8yeiX7wOetYFP7PoNJVkEzGm9uC16FHYxfpqlXqaiaLgOScTFclfLHM3+vRRURe7eTsiZwxJZUTAhQ== X-YMail-OSG: OuTCzF8VM1neUYExZposEVH3Rd5CRFWDvGYvm4mjLMpUgDTaDnZJT.Rohg8qvg8 9bkTwSvyQ1hZ9G9xsAkU733bFZXZypPB4KkEmcCG8uV6hQnxO1GnsR3065u12S0dyqYSqCIphBaf dqlTn.0gAlRIeEomao6YRqKsQ.6ICuvv0ieGKRO.Svtem1SkEh6iPrY2zpLTPCYI9tvW1XbRmncL bKnIN197c6mhKPKl7XubCpE90mJPrnHmGhYUC_b3xDkDmTlsL1.RA2gzT7r1tpVh9wB.YNBpN2D1 .ALwoDTU4I0yBw3tih9BertkmPiP03jZ5gdLgv4Qyodyv269w.mb3c5HPWh0mL74TywlOENZqoEK gKkVjmcKfw.FVm1b6d3zqfXspc7vPHS3u2yiYgY2wubIXUdxI0NH4SMTFbbJJk.MjCu4NyskcKYE ggTkTwbvZ3l.aG9R2c5o.Dk.GIGahACKGW90CaYx5lvCAWPhzKTpzmDvD64TjIfOVJ.GBUkeYRBm gcEly2bqWL5nrWBB6X341a8w2tCPqYibbrXX7emxGm1..J.IoRaawQINXpcj9WfjCVf8_jfc9_50 h6rxxUhnW7db1tZLHJCFonk3hwJFceQQTHDZ4A0Os9cGySSkF0nJTpGf4eIYRCBrg0ng0sF9rcp. fUoeFShiArvd2nlH0l3pO5I.PvFRbKiaclB7Xj6OKFk9quxqMXG_Vddce83wVL9H2TvPNP7yn3EL sNXAHUrciubObrMYjj4D81adFq0032rWw9Hr42FRT7KT6DRN2Kcj1B4c4wmge_vvz.3THlKXTqmc 9QQvbVx_fToLympzSzRJHQjNACn6cA8xSuASd_kkRAZbOcapOBSSDw..B1iYL272F_GOGXlQ8oDZ nA47XjgCSStNduGdLwtg5xLsEYOfEi3cuf8iIk6D_Q33cuw_L.7hxrH526fxk0cOoTDYJuboQdWx BgsX1Q27cNcCUWL2Q8NPd1Of7uRPfHApho_JrzJwjPCp.GKWnR89.UhlZKab06cVItIHvq.bv2Em P4zazS_Om1FcK11JrLzYp1pUUVWdp3Zw75TSTBhEL_nxpaGDZj1BMHHCIs.EuIdPmI_.uRsB8bHF zXmRaKLmHgx8PAQceFx9QUSUvsTOxZKLbzRERmNzIs0i79nvw5W2LpTyCjcqDp0S4Pwkrq3ggjN3 w2SAFysSsHjhn7hjDUzZ2stBL8P59dQkBqF_lOht0IJp2JHOqkXLkCEtNd04UpI.C.NWlMHjDBX5 lzvqAkkG_5bMq5oK0k0V8yF9ssl645sSB4X1d0drgWKFZn7s8rE2aqLRFKlXL7NKrWN5Owku1xIM wOWBhYhc1s_g0CNvAlzOfol2abiE8BKfL5a4dquM08TRMx01CKl_P5XFU3ivWo3eWoe8S_cUxnuS VuLRmKjlKkuGPhK5gZhasnsqE_IKJiCAd4dUr2LQPrtIL5nHEpWR.DenrTXTDkYgj00z60LGpeB6 cK9wigPbLjOM8Eu5O0cP.P_lG_oITY8u8mR7nMdhDj9im7J_rRzsOXnZP6FUu0xeW4xE2TVKEjeB epdnYT3tnzEQxnd.8CmSI7wBlxNQmGR7EEplL_DvmQVc39rg_EnHkiGOTIUoIvzbwYfW8GYRMXXP SeQDcS6E70kJnmcUAmuujvQt0UHyi1I73I7E9I8EbD5fi0sx0x.0uvZ0I.9O0P_sejGFEDMiSK7n Z5VOf6z3XnRDayIZxmOeyR.pipDqeyuB2nkexrsPiz1ruNSEnodel8zPyPtqSMcaOWA2O5.hZCa0 .9UbS6VVZ21GE7MG8vKDapfQ0Snobv00Ct3j9hgwaY6ng6O8Dyp8vgrTL8wULojQiRPG.RADyvno UXMUytfBWKSMuTIbvMbHAu7bCwjv.qAh1pD2HQ.JTfURoHyfwqDgpPlwyzTQCjKUmN1CjtbDEwGF PW9xg3a9aEBWNKk0oS5Xf7PKK3TxPg05R8fs94NwU7HmimobszDFS5VgzkeiQ5QwngAHhLX6jQJ9 Vb0YVOvCbsbGbbPR_J.Q1O9.9ehIO6JU6BwkCcEGRPQxmDzm.jHnDJ5Yh2oy8X0k4P_6sqFZjfLp SITfS99yJJiphZUvnjtoV6Mlrxmk.8qTcO84Ax3SBtDeG4MS.lthK9m3Cu1Rw7yfspqiOj5mlJyP xFJG1VoHpx_eRWpcKgY3vFWkDKfyL2Sg80HLHWpnoQJKGv9O3i75wAIhhcQv5xT3LtI5J1MJ9soX FeG0_JrbwOVk2AEWWfiuk68V6ET.69DWkocQhYoC7PBJUrliukP624moXnowIWM2kM7mfxTz65XA tVrIAWnf23PtBXPx6OgsefxqLN_ZtwQ-- X-Sonic-MF: X-Sonic-ID: 32c05da9-b477-41b8-935e-97f829c9bca1 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:31:05 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 4f41d5d0227d5bac936de484a6531ff5; Fri, 15 Dec 2023 22:31:02 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, Chuck Lever , linux-nfs@vger.kernel.org Subject: [PATCH v39 19/42] LSM: Use lsmcontext in security_inode_getsecctx Date: Fri, 15 Dec 2023 14:16:13 -0800 Message-ID: <20231215221636.105680-20-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the security_inode_getsecctx() interface to fill a lsmcontext structure instead of data and length pointers. This provides the information about which LSM created the context so that security_release_secctx() can use the correct hook. Acked-by: Stephen Smalley Acked-by: Paul Moore Acked-by: Chuck Lever Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-nfs@vger.kernel.org --- fs/nfsd/nfs4xdr.c | 25 +++++++++---------------- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 5 +++-- security/security.c | 12 ++++++------ security/selinux/hooks.c | 10 ++++++---- security/smack/smack_lsm.c | 7 ++++--- 6 files changed, 30 insertions(+), 33 deletions(-) diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 9cade754356a..d81a32c5929c 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2805,11 +2805,11 @@ static __be32 nfsd4_encode_nfsace4(struct xdr_stream *xdr, struct svc_rqst *rqst #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + const struct lsmcontext *context) { __be32 *p; - p = xdr_reserve_space(xdr, len + 4 + 4 + 4); + p = xdr_reserve_space(xdr, context->len + 4 + 4 + 4); if (!p) return nfserr_resource; @@ -2819,13 +2819,13 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, */ *p++ = cpu_to_be32(0); /* lfs */ *p++ = cpu_to_be32(0); /* pi */ - p = xdr_encode_opaque(p, context, len); + p = xdr_encode_opaque(p, context->context, context->len); return 0; } #else static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { return 0; } #endif @@ -2908,8 +2908,7 @@ struct nfsd4_fattr_args { struct nfs4_acl *acl; u64 size; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - void *context; - int contextlen; + struct lsmcontext context; #endif u32 rdattr_err; bool contextsupport; @@ -3364,8 +3363,7 @@ static __be32 nfsd4_encode_fattr4_suppattr_exclcreat(struct xdr_stream *xdr, static __be32 nfsd4_encode_fattr4_sec_label(struct xdr_stream *xdr, const struct nfsd4_fattr_args *args) { - return nfsd4_encode_security_label(xdr, args->rqstp, - args->context, args->contextlen); + return nfsd4_encode_security_label(xdr, args->rqstp, &args->context); } #endif @@ -3587,12 +3585,11 @@ nfsd4_encode_fattr4(struct svc_rqst *rqstp, struct xdr_stream *xdr, args.contextsupport = false; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - args.context = NULL; if ((u.attrmask[2] & FATTR4_WORD2_SECURITY_LABEL) || u.attrmask[0] & FATTR4_WORD0_SUPPORTED_ATTRS) { if (exp->ex_flags & NFSEXP_SECURITY_LABEL) err = security_inode_getsecctx(d_inode(dentry), - &args.context, &args.contextlen); + &args.context); else err = -EOPNOTSUPP; args.contextsupport = (err == 0); @@ -3627,12 +3624,8 @@ nfsd4_encode_fattr4(struct svc_rqst *rqstp, struct xdr_stream *xdr, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (args.context) { - struct lsmcontext scaff; /* scaffolding */ - - lsmcontext_init(&scaff, args.context, args.contextlen, 0); - security_release_secctx(&scaff); - } + if (args.context.context) + security_release_secctx(&args.context); #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(args.acl); if (tempfh) { diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 339a4559daf8..f2bbce7fb28e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -281,8 +281,8 @@ LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsmcontext *cp) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) -LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx, - u32 *ctxlen) +LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, + struct lsmcontext *cp) #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, diff --git a/include/linux/security.h b/include/linux/security.h index 2a0615a62125..dbbfbcfbb299 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -569,7 +569,7 @@ void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp); int security_locked_down(enum lockdown_reason what); int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, void *val, size_t val_len, u64 id, u64 flags); @@ -1520,7 +1520,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 { return -EOPNOTSUPP; } -static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static inline int security_inode_getsecctx(struct inode *inode, + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index e070a6cd4089..e1487979603e 100644 --- a/security/security.c +++ b/security/security.c @@ -4317,17 +4317,17 @@ EXPORT_SYMBOL(security_inode_setsecctx); /** * security_inode_getsecctx() - Get the security label of an inode * @inode: inode - * @ctx: secctx - * @ctxlen: length of secctx + * @cp: security context * - * On success, returns 0 and fills out @ctx and @ctxlen with the security - * context for the given @inode. + * On success, returns 0 and fills out @cp with the security context + * for the given @inode. * * Return: Returns 0 on success, error on failure. */ -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); + memset(cp, 0, sizeof(*cp)); + return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, cp); } EXPORT_SYMBOL(security_inode_getsecctx); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d138aa692abd..1e97b703f252 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6654,14 +6654,16 @@ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) ctx, ctxlen, 0); } -static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static int selinux_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - int len = 0; + int len; len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, - XATTR_SELINUX_SUFFIX, ctx, true); + XATTR_SELINUX_SUFFIX, + (void **)&cp->context, true); if (len < 0) return len; - *ctxlen = len; + cp->len = len; + cp->id = LSM_ID_SELINUX; return 0; } #ifdef CONFIG_KEYS diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1fdd4233a9b3..a58e2c14f120 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4895,12 +4895,13 @@ static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) ctx, ctxlen, 0); } -static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static int smack_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { struct smack_known *skp = smk_of_inode(inode); - *ctx = skp->smk_known; - *ctxlen = strlen(skp->smk_known); + cp->context = skp->smk_known; + cp->len = strlen(skp->smk_known); + cp->id = LSM_ID_SMACK; return 0; } From patchwork Fri Dec 15 22:16:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495152 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F381E18EB8 for ; Fri, 15 Dec 2023 22:32:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Mhkm/OUf" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679557; bh=KFKWiTph33t2gPpx3h/moCpllvvhkv3otlJUUDDSqTQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=Mhkm/OUf2fQjwomCcnoqyU/GGEOLbKnfr9hdb2SpuVcaB/FbocqJAsdcIZOmOrRULr8zAEsLQo7fNWpikybtyZMtFHzUgOLIO2GrNWRgohAvquA6nGGZWeOwf8E/sBBPEj2zYglBgJIr6sPb5NRFiPJAm6Se6DTuP1SESTMqYhyxubQm+Uc1eFNUBEoEfFr4l9JxyXHinuYVcNO0Aw1jU/KRMJ8mmmslpvi0rzt6MbLN43/sxHAPasM6wSWtS0Sv3ldSmHVZEpUWhPgiESRIpaviCHodKzZo3TDBmlJUdfRhh0dO7yy7/+Jd2TZaHwbdPDkb+Cpk6V8dsJK2HaKq3Q== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679557; bh=kvtU4Ke5VWfygsu/rdD5fKMDduGb2OkPpnL+dTzge4h=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=XulfTWarUdfPIvt2Z9SC3Yhqd+sDIL8muWuiS1c3RO5KYO2VCpz9RgqT6I/jAoFhIKOWqVa6E9hJBEfdoUQqAtygEGSPn1mSsikdHgwpbopfw2ClXF8RlUHADUJqFrhemSh20056E+PtDbK7Uia2PTMpkZuuqyDz/PuvP1UowCbwJb/EdF1vbw1x7Hgpr1pl/ne61js+Yk6uU9PUlVf2q9ZbtS1M3ycImlQ4J+s2e2DF/WYGD2QnOIjkWfveHgh7DLAPkdyyd9t9JdEbNdbZygQkBDQ6bxNxt1EqPp+hdjZY8IHXGwsJFIdZBER6Y9AyoaVEQmFA8jhep2aogc4EGw== X-YMail-OSG: uJYSCEUVM1mX7vphcRMEWTrfZmpymynG2BFN9EAYws_cBSLXypIYkRa.yCz_0bO 4FFv_yMJQ02CXNPp5qmJcPhKfqPOpJzFGDGST37TTcltpIOfnm94HeJKW9._1Yjp5CA017QJ.3ta s.k0N4h3mCOAP9h6VM7P_p1XjJAJ13VeiuFjM7IMJVE2BLA5uoQa24PYZPbqZ0d717g599qBg6iC _3uC5NLrxrZRjVPC4tjmOy3x8dyXU7X7AdtLQzgyfmln5Gy.itwm92UyvRc4j9vGdMYWBNK6wioi d27cYrXWSkZVNOTKuA4a_3xniiqdnLeLlfrOT3p1DVrxs0rB1WzT3uOXqM0BoK.HxNPZ27w_rFQZ YCo9IRg1ax1wGgKHHXt86T.RbmM5mjNuSSX1wF7gAIbpjm03zQLJlRv4Wq0ZMYS.V7hlc03lJsPm dLks5lFxUSGmR7X2yMrMW5cCBxZ.f0xHQMl.lsC_OGB23qGaWMrk0vkM3FHoFTFp7ZuIKXY0VaPW QAEV7P4TApztvDpxAKLlS8WUOQNtLfFuNeXB8xtxVaan_..yKFLcRfgsH2b85ByyLjxmtJ2BVkGv ydpLXBM47WSauvdOMuHUaIo3cZ3FHOpH6YH8at2UWaAqECIcV7FhKxffb40QSMH_gUAsXbaoOE1G TVmYpacs87axbVhYs6VI.ZzXma2ZY5XGpStQVs2rVCSJTwT.GcFJ4IBRcaVwxDjVlku1tAib9N2L s0KScAaFeAdYgtPTDjrC4m3W1BDK5KBcqEccAmOgnX0fDcvPTC2_M5O01PgVzqFam.3CFw2c48A5 OgxcL5f6MY2tgg3j5JxlBD4R57URgenCB40o4YZCCerf4iZIks3qQt2if7wNmDS_CdZLNwZhk5ek ZSnOI7DMlvAV1I.gefj2tp211ftm4ezRcbWL0fK69cckoNEyKd.6sc430hQAu5B0Di3zhMKHc.Xb w.D4ldL63L9dDZwepabmqEgG7gO0ZsZ7H1YyDuHS6vbUSO9r0F0gsXbbrxeSb0hFxgJN_A0b_3zh 9wTyVDUaIwzw_8eQvNO84SYXhXj4F1qlvZrHCAC6MFqBJK4_rxB92ITMM.9fBgZWd9dpYGmaLW4P 67cOyQsHAiFNUYcqRmcoxvt.sYFg5z2JphZEBT3BzUzC8zwYaHz.ue6gJ1FEiiF1FciFnl8IdCjH bK2ZZGMXtQGJY4E.y2UojDGzc2A.47NXSLFdXc7lGw.DJFanqm8zqUJk08Ov71rUAVrVsUGk_Q.K rgcA8XYCuw38o.AN4KLDebD4TQix1R9CSc5gIXoIOrEZT.CvpWdLZmzvEb7_vym4hcvZElkdST3k 2WY3tnPRxBxlJ3czWLQqpAnDMnue8GtKP9eJ2yjG6x_7Pn2_r3um4r.sFlAo6D3qDVKTPlK.Q2qX TaJ8sPTGtWK8deaFDUU2dql_eKoxST1sIufPCmhfD0qP6UZOkYKkWdADnYZJnkHaj8h2kF82W1ch G7Oxq4P838zHcAt4O4VlDP5k6sDI3tV78lc19NwTMC1TvKCJ5y7AhtwubvlmrPXjGx8RWnbuhX9o n_c_QLFLQQiOArytbvWhufR.ZVfW8PYM4JqwxpUhfpwiXpyGM.GI2h9JeOoDOFO_5jrqmalG.emU Pnme9LKiN6dYqKGeMLU09sidz7iNmfTbxbq7Lol7zAiaGe8roT8LKhGiocY7rvrzKEu1M_1_1T2F UbJNanskASMRWULcr9NZ8ocJqKzMYju4LlN2yP7Q1XShxKOgM4GF8CDXcHGJijoPH7lKSunOxNVy l0hy6T_0AHIwomr7pZRKsBLwxRc3aBLbsuvqwRe9lsRHyHl.h68hii6lqkojbDHhAJr9ML6hBRXy FH8Lts32gaDbwka9Z6OC_LcLEq4xTac4rbn_.k0bEA24rDTirkKAWsLo5jxnSffPZVQ2bFtqspkF Ffo8_6U8qi9IBbYoOOH8ed0Uk4H93uJGy2xY499JzYh8dKHSl5Ue4kp4zSKlUlRtSwYnsSFbx038 1ycSWFTkfAzcJbnLlAyNxAg9eS2OjPZ.mxu8S1D6.Hiv3OiMxAypWozwCG5h6MlnQkkcWwwfochz 6lgwoXmO3Ox0se9qxf8cSWxOtUMXnSmY1ILINwjcafr9WCjO43ZFmGTppnYwGW2TTRHbjLPDeD1T OpcoO27xfAb8eCgVIX.gli16mOOq6QAwWG6F8ugVGvIo_BiUxGFLnrzn.PwjLmNk2yoR7l_9Wltj ykCQoUG4tpVrBCzlF_gp2aNiBETPp6Jy.4jY7dTyhXTPOSONeN.02NwRaUxhzmhgfHCOY83VCICR iQXWoH394KfFrAJe8dzOWh6lGBDe3bRg- X-Sonic-MF: X-Sonic-ID: bfca283d-322e-4c88-9b88-c2713d6bb7cf Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:32:37 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID e3e0e17187ae06698f220367a4c91416; Fri, 15 Dec 2023 22:32:35 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, ceph-devel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security Date: Fri, 15 Dec 2023 14:16:14 -0800 Message-ID: <20231215221636.105680-21-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. Special care is taken in the NFS code, which uses the same data structure for its own copied labels as it does for the data which comes from security_dentry_init_security(). In the case of copied labels the data has to be freed, not released. Signed-off-by: Casey Schaufler Cc: ceph-devel@vger.kernel.org Cc: linux-nfs@vger.kernel.org --- fs/ceph/super.h | 3 +-- fs/ceph/xattr.c | 19 ++++++------------- fs/fuse/dir.c | 35 ++++++++++++++++++----------------- fs/nfs/dir.c | 2 +- fs/nfs/inode.c | 17 ++++++++++------- fs/nfs/internal.h | 8 +++++--- fs/nfs/nfs4proc.c | 22 +++++++++------------- fs/nfs/nfs4xdr.c | 22 ++++++++++++---------- include/linux/lsm_hook_defs.h | 2 +- include/linux/nfs4.h | 8 ++++---- include/linux/nfs_fs.h | 2 +- include/linux/security.h | 7 +++---- security/security.c | 9 ++++----- security/selinux/hooks.c | 9 +++++---- 14 files changed, 80 insertions(+), 85 deletions(-) diff --git a/fs/ceph/super.h b/fs/ceph/super.h index fe0f64a0acb2..d503cc7478b7 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -1133,8 +1133,7 @@ struct ceph_acl_sec_ctx { void *acl; #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - void *sec_ctx; - u32 sec_ctxlen; + struct lsmcontext lsmctx; #endif #ifdef CONFIG_FS_ENCRYPTION struct ceph_fscrypt_auth *fscrypt_auth; diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index 113956d386c0..4c767a20ac4c 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1383,8 +1383,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, int err; err = security_dentry_init_security(dentry, mode, &dentry->d_name, - &name, &as_ctx->sec_ctx, - &as_ctx->sec_ctxlen); + &name, &as_ctx->lsmctx); if (err < 0) { WARN_ON_ONCE(err != -EOPNOTSUPP); err = 0; /* do nothing */ @@ -1409,7 +1408,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, */ name_len = strlen(name); err = ceph_pagelist_reserve(pagelist, - 4 * 2 + name_len + as_ctx->sec_ctxlen); + 4 * 2 + name_len + as_ctx->lsmctx.len); if (err) goto out; @@ -1429,11 +1428,9 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, as_ctx->pagelist = pagelist; } - ceph_pagelist_encode_32(pagelist, name_len); - ceph_pagelist_append(pagelist, name, name_len); - - ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen); - ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen); + ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len); + ceph_pagelist_append(pagelist, as_ctx->lsmctx.context, + as_ctx->lsmctx.len); err = 0; out: @@ -1446,16 +1443,12 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { -#ifdef CONFIG_CEPH_FS_SECURITY_LABEL - struct lsmcontext scaff; /* scaffolding */ -#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); - security_release_secctx(&scaff); + security_release_secctx(&as_ctx->lsmctx); #endif #ifdef CONFIG_FS_ENCRYPTION kfree(as_ctx->fscrypt_auth); diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index d19cbf34c634..ee24797842df 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -462,29 +462,29 @@ static int get_security_context(struct dentry *entry, umode_t mode, { struct fuse_secctx *fctx; struct fuse_secctx_header *header; - void *ctx = NULL, *ptr; - u32 ctxlen, total_len = sizeof(*header); + struct lsmcontext lsmctx = { }; + void *ptr; + u32 total_len = sizeof(*header); int err, nr_ctx = 0; - const char *name; + const char *name = NULL; size_t namelen; err = security_dentry_init_security(entry, mode, &entry->d_name, - &name, &ctx, &ctxlen); - if (err) { - if (err != -EOPNOTSUPP) - goto out_err; - /* No LSM is supporting this security hook. Ignore error */ - ctxlen = 0; - ctx = NULL; - } + &name, &lsmctx); + + /* If no LSM is supporting this security hook ignore error */ + if (err && err != -EOPNOTSUPP) + goto out_err; - if (ctxlen) { + if (lsmctx.len) { nr_ctx = 1; namelen = strlen(name) + 1; err = -EIO; - if (WARN_ON(namelen > XATTR_NAME_MAX + 1 || ctxlen > S32_MAX)) + if (WARN_ON(namelen > XATTR_NAME_MAX + 1 || + lsmctx.len > S32_MAX)) goto out_err; - total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen + ctxlen); + total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen + + lsmctx.len); } err = -ENOMEM; @@ -497,19 +497,20 @@ static int get_security_context(struct dentry *entry, umode_t mode, ptr += sizeof(*header); if (nr_ctx) { fctx = ptr; - fctx->size = ctxlen; + fctx->size = lsmctx.len; ptr += sizeof(*fctx); strcpy(ptr, name); ptr += namelen; - memcpy(ptr, ctx, ctxlen); + memcpy(ptr, lsmctx.context, lsmctx.len); } ext->size = total_len; ext->value = header; err = 0; out_err: - kfree(ctx); + if (nr_ctx) + security_release_secctx(&lsmctx); return err; } diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c index 13dffe4201e6..c56a7caea6d3 100644 --- a/fs/nfs/dir.c +++ b/fs/nfs/dir.c @@ -807,7 +807,7 @@ static int nfs_readdir_entry_decode(struct nfs_readdir_descriptor *desc, int ret; if (entry->fattr->label) - entry->fattr->label->len = NFS4_MAXLABELLEN; + entry->fattr->label->lsmctx.len = NFS4_MAXLABELLEN; ret = xdr_decode(desc, entry, stream); if (ret || !desc->plus) return ret; diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c index ebb8d60e1152..ddd8f7bae5de 100644 --- a/fs/nfs/inode.c +++ b/fs/nfs/inode.c @@ -357,14 +357,15 @@ void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr) return; if ((fattr->valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL) && inode->i_security) { - error = security_inode_notifysecctx(inode, fattr->label->label, - fattr->label->len); + error = security_inode_notifysecctx(inode, + fattr->label->lsmctx.context, + fattr->label->lsmctx.len); if (error) printk(KERN_ERR "%s() %s %d " "security_inode_notifysecctx() %d\n", __func__, - (char *)fattr->label->label, - fattr->label->len, error); + (char *)fattr->label->lsmctx.context, + fattr->label->lsmctx.len, error); nfs_clear_label_invalid(inode); } } @@ -380,12 +381,14 @@ struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags) if (label == NULL) return ERR_PTR(-ENOMEM); - label->label = kzalloc(NFS4_MAXLABELLEN, flags); - if (label->label == NULL) { + label->lsmctx.context = kzalloc(NFS4_MAXLABELLEN, flags); + if (label->lsmctx.context == NULL) { kfree(label); return ERR_PTR(-ENOMEM); } - label->len = NFS4_MAXLABELLEN; + label->lsmctx.len = NFS4_MAXLABELLEN; + /* Use an invalid LSM ID as this should never be "released". */ + label->lsmctx.id = LSM_ID_UNDEF; return label; } diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h index 9c9cf764f600..1bc7cdf52f04 100644 --- a/fs/nfs/internal.h +++ b/fs/nfs/internal.h @@ -346,13 +346,15 @@ nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src) if (!dst || !src) return NULL; - if (src->len > NFS4_MAXLABELLEN) + if (src->lsmctx.len > NFS4_MAXLABELLEN) return NULL; dst->lfs = src->lfs; dst->pi = src->pi; - dst->len = src->len; - memcpy(dst->label, src->label, src->len); + /* Use an invalid LSM ID as lsmctx should never be "released" */ + dst->lsmctx.id = LSM_ID_UNDEF; + dst->lsmctx.len = src->lsmctx.len; + memcpy(dst->lsmctx.context, src->lsmctx.context, src->lsmctx.len); return dst; } diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 6ea99e2aabf3..79626ce7cecd 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -124,12 +124,11 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, label->lfs = 0; label->pi = 0; - label->len = 0; - label->label = NULL; + label->lsmctx.len = 0; + label->lsmctx.context = NULL; err = security_dentry_init_security(dentry, sattr->ia_mode, - &dentry->d_name, NULL, - (void **)&label->label, &label->len); + &dentry->d_name, NULL, &label->lsmctx); if (err == 0) return label; @@ -138,12 +137,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - struct lsmcontext scaff; /* scaffolding */ - - if (label) { - lsmcontext_init(&scaff, label->label, label->len, 0); - security_release_secctx(&scaff); - } + if (label) + security_release_secctx(&label->lsmctx); } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { @@ -6155,7 +6150,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, size_t buflen) { struct nfs_server *server = NFS_SERVER(inode); - struct nfs4_label label = {0, 0, buflen, buf}; + struct nfs4_label label = {0, 0, {buf, buflen, -1} }; u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL }; struct nfs_fattr fattr = { @@ -6183,7 +6178,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, return ret; if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) return -ENOENT; - return label.len; + return label.lsmctx.len; } static int nfs4_get_security_label(struct inode *inode, void *buf, @@ -6260,7 +6255,8 @@ static int nfs4_do_set_security_label(struct inode *inode, static int nfs4_set_security_label(struct inode *inode, const void *buf, size_t buflen) { - struct nfs4_label ilabel = {0, 0, buflen, (char *)buf }; + struct nfs4_label ilabel = {0, 0, + {(char *)buf, buflen, -1}}; struct nfs_fattr *fattr; int status; diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index deec76cf5afe..fe6d184ff169 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c @@ -1154,7 +1154,7 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, } if (label && (attrmask[2] & FATTR4_WORD2_SECURITY_LABEL)) { - len += 4 + 4 + 4 + (XDR_QUADLEN(label->len) << 2); + len += 4 + 4 + 4 + (XDR_QUADLEN(label->lsmctx.len) << 2); bmval[2] |= FATTR4_WORD2_SECURITY_LABEL; } @@ -1186,8 +1186,9 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, if (label && (bmval[2] & FATTR4_WORD2_SECURITY_LABEL)) { *p++ = cpu_to_be32(label->lfs); *p++ = cpu_to_be32(label->pi); - *p++ = cpu_to_be32(label->len); - p = xdr_encode_opaque_fixed(p, label->label, label->len); + *p++ = cpu_to_be32(label->lsmctx.len); + p = xdr_encode_opaque_fixed(p, label->lsmctx.context, + label->lsmctx.len); } if (bmval[2] & FATTR4_WORD2_MODE_UMASK) { *p++ = cpu_to_be32(iap->ia_mode & S_IALLUGO); @@ -4236,11 +4237,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, return -EIO; bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL; if (len < NFS4_MAXLABELLEN) { - if (label && label->len) { - if (label->len < len) + if (label && label->lsmctx.len) { + if (label->lsmctx.len < len) return -ERANGE; - memcpy(label->label, p, len); - label->len = len; + memcpy(label->lsmctx.context, p, len); + label->lsmctx.len = len; label->pi = pi; label->lfs = lfs; status = NFS_ATTR_FATTR_V4_SECURITY_LABEL; @@ -4248,10 +4249,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, } else printk(KERN_WARNING "%s: label too long (%u)!\n", __func__, len); - if (label && label->label) + if (label && label->lsmctx.context) dprintk("%s: label=%.*s, len=%d, PI=%d, LFS=%d\n", - __func__, label->len, (char *)label->label, - label->len, label->pi, label->lfs); + __func__, label->lsmctx.len, + (char *)label->lsmctx.context, + label->lsmctx.len, label->pi, label->lfs); } return status; } diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f2bbce7fb28e..741bbf5df0af 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -83,7 +83,7 @@ LSM_HOOK(int, 0, move_mount, const struct path *from_path, const struct path *to_path) LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry, int mode, const struct qstr *name, const char **xattr_name, - void **ctx, u32 *ctxlen) + struct lsmcontext *cp) LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode, struct qstr *name, const struct cred *old, struct cred *new) diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h index c11c4db34639..04e4afc8deb5 100644 --- a/include/linux/nfs4.h +++ b/include/linux/nfs4.h @@ -15,6 +15,7 @@ #include #include +#include #include #include @@ -44,10 +45,9 @@ struct nfs4_acl { #define NFS4_MAXLABELLEN 2048 struct nfs4_label { - uint32_t lfs; - uint32_t pi; - u32 len; - char *label; + uint32_t lfs; + uint32_t pi; + struct lsmcontext lsmctx; }; typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier; diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h index 279262057a92..c314fb43547f 100644 --- a/include/linux/nfs_fs.h +++ b/include/linux/nfs_fs.h @@ -457,7 +457,7 @@ static inline void nfs4_label_free(struct nfs4_label *label) { #ifdef CONFIG_NFS_V4_SECURITY_LABEL if (label) { - kfree(label->label); + kfree(label->lsmctx.context); kfree(label); } #endif diff --git a/include/linux/security.h b/include/linux/security.h index dbbfbcfbb299..35604f43d4ff 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -404,8 +404,8 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb, int security_move_mount(const struct path *from_path, const struct path *to_path); int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen); + const char **xattr_name, + struct lsmcontext *lsmcxt); int security_dentry_create_files_as(struct dentry *dentry, int mode, struct qstr *name, const struct cred *old, @@ -855,8 +855,7 @@ static inline int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, const char **xattr_name, - void **ctx, - u32 *ctxlen) + struct lsmcontext *lsmcxt) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index e1487979603e..cea3c1b614a1 100644 --- a/security/security.c +++ b/security/security.c @@ -1666,8 +1666,7 @@ void security_inode_free(struct inode *inode) * @mode: mode used to determine resource type * @name: name of the last path component * @xattr_name: name of the security/LSM xattr - * @ctx: pointer to the resulting LSM context - * @ctxlen: length of @ctx + * @lsmctx: pointer to the resulting LSM context * * Compute a context for a dentry as the inode is not yet available since NFSv4 * has no label backed by an EA anyway. It is important to note that @@ -1677,8 +1676,8 @@ void security_inode_free(struct inode *inode) */ int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen) + const char **xattr_name, + struct lsmcontext *lsmctx) { struct security_hook_list *hp; int rc; @@ -1689,7 +1688,7 @@ int security_dentry_init_security(struct dentry *dentry, int mode, hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security, list) { rc = hp->hook.dentry_init_security(dentry, mode, name, - xattr_name, ctx, ctxlen); + xattr_name, lsmctx); if (rc != LSM_RET_DEFAULT(dentry_init_security)) return rc; } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1e97b703f252..ed4237223959 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2859,8 +2859,8 @@ static void selinux_inode_free_security(struct inode *inode) static int selinux_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen) + const char **xattr_name, + struct lsmcontext *cp) { u32 newsid; int rc; @@ -2875,8 +2875,9 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, if (xattr_name) *xattr_name = XATTR_NAME_SELINUX; - return security_sid_to_context(newsid, (char **)ctx, - ctxlen); + cp->id = LSM_ID_SELINUX; + return security_sid_to_context(newsid, (char **)cp->context, + &cp->len); } static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, From patchwork Fri Dec 15 22:16:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495153 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB9A618ED0 for ; Fri, 15 Dec 2023 22:32:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="QCZJbU6L" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679561; bh=wsEZq6q3+06miaqCNUNybAu13net40ImW1aiAhPQhxQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=QCZJbU6LrMTJCc1hOfHZbSe+1Uc5TEhFp2zc7su0C2gO+NHc8gLc0b+UcqkhErBX/v0H/sUzkLGualahkkDLxM2jeKFHcM1Pu3Sx+Upyu8IBDSsOO3zIv4f9vLKLk8tf9a6SNNu0+x+vcD5zei0kTRNLM74I6hGnrx3F0P0guKn4gw/V3NjmOw+ZF2A1341/q3d7r6u9Jh1ZskkI3sLTPmgQJ+1PnRfatN2R5VyAcCNLIRekluI1xC5PmwNr9LPnvqLz9vVrq8YegGj0FHwkoaLC2+HfgfpoMGoT9BMLhmYumoM/655QOpbMrY8pZbieO7BVlvZ2TOE2diqFuupONg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679561; bh=7HZaBEZxB3eI5UhvDTGUKLIn6qQxXCBNIualX0pMysA=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=SptKgulM0OOltFnCe+1IgKhXS3sSbE9zGajcKi/1yabAbJ60yGEYJySCFW29wgGLVnC19IG6atBlxTbhJZfnp9tnR6o9C83o28fg0aw3i0aVtfzLGY5EfJerGqrhhNR8ES0UHio13RqN+AQ8KuH3DAUvSGIq+AnCpNcaw8eE+6bLQhujKczLAwV9KfiLniyMoRlVNBQsp2toAUY3cMSXIkFvjRlW/pJsrvDDPVANBVp5jYg7JOQI/MD53grJCflYOdL2X0+Gm8BYvFuiDJPVPKfQrYaBrtvQ+IuxPTvSFOZXv3d83WL5uczp6KBtyORzaLG6Gfmd5IdsKwI2FNVnhQ== X-YMail-OSG: Q.B9lmMVM1ljekOpGmYVAs.JLwyntks5YzILaO2SQ316mgjmH2U05UxEPKy66Ej Us0tQUypAJNAcR7VEODx4vjQIul.hXqezoj2VWSxbrDmpItpayOVqL6mDodfMXoTlORLNzM4WG6X 8dO3WC0H8KrnIFoo5FX3FmZbYKaR4HA16f1MYPRHZgIIbe7wq693RcKssIm8JYtk_4lDxXTwcjig fg4uxrhGjScWMl0nVX7hxEveY3BZyZQcV8mr6AB7m1b_q5oUGSB8bCOFBdVhfM51XUWMp3wjdPKX WnBlLRqhHsnqD5CMdXi59e9trKEPSMhN7JQo5x.D0zdcw2q7w5I8cF5FHjlds9PDsaaEpmFIf70b kDfGtmPdjDJ70JbCQQDFZOrXhUrmAdwUqWXpXFLZ8BJbTV7MalTNit7VN8w3B_uvjxcYSBpQHRap Q2mwydb7.KgtT5OuGY4BvBnmvd8Bkzul21._vfJx84xoGCPhrFvvfk2zMlucQB8N_s4Ej.wLYmgm QVR8n.S1V6kzdnG_mlfEU1IJan1miQQAcNMJ5vFazBQ7ktPRG1Mit2vJKkqsiEaenfOllfiHBADU ObXEjs7peS5SQZBgLmGXnqm3TZCzDOCBgZCM_5OWYErESq4R6SAY5MBFXavgy0UH.ssR.KLeCGdI NqqR8PnVAyCuh6uRwOb3B14bcVUjOJTilIBi_OICf0fPhwlogRp5N4h5CliCNiLYcW4SdPMg9A5u t2en8jdaRZCmnCcp4Yki.Q_H9ge4MIeNS7qC5nzllv_jWBD6VBgPc.V6SeKAbOL8yTvXf1SdViBb 5paHHvVum.gc7a7GkGer4dAtVljgYbi8saZldYilziVch7bnkZXyUdiguXmVTSmOFcciSxkYeIR2 8PWN.oSaFF8Vh6xXl5U.YhpPEQ3rxFgK2TCUu7ED9VScWAuwMMIsdxGxq71_UPZMllL.2wxI_53M LDY334lEnwvXjnBmdePckPcGRWS.tWMNOSaFWya0lL5OqDyMAfIDkL1NnisbsSzwtNZ14E6n87Ct qE_Zr1fTcCXxaNZ71azYf8YCeHa6Z_u6dHA7bcV35.8EVg1ne1Vj3LwvyhRtQUKYZgmrcipE0_hc NOO8db000zuhzkeixO8zq_3_1A3P1Hbgeq191cjMX1A_erXXZGdQKSPLVqweeTiGmtUecPFZgNdr ZJdiwVt4ngJeH8LxdbgW6wajyOuvB3UObAWSDo6LsBIQjSDvzK1bqccR.izi3r3a_x7EWfZk6BRU et6b6U8po9vj2sEm0KvZygZLTKNmbymMvcUeACm1C.5O2jWUhbntlAj1LD7KesGzU9EazdJ616li DFJHaHSEO03D6F_7QvUtk9SrL4bC1ZOFbkmOC4Lc1Vyz4uMctFc4flJrHwi7S1S5LNOD1mL73gKg 0KHl0NAno9bjwqzes0DmZrA.niRWDYBunytUeFpxvEK8D3HpBekVqN6gW7x8_UEIXbxzwqXt2i4r NEXX9nuSc3tXP33_sugllxo8WUmRlxjEVatMEjm060l2dXwNs9OlWP0FprxNca53O5Fcg4kI68wz CXynIHI3pqTE7zN1ZL5X55JcpDoK83aD2Y3_LooT7dXh.pH.qfunMsg_a6Znx4m0Xm.FQBJkgvrB O8XmB3rwhTpKrTui6j3aVTBDahq._wND2bclVJYGJCrSDEfvDfwmblTo8Mwuq2r0rZCXH4t8z_FV Hda.mHOGOh7itxALUgtulE4t6CVIUjtVlLjmrgRJSYaGA4OaD2qM.9T6TWBOFRJ3n9aNATQeTMAF etXEuvPIgXgvAvI8QyTGr5X5v4jYa26hE52XOKulKx0N3Y8.3RJxNB5jGuBVOp34fspGOCawJb_w KlsMsk8JiyVXMFk2dAYfgz54.KlBninprh_7Q5yxu0gFmsw6_jjTSE0.kK7u3HKHKcN32Z9DNREN f6mtxub6AEqvOdrdqRVzhOwoWsuXSp5ROExQis4Oo.rAIid3KfBbm4KbroUNp8FusBGODwnf2qof P65QPE.NMp5JdFwoAbdLyaWjoN8xMJmCpgSUD1YeXGl.z8nVQc3pwDfbMZtyx5mraotSfBZ.gQKM tFeVJRpKWmfSh72VU3Wcyb2ZASE0DZQO2ZRTMQvrLLLb3PgvXO3PbhTayz5FWkfEJRZm7xOad6O0 iZGklOA.67VHLbaUIrDqeZULEn2pjAObzjZGLX65_NiooJfcrGW2wRBW7Sf2yVk2d5NrWyZkf5nJ E_do5GxqgAlVRJrqUnJFz4O9.KryApjfQ5gNtdG9dpsqf8OiMGQkilPT2.otxSWfqe_3O5iXfx2n CkhcpUcUeQoQogEYhpp8CE7RzBd4X X-Sonic-MF: X-Sonic-ID: 74795a18-4949-44d0-9593-75fef32c61a7 Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:32:41 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID e3e0e17187ae06698f220367a4c91416; Fri, 15 Dec 2023 22:32:37 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 21/42] LSM: security_lsmblob_to_secctx module selection Date: Fri, 15 Dec 2023 14:16:15 -0800 Message-ID: <20231215221636.105680-22-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used. security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook. Signed-off-by: Casey Schaufler --- include/linux/security.h | 5 +++-- kernel/audit.c | 4 ++-- kernel/auditsc.c | 8 +++++--- net/netlabel/netlabel_user.c | 3 ++- security/security.c | 11 ++++++----- 5 files changed, 18 insertions(+), 13 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 35604f43d4ff..360a454d5f8e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -563,7 +563,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsmcontext *cp); -int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int lsmid); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1491,7 +1492,7 @@ static inline int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) } static inline int security_lsmblob_to_secctx(struct lsmblob *blob, - struct lsmcontext *cp) + struct lsmcontext *cp, int lsmid) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index a93a710c980e..edefb370a72e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1462,7 +1462,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (lsmblob_is_set(&audit_sig_lsm)) { err = security_lsmblob_to_secctx(&audit_sig_lsm, - &lsmctx); + &lsmctx, LSM_ID_UNDEF); if (err < 0) return err; } @@ -2174,7 +2174,7 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx); + error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c37cc02ea4cc..3c0559b01677 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx) < 0) { + if (security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1394,7 +1394,8 @@ static void show_special(struct audit_context *context, int *call_panic) context->ipc.mode); if (lsmblob_is_set(&context->ipc.oblob)) { if (security_lsmblob_to_secctx(&context->ipc.oblob, - &lsmctx) < 0) { + &lsmctx, + LSM_ID_UNDEF) < 0) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", lsmctx.context); @@ -1559,7 +1560,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmblob_is_set(&n->oblob)) { struct lsmcontext ctx; - if (security_lsmblob_to_secctx(&n->oblob, &ctx) < 0) { + if (security_lsmblob_to_secctx(&n->oblob, &ctx, + LSM_ID_UNDEF) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 561e1e476a49..842a236540b0 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &ctx) >= 0) { + security_lsmblob_to_secctx(&audit_info->blob, &ctx, + LSM_ID_UNDEF) >= 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/security.c b/security/security.c index cea3c1b614a1..444051575793 100644 --- a/security/security.c +++ b/security/security.c @@ -4203,6 +4203,7 @@ EXPORT_SYMBOL(security_secid_to_secctx); * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx * @blob: lsm specific information * @cp: the LSM context + * @lsmid: which security module to report * * Convert a @blob entry to security context. If @cp is NULL the * length of the result will be returned, but no data will be returned. @@ -4212,15 +4213,15 @@ EXPORT_SYMBOL(security_secid_to_secctx); * * Return: Return length of data on success, error on failure. */ -int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int lsmid) { struct security_hook_list *hp; - int rc; hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list) { - rc = hp->hook.lsmblob_to_secctx(blob, cp); - if (rc != LSM_RET_DEFAULT(lsmblob_to_secctx)) - return rc; + if (lsmid != hp->lsmid->id && lsmid != LSM_ID_UNDEF) + continue; + return hp->hook.lsmblob_to_secctx(blob, cp); } return LSM_RET_DEFAULT(lsmblob_to_secctx); From patchwork Fri Dec 15 22:16:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495154 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 67D5C13B143 for ; Fri, 15 Dec 2023 22:34:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="kkik3eSC" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679655; bh=mM0WZyCz/tlNmJgaPwRTDUjkjMqKhKg8VZllCO0EmTg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=kkik3eSCu8YpbDnaARezAwEWl7snnrGP4kDaWewhitXWdeRsofIWdyENtVBbUS4BIu0lJUZT5Z6kzZBOfDvolBRM6dnJ1KXVzplUNZa8A89vm0Esw2TwdbZqV6esCn4yH7y8/hxGkcYMg7DVB0K/VBV8G9qyONmMjQQxCD4Rk8hZl6BQ/zcp+eTR+Jw9jaOpcFaQOo6Jd9GjTOUMcKf3485JxlFUXpzb+bWQBLl/PiCeajjS7nzl1akVvbdfe3YhfyRJjQ2mfMArZRO4wFBqs5vC1L0C8VZyHJSdz6FmX0DyC1AlflNaBmNvayOHhv/1T8SjWULJwKAsctUckYu8Og== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679655; bh=FAxExbaql8jFIp3VAoQmKNgDIKq+qzvGc5Ayk/CpIzN=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=quhmEjbY0r3/bnqNHDATa5W9SG/kDVAwrxT3KW8iWJA3mo2xMOtErj+y+VEFZ9tvj0RHd0T3kPoSMeQDlWf4b705o4ufgFTLfp5ArQsmcB+BCYrA+c7tlFCdZk/LCotx05Wv3bTUrzKHqf/ZyCTRwbNuOoE/EYwox7r5CEFc3rPJJTUHv1pifLqz6B7IXv71p4BIpnNJ6gH32iGaU49IMJZh6PDaAHTeujNBVW1HMOi6w8mhdbiHi74L9GeQ2CQCgWuuIhAw02zc/XnMI6SOqzYaoASc7/de4NCQRjRKVXycZWZfJs3uGGT4IQ9nwEz/iFRDqCsqk3zfaBNO2ehWaA== X-YMail-OSG: sxegZS4VM1k15GHIGmAaacxqx.3QE2n8uqa0ajCnfWujfk7IzkatndBN8Z29DyU COw7esx.JSHVN54WHazV99Ak7AAlDrKXjhHt0mDij9arGgTBNgkp4kENjFPelvRWycfL3tMlKu5X f9QFuxmRCCibmN3RepR.wzWy6YgQjYTV8p9lh42CZZhb9QsGC5N7O9iSt1LV8RgY2zyUI.8pM.yT tkfc_MgaRORQQYVwRNShdDLKxw8Jqzofbrdon9FfEZKjI4_49YDJcp1fJmOycnsMLITO5o4g0aRQ RF4CJm.PsT7uyb9QGqtK2oSBC8G0_vZL9REMu_9SrP6MyoSMs9rRLshk33Ia24j3n5duWke_Nt5C IP7xKyTpMurmLg5kizTE.gdP0iu_dNPnsv0tGL2WsiNNt3fLQE8mAtGPhcaJApZSZmBs32mCEQ1z 7nlR9uxNNj6iiCNRrp6cdz.WgsPGx7wJlkeQDq1qm3TLw5mo6HaOFYWI6cNhoyconSnlCpuUTpM2 gJ0V1KES1iuNGRayYDM3CgGSywMIx3G1JlCTUpIG8l8pRdTKayC0cIxtpFGVw8_5PEwSGL7OWkSP F3vWPrAK7L5z12x7L2ql25vm8lKvBmzLYvAl1McWpurTcbqkE98EhSz_ynyUJjMyDea39Ec1QTWo KHTuc3umJ6jSiILxB.zS5fKfhFcgj39k1_59zHwGeDYtHuM0FHujbdP_7gMyI1w0Gw9_JrEjJ_lK _V1Q78kN8yrHu.qbCgGEHsZI3j6LMx1A8_wSdMP_egG5vM7Q2Ak5brOO0lQaAw_8ZdCxvA7fkugP exZLv.mZHKyswtvwaAoj4PVftpul5Pzo1GkBmWXx2m35CHXjeHFQ_NL5S3Z1mxynBRXCe9lJNcT5 DsKKsDM_6HhYJxPQz5H8lhezxFsVrfdxE9KeyzsqcYbBDVzrmcQxvwufQiBz_y6FS8e71iZam7fL uY77Mr.P4XVyur_MOwlMt87oTe0VW3M5AKR_bZ4dq62WJ0nAz.FesGgSqMBHYd55t9F2VYdadgqf hXsNks45OTlbuLGANcxGouw5IvHnfyHzwev2uhCPFU8P.5oyGbhe_bpPxXzyAqVjqm2HA_oyA.di tE8LaDZ7FBrOT56tNEj7Fq_oLe8dYbhtIhUAtllHeT9sue8SgDivsk06qtpmZ_IuXD7pocCX_vTw WOvZ6Gqc70buLTB7sfERNVIc0VuxlIpVnIHx6Wq67MRILLH51yggt3SETzTUyPA24gRu9.j4rNW6 f1we3bHR60Z0oRt48QlFsSyVIs2qPNkd36Qoj8jb8gZUEyQedIGaduJDjxiNbpZsFtn9jCUhB6ww DuJIOwVZei0LV4cyJt5A2.xrc_rheG4pzTDkIWfbpTvKLVl5SGBzbD7lBXw.7RAYNWM_QFf5asoa 5yylpZ6nfTuPrqcnbf7NGyGB4VT8Szf3wBcFJmZ30d7uNOR13QMuJDZ7BYr5Wp7D9gU9uMNPF0KX 8tvOcGgmAg2KbHlnV2XQ90nTSztYPS._K5wCff6wC.ACZ0dpTnPO4E_P5RK8XwVVam0Iyr3Aqmi. X_KGQOy45MunRxyRTEnzqsFrktBkt.shyw_mG4vU6kQWiX1pxKhq3anL89sunhxYWylODrlkCuNF 5E9TqaTou9KIuTG.zQTmLCk6nwX6nJOTwsfxIJxr1sH74jUvbIFPXxiIRI7i6baCFDKQZD2AEep6 2yhQNvHMYM8chbrDEpWyb2ok87hZ9at6UZwRGYt46ZwVGTFdH.55iD_wpYPxdbn6BDbbjRDhWGtB EEWUtjMOqtk3Kj4nzhAmWWbtLglOhm4DOgk8XTmCx7KiqU5F6sllo6uxJwPKMgHQ3Rxu3lVkpgLG HThBVtkL8XyIyKRiiopFwK2.rFvq_dnJiFAILf6iMgY3qsPf2GciUJt2kYm.2a2Ni9Iy58i8XIcF JCH6KcQCtG2axtWYnp.ZfTFe8izar5dHBvzmBexJN97ctKFYeP3bOICi9VQ5ANfNy85QKBfl7oD_ 8PKRSD_.QScGafu0kE3EsW1ec17tQpEIBuUuFC46lDP4zMJgfqX2PEutKz3FvvurV5HDUuKhNqE2 BVzWEY0_sCZJ0wx.01djAXLo7wEh3BEulEUOI28X0x3RA8uJMN9mQ3Z99ybs11WTd_UhNDDM586k EEQ8rcitKvg9Z9SxasjCI5mOezjSCI3_kBK5db4Kv6Vem8WP4R0dldVTvQ0Nx.u1niIPcMUPyZkK gxlwa900JxnlnuTkmew0NsZZmi4WZrWPRsYk4_rA7izzWJLcw1bGGuRd33HaGyDhTTT8fiDasFZr 6uWgYcbOGCiOZvNL6U.0nZIGqLWsn X-Sonic-MF: X-Sonic-ID: c1a56000-005b-4423-8689-f3e899d8bc69 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:34:15 +0000 Received: by hermes--production-gq1-6949d6d8f9-dpfkp (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 0a4ea853851f0b1cf5e01328013d4c00; Fri, 15 Dec 2023 22:34:10 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 22/42] Audit: Create audit_stamp structure Date: Fri, 15 Dec 2023 14:16:16 -0800 Message-ID: <20231215221636.105680-23-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- kernel/audit.c | 17 +++++++++-------- kernel/audit.h | 13 +++++++++---- kernel/auditsc.c | 22 +++++++++------------- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index edefb370a72e..5291f65a01c8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1820,11 +1820,11 @@ unsigned int audit_serial(void) } static inline void audit_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) + struct audit_stamp *stamp) { - if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { - ktime_get_coarse_real_ts64(t); - *serial = audit_serial(); + if (!ctx || !auditsc_get_stamp(ctx, stamp)) { + ktime_get_coarse_real_ts64(&stamp->ctime); + stamp->serial = audit_serial(); } } @@ -1847,8 +1847,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct timespec64 t; - unsigned int serial; + struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1903,12 +1902,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &t, &serial); + audit_get_stamp(ab->ctx, &stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); + (unsigned long long)stamp.ctime.tv_sec, + stamp.ctime.tv_nsec/1000000, + stamp.serial); return ab; } diff --git a/kernel/audit.h b/kernel/audit.h index b413c0420c6f..f147540862c7 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,12 @@ struct audit_proctitle { char *value; /* the cmdline field */ }; +/* A timestamp/serial pair to identify an event */ +struct audit_stamp { + struct timespec64 ctime; /* time of syscall entry */ + unsigned int serial; /* serial number for record */ +}; + /* The per-task audit context. */ struct audit_context { int dummy; /* must be the first element */ @@ -108,10 +114,9 @@ struct audit_context { AUDIT_CTX_URING, /* in use by io_uring */ } context; enum audit_state state, current_state; - unsigned int serial; /* serial number for record */ + struct audit_stamp stamp; /* event identifier */ int major; /* syscall number */ int uring_op; /* uring operation */ - struct timespec64 ctime; /* time of syscall entry */ unsigned long argv[4]; /* syscall arguments */ long return_code;/* syscall return code */ u64 prio; @@ -263,7 +268,7 @@ extern void audit_put_tty(struct tty_struct *tty); extern unsigned int audit_serial(void); #ifdef CONFIG_AUDITSYSCALL extern int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial); + struct audit_stamp *stamp); extern void audit_put_watch(struct audit_watch *watch); extern void audit_get_watch(struct audit_watch *watch); @@ -304,7 +309,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx); extern struct list_head *audit_killed_trees(void); #else /* CONFIG_AUDITSYSCALL */ -#define auditsc_get_stamp(c, t, s) 0 +#define auditsc_get_stamp(c, s) 0 #define audit_put_watch(w) do { } while (0) #define audit_get_watch(w) do { } while (0) #define audit_to_watch(k, p, l, o) (-EINVAL) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3c0559b01677..23f72c14276d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -994,10 +994,10 @@ static void audit_reset_context(struct audit_context *ctx) */ ctx->current_state = ctx->state; - ctx->serial = 0; + ctx->stamp.serial = 0; ctx->major = 0; ctx->uring_op = 0; - ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; + ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; memset(ctx->argv, 0, sizeof(ctx->argv)); ctx->return_code = 0; ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0); @@ -1918,7 +1918,7 @@ void __audit_uring_entry(u8 op) ctx->context = AUDIT_CTX_URING; ctx->current_state = ctx->state; - ktime_get_coarse_real_ts64(&ctx->ctime); + ktime_get_coarse_real_ts64(&ctx->stamp.ctime); } /** @@ -2040,7 +2040,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, context->argv[3] = a4; context->context = AUDIT_CTX_SYSCALL; context->current_state = state; - ktime_get_coarse_real_ts64(&context->ctime); + ktime_get_coarse_real_ts64(&context->stamp.ctime); } /** @@ -2511,21 +2511,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); /** * auditsc_get_stamp - get local copies of audit_context values * @ctx: audit_context for the task - * @t: timespec64 to store time recorded in the audit_context - * @serial: serial value that is recorded in the audit_context + * @stamp: timestamp to record * * Also sets the context as auditable. */ -int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) { if (ctx->context == AUDIT_CTX_UNUSED) return 0; - if (!ctx->serial) - ctx->serial = audit_serial(); - t->tv_sec = ctx->ctime.tv_sec; - t->tv_nsec = ctx->ctime.tv_nsec; - *serial = ctx->serial; + if (!ctx->stamp.serial) + ctx->stamp.serial = audit_serial(); + *stamp = ctx->stamp; if (!ctx->prio) { ctx->prio = 1; ctx->current_state = AUDIT_STATE_RECORD; From patchwork Fri Dec 15 22:16:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495155 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1399CCA67 for ; Fri, 15 Dec 2023 22:34:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="VOH94/AM" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679657; bh=Cj3o8DDeOO3mB2stYC+RNoE7w+k7QDtNzeFRm8yCL30=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=VOH94/AMCtT3XLQN3JbYEDaP9EXBH4lav/Z/S7RpX/AM8dUHG1/Pzl70sGxr1cy5JVjvBDwIK9kygK902MJKPQ4LcDufULNxVQpudI8S1nEVNQJjKPf5IL1BsDRMTVtE06zVRf4+EV0QtUe7utm9TusNBjJCubAHLlQ6b4/Hr78z37n4q5Gsjv6QHr2IME2JoVK+m7TVk/UXVi/VNTimSy4Y8fTHlhd6SwFdOXzdqKHuF/UL3R5rccOe6FHnBPpCwf+R3Yk27AI0wYKT7mqdka7hUBCZYn7xdo0bg+IeNW/pWB1BKR4CYBjf++ifRRfHaSEvO8Lmt5MzTb82VpO+DQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679657; bh=9V75+0NTxvTdqySoNPi8lLXqS5Hh71vBXC/3KK7dvpn=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=RVCLtmbKc87y0mj7uQEh3NTyd5tN51nvRSl8e9nq4HJep6NpctacJUQ5NfhwXsE2t9PFu+BmQW/Jij4iIVCLwSHaGPRX0fFOFzkgCc/7uvh7/WCOLXxhJaPukCl4q6IcyN6EYLY7JQDFyJvTIzFoKYWLjWR1PbmarZrRpxFhpFaNXOFoL6Gt4vdVLf2WacU4UW2KTQ/pHsOc/27nocz2g6v7mUgxhT7x5iP6Mj8Pb04IoHYRnCk+0Y/L+kY26Kl11bFyRSaWG6XrmUzHhNDWp5Y16EMYC8D/Xxzcg4lOrCAcH1l5yc5v6wWSE5c7JvQj7euaLbm2b86UqYGP/wUVeQ== X-YMail-OSG: IpwwlcAVM1nFyIeUx.iyrETs0wI1G3Hy1EN47o8f5N64TEMEzyzJb9EH51zNjlI qoBc1RfKL4.e0zXPZST6UnAJMxOZEOAQEyatgOwDijn_7dGDFUJCbBPBiHhcCsOyj9pllTM4e2hI Yw6kj8RZWjqxdk75sIcQoYTqbmupi9bTGTrARIreTlC54nbPa_vmQHNwwHHpTmmb7k20N7tmMTo9 q.i1CB5.CQ82smY3yu0PFqM3v6jJLqE6JaS0aJ1LU3Orcf0SY44DuqKyTbshY_c4nIlR.KGuma48 9iszMEYGDTZ47OPtRrMtb2q11TSPWREV4kBd8bL2VsxQfI7H9kT92J8UvOpoIiFaesyB_9ci2Nq9 CoY24_SqAyVt6crxEQvL4EYREIJ.7iaM6VIQzhVDSGU5U9i7yw6tZZLt4A1XBZXjigLVpYNNt_Bt QCWf2nAbBHgLx9lMZPqsbLSA4mz71ac0zwzinjsqC_l25WTg0pkrnNovR2ROyr14ekKNw73qLmWf NKNshHl9V_s0yejFkQtkUfv6fa5UiIG.qMad.AKYwEoRnJt1NOjuLmWBxoaoU_Xn_g.trwku3D4x _2PCdRmqP9awKqDhoxVgNOi9BljuYRmMl3y.5.qIhN7zjECxCg61EuBTjg1QhkOgzdKE.lV6Ml9S GqANN.9_tJdAdt25frtNcRZ2Pw2SeqI6_wpLvUbTB4dZoihtpcTVZg.Ue5N1pjcTyrn9oM94rqJ5 zT0QACgs2hnWLwjOzms3mWV3zDefJ2cXtP351VvDqkCFysq7PmgzUMp6ZcUoNE7aNcPsPcVT7vcK 2Kf0wchKI8lFHLo76.110d6ImFk1rDHgi0Co618JcO4iYKEXUMLADoz1SGbWs6k1S4eGVlaYCAVN WIj0i6JDqlMUdUxUMSB1gW9wEIewv0hgGEgs9.TOi.E6G9v84WXP5TR4rP0MjMMz7E4KBGmgngba KAGCazWvYfzacKHeXr2QWXQ9dclVR0XXxz4FzaOs1wTm3xWB.2E5ga_7SwXVm4LlawgLknmC2ZEQ 4KZd9wVWxlsOGWnxc25eVbcBABsMFj9hPcDA5J43t2b1Ws75uWbMT2b7jt_7Bfqf3DAtmYBqU4B_ jKodmrhcx57PeLKukaZbiRl3BMZbCByuoIGyAfSQktifD5V3s1JykIQBN8tLpH2TzY5UE8l1wOp7 kjpz4sxY.Fl5ppXmyeRt6SAnD0ATNGqu5kNcZ0Z4JWQOgkAIFYT.DnfU6OFMb2aQ07Fay9u7fSIo 5cSLcEMOR.vG8xsOTUZ4bIj.sIe7DFep5IFkEJMGPqFz7PjujlD6Mi_laQ12hR6iEEVxKQcp.nXc SoXdrz9ZKcHTQkGogfKT6aAC.DqeI.xRn7f0jnVG5u7ZVSn2EgqfI.qzSiiIS0W16B_psTUaMrjs o01yG3WlNiR0_Pt8s6xjPbcfH4TxBKED3iWxLSUf4T8d5lLJ.j5XYZVRb2XD8W3iWO8qvNnJEEQD Mfc8qrS0eLqKdXKOlmwS8E8EPu5gcURRBzjkhYXTnQwG5Lt7CaXWL4gTGn.HD4gvQ0MoVcmxIln. kpI0nyZfByL5kzf0JnreE99VZ8of7GUt4GpzvUk471udt1arA3ng7rx1tH5Z.tWvv6xE6A5Wa.nv wGAUTFUjhHRtrzQxpahhWb4bbfH4kZRveipKoPUM3QbLkX4QBeKl1BDtc_L0qEdYIYxYPiYR4qjp rPjCTefDGGmZJAn6UXgC4fhodjJfn4MI4dfENgic9EV6paZFdv0lbxYKU7mQBLtVK61wiyfsrE14 mcxFDUjbRN4pZdftkeP5fw1B26e6Yqq02duHE..5k44EYKKlvvJT25YVRzmVHuErn1.oGamBJQoG XGnpSixfd7oQL8pAg4EljH1wXa6nVQwqY_LQX8g5izNX1O1pJW3jHenztTwTNmG3sSPps77o4xSh PBqqkqvFqgfg94.NzDAiuvcNQCQ3i9EH3w3RkE46pAL8.Grzduj01Gs5AqPi5pgsxRrsbseZYqv9 U9aF8VeoVWcr68DjaKAGPwxvEv_bVym14zwZ.MwmgneB2A1mVHo2LISmUTGs.2SiJvDQ7oEu_alZ e_WmV2f2mDA_fXkGLFI95.Igp4InJd.Li6JBuBhZsbAlN_DI0IOEZwa5U3Ba6Z9otnWrBVrKmTgu ajPlNr7Dq_qdNtICzkCt6EBDfA1EsLx8YbdqZ4REkHLUFbt6ivUNXWh3MBECyYZcZQZtab.6jTee fjlIeJFg_qEud3fxVeaxm7SP_PCOkL23yJ3xQ0XVVcWbu4tyYgEH7orVeTNg_ctSAxV3A781Uc0O 0K1pxPHbvpfbq0prxcBpvdkKHYOBW_g-- X-Sonic-MF: X-Sonic-ID: 649d807f-2ba2-4b35-9a62-bb24e6295b3c Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:34:17 +0000 Received: by hermes--production-gq1-6949d6d8f9-dpfkp (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 0a4ea853851f0b1cf5e01328013d4c00; Fri, 15 Dec 2023 22:34:11 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 23/42] Audit: Allow multiple records in an audit_buffer Date: Fri, 15 Dec 2023 14:16:17 -0800 Message-ID: <20231215221636.105680-24-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the single skb pointer in an audit_buffer with a list of skb pointers. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time create auxiliary records (none are currently defined) as have been added to the list. Functions are created to manage the skb list in the audit_buffer. Suggested-by: Paul Moore Signed-off-by: Casey Schaufler --- kernel/audit.c | 111 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 89 insertions(+), 22 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5291f65a01c8..b194494c4dc4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -195,8 +195,10 @@ static struct audit_ctl_mutex { * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ + struct sk_buff *skb; /* the skb for audit_log functions */ + struct sk_buff_head skb_list; /* formatted skbs, ready to send */ struct audit_context *ctx; /* NULL or associated context */ + struct audit_stamp stamp; /* audit stamp for these records */ gfp_t gfp_mask; }; @@ -1763,10 +1765,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set); static void audit_buffer_free(struct audit_buffer *ab) { + struct sk_buff *skb; + if (!ab) return; - kfree_skb(ab->skb); + while ((skb = skb_dequeue(&ab->skb_list))) + kfree_skb(skb); kmem_cache_free(audit_buffer_cache, ab); } @@ -1782,6 +1787,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx, ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask); if (!ab->skb) goto err; + + skb_queue_head_init(&ab->skb_list); + skb_queue_tail(&ab->skb_list, ab->skb); + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) goto err; @@ -1847,7 +1856,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1902,14 +1910,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); return ab; } @@ -2165,6 +2173,57 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +/** + * audit_buffer_aux_new - Add an aux record buffer to the skb list + * @ab: audit_buffer + * @type: message type + * + * Aux records are allocated and added to the skb list of + * the "main" record. The ab->skb is reset to point to the + * aux record on its creation. When the aux record in complete + * ab->skb has to be reset to point to the "main" record. + * This allows the audit_log_ functions to be ignorant of + * which kind of record it is logging to. It also avoids adding + * special data for aux records. + * + * On success ab->skb will point to the new aux record. + * Returns 0 on success, -ENOMEM should allocation fail. + */ +static int audit_buffer_aux_new(struct audit_buffer *ab, int type) +{ + WARN_ON(ab->skb != skb_peek(&ab->skb_list)); + + ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask); + if (!ab->skb) + goto err; + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) + goto err; + skb_queue_tail(&ab->skb_list, ab->skb); + + audit_log_format(ab, "audit(%llu.%03lu:%u): ", + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); + + return 0; + +err: + kfree_skb(ab->skb); + ab->skb = skb_peek(&ab->skb_list); + return -ENOMEM; +} + +/** + * audit_buffer_aux_end - Switch back to the "main" record from an aux record + * @ab: audit_buffer + * + * Restores the "main" audit record to ab->skb. + */ +static void audit_buffer_aux_end(struct audit_buffer *ab) +{ + ab->skb = skb_peek(&ab->skb_list); +} + int audit_log_task_context(struct audit_buffer *ab) { struct lsmcontext ctx; @@ -2399,26 +2458,14 @@ int audit_signal_info(int sig, struct task_struct *t) } /** - * audit_log_end - end one audit record - * @ab: the audit_buffer - * - * We can not do a netlink send inside an irq context because it blocks (last - * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a - * queue and a kthread is scheduled to remove them from the queue outside the - * irq context. May be called in any context. + * __audit_log_end - enqueue one audit record + * @skb: the buffer to send */ -void audit_log_end(struct audit_buffer *ab) +static void __audit_log_end(struct sk_buff *skb) { - struct sk_buff *skb; struct nlmsghdr *nlh; - if (!ab) - return; - if (audit_rate_check()) { - skb = ab->skb; - ab->skb = NULL; - /* setup the netlink header, see the comments in * kauditd_send_multicast_skb() for length quirks */ nlh = nlmsg_hdr(skb); @@ -2429,6 +2476,26 @@ void audit_log_end(struct audit_buffer *ab) wake_up_interruptible(&kauditd_wait); } else audit_log_lost("rate limit exceeded"); +} + +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * We can not do a netlink send inside an irq context because it blocks (last + * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a + * queue and a kthread is scheduled to remove them from the queue outside the + * irq context. May be called in any context. + */ +void audit_log_end(struct audit_buffer *ab) +{ + struct sk_buff *skb; + + if (!ab) + return; + + while ((skb = skb_dequeue(&ab->skb_list))) + __audit_log_end(skb); audit_buffer_free(ab); } From patchwork Fri Dec 15 22:16:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495156 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 22D45657 for ; Fri, 15 Dec 2023 22:35:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Cbeu0CWu" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679747; bh=c7E3EinGlYIO5DFIuwJVpD1kjxNAwcYojPiiLg1ANXo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=Cbeu0CWuLslNmc7PxcRvqMyT1SoSDMnGmRrQZfTNCQRrddiZ1TECQHuID6rx9zoZdaNK7FU73JvhHCBR/RqWYgESwC812oSuFW87yGCOU9YqTROysAed/HCuUwqO86zNMEZryDouUR0UccxtCdas8aO/OUDCf7+c3iT6ACwFlK/g0ENNcd32zmkL0Ky8EmM5EbeaESiM5VgXoqefeGySE3gmhVcpBFOnMlaHl5RbHSAUt7/+z9HQWvIoVPMWXoCLHesh8fT6FiTRLiVh5EmodRD+56yKBigaN1M2JVmnZxoYN3uz6Os+X1XItfKxoHL86Sl8f0lU3SQncOx84IeJdA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679747; bh=4g0jPcAkz+MM31SdD1zEI+4JpoZmv25pL7oQyuni4NI=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=mXXAGg9GNOryPQQn7V9Ox2kVP0oPru1Z3+4SIBuwAHBC1cs2RbcGDj7Rv8J6uFatfgeJHYdbG68YVYEtrq62mnri/P3tUHHxu+N7XOqOJ5Hrfs7cDG4HP30ibxwvNTZwcOsCvlIwLfsdAc9PwTCf8Ey5P7J4JV457wlcUmIHGXoi9w1M4HuvRhOOUqHjDqWlOcssOhvETjx55us7kNRKNsZcfhTto2xUCxcxlHhXgx+7U8F6xGWprksIAphDAu5vwgaTGqMDzNLksX+E3TL3cIvWAyYMKafINrEz/rKFiFxDuloSJHMWp5ijtou0GKphZFqzeEtqKP2YpuVPNwguMg== X-YMail-OSG: LC6mkRAVM1l7e5HM0_6jX4Hj7otrxSTEpj83RH0zZhphiPXFX1LiS2CyNG7BJ.w 2IiTgED9z3WqFAydqYiC0IqxyvQEo4OIbaZt_CZCEo87m4j8OL_hQAs1jz3cpEbNImrDvdw1eCim IWWxUlRiEOoIdBYvcXKr60.EU8KAJ3F7kdrnpnTrZTJueIAMC_C_1XrgUbWwNNY7IVB7YV_YmJvG gGgWpiSZ85D3miifviNR0TQKlMFmFzJn.oM4cGzPvqQVyIBtQrzLonZsJma5KvYv.eL1aFuSgGoK dr1ieWq42r6qDGZaiDuv5XWJfbvveJxU4LDntvBwsVwdYlZrzDixLDKzc1OQ2oqwFh2fTQSILSJh AECwD8fXNESwmXJ8SXHa6r8FI6qP8sw326xUV3aG0F1OSwbMTOD3g3T6eFmcqVzD0vaV9PxlZKYp aG.WMpEoc185y3o9BkiirY.vZgtEG5bNZoAyqq2GfB01uLRYwHCgxDQ3CQrELB1E6ipImB9ki7y7 AeRLKKyk2AHFHEtWq8pmDIiz3UHyzf9MQi0F3Ew4oHqhzRrbTkRElt9wzyxq9Pt_3dZtdFEu8DwB 9JQEua4sVPq0CD8WE5YFiswA.fMBRRBufVb.b9Ncbsz18pbPA83HpHy67Zwt1HWhFDPvF7hAPMls AE_ipml0ZYIkA4OHOuQkJyGBH15gK38yUM6shilBX.tqldMxagtYO5V8WGi8VUAJLMne6VrvcFb5 XEgJ2JHvOX_rXR10CpX264L.B3yjGuciLnLf4VwXkhk6z_oiQ89c5Ed1QX3l4YfPkJqlXpkxi_jw gZEcIiOo3PDtlcveREIv_lsHhecwmVoJ88sXShmj2_.lpPmmyCn_kHgOfATc.0QPrkyS0FtTd.LY nynDH_ouqdN3tdoFu7czd4N2GiYWPJ4glSjpGwd8ybBGGF3TNYqMp0QtmdwcRMXO5WFGxyz5KWC7 A2fMEAXRRNIR1GqUIoutL.jOh2cHpGSaEzqnCET3ey6WVWdtJPpoQW2o43BZh16_kAhGngG0wZoh 5ALVOLWjsDNTELR5Kwse1uG6TKhvG0IryYKXhGx1AwT8IE2I6XDMdi7UO_B1YWo5ydmXZ2X27OD_ XV4.7mtEjyH3ms9bS2.f_eMyHs0qXWhGerH6M.iZXj.cBHw5ZUCkICpv2nxB3NoJPZ_77agex8hX bkG3qNB1oA0rA_htPO47JdDrf9FIE5W7hnUgR9F2p4vdW_5kF59Y_TEDz43uARqC2qR9gLrtHUrp x2vfG.ZT1fy.eUtHzPavIWnZ0H17PHp0IpirBhjKB3rYde3AejQruQNyzbhkPjx_JkJELUz_VwEy y249zpcCLck2r30581A6mL9peWZRMRFu05th0B5OkY2BRhwRUZHmbkCYSftwfHQBlpW5qhInFe4N z3l8fDmM60bHZzigpwhqiU6BHt0h3OAjbSjkGZH.tS1Z3sqFrF8dlaFMY6UYTcnKxANaGKcNS1uQ iKhJDEP_xgG8LNuDuF70MzmGNaUVvzKm69PwFd0XfmzNfgP9w4AFAusN8KYjstYYc8BFXuIzARdz vuS.UoPccKiDLwSsIZn_RfHELSryTcx94xK1G1v_T.aEz3cXA6VPBIteSzGAWkMvAW2fJ02787GS CGIquzSn5g14hB0T2RN6g_KOMgK_0sj1WmBIWi8Fmr0ITlS7k8MBrMNTSU4Y_UxvSBqsbtUU9NaG vGNVcVSHf4_SclMyen0vXZxagQkkRuzZZTFDDCsYxwzKWzSa4daZBLJh5Fk03zY0nBGrmrXEqYLd Fc6rFkwYl0ocH84IrlxTUBf.I8GB9LFYIdMo7Iro6EoEmDUBYmCt3OGJ.3h6jOuuyf5r9yDRmVDy d5VX0DR60GDyz99u52DspIFHDQTvoQZoTv7W6Eq4HzbgPg9E5kYYlfn4fvXv1CGR1b1giZaizseP SIao88GhaiIa3nbb6FQr0yWFZABN_G7IwogWJTY_mv6RkLcxq5lWxRooHre0MV8.abOOmk4K9Ndv Jj9xJUsukoPBVbOYtu4c6n1BvFKNa0wmMnPfiQlrxRoBOaNouy8_j2LuwS3cT63AK0PrJmX0ybbW Mjs.jW4O5uTaIVHlhDTT6Kf6NGxB1qTGv5Kt.4vSSe7jSXypMxdD6no_7UIU3AI7Ei80VD5d0DZZ zs9aqepZBJbCjgzirjR66GJGVs5kUZZ_tsDe.OVFT2fpcLCnpHmtJY0BknM5iV9Ovc2K_hQFZ8Qd 2q3O9aE9vd5w350vR9aC.lTqWkxSEy25.J5Zdk8UU5Rg5M45NP4Q8NHLHSohlVoohj1nR6wY3A4U E9N.G9GVq0HP6VvCGAj2ohBwLaANv X-Sonic-MF: X-Sonic-ID: cdc641ab-9029-499e-b365-09cc3fca6299 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:35:47 +0000 Received: by hermes--production-gq1-6949d6d8f9-c9pk7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 4756c4ce944f308f64e0301afd197084; Fri, 15 Dec 2023 22:35:45 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 24/42] Audit: Add record for multiple task security contexts Date: Fri, 15 Dec 2023 14:16:18 -0800 Message-ID: <20231215221636.105680-25-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS (1420) record is: type=MAC_TASK_CONTEXTS[1420] msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_ When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record the "subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 1 + include/uapi/linux/audit.h | 1 + kernel/audit.c | 45 ++++++++++++++++++++++++++++++++------ security/apparmor/lsm.c | 1 + security/bpf/hooks.c | 1 + security/security.c | 3 +++ security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + 9 files changed, 49 insertions(+), 7 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index efd4a0655159..605aaf38c3f5 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -47,12 +47,14 @@ struct security_hook_heads { * struct lsm_id - Identify a Linux Security Module. * @lsm: name of the LSM, must be approved by the LSM maintainers * @id: LSM ID number from uapi/linux/lsm.h + * @lsmblob: indicates the LSM has an entry in struct lsmblob * * Contains the information that identifies the LSM. */ struct lsm_id { const char *name; u64 id; + bool lsmblob; }; /* diff --git a/include/linux/security.h b/include/linux/security.h index 360a454d5f8e..947cb3a35db4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -192,6 +192,7 @@ struct lsmblob { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; +extern u32 lsm_blob_cnt; extern const struct lsm_id *lsm_idlist[]; /* These functions are in security/commoncap.c */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index d676ed2b246e..dc045164b86b 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -143,6 +143,7 @@ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index b194494c4dc4..9d971fa96c0e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include @@ -2228,21 +2229,51 @@ int audit_log_task_context(struct audit_buffer *ab) { struct lsmcontext ctx; struct lsmblob blob; + bool space = false; int error; + int i; security_current_getlsmblob_subj(&blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); - if (error < 0) { - if (error != -EINVAL) - goto error_path; + if (lsm_blob_cnt < 2) { + error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); + if (error < 0) { + if (error != -EINVAL) + goto error_path; + return 0; + } + audit_log_format(ab, " subj=%s", ctx.context); + security_release_secctx(&ctx); return 0; } - - audit_log_format(ab, " subj=%s", ctx.context); - security_release_secctx(&ctx); + /* Multiple LSMs provide contexts. Include an aux record. */ + audit_log_format(ab, " subj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < lsm_active_cnt; i++) { + if (!lsm_idlist[i]->lsmblob) + continue; + error = security_lsmblob_to_secctx(&blob, &ctx, + lsm_idlist[i]->id); + if (error < 0) { + if (error == -EOPNOTSUPP) + continue; + audit_log_format(ab, "%ssubj_%s=?", space ? " " : "", + lsm_idlist[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_task_context"); + } else { + audit_log_format(ab, "%ssubj_%s=%s", space ? " " : "", + lsm_idlist[i]->name, ctx.context); + security_release_secctx(&ctx); + } + space = true; + } + audit_buffer_aux_end(ab); return 0; error_path: diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b5f3beb26d5a..075942b253ae 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1447,6 +1447,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { static const struct lsm_id apparmor_lsmid = { .name = "apparmor", .id = LSM_ID_APPARMOR, + .lsmblob = true, }; static struct security_hook_list apparmor_hooks[] __ro_after_init = { diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index 57b9ffd53c98..2da40774dd20 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -19,6 +19,7 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = { static const struct lsm_id bpf_lsmid = { .name = "bpf", .id = LSM_ID_BPF, + .lsmblob = true, }; static int __init bpf_lsm_init(void) diff --git a/security/security.c b/security/security.c index 444051575793..8ff6cef26e6c 100644 --- a/security/security.c +++ b/security/security.c @@ -269,6 +269,7 @@ static void __init initialize_lsm(struct lsm_info *lsm) * Current index to use while initializing the lsm id list. */ u32 lsm_active_cnt __ro_after_init; +u32 lsm_blob_cnt __ro_after_init; const struct lsm_id *lsm_idlist[LSM_CONFIG_COUNT]; /** @@ -599,6 +600,8 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsm_active_cnt >= LSM_CONFIG_COUNT) panic("%s Too many LSMs registered.\n", __func__); lsm_idlist[lsm_active_cnt++] = lsmid; + if (lsmid->lsmblob) + lsm_blob_cnt++; } for (i = 0; i < count; i++) { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ed4237223959..656f25337334 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7092,6 +7092,7 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) static const struct lsm_id selinux_lsmid = { .name = "selinux", .id = LSM_ID_SELINUX, + .lsmblob = true, }; /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a58e2c14f120..a9ab31a40e36 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -5069,6 +5069,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { static const struct lsm_id smack_lsmid = { .name = "smack", .id = LSM_ID_SMACK, + .lsmblob = true, }; static struct security_hook_list smack_hooks[] __ro_after_init = { From patchwork Fri Dec 15 22:16:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495157 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C1F218EC0 for ; Fri, 15 Dec 2023 22:35:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="cZx2YgbZ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679750; bh=7oGr4ctFH9QOr0JDyPZF54I+ATweTTJfL6KeAVlw3sg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=cZx2YgbZ0yWw8PpjV3NBeAE4zqX0pXv1QozyWcijSEUi7mMMMmSz4A28juWjG9QSvTRx0LxJEngNKyEFhIoSS8gMCYfE1KNTeqbDYiD0NENd0z2DZSElMt4sOFdeDah2agSRFMXnsjo10h/sNzZvML3peFldRC3XD4qImGroW3VqtHAi5xs3CjZqENEzmgraiy1tNSqKtE1hZLk87kDa4VrC6OXHQfeMsvMhSVJF8d9SEAkYJ490hwymy9a2xs+G63ZtLt09LAbUCS0/4Th1EcgqP4TdYw+1RaplrupGprIlDsABYdL+du3lGQEJhDUu8zKinlAJAoI2l8qG/NX5jQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679750; bh=cZH7URqADBFeRFOdehMoNbzHoLzBFNRIHZY4YfjZzcE=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=uKm7o6iHNoldhoYCf2qCc+1apLB+99AQBzcaYAfNdeddf0Hm4Fx244M0xQGl18FPHnVtE8vunlIwcAffiR7FcZqZB13T4bUH34GGHETixcYEWh9TKVFyKoSAAkkNWsIV9EKi516g+HNsz3ZfffvLdND+Xgz6SaHUfWxnIQaGV9qvgxzQMFpIlp3sihobjy2Fk+Z7M6aHglGOQaExv+cdC/kNBdnx9N8p9QkbieN0VQ77VXwX8RdStO9x/Saf4HJYTsemvhFM+RshWcR8eizVcql2l0T2ae1g21DzXiKSk1FP2RhwDWjJYXUiUZNVZRflJmLkplSZrF45NEhv1HxUKg== X-YMail-OSG: 5Zw6fdMVM1nvxgH9LBsMWQy7JWOMc3r_aNw741QEytgrLfSY.XsGwvJmleLxaai uzo6gmtXdLcCYZ95dthMySItWzE4dU7jXJ3I2sOo6ctlDZnQ72Y8knZr70dhZlMJhpQ81679A8Q2 LuOsMc1_c44Rpkdx.QZaMT6g59ydug56lB8jPQ2LEy_dkxhr9sWPsXDmWkSJ_EJascLmRHG.WJK_ 7iwFXNPLTIgXu0nJ7ssD2E6MSJR_J86fnDz.oZtsbwmlI8KUuYDBcXgy9mwsI6dB2jFrYUMvzwdM y1Rlb5P6itVnh426wXUin3Ie6fb.5qOCGLWUBbJc_zlVppE4uJ1xF01rcX1d5QbujVPmmXj98EYZ QDkluDZ2Np1VLWXhNJobcrYalvhF4t3fiLjWX_CAEIOx7diYaQiaw9OPJYwJSpHaO6Ica0kJtgnh bbIy9Cs8s1YQW1.dmhK10YgC8n25yss6pxn5Ne_jAc93wYyvi6PAF5Bf5QNW4_wnU82p9f5JfD1C feuudW3Exd67VZs3T_iPu2iXnsWzAn_TVJ2PkoyElU2ba0nwvxKH0tSszSJseD7I7vJjmI9BRYs3 4fYFIzkAk7auDDQBlJUkkEnNFjFvXPcu1UllOiSnXj.lKN_mdQ.qGB_GFgM29K09_MMzFVwqyp6x Y0g5j2bcmIc2IWv0.cgGyFDXNB7lsZ8caRwJd6rtD1ILVo3P1TE.VO9OzKPEoQ9GINQygj0YLo21 CLlGwQWEJnFVoDxYOo89yP5I5l24gdBxpl9FNgwOfc7AdVgZ1HCch.SCMUvuuTth8XRmwOfqjYKA H14E6MlG_ilJ__IswPl6nlinLN7GezO4AZFGOqcXJR.drkDRnIN.cWjR8.7xDdUxHZ5o0BTBTsHu WrszOIsff.mPIpXmPPCnJi_vNpAOHssw6SDmZrrdB5cg_2QYGtlOly9K_brgFmFDqeJkAlt8wWWI LblQ6bj1I_igp1surKGIYZrqeuTGLCtGKWOid8x2tkzAy17G17yideQkOu1t0VsrrzcHJjisJc0W yK6WvgTZWMQ8vXbnErLvhBHv144b5Lw8dYdOVbzR0z7G2qdPcy8AfaQqbCbw8rXvL2qtBne7VDaP FgyXtf49oopVvon_5aCSWe7L5JaqZcEq.iYcD0FpqEFwtWvsi62eItoip.DvCBl_OVSbkNBMTSQH nv4x_Lkw_IntnK0aMrBJZpHy1oQh1zckPnkyiI43W9Ye8qYvVqFl9lK7F09WSRjV1OxQB9Y34Rps H8nG9.QN0mCf9P03kFHGzzwHeCVOr.Jz4jZz66IyXjxVYE1YoS9Brz00ihDeuRVtrF3XOub3sgus gCver4bqGE9K6zjodxhZPSGPasRshtn3doJ.koKoUa01PItoyry2ybkw9HgtwmNuNkAYY7MBlAyo _7DaETVj8AYVrtaU9o_IYMJOv0xKUcTLGpOpyRDmW7BTIKb5MAajAxLE9EB0wcu0IlkVK6lbhuAY VcxsJ4DvkoJbnziW2VWqqifBqnVzs034G6cU2auYdRYUJGdhdm3xJ04la2mEdcLajQ3oxd2KELSI _W0Z3dXlKT.mbzetSS1Y22abuuq.AoNMfp3qL7CQ6L8Szux5R1OFItphR13_jVKphG2Os7QCvSwT N_NvELC_kHAtwkl82Uq9.dHkIGB0QhlQ1uiHJt45Ln2scDJxTIfCGXREqMn8XkNBqqI8ukpABJsB rFHhtbMyIXilBLkT2c5SwDVb2RGkUEd0j26wDDfHH6I2Yd_06fxOfXX8WILX5vY778RVF1iuOhwH 0udeZLU2NK1mGFLsAP.Y.JO1qKLOVxT5O20xbQhFloXPcKc1nhQ7MK1pdwI3Gk1.o1Dk8K.AVsgC r7bIMm7V19sWwgRhUrhwRQYfikoyF5JdQ1MP_pNZ4GXMBMXf4WudVr0GqZWxY9bc1_fWRp5ABQ6U ikwGA8hvF1J_NTtB85DhOSIXWBQ56.Uf36yq08DbHT_5S.kU10AykF160.sL8OODBun2vv_fNSjC 3WqOG1REeUMTyz4dFdZh7OQFClvzj6PluR9i5eHaRFXwl5JrOf6rbVns1pWUy1bzDRtz4LKE.mYB kxsT1CEp3QiUss4I49r2TqnpsNT0yx07lnO0dF_cDkMzdJX2W1sJG29UH4x3ATLSZvQlZmvJKmCb N_mb.FfYdqQEpgWt3oFxM4AugF9HmfaTjVf6XYCoMkBEjQM4SxDCpt5irf17shekX7XJx13bMlDl qfAFBOILIfJxdmbEgQomPDZNBaxB_m2GOQwW590LmGI49zrrNHCqe4PuPT1xh.QfAT6BawFyAk1. 73Uw4ijlsptbMoe82_tJZQA7rGqsq X-Sonic-MF: X-Sonic-ID: a6d2c742-c961-47ca-aaf3-9c461d42ba67 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:35:50 +0000 Received: by hermes--production-gq1-6949d6d8f9-c9pk7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 4756c4ce944f308f64e0301afd197084; Fri, 15 Dec 2023 22:35:46 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 25/42] audit: multiple subject lsm values for netlabel Date: Fri, 15 Dec 2023 14:16:19 -0800 Message-ID: <20231215221636.105680-26-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Refactor audit_log_task_context(), creating a new audit_log_subject_context(). This is used in netlabel auditing to provide multiple subject security contexts as necessary. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/audit.h | 8 ++++++++ kernel/audit.c | 21 ++++++++++++++------- net/netlabel/netlabel_user.c | 8 +------- 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 51b1b7054a23..8974500f730f 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -36,6 +36,7 @@ struct mqstat; struct audit_watch; struct audit_tree; struct sk_buff; +struct lsmblob; struct audit_krule { u32 pflags; @@ -184,6 +185,8 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern int audit_log_subject_context(struct audit_buffer *ab, + struct lsmblob *blob); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); @@ -244,6 +247,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline int audit_log_subject_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/kernel/audit.c b/kernel/audit.c index 9d971fa96c0e..626942c38bca 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2225,20 +2225,18 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) ab->skb = skb_peek(&ab->skb_list); } -int audit_log_task_context(struct audit_buffer *ab) +int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob) { struct lsmcontext ctx; - struct lsmblob blob; bool space = false; int error; int i; - security_current_getlsmblob_subj(&blob); - if (!lsmblob_is_set(&blob)) + if (!lsmblob_is_set(blob)) return 0; if (lsm_blob_cnt < 2) { - error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); + error = security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; @@ -2257,7 +2255,7 @@ int audit_log_task_context(struct audit_buffer *ab) for (i = 0; i < lsm_active_cnt; i++) { if (!lsm_idlist[i]->lsmblob) continue; - error = security_lsmblob_to_secctx(&blob, &ctx, + error = security_lsmblob_to_secctx(blob, &ctx, lsm_idlist[i]->id); if (error < 0) { if (error == -EOPNOTSUPP) @@ -2277,9 +2275,18 @@ int audit_log_task_context(struct audit_buffer *ab) return 0; error_path: - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subject_context"); return error; } +EXPORT_SYMBOL(audit_log_subject_context); + +int audit_log_task_context(struct audit_buffer *ab) +{ + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + return audit_log_subject_context(ab, &blob); +} EXPORT_SYMBOL(audit_log_task_context); void audit_log_d_path_exe(struct audit_buffer *ab, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 842a236540b0..4dd0f453bb4e 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - struct lsmcontext ctx; if (audit_enabled == AUDIT_OFF) return NULL; @@ -97,12 +96,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &ctx, - LSM_ID_UNDEF) >= 0) { - audit_log_format(audit_buf, " subj=%s", ctx.context); - security_release_secctx(&ctx); - } + audit_log_subject_context(audit_buf, &audit_info->blob); return audit_buf; } From patchwork Fri Dec 15 22:16:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495159 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AEF1618EAE for ; Fri, 15 Dec 2023 22:37:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="AhqJWdJA" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679845; bh=rC84q4bv3pOtqZ3VRmXBUeRBFuqoQ0GIzDt+InZd7gQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=AhqJWdJAQn+9Fkp9Gbd9jOytDRNEXFej9nWk++B0/E4HBPk1ZndK9HZ19N7zXLN47c58tL+4L//ztGpaHqK8jSKLnjrYBSJJQJWGqQwrZjLCXTwj5zH1Fg64LuO2y+wTV5sfQAMrFH8gbvaH7dMMFYOSFg7M849P6Zp5EYjW65z7ic6CwzG1Wy4Dw5M7kTgFRd/m5xI9Yy7wRY/hCDScEbfjFs2A9Hg/Uiv+IRFpJxbzj7Q0wdoSoJC8EneQFHszaoAGRvxreSdycdrs/H7h+4s1ZQam+XOrq1yfVKYNfe1GISSz3Iw6HjnMwxG6cKdso528+AfAH5s3hyP58ddmlg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679845; bh=xxqyIWfLrsoSC0eg4eaY/Ihbdbw7/1QkMeH4uCpRhjA=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=bsWxJ+qAnxmSFGKm+DwFKdDbsTm8glU06xW2gXaMjdcRq4Dtqe0vC+U4AjIwc3/4fELJ1HyWiWBcvUQy9aQAxTkTu82KcUZzXfxNg+/A/g3UspP2KTR1WQ61+nO/FqJKbcuDrTeXQDs7cgYYKYXM6uUJsD3g5QSrUvVRIeVJZlPpvl0DwzIOMO1/s4Xfixn2xjYxYy62yNWg9aYTb1w39bdCQ+HiBIt7+SvbEm/dJn3PLo4tFv4lDCnRxeAmZ6us/kwi/16txYUhQtjB6j5MmNsQU062X1AyF14hcpavBT+eSz5kFG2qvdqIy8Z3z13NQsP63Ia30MrECghldmJE8A== X-YMail-OSG: wpQks4kVM1ks7bL54iPNm92BB7fVWR4.pHazEAku13DFNhodHpOV32ok5_AO.ji Oo84oXteJa4mOngt0RJ8cd4QQR1TogNA1jPbptU6zIQfnMc23rcDFO0vEnukdPH5aCkkfEWxWu9G QfmoDClkRmOJMDTiIFJrA.592876aqSWT7bRPRlC_ykjYRTTdDxlCqlp.j8kaYsA36xY.du.chhX TxN7M4wpPyVCufkavSbTeyF70.DvXqfR0_rc.1WJxhqah1e5h7nu0dqOcjFiTKA3IVg2OHQeWb9o .qFQ2m3.SIfnzGw2Ed8fsyd0ahlevNU8k1psEdtdA.Kv3U5mI2nBJBLMH4eRwd7rgqGq6tdc4PRI Xwq5HaYrnwWVZoVus_Fu6f_8bxy2sbM_TJHE4cGQdcOp5ApNuSYui11.3VxHmWC4m80t3zvhvpUF lQs6D9NJRuAKR3Ohk4uNB1pFcLhS7AhBLd1vQLQbuhxPXz4p.Az9BuL1CzPgYwPvbBbTC58BREEq 76BQBMYU05V9sWFfp9e.hQDngquiorlWU0p.iXvygxDKBpMH5iXy0g.wSiru44n7DBrHFElMqJ3H rhw42hEHdBHMsouuft.C_eE.ILsFp0yWnLWq80JvY0YssLZMUQozNLrNm5vjRUCavwzqtYzdazoB BGjPz0_exSg69WVa3ZzhkFwCE3VVnGEsDr0ecZ8u2TXp_pLxzLS1zT2mhkJcumDd0nXGpjxqrVPi AoIdnAaBLoAkR51kFbooSGo4Xp8LsQ6g22VhM6_fm8FNPZoQzuS53vIfBax9ke8oNh0uDVjOg8Xw FxzJbsB4wH0TBdnMmgMZRE0n9X3HZW6KD2UVXYU8H0bChyNbDIBTgbQooJPT3O6Z.bGenaoSeImg pl5X6tOhAXcl6gE8pB4fPDoi1qxALbCRCP6IydH8egqmw64HGGo9bcfH0NN94ofnOP5muO2Fe0Qv NxYK75LxQot.PTDfkSj34eTlwfx6nhbbzCPtGg1LSLBq9sggrvky06Vm38pQFfQeZHwRzbNNWPS3 kcA.BVy8UofbEVS5N4EdzzfDLOaK1UDhRtfG61_iofge98GISiqM7B7XBJOWlSLnh.VShxPkUdby lRLE9F4KUOr.orQ6B8xy8RPZwYx5Nhq.90WsuW2lQqZdyV9qYhxEQCssQFhdpCkX93bQplPv4CAe bJY8zyxaAhnsaREToaJ5go.gRaZBgKiJiE2bWUvEWcia6WzTWCVgjRQsJgBm3a.wE6xNFtB.o6D6 LfTg2.HuYDg6qAPdNBmOsN9vSTaEjFWBGup.AfNaK9M7sAxpHusDB3t3TPXnVxxdOV7k8eMsiwLH .bIU2_NR76sDhjQ07odnCYo0LPBJhshGeOyLvO9IpT6zAnslyUTvoBoThg1us9fdkaKtWGWJwN_a zJnC9ls.1kRRKZgebAngNgmDWP76qyb3idNB0rnaDZEGeksrU61buzTCR_QuzoK_ZaX7u_7KPelO 12Y9wCE8qGSrKad2M0Hmn7I43BesikCE8ORhoE3_HDbJFtKhux_9CK4JfMr2dkuNh7o5MAfqHCHD 31vBrC3aETvCvZo6yCmPeIb5gMGK6XKUCHto1KrY.pHSL0YxGD7dy5l1Y7f.kcuAs6KqBSQYNZJB KIuUc.kSQ.mLVL3QneW4Op8Db9M3PQPchn9LWL9BtSJNPo_D_DmcUeR0hlP6LSFe72mxw0o2lGnC NeRrJ4veLY91e1cdWlCsvACEucdEkHY2Hx80e_YwroiQou.hQ8QTawwpxVQaV20qoDYbvoPBqeQm yNS4XXlBrkxEDGXEVESkIjfIVlvmULjfMd7Xhrp6l4h3p1o8x4kHgDj7EYZ8rYNWo1PSFY6QVqwC C3Ys_gEAYTcPIhkzoAfuSDcIg0aUfFOhOX_.VHlWTJuAGEdEQrarbIXHAPr15Z0cvRL.cwAAHOgO eRYQKXX4T5u3nybyntYofe5wEGOvuqpRohr5Mc8vWPtUwdife1htyobvDazwHqPnbKXDZZ0Z3yHT aldwUGznnXcTF0MgN9N6UIWaLXGR6rvSCQGR3PVpt2945IJN4ffMapsHiCgdW5mQaEXUTfYRE34T R5dWIP6QNfufdJeJEVVkHzDjXTUdaBOOMXSLCl2NY_7J8x05Zu2gZtC_vX1V9j0vvEuP17w6L0lK b.gPKrxz5uNu5.IsvPth.6sNEJBjeL7pWmRD8QVfvKwDm_c7Ad5MKJ84inmehdxTk2673ED.lhdL FsMifpdQ3ibB2m4X0dymSxxWRN6z1ZWPEUXgfkdS3W7Y04mVYUwnpYuTkod.WVm8Z2uFHrO9NFl8 ODPvFwBLhjtsD93zl1glW.c01pqLehA-- X-Sonic-MF: X-Sonic-ID: 087cb55c-d788-456f-a84f-8c7f42d79f4b Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:37:25 +0000 Received: by hermes--production-gq1-6949d6d8f9-7dnvp (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 99c4f57f4ffceb7049a22eccaa6e59f8; Fri, 15 Dec 2023 22:37:20 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 26/42] Audit: Add record for multiple object contexts Date: Fri, 15 Dec 2023 14:16:20 -0800 Message-ID: <20231215221636.105680-27-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS (1421) record is: type=MAC_OBJ_CONTEXTS[1421] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 When an audit event includes a AUDIT_MAC_OBJ_CONTEXTS record the "obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- include/linux/audit.h | 5 +++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 51 +++++++++++++++++++++++- kernel/auditsc.c | 81 ++++++++++++-------------------------- 4 files changed, 82 insertions(+), 56 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 8974500f730f..914cfd563ce3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -185,6 +185,8 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern void audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); extern int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob); extern int audit_log_task_context(struct audit_buffer *ab); @@ -247,6 +249,9 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline void audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ } static inline int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob) { diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index dc045164b86b..bed324162a7c 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -144,6 +144,7 @@ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM objext contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 626942c38bca..dc11dd4c41fc 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1105,7 +1105,6 @@ static int is_audit_feature_set(int i) return af.features & AUDIT_FEATURE_TO_MASK(i); } - static int audit_get_feature(struct sk_buff *skb) { u32 seq; @@ -2289,6 +2288,56 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) +{ + int i; + int error; + bool space = false; + struct lsmcontext context; + + if (lsm_blob_cnt < 2) { + error = security_lsmblob_to_secctx(blob, &context, + LSM_ID_UNDEF); + if (error) { + if (error != -EINVAL) + goto error_path; + return; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + return; + } + audit_log_format(ab, " obj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < lsm_blob_cnt; i++) { + if (!lsm_idlist[i]->lsmblob) + continue; + error = security_lsmblob_to_secctx(blob, &context, + lsm_idlist[i]->id); + if (error) { + audit_log_format(ab, "%sobj_%s=?", + space ? " " : "", lsm_idlist[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_object_context"); + } else { + audit_log_format(ab, "%sobj_%s=%s", + space ? " " : "", lsm_idlist[i]->name, + context.context); + security_release_secctx(&context); + } + space = true; + } + + audit_buffer_aux_end(ab); + return; + +error_path: + audit_panic("error in audit_log_object_context"); +} + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 23f72c14276d..bc13666dd6ed 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1092,36 +1092,27 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } -static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, - unsigned int sessionid, struct lsmblob *blob, - char *comm) +static void audit_log_pid_context(struct audit_context *context, pid_t pid, + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsmblob *blob, + char *comm) { struct audit_buffer *ab; - struct lsmcontext ctx; - int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) - return rc; + return; audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF) < 0) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmblob_is_set(blob)) + audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); - return rc; + return; } static void audit_log_execve_info(struct audit_context *context, @@ -1370,7 +1361,6 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmctx; struct audit_buffer *ab; int i; @@ -1392,16 +1382,8 @@ static void show_special(struct audit_context *context, int *call_panic) from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (lsmblob_is_set(&context->ipc.oblob)) { - if (security_lsmblob_to_secctx(&context->ipc.oblob, - &lsmctx, - LSM_ID_UNDEF) < 0) { - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(&context->ipc.oblob)) + audit_log_object_context(ab, &context->ipc.oblob); if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1557,18 +1539,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (lsmblob_is_set(&n->oblob)) { - struct lsmcontext ctx; - - if (security_lsmblob_to_secctx(&n->oblob, &ctx, - LSM_ID_UNDEF) < 0) { - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmblob_is_set(&n->oblob)) + audit_log_object_context(ab, &n->oblob); /* log the audit_names record type */ switch (n->type) { @@ -1773,21 +1745,20 @@ static void audit_log_exit(void) struct audit_aux_data_pids *axs = (void *)aux; for (i = 0; i < axs->pid_count; i++) - if (audit_log_pid_context(context, axs->target_pid[i], - axs->target_auid[i], - axs->target_uid[i], - axs->target_sessionid[i], - &axs->target_blob[i], - axs->target_comm[i])) - call_panic = 1; - } - - if (context->target_pid && - audit_log_pid_context(context, context->target_pid, - context->target_auid, context->target_uid, - context->target_sessionid, - &context->target_blob, context->target_comm)) - call_panic = 1; + audit_log_pid_context(context, axs->target_pid[i], + axs->target_auid[i], + axs->target_uid[i], + axs->target_sessionid[i], + &axs->target_blob[i], + axs->target_comm[i]); + } + + if (context->target_pid) + audit_log_pid_context(context, context->target_pid, + context->target_auid, context->target_uid, + context->target_sessionid, + &context->target_blob, + context->target_comm); if (context->pwd.dentry && context->pwd.mnt) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); From patchwork Fri Dec 15 22:16:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495158 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 859CA495C3 for ; Fri, 15 Dec 2023 22:37:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="bysT4xYk" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679842; bh=AY20ZFrU1wbcN7ypVt2+incPtgkBfYNVy9D03vUKxiE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=bysT4xYkSawnxm4xVclXf5BSqOa/dAXgZR1opyCdJq8BeUriarGLgR2pRG4SlyanOe4icu3T5DdTolxgv9xIlaRuLOVteAsLefQiGrtJoQI/bTsPbo5+LAOzkdyCdJDYbtfK1JCdAcL7gRjZeY7KsrX6P6MNWY3gd3UQ2m0RqirAyHCjjy1PVWd4eo39VNXn/939oX31FkVyfDxBndCXBZqiXxDtMB7dFahuK8aS58Exs9NkIWZHQIeMnGNAp3M0oRpCl+hrnu5VITHqjgxvBRFBqBA3eqHcArsYTdV6+VfF4fykAReZiXUJH/XGL1z6wJGK1WveUz+MwdX2vccaSg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679842; bh=IXnnuOyJkeRjF55SPtDjdc+TVP1mutI/FpT9qm3+Hs6=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=kevNW2Vmly6srcVMOg2DDaCLXsDyDwC6uhvSE7uFvg0V/Uame0uUh2JzN5ejc2s5sVjd9IV9+ug4kmgKC+zDtlbhHb0gMUE6gHxRBvjhx1YHYikY4EzeyivHAGjIO4UmggmQBWiDXi5+7u98Xs1ijJavcvDrgc0ewUmGkpENWX3m5YBa+BS7qEFQCz5bgX52g1BjNuJkX/KfvDqCq23eJ/iw72+ZcDt+kluYrrmAL3lAX43c3/j3V27XiL/Uxv6ebe+d25s3aws2cIy47MRvgo2/oa5dz5A883ObuMzeNr58fvsMPrJARmMTQ34x+Goi+L1LaL7YJkNhrhxeELaHtQ== X-YMail-OSG: lIV3mRMVM1m8JyYYibsBE.59mSHktsLaZm6jE2.8x4nksF6kKd.iiSZcEXvXgyc _QHB3Trgz33IAHCW1dzKe_5kobq16.A3ENtMxZWCuttEOS7SHIbcN7Joq6dp9u0UXGs3Kqkd1mhv _ZuKGsOomYIORjs6CWyIE_gj0SPYnwntCm_bg.01knLqPaQt9vXSGmImgGOa2sSF2F1vZH.EOJNK SAuKW.UCx9NPQPwiczgQPpsaWLW.9siMtrQBXIz50wsKYbCNSepniFfyNb8QmRK1PY_U4u6BTGPF dk6GBpKzTO2MaN0FkJXhD8hPK1LZg87PIawmONOxrQARVRzxGrkZcqvxldBQHq2fM87RgL8eDmun NB.YD_B1Q8VMYQHQTijo0ThdZIipVdGPXULkEXxxDPVehFglrg6HNIK1Rp0965VDjkIoKPiBrIhO tmZ1e6ZQVFyNSCuUv2a7QYxhASgSZUfkP80K9siKp0EJreYWZXGZ5V24cgeesV502hGaxRehZ6Al rFstnkHHHE8GI23aLFu1nUp80U0uT1Bv_rrHS9KUydf4iCggt5olB_gJPRyROlVDRfdQVrguzGVi D0ZhTm6OSLEf0favkSKug4Gx7PoaxLlas620c0fbKEnime5S7UUFGfAysrjmaz9GVh51FxFbsDh9 Rcbci42Ef_b555AWQPiOxU2rxUzAiRgu6ZwEkjRccEmNGTtcvCXDaX2FeaxVGjkzX0dZ2Uh_586I jMlRE3DzjUdAj6floNgokx.St.B0U7M_qo9_v5gQlz3qw4UBdzAU9wX2pxt8hiWUi2RAsSfd1ULm zpoVXwdmee1yxLAyi092w70P09jPVEt5RfUC0VZBqQeZA5es44.RH.uALfG373f2rJI8r_MjnU0l B8Ziy8csoCoyyxlqUzKROa7_pMaxheCZb7PsYzLGF5klFk82BaesZFxDzME.qH4V17rHoZwjpn9F Pb.oPr0g3wBtX3Pv0DoV.x9y8pB0Ppgfw7SRzIilsd507ZaQon_2vErrL6JQKY4Ba_KbYVwL5nSg v_6ebQ5xTyauwdU6Bw4rHixIXwyX_hf4sev7rKqlf6JUA7VkjVu1dK8muDUS2mjdMwDBFjT6TV_W QN7aJasZm6diZXw1RWDQlWnn_tXr5HVmTpq06BL20xJCF6lV7ODbDmxbe.jST62nWsV8LNtQZcup 8Ocj7g2poQ9p9E6tTy87qgeYS5FmRKvfvNHSd4JmDdV9RLddDCSLRj2KtZV.m2l0kS6muJfqzAd8 8PxfW6yDtpq3feyeZkvY9.lwX.5hTCkA.KRwRf2CVbtk4nP9Tx89QEOHN.6.TSNvVujy2Bu0Y7pU OGt53Vag5CCXczyNegjr32ICppqMKGpitXpFuai4lyoAC__05c4dJRQAF1ybc2XTCXPaiXUR2TpB wJgIgXKc2bwW6Rpfz84kTiVRmnazwxMIhjrTyeLc5O4CAC6k48MZy0X8CM_pp1XwzWpuphTF3e00 _TEvJRrQdZqNuiyUdADhzazNyeccQFQ_4DM5ny2tnjSCBwjLW.skUiaZg62OkRbEZkWhGO4jCf4Z tX1qXUxGwyiHr0p8vz8eQ0nq1u3VDZFuX9dOe8p3Y2U2UM2Y8l1UcCio9g0wPZtnLGyfhdNwZGPM L_NHJ3jmwWScYTtZtYKuR9yguv9OhmyA9cof3pZE15PrayqWp85ld6Oi7V5yqYjyUyim2r3RPrc6 mcNMhXyCnv9YK36j52pXzTvxRKa.VTb._My7yARBlb2GzhNg6vRhMAnHlkaI1.8nJUt2NnO.vt8o vLKdBOOd1_hRAofD4Z9QVLOkzYeLDizstcbd_iSuk1WFudNiqazymYIT4DQgJmpTK9BXuuT3Jn1C sMKa39EDG53lgpPN4vkZgprLX8Oq0717QSADFgwq00RtTelgSgLKx.F7RzM8WYZO7mEJgFYnFrRo sofBcORMSeHu5tOCbyVzrUOdLqqTzxO_aU6VdX7pZ.3R7CJK8O_h2mSj9b.Es4CQzSMcBUP57WK5 LZkSsF5RBCVEPPbKAvTFMaD35uon5trQqMMev9wzNxNSIY_QSwP9NB6B2BTaxXeG1NgEnv_WV00c dpzYFJfj2tgKG5zWYsvKT1uMjGNZmcZcIXObiTsHnGALex15uoI..QV80i.5hAa9CsrEg2HYo1UD WXnwrNjlTYUe7lQIEvA5osE77kLutJV4txEtp6176142F9n9Jv9Ghuu8dB4R6gCQL0FMr3LMyiC_ 0tH5bKDrIE9UbcwKibYqXdNsmFtX14HVcBRDyDon7Gp6jsQO3 X-Sonic-MF: X-Sonic-ID: 9755b1ff-cb19-43be-bb3f-72b0628282f6 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:37:22 +0000 Received: by hermes--production-gq1-6949d6d8f9-7dnvp (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 99c4f57f4ffceb7049a22eccaa6e59f8; Fri, 15 Dec 2023 22:37:21 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 27/42] LSM: Remove unused lsmcontext_init() Date: Fri, 15 Dec 2023 14:16:21 -0800 Message-ID: <20231215221636.105680-28-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The lsmcontext init functing is no longer used. Remove it. Signed-off-by: Casey Schaufler --- include/linux/security.h | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 947cb3a35db4..529671a89ce0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -160,25 +160,6 @@ struct lsmcontext { int id; /* Identifies the module */ }; -/** - * lsmcontext_init - initialize an lsmcontext structure. - * @cp: Pointer to the context to initialize - * @context: Initial context, or NULL - * @size: Size of context, or 0 - * @id: Which LSM provided the context - * - * Fill in the lsmcontext from the provided information. - * This is a scaffolding function that will be removed when - * lsmcontext integration is complete. - */ -static inline void lsmcontext_init(struct lsmcontext *cp, char *context, - u32 size, int id) -{ - cp->id = id; - cp->context = context; - cp->len = size; -} - /* * Data exported by the security modules */ From patchwork Fri Dec 15 22:16:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495162 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic302-28.consmr.mail.ne1.yahoo.com (sonic302-28.consmr.mail.ne1.yahoo.com [66.163.186.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C4E3B18EA7 for ; Fri, 15 Dec 2023 22:38:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="s8E7a9Ht" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679938; bh=vw4D+BEaDQJfSHAGsDrE6ropoXZ857wJv+qK1Uq2Fhw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=s8E7a9HtnwBj2iiRElPv7y2OTlbx0dCRAAA6Or5I/05O5N4cr6J1nrWYTkW6kVIbRI2i/KYtGGPGF6pH0JQ4Gzx6xHG62xwnWN4SxNrYpR2OZKP1lUykR2lPd/javdaj3N+znlS1+3IO8z+1JzCIy/hC9M7sjLwGrb6X1UfXBDoaG3EzcErxgWfioyVoTkjesWsKFyRuqrwbmNM3p99JfS02u/U7za4IJb1FyIKF4EXBsS7Q4tk2KYk2uwgqU57CoQLAGG1CLBtYhVqCgnfo7fNHrnzbwCyNVfnpXwlTUwMpgnSY5rfDppPAFNvYnQF/sx+3TY7rK1eQhK4bS7PNyw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679938; bh=2LzbYmbZES/Rx27hObskEXduuG+XqU8pv+hZKjvn5r7=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=dTX/HxkqVX5PK0d8MQO+peyShfelnwP8wEJpgP5MijcaSk0LSP8OCbQc28xaIYckvSRYLJ6PbM2kN6Nq5G4qmV18kjaCf/9jkMH/IN7vqjyBFDerk4hHuutLOR+Z1sUgbPapRGOzZCKv/Q/F04Rmoxk8FcZl2Hkj9bcqFzRGZ3Za2Tp+6yFzNdkq+nWGDv6yY6bRK+5bh5SHdBdyBZWHcpDHEzpNjmbKlhogrubXOrgY5LAPoKKMItnZSUUtzwG3CuZmm27GdYZytU/SXnIiT6gKc4KUSXK2w1MzJFhXTIOXl/xNwKbbWezYnldeGvO8S9sexpb0B4zBzhW/SlyOqw== X-YMail-OSG: ECI1w1QVM1lUPGDvCk.pmrmMnDdEK5GNlLDmCYaPQkgnT9WuOsTiEo95cqhIlNo TtgRjn6x0bF.d5_TUduVxhGFXkWD3CMsERJM8o9VRsScgjM.08rjAE5yRAycJOBnC8uuLghnGnkX AA7OSgDi4gmXY_h9RwVM6oBmdD9iOFGFhEcrUVXXYD8bxgFBVn0PpxcBVU9LYlSm5GHBFqZVWBKF JXaqm3VGwFl87GOQ2zwB4Lk8s.5hPq6snASDUR1sMhdjGhxf0BvCq.gA_ZMQyoHVAFuyRPL6Z_lJ 5cn9ORu8NnKWsfehnZz.oqLHFaT_XevKQfv_v84t48Hi13BS_rKAMxNWERqR48EwudIS7.J0gk8P qWMSyVACNSZQXAUBBSLz_JJmG2DWuN6a3gd54eyHyq6emy.v0vexGBa9niv0u3BoEaagTOHAmIRn fkUK.1I33xYVw43RgCb9mbv9WmKHCjDt_TnWTDsKMLLLPxXzeTa3lAK7lQzx.OVRXlq.sMFGwegG lAcD6tf0_7f134E_HiyzD.lcLliPWNM6Sa5mtXgdg1y6rRLRpavf6l4RWjXE.AFRCxDRoJCoMP9s o0SEYmqhhLgaaYU15xc0RgFCNXtRO7oxuQgRW3PLXORDTZcOeqVUpCHdsO9U.NFEsFKjeZ4VZDuk l_izfvqkq1Uf0km9NNJIj0o1MUwlguu_uJiR3di52XdC.15C2yb9D8mrByaag9GqRxG3EPOGlOZI r2cJTbNJHZy9sdmnnuQppw7uDGYDRZ5BiKA8olF82E4gyEcLHuqVieBAhfVnvuvLIWZw9kHe1TNw HNL64uvBFGoGC2.x5OTpfWi_JEncu.PpcY3Cjo53fMQh7FFJ0mLb0S7tuAZrDtuA3BgP9o9tczT4 4IA_Ffmt9wuOHr7B0On4bQDCr2zMQAeldPGlc9idMJUa9JBXU17ZWt9N32M._skMb33xx.ZvpPK7 hpadrCUNZYvk1.SXK2K40gBw9P75FvVXrmVTb9n9OeVtaXcbEcVGxgz9aeshLY39V926WSz4H.Gp yJhC_JsjCP9zh8O3NNkrmfn.Tp0RF1uOggxcMD57rqz0J3PP8qZSwe6uKrQONI2X.7WxUcpInwP9 qC0TQkp6aXuJnVVZxChvW6Jh6EQ6rlOcOgpCajM_k4yHL9TDQoxsmkzouNctX.XUnAq02vyuTNKR VanQ9hKbGIZC99faHuGSsRp8kxnOHXRj2cZs.tepmUuRo4_xyjqc2WfMaUPx.tgS7iSnpgq4KvG2 rbFn_1RciW2QpNSh0l_.5Qvz8cCnXgywfux55G4XW4RcDUfuFFGGMIFu0SppUUlXcI6b5cYumnLL 6B0lOwJZnCQSqLGr8RsvlI7ERXYuTzVNLY4v_KX3GOh6LaOqS0NSQTLahvf7GMYTzvXKMa9t3yNs Ih7I2XOggIpXASE9FQXqsOiji0vGWvu96G_z6U2uBvfEl6zhml5SJby3hJCEf7BVVGHe9F_EzXzC qGGgWpm2pSWbS4wCcUksiuatvst7WyWjXV0iSngbdXZQt7LMRSYlCOn.B_MRUxw.EkOOpkyRlK6B plIwXU1jrjFDv_AdDn58zIFFZaC8KV3qmsQ8WNjjuh5YBHMrgzY7Z00mWVM.HeQFpxzlSqTuB9G. QhXaHiWRjTVhMr0nBFV3.XP_1KegolrudmhQgNwpjs.v18WB3L0L0Aowpp5nZePzKElyMmTEDE8n TWsaE8EYCnmTUplsnE8idnnKDZx8MmD.TIvFtxof98bJu_kz8ypvBBkrEC7EjsiYD6y0SUlc_05p eu_MuDcrn0WCZSOh7RZ_ATZZfE40kf6qfK2FycR0E.WGcRsK.F2v4wFHr3bxWtQMXo.bxZ2euJ02 zSzJuUQBYgzaSa47VXlM9cDmKtIR7ijgfS_Uwc.7pLea66fkbptD2vW4mw1FqnB_2l.iC1udenJk C_vAz5oYhBvgytwh16qeHZHGo49D08N9bEYLMD7.QVfCrUbORu1cJJT3zbjv9IxJw8AFBhnHwzcj DAYhTxAFcNQiZU6edrIBJD5EOQVlowYurYtjo7ZMQbBy75lbIK0bKvpNZ8dkoygMlzA5z5qybYxa 1Idac7UNmr3RwZLOZWzDc0frBzJNlA4vYkKMbSBBgn0jusSM8mdJxwaYZBpIbnf3URPT2oPwHdf5 xiFFMMiLXbSY7GczQ6F5Z.0SD6jLkjoZ2wQDct2FMI1QjVeuV85YI68Fugh5s6kEV59svyA0UXoM JSXGtfKEd1LTAU8pJmUNVuhIwUJiyhpsqPlQeHnLHufJhjHA4vNFm_EjPy3OznnLQHNTjQ4ii8ia zXrMrUIikzIyzmeMacTEuWMl78iM- X-Sonic-MF: X-Sonic-ID: e49cc921-3fa7-4678-8a0e-ca413b7682da Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:38:58 +0000 Received: by hermes--production-gq1-6949d6d8f9-q7525 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 522caf1ff66b851381e701962a25c33e; Fri, 15 Dec 2023 22:38:54 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 28/42] LSM: Improve logic in security_getprocattr Date: Fri, 15 Dec 2023 14:16:22 -0800 Message-ID: <20231215221636.105680-29-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The conditional in security_getprocattr() can be simplified and made clearer. This change does that. Signed-off-by: Casey Schaufler --- security/security.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index 8ff6cef26e6c..f2ef6032a925 100644 --- a/security/security.c +++ b/security/security.c @@ -4107,11 +4107,10 @@ int security_getprocattr(struct task_struct *p, int lsmid, const char *name, { struct security_hook_list *hp; - hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsmid != 0 && lsmid != hp->lsmid->id) - continue; - return hp->hook.getprocattr(p, name, value); - } + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) + if (lsmid == LSM_ID_UNDEF || lsmid == hp->lsmid->id) + return hp->hook.getprocattr(p, name, value); + return LSM_RET_DEFAULT(getprocattr); } From patchwork Fri Dec 15 22:16:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495161 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63EA118EAC for ; Fri, 15 Dec 2023 22:38:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="tTllBY/E" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679937; bh=9keQf9g8TT1WOTQ4FMsX6B5QIMK24lZJ/xlVXj6t8WU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=tTllBY/E6SGxl+s9lXFNHY+lk5xjxPuWSo69GbT05A8S6sbVEqBokVFaoZrIgEA5jIPPb7YBUrjSfIxQPUqhBSOgd0yEFArlfcRgEuxbER2RGlQddeuKlHAKTDMSB5XeI/f8WmSOhfydOex7RYluhhpkqlsOvtpUKLsqfQrUQ8MSJxMiAKg1UCQR3YzKaoXJmjEjOdhVF1BOHd5nAHT2394anIsFJf0gN4aDxu3koNeWs3OUfyw5u/3+qTCg4QcWSeibEXlEmOExUuvkNyOQnxwwlBEzpuWe4gk3X6jfi3UnVr+oixRohEFbP0+MviJfiuavec3Vwf9z+cczQzRZ4g== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679937; bh=CQqsukU7gsFz0lAYspeBrRZglBXPOm741QE/iLeobu2=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=gZOeQRUBrPQk642wfw4ZWb9K3976Ch0P33u9+zRPpFwsLefkTSLthCs5kE3b+HrAX9j9IK2gWL26RDmdApeBWdu3DTzODujcsPpSEP8SDclAVfbqcVk8rPL72oyH+dXAMAmluZAj9WB05O6LCXA0d1WqiJlYiOXjg3Gk5VP5jARV6nOTbofcwaP/z4IkedNu60XuIuEWd/yWpAAO0hDeZ/exOTRMSala5W9VioWwxIh45ZoYq61kUJPftfuCeeNe90TU2X/+vI8QOKbn9RvJefY0Xwz2XWXDzXMCHFwWawFDFHLiy5lD9cb27PcCoyOl8c+wYLEbWJfkn96kmWxJBw== X-YMail-OSG: n5fF0doVM1lZUSo11zSkzVfMSBl6JA9JVJAUwgdHa7WOiPISWCVuhE5ZkQaGJA2 rVPFy.ry9_zVh_EGfz4VEIFv2e1lvYZS11xfPdYjRkpbvgdXlLaelXMBebLpGm2Jn2UAOB8gw.X4 b9qzT53D2j7zQjmtVCZL1MD..QGM_hNTwyC_FuFzAIFxn3_Rpz3X2NH0ONBPOoUO3i_sc1VQyZFq FvdbPWxcCoDG347hjUHgg1IEdKcKV5Ad5WLMeM7WxNlhGoIDJXY3f1CVVkNNP567CnvdnIhGb7fw 0ezXWyh5X7Gr_VPc3IKpVv.lfUwNV4lTBH6UW7jucj2XxnBDW1k2cDzpLYQ1.b6mgKg7XMVbNTrT ujlqzxg9D1v6e3vX2zPk3XQWMHEihYyD_OLHDCHmvG6USTB8fYha1YGvWdQtefmqcmIacU1Rr6hl 8EGvVN_jYUPWRGHcjWmf5xRhj2VtP5eJteVnRjHnEBoI34l0mImUTPK1jCeoA69VTSy5dG_dIkf1 lDqy42946hUi9hzLKyx1qXAo3L7zq0fI.5kCTHCYrJtKZqWJvY3a77i0Lem4vt.2nfgsuNbp06sq dc.jsXUdPwYrGHFxq2KDfu_pwtefAyoS79WPqI34c2d2pJ0YHhmLQS17PjgJMnpBfTH3XjjMVBn. vESvcXo7k7u7kNIzvpzs3Wf.s82bH_AMEZlJgzjrwvQ_SqE6oU6T_vuhokf3Qv2F2dtZ0hhxeute aAR4v4NgX5xhqvgCk.kmiQhvMd98WOPq4Al8lRQ2z6h2X_LrV8VDWB1mFMiMw2u6X_jhtThT9q8_ IR6V5.Aa0SIcUx1hrdfvBoBloHHQuxzblQZsOz8fHSOyt5S52Jm5qWmMHbayrsTLLBeJEWAFPOiH 99qgSs81nicClkYlXd_WUikXA5WAjCb_J.Mmfa_qHHKGsyIG5qGURzKms6HNm3oRQnV1kB5Fmc19 6kHg19Bwz3KhuuMNzrBW4yP8mnyR_MqcMK8HwqIEm2BR247cMh_5uxo6mv1pDgvOS4Ss_FWO5O9J 9HWCSkFclln6wFhiKvrhTWugMN.lPNd_Ylou1vvXbLTqku3YjM6eFELrcOkVMbFm6UMQjiDRSvnh FEqeGDy1P2hPrKGdm0Ju8yFD.Oft5gJNGzYyTZMPwUhE0he_YBFYY1d9WSi8wne73CUWQEqxMVmK i5Xu_npffOkIGd6qdFVHtqx_tvzqYgQEDfJRkPvuCi6yOAaXt_x_Zow8jOdUrXNfF8rUGmzq86bj 73OJ4fU1..nUiMoKPe3xluLY1Z.dMKvdt6V8kfKlTmr9N6KDmtz3VpklbN3daTDaVSfgYzeyn_W9 N99Lx.SST080lpDOFE2toRhjVhqrcKvPHICD5pzeFv.i2cHloU7qKbD3TXoYwmgaqc5sOUu1NRQM CuyKPc.kdU4T5S_fTIAiWWWZjeRCTFpS23YwjSdXZuMcKYNwhe15.317.H9UBK.u_UnPC_FvifgC j91ACufAmzbjPirK00LKQpPCqHYxpRsbAfUDSf1Kt2w4KgtM9qOXHOHhdRGKxVco1MHIUYKoBLvQ s2r1C5rVEys0e9uTrFyMbiIo7TgcpjZ6dvfHIXj0OfuKWHkYMC943rt4BE5Ny0Z8VNxeDzkvaaPm m.uo3cg9ROS94.LdctzXdn1BwYoRDS3mPlZBtlhqE6JAPEv.uLMgedz6NTWsbReCj.zvUMJt9BBl UuWyR.9uM_ObAmVNDyf8Pb1oUx..Lqq4FgyDDzD0rpZnGmKiuN_eCX2YsUFNDGV75k5f6brgB24u w6QXaxwrMahQ04Upjy00dFA_l0e8EjZlnft9mLgk8dStViittzdrR2DkSShmokx3usCgok69T5HQ qWmygj8DYb9g1LgAlnqmnsB.GzHcfmn79dQks9zK5nmSsuAI248WKYHpUYqsjcEN_aZejC_jvsEJ V7FAGymdR.1oH5d9wps22MJbgV7EGMYTeLOu_YIiJtMsWCUPksV8OoB_7JIxUDKofxq57X3gvcec F8uFpZ1oubMgiOtsH4wCLaI6FgNI71IZ_FAQ9vdnVVdaRuLSZlmx2_.IjRIzdRdjLydaAs1bkpRu 6Sv1PWM9y7GCdIgRcI0.78ua0VaDxjx7PA.WyPTF0OV5yQEY7DTHxYvIJa8R1cB8WgBmIew_kxpB NwDDSmErTFUSrDjvFfB77Qcv3DWCdOEzUyqIDPntngDo8EWeYR8dGVweEqTOypceJCt8Ic06xBGY z5GqSOxIqVlm9fxNuS975PVsqfbBfAN8OtxjQqaEVu2GO4SbQQJm5.GVWdHf27Ei7t3NaPssIlQc ZT7QK.AXplPvt9cevmWJyH46VHEM- X-Sonic-MF: X-Sonic-ID: dd58fa10-8b58-492f-8a87-50fb20c791ee Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:38:57 +0000 Received: by hermes--production-gq1-6949d6d8f9-q7525 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 522caf1ff66b851381e701962a25c33e; Fri, 15 Dec 2023 22:38:55 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 29/42] LSM: secctx provider check on release Date: Fri, 15 Dec 2023 14:16:23 -0800 Message-ID: <20231215221636.105680-30-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Verify that the LSM releasing the secctx is the LSM that allocated it. This was not necessary when only one LSM could create a secctx, but once there can be more than one it is. Signed-off-by: Casey Schaufler --- security/apparmor/secid.c | 10 ++-------- security/selinux/hooks.c | 10 ++-------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index c9b9a8d90afa..1df08372bf1b 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -146,14 +146,8 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) void apparmor_release_secctx(struct lsmcontext *cp) { - /* - * stacking scaffolding: - * When it is possible for more than one LSM to provide a - * release hook, do this check: - * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) - */ - - kfree(cp->context); + if (cp->id == LSM_ID_APPARMOR) + kfree(cp->context); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 656f25337334..a6deccbbcc40 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6616,14 +6616,8 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) static void selinux_release_secctx(struct lsmcontext *cp) { - /* - * stacking scaffolding: - * When it is possible for more than one LSM to provide a - * release hook, do this check: - * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) - */ - - kfree(cp->context); + if (cp->id == LSM_ID_SELINUX) + kfree(cp->context); } static void selinux_inode_invalidate_secctx(struct inode *inode) From patchwork Fri Dec 15 22:16:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495164 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA97818EC1 for ; Fri, 15 Dec 2023 22:40:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="O6zwzudR" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680033; bh=o5IMFBUGP2UovHyCSNRiU+4kZ3jQYyLWEB5ADn6j2oU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=O6zwzudRZVUq8/FVNESHRKoaMDlJ5scqxAv5JDviYB9mNlB/tPsF1kXlZ4Q5jGlhnqKfzbx4yEPSls7cv+tLceDr526M8rBDCa95/Omwc9A+ULU00lkuuW12xcAtti/B5hr8dw3ytH5MJBEIBI81PD7JYRSbd0gotwlNgCuVzcuDYHy6rOu7x896Ndynp8067dT+bmTstNVBk8X24e/khYoj5H3YoDshmE6IXXdA7vfyrxgVcxARqy0QQ5Dbh78/UPvqaXaYQNi8E8WG9Jef7JU4wjvorp3W3nQeE1t4Z8AaDEUZaBExYfKDxX5yDQe3cqDxFPM2czNYxKCN1iEIJw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680033; bh=+bUJYUNOXUuVi58l0WjnoNkLHMIXQZXrNStlx5iarTM=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=d//Xed7AmTwqwyuD7jNF6GcThSFms6MTymep/x8SPkwM3Y9fjyXzpjB7/l3fAi/QahahcQ7KFoX0nUY2rAaRJ2HWN8uNsAVr/6VpJfXy4qeyk6AuGrVjNJd+lHcMJ9GgIUKtsMziWo7gZxRuJRnuArKIZg2Xqnp6Jn4s80H/ASJzZXfCeOW0FW19jvtMMDRLKxA+/bbwapn1ME7Ukym/5KxBQkj6AyxpV1nwIAg3MoEAkLphLemPDx4VlcSfGbSJl05IoW1yDrFUpxOkMGvpaw/4UxupyxlZVc5tRVQ0mHrSoDnomf6Up8bYoxrMLZETpV0lS9xpjvTTOOqNl0uNYg== X-YMail-OSG: LuT8lnAVM1nEZoptBRpIACvIfKhJTin.P1ZwBGe1zPGEiYD2ZOPaST8XiPvbDGO SeNN7zoADgVlrgQ7rX_CtmqcNy.KSk6oRPLw6KWCgL8LLag5_GLx8uwE.L1SJJpXjLM98lFwRXOh goJlGpjCeYzAGQRLIYcTJgcSJdh6at1ppH5sJOFwyLdxojbO5UlhbQbAsdz9WIBmUO9v2nzqcvvg sYr_MA8VoO0YJAp_i9z5zXrGLU57inhSFNPjH2s7RP3tPCkm7mmliycSaESsPvZWtt3ztrptg0CC xexglxtCMzJXkM_FueiZlE3F6T4E_w9eBxefPHYeIGgIoCrLdYKVmuJ0_GCl4O7F8vc6ABX157Y1 wZkq27JpSDToc975D7J.kGwiGPkxEyq1kLoPkt.wNGwh4n.dL3mMimy5dEx366FkYBVHjN1wSQAm eTlQ1g7Gxq0Ukvt7N5JecI5E63tuRiBcy9b_9lqXfxdYHwxkTE7_SS7X1DE9yuTKRepnPqiXSN4O PGhaok2r8.69P8OuKrfVoVpw3ejK3yW0lqrub0PZDolg03VTYzTTQlbCB7_cYRovWP0Ukk52Jna2 lqCrpDJr2DA0P9aSEHAwtbOGQW7b.DGrHa1ut0yboWqCcOyBdgbE1av_Kfsv2AASH8kUP1_lGRDb znDVYUojshoN4WAWSC1dJsymGJDplft5FbPxSHAmu6Zzs3NexiRnlKNtQaLcXrzrYKIusLKtodas xIaOzg5KVcUP6Py1vrZcZqGpD9i5Kbi.RNpvmT1LLI0WY41aDuYp3ajB4vaSZIw7daDxYbNThV89 8dzdO65TA8PuqXujqt3zt3BmRQn1rclBiJZzsjEuzP1I9j52R9c_OO1ZMPbxXUp9kuSm26D1LIJ5 gqYYWKENac_EpEBkOaEN38fTYk6L4F3sPK96_YMIdJfOBDRf3ickRGaooyXmpSJngyhjcPlmjliB 4Ia65ahXfqd_5jckbC.Eigw7bX.gABeJ9F3gsikF9BtkAQ6CII45EXBC7iRe_rlJc5QeadCFdLxi LvRhcPi9ETznW1zzpCfxanWsqieDX5yFKn_GHkPrOTXrH_KNcH_3mra5VRGAGNQKgHkyHaVtGGO1 1LztTlKM_Ict0GflBH5BGEzY4h9U57IMAcsAGIb5Il93tb8G7UANbjU_.yN8Luz6VuU1QedBWvoC SR6sDNtygO6acb98fKyh4i09IG00iSD8PEsovZWtXKGe0a.DYguT9RBg3AsciM33JKdxI9m8MyNF p.UffrTm9sBs2ylITeSnjEunW1butr581m1uC.5ZMqktR5PfDOhHbBrrAhju0Z9FYxcgqlrcrXw9 FWK2NhUPbLHXFHXr93Ij4BZ73wbJ..J.A6JPhJJYrvjoI2Ns32hgWJGbs1_HyTPfSlUcRm7tQdFz czfFXgMbtd7op4V.FrBXiPxrJTp_yE8vvVL2dPDlEPPMAZeiYXLEB3_Aa89tvsxucWgRaARwRXRc pEWayQqQ78CuOPXVG293pB5a.eSDjt8_XedP39.tjb9mCCcSGxM07FCTsGf3RYZw._PoELXUAULk _pzZxrIIvFzX_vYV589y_W9wtOJ_bFjqN0fstBYfXZk8uCYpkln1VBvQuq0zhWIW3pLCzMjtgV4X YelQzxnzNjRtz_W4VjEoCHm3jvxlubLgIxVbuf.Yt8gMsSYqAz0MQrMTSfeKL.seoZOxqC1PC.n9 81yghYGThpPCYxsNjemYZgRk_3HbRjdl8gLYNoUY2Pdrm61gPu9eAbD42WpCKNoW4EhIx74Lk1BU 5o93mZurnOSCZGP_H6YFcJpSKH3_7Iomv4I3R5aEV4Ub0RXT..unGjLdJyZXUNbIWQ2Bc.9ves4D 5.5D08dgK75eH36un9tizKfJqBabHaeX6RBX0.OHYd_p6GQ4Up_by1DStQDpONE0UH.bu3uND8rp PmRFgDPdr85_p0E7d5DQTafpmH4iIMcXvLVi0L8sRl6gdFUX5FkMPLtDmeCTI5KS1aWHDIpiUfnr S20i00gvy_.C2wUQhZpWk4ZGjYJe2PWvVnaDCTusl1YAMf4eXuiueiFiBi8vkoE2zsaiF_ehTbo4 evnLUIT93KR3JJE.jpkajBON416r4AlTIWo2MzOhTh6PhFW3Nu4IJA6mXSjv6KPTpykUNKcLbtn8 41c4HYm7bpJ1T7Bc9FYNRvtbjqCD6hTGllRwBMZVTlaMziUsyq1LwahHCfh2MQ7cigAt_iGW.nLL X42_NASxM7T2eBQtHQRIzkiobOZQqUZMoOLgpoiLui0swU3kqkpQl9EyCji5KZfEkgsovv8O.C2I _ukiPRJx4Z334LuV1mX49pEETWSm. X-Sonic-MF: X-Sonic-ID: 88385606-f443-4ae1-a189-0fcb3bac267e Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:40:33 +0000 Received: by hermes--production-gq1-6949d6d8f9-k52jv (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 154018758a06b94c4980c22812ec859e; Fri, 15 Dec 2023 22:40:29 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 30/42] LSM: Single calls in socket_getpeersec hooks Date: Fri, 15 Dec 2023 14:16:24 -0800 Message-ID: <20231215221636.105680-31-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 security_socket_getpeersec_stream() and security_socket_getpeersec_dgram() can only provide a single security context or secid to their callers. Open code these two hooks to return the first hook provided. Because only one "major" LSM is allowed there will only be one hook in the list, with the excepton being BPF. BPF is not expected to be using these interfaces. Signed-off-by: Casey Schaufler --- security/security.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/security/security.c b/security/security.c index f2ef6032a925..3f0a4c5094a5 100644 --- a/security/security.c +++ b/security/security.c @@ -4686,8 +4686,14 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, sockptr_t optlen, unsigned int len) { - return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, - optval, optlen, len); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream, + list) + return hp->hook.socket_getpeersec_stream(sock, optval, optlen, + len); + + return -ENOPROTOOPT; } /** @@ -4707,8 +4713,13 @@ int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) + return hp->hook.socket_getpeersec_dgram(sock, skb, secid); + + return -ENOPROTOOPT; } EXPORT_SYMBOL(security_socket_getpeersec_dgram); From patchwork Fri Dec 15 22:16:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495163 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8B1F718EB8 for ; Fri, 15 Dec 2023 22:40:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="PPZC3NED" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680032; bh=HgKzEIUhaILipzY9DdZwoNSdFerxS4tj7fn6yV2s/8c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=PPZC3NEDdt7Us7Ydx1VW0Sl1zTTAqxBCOp1DbkHH0feKwMcyMmOlSJivc6XjYd+QvMM/wzd0mk9LMyN1BintFp1YQQ2FwtnR39zwyfKQWLE4yAcgM28UT9LXtAVx0Wr+rRpXpUzXkH5klCVlXuLywnlLFE1HGsxsbFC3iqgrYJfnFc0D9hKxDPpazyRCigzzdufSOBIkLfxmC8QzbHfYr4ZfsCLXhdtUHrumX+aRDBK7zHUe1dEvAQTNXhn0MpNIuWtfOW7/Z5uXYgTTtdV5Zm028nD4Xjmr2Ok8Zh1DMhv4pkxNuHwLQ9EgOa7tsdJS4IRNWMZ900pjWAIau/qMBA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680032; bh=20Z0uj3l4zIsBAGeaBkSy96dDVzLo/RmCINWO23RmQW=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=W6OlrNS9Kn1r21it5z8rUtTpJsfIqDPMFrmaxKjYSDhGL1iuRwhWMmrRIA+XiC/E21YlldeawmEfzfUS2MxCFdPWMOOFsbpu932OOrMC2OKkcm1gJAZpA7a/doZvag6NiDYp/7xU+p0YEA2r4ADRvPUZ7d2p16b9Fj7yvHRizqm3M9TtG1avYODFuuK6b5KJvMlVG5iZxD8WUY0WnJxmgHw5FvhaEJrmANhAypsPnV+OS9OL5sXrZsl8qMsKZEw4ANhxqX8Kh6TxUJ0bgoQdRxaweL5tvFDOtunc3dFLjMgHdwToGOiCyYVyehp2w5zABRlMFyO1hEmoHbMPH3TLBg== X-YMail-OSG: iOqyNHkVM1m_yVy3N01Hs1wdrRke9sf1gUAzxy_cIByHGRjwkzC2OflT2ugr3HI sxv1H59KVqOqhBlk2l0pIP9isgNGmtz5df8thedoToovaRMdPP9VJCSgk1_4DhLUXZZijXBa3dgV erISGrakYfgtr.SCnhUYbVbH996UG.4t59xAYHb5jsXdt5ZlMwdH5YCU6pYwoy_teAKHjVb1bgMI rEl69ejqzVYUWglgdMOayRF_TYLnRGhQfjaWWqGncOdFHbTl7JCBxYwuXrQDOCv1nuRmEfwNOlGg Sy76_vw4QSIXh2pLuztViKG3kuoRspMRkBq8VhIwy0zLrgcn9zcwUYm29Omv.rL4_zbu9DHSwR5b s5MJvc_Z2eYJpHuz9llvxPgmJxPJ8.lbzFrHa1aVFm7qEgKhf_LXf5wa3rHyWUAg.mCWZFCuQw9I xIaspae4zUnUo33w_In4OYRL3DNlaF3EXBmfFCnBINrv1Vv0OJruRR7EbGyzNAhHI5Gdf8sbheoa vh5WdniIl1oXpxdwzy_aqweWiSTNyvam_IvvDu.4rYpIWAgNJgY3QYhfUgEByIxw15KQoSW__yN0 Pcfy_It_AvNAMqe_QjZ6dxZPGL94zm3r0.NrAyNPqurhtB11zp2V8owzeoNBs_d6K6RJad4DH6Xv fjvAW9CArNSN9APImuHWL.rkHEDlazjbq0EUkvk65OQ5cif5rMX_Dzic_TSR.Dbxs2t1UyF.LHGr I.CpDloOFnjYY18R.vA5eFOsugzZpN5wxEdQ79mbl_uQMqPb9Ci0LL_lxuA4NYDagQb4cGcytU3z M6aG6ig5i_h9QILbQBAUlO_bYa2g_dMcMAzl9g3U6reCYYaURIUo5LJt7rMHRBYxXXZ4ArLTBqyB T24lZDxJOeAUyRmVKSwQe2SZMnlBL6QsEs_rY.qRxkHkjDzFO9gt0dXgP2MWmX3P8uTmddXEPc2Q Uo_WHEJjWeADCfuGe08VkWu438D7myXiFcHTeXUuG3ILaJa0MtTdFZ.naK42p9nkVprO0N3qQ9pZ IV1cQxOfyw3VInl0UDlB14R6ufxFnCDtCuXCnP0KeSxttFrKD5sA4bvVBN0ZxTW60pFX1pd4XtDv mwi6MoKHZXSiiIVstWjfY0v.J0arF6Zk_WbfF4.Utg5Ob7AljHNKt6AhXXJbIzWB9NO5us3jlr9b 200vn2pv_FHjQIE_O2ZECnkXPbMq4OPc.egWpHNbq_VfNhf6FX5zYbpfkw3atsHN2U0VpkpzWOL_ JgferiqTIO8yZmxsSye83ij5oNW8yuoziWxHwxvZvNfLfyT6.j9yFvdgBEMxryPykESBSnMMg42Z It02Gc6uRnhpXQJdcv_MxfnPTy9MpUylJ_pOd3v0SYrZFjGhRQujZEY7TMIJbkcCey5PvoOWmFU8 oe__yp9pKCnjPou2h215cmnXo6xKhTXFHLBAuURPXez9WHDR2ejp4EIRR77grn1rD1jcSoItu9Kq rEKT5TnQX843MYQJdeRXuT95hEd9ObHzEm93paJrxCQrRdwOLf0vaH6I.xv5ccNd_pmCL2F24RbF EA5if92tzerLVIIJ_UM1ijpSKbscodCZhZxmEE3pdlwpOa3ww4VFjW5xtcJC9683csaoOddATWT3 DQnKIMKUWhfWOZm4JCuJ67yuKoao2g5eG9uSMdQCFw1z0iqNyjSYFeRvjB7oySoNUXyQ1on93XQy Rhd4pxqwAdEOuzyiC1DDDaYyM.aPJxXlkLUNXmXiEIqx4LRT2pcmnJaWMrNgyKBTZyPklTYJVtij vBhyJQpv650EdrzTAH8.PYyWgGxFb4muQn4sia2pH13YzefjsouF3uweiyeb_M0Xb.WT24Mc4Ds3 cRXYMqhhjp5bAQjKrx0NUZo1S3e5m0L3lk83TKQNzLQIV0wiQJOi6f1vVd_AlKFUY1lSAgEkcS5E fLv9uFLk.b2zrGrSPKAxVOQLoM.cTZCQiySEkXiqkvNyCiVZTvZGxfUt577LiM_emPsS3OdnKdHY Box9E_RTMacLn9OkYqM2Opcr38YvLveAF9Ayg.KwDAqfJOvC.htioiiR63HYFlGWlVKK3tzkopS9 buoblYYHswhrdkXmlsR1yL8CNM1hW6.ZxikAmInwL6Bc5gmEJxXpZNyTjIuW5OCI3tbKzl0kNh64 8WHwQBvIrDJWXpICn0qDJxYOZSg_DahiAeIUcn6rmzt3DN26UL7hZ9be6UXW_VhJEPJYrWKm8.am xMMc7hTWIeO3DvW_Ws1dbTQhG8AVZELef8tgXwLwIEwm5UK0.jBh42q7AK2Aai_RKS8oOT4eOsvW z8XLibiYA99XY5CcssWYywGagCuCf.g-- X-Sonic-MF: X-Sonic-ID: 15c8c364-5e98-40d6-a6bd-e2c4ffe2f2b9 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:40:32 +0000 Received: by hermes--production-gq1-6949d6d8f9-k52jv (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 154018758a06b94c4980c22812ec859e; Fri, 15 Dec 2023 22:40:31 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 31/42] LSM: Exclusive secmark usage Date: Fri, 15 Dec 2023 14:16:25 -0800 Message-ID: <20231215221636.105680-32-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The network secmark can only be used by one security module at a time. Establish mechanism to identify to security modules whether they have access to the secmark. SELinux already incorparates mechanism, but it has to be added to Smack and AppArmor. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 5 +++++ security/apparmor/lsm.c | 7 ++++--- security/security.c | 6 ++++++ security/selinux/hooks.c | 4 +++- security/smack/smack.h | 5 +++++ security/smack/smack_lsm.c | 3 ++- security/smack/smack_netfilter.c | 10 ++++++++-- 8 files changed, 34 insertions(+), 7 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 605aaf38c3f5..4deb1a4d2d1a 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -81,6 +81,7 @@ struct lsm_blob_sizes { int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ + bool lbs_secmark; /* expressed desire for secmark use */ }; /** diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index c42ed8a73f1c..2e43e1e8303c 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,6 +51,11 @@ struct aa_sk_ctx { struct aa_label *peer; }; +static inline bool aa_secmark(void) +{ + return apparmor_blob_sizes.lbs_secmark; +} + static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) { return sk->sk_security + apparmor_blob_sizes.lbs_sock; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 075942b253ae..ab9b0b37f1f7 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1322,7 +1322,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { struct aa_sk_ctx *ctx = aa_sock(sk); - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return 0; return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, @@ -1426,7 +1426,7 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb { struct aa_sk_ctx *ctx = aa_sock(sk); - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return 0; return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, @@ -1442,6 +1442,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), .lbs_sock = sizeof(struct aa_sk_ctx), + .lbs_secmark = true, }; static const struct lsm_id apparmor_lsmid = { @@ -2105,7 +2106,7 @@ static unsigned int apparmor_ip_postroute(void *priv, struct aa_sk_ctx *ctx; struct sock *sk; - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return NF_ACCEPT; sk = skb_to_full_sk(skb); diff --git a/security/security.c b/security/security.c index 3f0a4c5094a5..8469816c0472 100644 --- a/security/security.c +++ b/security/security.c @@ -232,6 +232,12 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, &blob_sizes.lbs_xattr_count); + if (needed->lbs_secmark) { + if (!blob_sizes.lbs_secmark) + blob_sizes.lbs_secmark = true; + else + needed->lbs_secmark = false; + } } /* Prepare LSM for initialization. */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6deccbbcc40..3e590f632f59 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -164,7 +164,8 @@ __setup("checkreqprot=", checkreqprot_setup); */ static int selinux_secmark_enabled(void) { - return (selinux_policycap_alwaysnetwork() || + return selinux_blob_sizes.lbs_secmark && + (selinux_policycap_alwaysnetwork() || atomic_read(&selinux_secmark_refcount)); } @@ -6969,6 +6970,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, + .lbs_secmark = true, }; #ifdef CONFIG_PERF_EVENTS diff --git a/security/smack/smack.h b/security/smack/smack.h index 297f21446f45..0f5bc5c03b9e 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -369,6 +369,11 @@ static inline int smk_inode_transmutable(const struct inode *isp) return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; } +static inline bool smack_secmark(void) +{ + return smack_blob_sizes.lbs_secmark; +} + /* * Present a pointer to the smack label entry in an inode blob. */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a9ab31a40e36..c93e81facf1b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4090,7 +4090,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) #ifdef CONFIG_NETWORK_SECMARK static struct smack_known *smack_from_skb(struct sk_buff *skb) { - if (skb == NULL || skb->secmark == 0) + if (!smack_secmark() || skb == NULL || skb->secmark == 0) return NULL; return smack_from_secid(skb->secmark); @@ -5064,6 +5064,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, + .lbs_secmark = true, }; static const struct lsm_id smack_lsmid = { diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index bad71b7e648d..fd146e3a2286 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -26,7 +26,7 @@ static unsigned int smack_ip_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk) { + if (smack_secmark() && sk) { ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; @@ -54,12 +54,18 @@ static const struct nf_hook_ops smack_nf_ops[] = { static int __net_init smack_nf_register(struct net *net) { + if (!smack_secmark()) + return 0; + return nf_register_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } static void __net_exit smack_nf_unregister(struct net *net) { + if (!smack_secmark()) + return; + nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } @@ -70,7 +76,7 @@ static struct pernet_operations smack_net_ops = { static int __init smack_nf_ip_init(void) { - if (smack_enabled == 0) + if (smack_enabled == 0 || !smack_secmark()) return 0; printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); From patchwork Fri Dec 15 22:16:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495166 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0986518EC1 for ; Fri, 15 Dec 2023 22:42:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Ztiz8+Pv" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680128; bh=ZI3o3PMEzb9gnitNsbuB3iBlot4aiealGMA8AVY8gd4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=Ztiz8+PvN+jZx4/zNPAG3bcpLK+DYIGrzdgqvTcx9ps7HPagfCTJbk35iW7G6kgl9YJ7iD4JJQex0NJwW0I9jxXGP+wy7WltuZ8w/HIsgH/LR2+PZg90vbck3NA1KcXpGEG0rc+pxy4NDjOk53xrUtuiEi5NzDmItNDBcZe7DhNdPZvEKo6xIIQJZW4a2X/E4aQmlbuEQvbvVMpBMtRmiYe30hAvdiPkEiZAw5A1sVry+IaeFhUYTa5prJDqQehz4s3Lo9NDBjZp6Nn+AQyS9udvh8ulC6ObdC7f3XVDcEfgDR7Q1gJUWUoR53LXaXPeWxHU4yHyXVBdF2Vnh46YmQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680128; bh=6ZYf5huaZmC9UCs9n/eiabsPtkOvK63TXZvyZflzODb=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=WfNrh7/wdS0hnDSscJ3M6HNOCYETyZ4YVq6LuCht7eRVKiihfnUpa6qCD2g9MMJplOKHHKSHy1JtfW3wFq2rTorIlZ3PBWvzzzt50yVtxKdJ6D+ea1Rh4TdYqzifxl+aQWc0wcettM4IrSGm7F/2HDsBtiJ/kNSq1TQqNKL+FtBocRebBGttFZ3qbZxH/rT3Rj7Jy1Scn4xHOn5JqwS9x5REhY3BMu0d6NuJg4kELUbnidnWlDwgoFCYDH+RtEQjwR96HGwTB1HoWFdrQAI+MnrjO2Of/RommYQEEH0hMEg5Dber3kgQiBW00X5YiV6uqBqfj9iok6RDvufV5YjqbA== X-YMail-OSG: sVzvT_YVM1nT2E2zuucRPLt_6v38mKH.6L16gk4SfdU7K03jPqXodH6Cii2vDHz kmdMC5Vrn.lhaWfP6ZukFVn1bU.c31n6AQw.vRypoQrzxbOQRnupGbHTDGRWqcu56V3ezjbHw7Qo TKC0mcDpDWVvTZdFnt51w94XIr.O9rK1fj6k5VLRa.faP6X4fsSD9StpxJ1tybq2qVqKae5zjNxS iXPX_LMUjr1vXAumcSDw3JH6xSWiRctahDp6O0QlWFBPHrwW2vySLeAJAhDs.WCw0erLwfDVdDfO CocLyy.cCEeFSjTfUMmJZbbdo3yUppM6xN6z2B_v0NVr0QTKEIzqHrJAu0gfaqqm4GWmSQhhzNaM i0S5XKnvKwSjkjaRz46rS8zkEzu6lGIYbJfzGnZXZMNGbCV37vMM6Lp5M3aoGwecVK5K7TmioDpL lRfOdJDs0Ar52r._b9PpE0E6xRBgfZPZbykEJx5OEEVtgmhBhmkOqVu3TH6Bc6TR9zkcR58cUGDu 31ujZHQUnDy.zttBys2HcyzXJTpzYU8MFLkzm7ArVNYOKwl8m.czF3INKgPrWD0S9Ez8VsHvFp.m rqO6rjLsJI6Cy.ZGdP9FCh_u9Ib3WBx7EJ8kSfOyO3T7tUEYugwOgFgtoH7mCm9md1agNqxbBvTm EpGBao5xJPtPWDlkyTZ3kzXskDBdYQc4oDYWz2nFpnCAoVMZ6Fbt8b1oKP5EoSpLSWhD4laX.rVK 1QxlORlM_HMHq7hSYs8_GmFdgouWyeeiMOFvFoQ_LvH2zj5Dcq0zWBhM0rBQdyraXuSsWJfzw4Xw AUqWfTmueDaolIFAz8vEhgXj0fXINeQvamPa09X6CVnd1iP4Sl00sGckLuXf6p.mI_dPgxA_9ZhW oLgmt52wf_VDnUg5BTNVHUEvjPbjTpslA6qPkcy_uZ3AVA6AN8prodsyf..imriaz5tabvvpGuoo t5uehv8O7o0QsBBD0bVz.V.agEfKYw9lt9r35OlVLZPh63IMOfC4v8I6dFQfHe_cYjKs0MjcstZN GlcbNXxguzwuqnXf1Yg2n1FcXedIW54SjkVKOk45uX3rzPAgkLCNxe5zTnqVaoN40HI8hCzS.Yf. 3ZfLyedzvdfxSKaMQGlx8MA0LQgp4.oPRxIQKlNP_YvAW4AMi8VlQqLluaHhYSff08.gDLwKW81s TiyMUgYzp1e67ouzToRrTyhWM91oYd8KQK6tIXNrWeUU39lAzCVy6h7.rv9yJVAEC6QOT3bZcJ5a 2yrnPAMtZwJoVJ.lyT3jEHiLxk3wLUFSbucJ7xRGe1FZ4ZwIRe8n2z4UCAflVeo.IixCpHSuKvxJ er3lPHdGthLxpx0WGNn_yHeUuwwwycugYINk038qV4dkcSxxwuuOwV2M2WFoVpIMOHmde6kyTK1M hAgyUDYd4qVuZK07wHUEWp_EMeOGfbAGztOMNq8e._jWq5pjMExiNFtTYRPOJNcMX_mcd1wS0kkh aixWX21YHLnUhsQwu1qnwTE4g561MjHOGTHMOXtgONGmV1o_TW6PodCFYPj9La5rRB9G8R0qepSp qI8iWNkowDHnl560qib7Il9aKHehcI49bwgY0omWbZTJiHANkz7RwEjywIj1Wk22F9Hk8aVbQsfA h.CUbNA4dK8fCUHjSH0eYrJHZz.FXfstkRxpAYRxd8O45rieF3TtmfB.HL8Wx3R0Va0v2xkFcTmB DXuZTJnjaOQb9S3qp9BE7S7_knMcDHH7CXlrZaOWrFFXyJGQOiEmA5m5Fcuieyc6u_04BleZVqRI KZAqqOEwoTLCorG1KljQ8K9pJ___7uZMN3jaVXvpUjVnGH0FnK.V1qMrVKD24LfbzQ6z3WoZOpvI NPzVJspsYY27CIFyhkK0jsuKZ6a1IQ7.Y0BWf1CNt9DvMpEpbcowmtQtqDuvMLD132co54u27hiu exAt3SzUyoDTDeKeVMlDKcoSfMx5vc5d2nvFQUxIFTC.zWD1KRbQePXn79aMIukqFxtXruB.Bt04 .RgMfLlarCgEHiK_AwbpAFfqzR._hXfPSeetQgZndXEL73_EpZi.iMEcLVugyA3GJF2Oxm7Cnxxz 58kmA4D1lH22.VSB7WEyJ5lkLjyWZJkDeAkA3co.uSR_N8yfbwCAQTROPvlu6099Mrbyej8czJ3Q dSV.VZ9TEFLg728FsdmttKByY2ostFvG0W_kbsu8O94bvPzpYW6NLs0sejUEcmWjQc4LFsT8nm2a lwcPRMIHJDiKkb94UgGBeYriETfcakAZ3PS9VQ7HaS0fUQxyxNYHUrSKzLei1q4zHZhf1o4bInIo 0m9MmQRbxm8osGYTU19aawRgdBMDJ X-Sonic-MF: X-Sonic-ID: d15b9472-9cd2-4430-a308-5ac4cfafeb7a Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:42:08 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7cf3dab1b010cdb86f7a13f4b7451804; Fri, 15 Dec 2023 22:42:04 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 32/42] LSM: Identify which LSM handles the context string Date: Fri, 15 Dec 2023 14:16:26 -0800 Message-ID: <20231215221636.105680-33-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The security_secctx_to_secid() call can only interpret the context string for a single LSM. Use the first LSM that supplies a hook. Signed-off-by: Casey Schaufler --- security/security.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index 8469816c0472..8576121fadb9 100644 --- a/security/security.c +++ b/security/security.c @@ -4248,8 +4248,13 @@ EXPORT_SYMBOL(security_lsmblob_to_secctx); */ int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { + struct security_hook_list *hp; + *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) + return hp->hook.secctx_to_secid(secdata, seclen, secid); + + return LSM_RET_DEFAULT(secctx_to_secid); } EXPORT_SYMBOL(security_secctx_to_secid); From patchwork Fri Dec 15 22:16:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495165 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F4C118EBF for ; Fri, 15 Dec 2023 22:42:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="XQMWrGxr" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680127; bh=ZEHXiJrgb1zdL6EoMkNwkV2keMKbDFlpdJJZebncUCo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=XQMWrGxrG4L3NnnVe7i8hL42HSG2x92vGiuBrb5h7861cSnJSJj6UZSocWY/Zy844umtGZqOq21NiipRm7bD/zU9DUQp1llTHQaDlosGo47pgHDGysBwpgmYkrDiVl5n4ZcX5z40y4UNTe/9mqYp/vE/ap5aAazMH0UKQ/+dnhC94W/nkCZJZOu2kxf5NlTY9IsQtkIb45A4AKd7kQqwz4xH0JaAqLgbIhUl6o5x1wmC4CvUcQWdYZRSpIYIb+OC5ZTmmclWfpc8uQN5KuTAU20+F/0RSfYHsshI4KY5QbAX7sLxlprv1t6/DJuKp2E84GQOojt+JHuhj1CL9BQYGg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680127; bh=s9OinXN4BNWiWYh6Ku+HYSjEK5Odfe0nhz7SEss2thB=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=R0sXa90XNC82x534Q3cB14JE14NEArCzJICwgqtC6E1SVuOSKCiMfjl+ss0VDC929LyM/Z9lHZmoYuO6PbDbqICckBAQOs356v6waZAurZCXB+8ls4W43axMACW1KwDbjn/T6uB1dqfP64nqSjLSm/5SormCnQBaajTUCqyiKLk6WULS+6fGPbkOW4Qfksg0IK1zEY6m24+Jk4JDL4JQNy3GhwC061Ipbsjsuwh+fPBnv68Vxsqm+HuEsEa0VjLqj25sA/ftOjpnyI6gu2lEL+KwBITbz+MOh7KfyCLK/JBi/YjqTC17F9r0AebxTLdVffSYiqhyVHmYjggVINOIsg== X-YMail-OSG: 4BWwR2EVM1n6hAHa6QGlI.yY8SH2x_io_qTXv0EuYNulesBo29F8UhoKLmK6sOe 7b4yXWzQUh8sei9zAmlZizdpVrv7o4Cg2Mi9gYbeG9KhZyi05Xx89X8klJOBvjYcnQLyxad3nESb sUpiwS_jEst2OAP4gG730TJPdTl_KTqNux_1pvskC2qxgwDknZOLemxJSZb80OGP8RVtmGh9QFMi WOUEH7iIapC8SCKyqhjIuJP3CF6gsyyresT00MwXe64_9LVotZRCciyi9eGyPHzqTDIyzACONkDY y6O7cm7epddA21bePLsVutH89mSCF28Nuc1lPokhhYlwmIT4FVPzWeXO4jteItGUKradKT.LOscz JZBtP1OWInVb1Cy16R8hNXi6BXXuBs8kstyrwl7w8CZT7AuEcmwMzyoA0bGIoHX4nnM.ear5DqX6 ..EFjD5jkUjdCvFPU5HgLBTfxz1ruMSe2MiHKP4VrEH6tUWOdieOag3Ew1roLvU9.FaSRVVpuXu. N1LfiDaTeBJK_pJT7Wqxvq7X3D4ASs4WKp4azhXKB4oY.XSz3nrEV40ncgHkl9hPf.9UNxsuKLVY ZPTRHoDtFRWGf4XgQPZfGNZPK64l322Im7OiU4xfjHkCdbunyvlsuJuWrfxqEs5mrS0oTrMN9lGk NWybrMaS7kqzA2xn9JWc9HQHwBb8s0h3APCC0DTN9KkOlQMZrtf8nS9BcdSDMYDHUE_KsyLocwlA hFCpx.rdLAyFspNJD_8FhyDtDwYG1AL9aLyalw6UuevWQAs9M41Cb3VOO_ftvdlrjsmtYk2FiRhC ZMUixPTnbFvZQhk.qI_uUoHh2J2fEDro2Mf1_3.E9_gy89UxvlFghhUWmrHsnlK9kzuc0rrMzfpm DvJgK5eW0YnbX6JJaheIfsHOVY7wTryI4LjUjzJWxgtpiL0GfQ4.0181CV8MzrY8aaAjoQBtzml5 itiVeDYRT1KV4_7Fz0WA7mmjnGNSyWM.0PkqZ08mqr1yquN9AvUwIpFIx6YRHi5kz6hqwJuOxSHc v9dIUfVpzmnbLQe0cQ06rH9rlAqNJmfAlWlJiAw3XlkTOq7G_oJ2ZUbJ1j6ewIjXijap5A2Clnk4 Xh7vEuEWD79rgIWuZj31cuv3OSVFKvfws2vYi5msF0h8EiRJup.fbqo8ZvoNlvAyKyaZBuaeHAJm _NGrC6ehPPDmtMjhTrfk.R44CW.nOdZFAohAVS9PkVIekuAyrBo3MACrZ4OVQcVN_yfyneVD8TbD Ie0_1vNC.Xr92BS2t070ntUnfq5gRk08eOlWtGb.bQv.v3z8D1h4fEX2YGAxKdaXxfKtVhCFM53D JDm102kBNAFCzupinn_49rH5KKfKLI71nMhOv0tb_gqRF7iQwGpHfW.7vTF9p647y1q6oyExKUPr BxR0lwaXnmPom6.cqLPV97SGDb2fE76pBpUCRAIgcTO3aOzyrlcADP8oQvPvu_Hf0FUNv5q99Cc3 JAZE2LuPPUXUEgvvI1jR47W_ShHN92GTqT_4GRWIkiWnkjUnxT2Y_gfYUIP8h6N2w9Zcws2ScEZE vaHdrCDFiIPmlST1p48Rw1nWr9r0A_9AioRPSNn9ISV0LnzjHWgIkSIEj8on9IqBCu34DjB82Zla 3hMgh8RbmPCFICJJMadhtTdUEbFjJjILdzyhKVSPRgxQsF4MpiogIFBAHSHEhJa24ah5aKdggqkc r5JShu6IjWYBBQzSljNkgzaX4DeZQQnyvnCiF9K1tYauH3ZCOG2wuSY7v.GuC0yXzolVN4OSar4K J4hHXwWFAwE9nHrRqmiCM41CqiY26fWvirjiuDTbMO6C4DpSK96w35egSxPM3lzkMS5K3bNgvU_s lN9W2IF7l9qoBlXYjtMxlEtvGEzpWW8nVzol.ifaGDk.KJgCF2QKqlewTVLLgX.lVMajsXrD7B1O N8kwf7b.Ekr9KHYxmavVPnSmwHkZ8jKvM7dBUzxssB78V7UZJoDoxExcls3HT9ES6A7kX._yJGfb Ov_Yf0NkpFrRbjlEdk5pHy_opS4EfZ.vKEQPgdwXih_6WUvdkhRRYHPwl0BHdX4nD9.VxO4htO1z UBHmKoAqdNZQ3giK05rHc.WEtJKXzIsEx97ZyNoLeH8KINMGXOcktjnYQU8i0TmF7XCcjyrF6v95 .RKla44Hse6Euwd2aPeYDcpu_6bcVl4AdVfln0ssz4obkvM6cBCUvFdjp02xw3kpdt3SqC6V0.nV G0lH.L40i9H.BZYPLvKGWdKPRH.zvuzDfknHfhimnyfaIc06kTh_kBRyDFMd.4rWhnlx6d1ERzNL z4boCUtjlfXAjS2R56UsyG.v._0w- X-Sonic-MF: X-Sonic-ID: e8cd937a-6ca5-488c-acac-5073aa4e5ddd Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:42:07 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7cf3dab1b010cdb86f7a13f4b7451804; Fri, 15 Dec 2023 22:42:05 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 33/42] AppArmor: Remove the exclusive flag Date: Fri, 15 Dec 2023 14:16:27 -0800 Message-ID: <20231215221636.105680-34-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 With the inclusion of the interface LSM process attribute mechanism AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive. Remove the stub getpeersec_dgram AppArmor hook as it has no effect in the single LSM case and interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index ab9b0b37f1f7..d47816e91bd3 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1385,22 +1385,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1510,8 +1494,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -2296,7 +2278,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init, From patchwork Fri Dec 15 22:16:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495167 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 08EC718EAF for ; Fri, 15 Dec 2023 22:43:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="LNfEV2M2" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680221; bh=NuchN7LWq+7dR5oCIrU3dqcwUFeyKlFDBPhpyQdG6gM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=LNfEV2M2x3AhAouQU996hBof6gSHadROPBvcNl6jSwDmqAgwTMwKD51vgsF3tpnzeTm+NiJwX/pZbQCcpNRi4pytUnEs3pnEuWOddteKmTIczsgLzw/TQtG7os7uP6FC4B5blWE8IzKkzy7mEd2zUpn3CmqVIAphpBOZ5l3MVhsvozJgFMYnsHkYygvFzVuIoSngaYEKafP2aH3sytyfNZcFFshLn8ZywnEPZ15Lcu8BhBzDrnBzjWEk8JIXhRmMtYjB4SGA51x0BeLDpv53vsZ1O89754S/bP7ztoIK0u2YEyCGvkevLq/9sMoln7NbqRgqTUPAUqkkbgJLshFjUA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680221; bh=99tChxCy/47LiTe3kp/zL7x3mbeHpcRS7ymKZm7mlez=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=SVuu7mux7yxU2IT5thac09F0yiwx1pPPATUntIUmqOMbjwSiHKk+uXqDt98LtxdtxkjlBKi2RNx2NTl5fLbWrANZn4vQWR0LxEm80RelLHrMjR2bcBg+6Em4zrMGcMhJ90HHTWFA7usHWTKOnXjI5ehjG0wQfwqZ5NXTGPw5gY4TGlJNPlmEpv8HPBfYhsRv5wNMvxjcPIwqs8j7BdGflombzlpoOVILzyvBrVxNFhj/+GwpDXBv0oIr3YcHqbT3ieUcpzOZyJP5iiDfzCMrmqmci0soihPeFmS4xaWucwKE72uYf/cNsDSEn8zAV0YvkoaQBfXE/UNI8WGvxaVCDw== X-YMail-OSG: 6F_hx6sVM1l2Sp7xn_RpIj6KUhGj.KY8cx1OV5K6jzcSd0YKqE2AcPtu773ohVu oMgpvLNX9lt3nkZbLC7NvmkeYu8iVqFjVP.2IYvwsR3aJ7pJk0D06xvdtu0US6Kn2Ih22QBILbAM zDyzValcq7lQ4o3TxYcYEGwd5miELrMFhhpxLNfrQnlcQXz7J48tHUb1VvO300oFaNxOw.HGXr7d uFeaKRSqlFty2JXns.wFWUEoQcShd0sGXlPZCIseoXFzjy5nX0UemQIojiALs7B_uIPBqQRT1kwG F6Kf1mcCfWL1z3N1CsGfC8b.s8WsJA.YrIKiU3aFcWc8LTLER18gSPoMlrn.aUMwREqFoJ.14PYL I1Fi6HbpfdtsFFxqR.8BIgMfjqOkyQMba6YJ7mcBHFQUXLAzuV88EHTR9AWKsLQExpqJV_QUJeuG 1V4T_EbuE2KzxLidclOISihL8PWmFdWXL4fqvtmSz45GgVJMm7jvCNw8J318TfwExMlpDM76RK_z 64kwfl2RZAUbIYjDCpcN2_jsv6tNBwwomrz6.fAYCjm4dL2jp6nHfOreqib6hMJfr1xQQlj8zAGn neEvsjJDkpIoKE8BYDOsWR6pTiM6Py_csfMVsPZF0dpSn3II4mBLPeWFVT94dDYmzgn4rOlYlN78 2Nn9nahaRnQH3jjNHfF9BegGYhh0dAQLJImQw9pU21MzOVp.fOWdKHeZ.95t7C.TB8_mo.z.02U5 G1cd_VWlXzjTdCzKh3Dql0KITOmUMaxSojJbyYhHHp42X0HQIc0.cgPdRSuRrspM2nUbSUpisXMM _akftguzIff5aI0W2JXeX_Lzxp0q4j945ZGpvBQdUhebIqTbo_gp_j0eKJk0e7oNBy5e14idix7N nV2v9AQhIKRVFmWo9X5DLFBy6GjBCOhHiOGbnRYEzHk1QVERGlP53kg0FyXoZPLYf_On8AT5MZCp bU9XwAwE69L280c5s4fBdGyRqTjlUSlQo3Cx6EBmpgVl7CdZeO.8939Y8KdoCQtOJWkiPZXXMRFY WyV1b59VABlD5eMwTUd8AnGsXDENVk6G4NZ1RHwux4uv3fMlQcu2yCwAUTdedm1YTen8GsojzpPr BVRxPEna6QX139rnhZEbsP2NjDWO0pIU0SqMw0axLNYCDdLYa0f1uYkMSSMyRhVlrJJfBvv0ceAl SJmKwG_r7_CBmicBThuFRzQHvd_COHURz2rXOELXxrNvDt7F3b7ohjOeOU2arMAI92h0y_yXKVRP n7cVN04VqPQYoZONLAYYYI7ZktrxxSymIZ6sdsWDX4bKSzAlm3lRKon8zz5aiSg.ieYwWTQYz.ik XYDPYT5lgCGIq8CtYHjsuc.VN52gzeqkdPKPePj.SD1ujM1sV.jNGKvOmXF7ELJKa1xifemUvoow O9vjmrj.ShX7kmMKksLx2QE2FRZOEJs2EyB5Scnhdvfcef5eE71A5YhB10SUdZW5jI.CzRDgkajZ 6csbnhkpT_AErsApe6vZ8cf7CrPofh7HYTHxIGCT5czkflxIAgDZQ7LpywlQcbzhfTMmjFX6MKMm S4P9TcL1VGEWA33361AlmuzEz4h4phtplgi3YaWCxnWIw0W69tf0WnV8w_BIBgywxcdPduO9ZUJu oM2QPNX8Ku93wKFP04GcbJY1iXlVLuSvRJv9BzVvOxVsO7ju8Q01HiZVJh37WiXdoE9M5iR6HRak slutT817fDY.E6yzw4kHeekra.f92TxN8VAvHd2qw2rbuyPTGlq2Yj1PzlwaBqx8oynG5GMdZPH3 .QXbyqMMBpXEuXDJiqTNPqxtpixsYpaPm0O7Qc7O2lOBueox9yUshrOQFLMlWD.UfwOGTCcxmYc4 lnpZnol7IYTloIWsBpYyELb3wJuVLdo1x4FcqZ69.WnHwkka2yCG3bnnReshabgKfBVAlL8saI6o r8FwQl4c_7BP7chJGs3RPs8grYHGVUZm3P1RZTkT3THF9O2WqQlGezYKyldaZMBEe2OuGiXdXxdv QPZTWgWVetcH7Za5agtYwtWQqG5BjtlkCme2o6xoYkFnlX3ulIPnvySznHP9291ZR9Q5NqhOmy7L Sld9r6xx07lHOIPiFda4Ivpkg0VYYI.V9xZ1xvRQ5OLx8QASs0ac6J7WfnZCURHFPkcp3bCLuawC Yd3.o9I6ZlpTCJKVXjctsRG_BcK06Zt4.Ip330f7Cc6rzWDrHX.t_Z7BM53YN4lxHx9TJQqXki3W qfQLw5zbM68oa7NHc2KrbrFhJ856Hla1.XR06SlGXUD9I2BmBLEFOv_IkHuW0hOja21XY39_KTTS bXSehd6gwn.2qrOVgXKLDejkZXys- X-Sonic-MF: X-Sonic-ID: 869ce3e1-48f0-48d5-8d86-93a5ceaf74f1 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:43:41 +0000 Received: by hermes--production-gq1-6949d6d8f9-k52jv (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID ca4128361bb8b08e481604451b6f4d3b; Fri, 15 Dec 2023 22:43:39 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 34/42] LSM: Add mount opts blob size tracking Date: Fri, 15 Dec 2023 14:16:28 -0800 Message-ID: <20231215221636.105680-35-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add mount option data to the blob size accounting in anticipation of using a shared mnt_opts blob. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 2 ++ security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + 4 files changed, 5 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4deb1a4d2d1a..59085248809a 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -81,6 +81,7 @@ struct lsm_blob_sizes { int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ + int lbs_mnt_opts; bool lbs_secmark; /* expressed desire for secmark use */ }; diff --git a/security/security.c b/security/security.c index 8576121fadb9..fd429f67d2da 100644 --- a/security/security.c +++ b/security/security.c @@ -232,6 +232,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, &blob_sizes.lbs_xattr_count); + lsm_set_blob_size(&needed->lbs_mnt_opts, &blob_sizes.lbs_mnt_opts); if (needed->lbs_secmark) { if (!blob_sizes.lbs_secmark) blob_sizes.lbs_secmark = true; @@ -453,6 +454,7 @@ static void __init ordered_lsm_init(void) init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); + init_debug("mnt_opts blob size = %d\n", blob_sizes.lbs_mnt_opts); /* * Create any kmem_caches needed for blobs diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3e590f632f59..e0f6f2093708 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6970,6 +6970,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, + .lbs_mnt_opts = sizeof(struct selinux_mnt_opts), .lbs_secmark = true, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c93e81facf1b..573d5bffb9e1 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -5064,6 +5064,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, + .lbs_mnt_opts = sizeof(struct smack_mnt_opts), .lbs_secmark = true, }; From patchwork Fri Dec 15 22:16:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495168 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic302-28.consmr.mail.ne1.yahoo.com (sonic302-28.consmr.mail.ne1.yahoo.com [66.163.186.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 24E0017987 for ; Fri, 15 Dec 2023 22:43:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Te5/75Ah" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680223; bh=OP/fe7KTWBlNrxCDPndD55sIV1PdVPH4756etwgkPBQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=Te5/75Ah40FU7JV5zv4gA6YC/GtWU4lkiluweGh8clYFZtrSecHKgjyvJcnL2vUHmln8cpd1eBYM34ZXb59MyNxqxEmyTYETJkF2f5S4GBbS2MZKRvEVg2iTguKW8xcOO9W2vETPJP+rAQtEdR3F8NksGHm9KMjQVkuugnCdrrpUyfIBesDpVJnENqAqW5ebAmDt/cWlimu0gz/4fTSjnIJMxLV7vlhxm0gRFvj56NKNl8/2n4yikBUHyUXeIogyGVNvj7XwEs5m0djCVNQkPVk/mssQefrMVnDt+eP1WhfDPFG2VAoRGU+v/olcB3Ev/78CQP8IX13MHdffadM1sQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680223; bh=7cFt1PnR65sziyB7/ELmNrG9oDxSfh9AtHlEi4CMFj3=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=XZkZ0BrR3fReGnMSvRUVFxa+FWXY1wSRN4ATIbczwhmoZznlZO5P+tbD+xrnDR8qQk7CSEKN3ALVI+ESoJGlSXwRvkL63qsQnRmi4tHO8+5Sjg8gqSv7OdkhDs26UntIJ1MZLmZLm9hMQuulpUpSJXebh7Kv5XDrGLD9gbkQjOA85wimp6X8ii9lRQsgobAQ8NiZMLWd6ijPIMneKIjNZ+8JCv5zQt+4SLDUI57Jgw+Ulr/YntJ19MVAsJAMXO2P7GmK09Sy2pYDI9nISVmuCEFs8+CR1ZxHtezdcMRxeZcHoe7Bh7ijj9S2tyq1WYdmENan70m67yEoQLGPvV1frw== X-YMail-OSG: eciJ4hsVM1n5pF1jj95VYuHjVLjV.aaiZGxotjXzMoKI.BOXVgAVgqMmPG6tuq5 oNHFI65wJIE59K.OLoIgW.9DdrNZjmQwKCHRSBWuDNVt6zecmseorjWPzmo5QXzdCOSBd9kfX8fG 2L2_g97ZxZ8VsSO0WIRe8BdhtiUh1JP5GVeJLtW22MTCoNYIjnOuzrIyek5h.CcD9nPSpuba.ZA0 eA7TTDsLlvWefCfvaLdvZUltxAFR_FVTbL0j0r_rd50OVSZCxqPJNShF8sSBqPO0x0FegF_u4jC4 gtvy9SIduFMYwLmmHktPMaSeVtAYdLFEjCSQKB8Nq3NZjgvyi0F1P3Mij9u3VV9xqZSAnpR9mEqK XS8JUGWe70fphe6h1or6mJ660l2Lq4XaOAycECYj9Co3TXYA7UJ1zNgZm8xbPvQnqgCeb__a63MI LPiYdFKPbBChOTqALqaNQ28_ZwJQGApRiey9TDOTSI43wHbkogIhp8IEx.ntF7Oobtr.kkK1GO6V j46eO_AvuX4bffOyGBz9grJDdcDR64n808WsgC35FwfE0WTHqptLV3pwckuHVjoViqjir0uFDwHG vTZ2R2VcHtZOFjRWPfJhIXLk20Gfim4VsBiOkFCBWrAmHZjUTPQpl6NBVq_NvIiZ4yZ.u_3ZkUCp ZImS5eZ3mxjwnK0QdeFIg3BAiBzY6FON4X.kdLS6xW82xip2QCYSQ0Kj7OHvkkrhAxKDRarWNOiE FiKptJWZ89NrwQYb7QdGYyBj2nylIDXQk4O5cMggyrOMZNbkBOQb_amksd1KgCMm4zX.RbCAU0Sw PmVC1GBdwdR66Kn.kIUWPV6WntiIp71JpecCw5HwsSgxvFH46QrBFQnqaEFX9fCfNk4cqKfy0DOd _g7oOrcPjGJgX.0wIQ3y_ytSvymxpah0Nv7XinVeAQGyWtFL_LJem.yGsd5OSM4415PRqR_AQ_WS MgwzdeXyXWKgv_mwKKqxxj9gguQwa3SCSZnXvw6SuEZG5o4TPnCQESOOPD40CWwm.aH4popS3pmT ST7d9edcPJZocwXjUwoEB61ibRYI6eGu3c3evE.iKzZkgBRxtWGwnl0RtlNoF3kr6XbKK7PNSNZ5 6E9XbVJ.e9DtT5eRMsFP3Ld3PZXl0L0dH7s3RP19eDXzonhHATgOQMOsx7k2vrrxuIHiTKHrmcDG RVBX.ZGV3NgwbTS40lMoJQz7G4aSegWDXxlRh59l3h.lkRv8cHold1ANAKGbgpCIxi4QDqORIqIr n2T50RsanKwqS.xpLoZlztfyA4Ck2QyObh_l0tA069NC229Kr0xA4O7rQuYxMWJgrUbKY1yhheoO iU14FWi1JLQlZmJBopNOCEt_4D.CJlbV7fVk8WHd0ZO2OyDsH_7RSmTs4faXJXIOQ2BbHLipsx0s 43ZAtl5cIaJGT.lyjnm_ZvQ_xaKqp8iJn3aji7BJTKiaFN8RctW9GmnR5lMzpHpJDRxJMMjCedCz YFpjB4oDalkz8KXvsAAYBZMo20uTQ4w456yWe2J5qoi0WxMzKWEscWijRgLjazlypEXkJkpj974X FHgs0ATyBVx6tNw9uotJIhWMScF5uxWlIMhMufGIzHg27fo3vGZOssjMCvbtyeRkZebSo0zFmWtF 4kzgyWSBD2GDbwn_aTN.NYlxPRCXf7WETO6Ck6nSepv7ya5MJWW24tJtg0rUXT_tZSjTay3SeoA1 TZxE43YtdBCRPFNIe7orin_pk72OoXOcxTrEWgwBozCqhnsEzrbMGdT_NkwzEhO_QA3B2hK8Sipn 8_KWSoqbW6JOLOIwZztNeJPFBTdvFT6rGepvuwtBSBwM0OzKXgDx9_Oe4J1f0fbrEgyDgrxgABd8 33HhBI_S8PgfCcqGrwOplPEcLlgcU0KPTYNa3IMxP8N6eLA7ASIBsYH6iqiTDgBx0IPp.Vu1sSF5 v9ZOS3IKtpof7wlWJZcGSYzRciEGcPV9zZMGLQTy4N1.aFkL9EAh.TBpwSBk3jiI6f7K5KT0QrTy B1DYNslbtD4hx8PJyR_oOhpfprZH9nt.eE6Z4y_31OJ1ld2N9iJ1jl47ChHFxlex53NyhlO4JMDL VTFD.R8Lb61F6thncA6sn6Djaa7eYa1NS1OFzQkaQyRS2apCxRsZZwuLGxwEgPR_oG5npcHCdxXS SglOwZ9ZGIZtYiPrdJFbDxU4wQQuzuPt7qVmXFJ.AeHaAEZlN_xdsACSeDGfJ.d.eLFi418D_4yO qdxWumaX1I24q6cIN39TRf1SEgyQk7v_zhmjh.6oQzszOrtL2BmEsJ6YMnwGGLBofdDkVWBP4E1y 0Xw_lRfrOf9pX7TbfC0i_VI1JWw-- X-Sonic-MF: X-Sonic-ID: 787729f1-851d-4e07-aff2-45c0a9d88a4a Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:43:43 +0000 Received: by hermes--production-gq1-6949d6d8f9-k52jv (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID ca4128361bb8b08e481604451b6f4d3b; Fri, 15 Dec 2023 22:43:40 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 35/42] LSM: allocate mnt_opts blobs instead of module specific data Date: Fri, 15 Dec 2023 14:16:29 -0800 Message-ID: <20231215221636.105680-36-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace allocations of LSM specific mount data with the shared mnt_opts blob. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 12 ++++++++++++ security/selinux/hooks.c | 10 +++++++--- security/smack/smack_lsm.c | 4 ++-- 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 59085248809a..24a0f62ec2ac 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -156,5 +156,6 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; __aligned(sizeof(unsigned long)) extern int lsm_inode_alloc(struct inode *inode); +extern void *lsm_mnt_opts_alloc(gfp_t priority); #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/security.c b/security/security.c index fd429f67d2da..7a9fbe706525 100644 --- a/security/security.c +++ b/security/security.c @@ -1385,6 +1385,18 @@ void security_sb_free(struct super_block *sb) sb->s_security = NULL; } +/** + * lsm_mnt_opts_alloc - allocate a mnt_opts blob + * @priority: memory allocation priority + * + * Returns a newly allocated mnt_opts blob or NULL if + * memory isn't available. + */ +void *lsm_mnt_opts_alloc(gfp_t priority) +{ + return kzalloc(blob_sizes.lbs_mnt_opts, priority); +} + /** * security_free_mnt_opts() - Free memory associated with mount options * @mnt_opts: LSM processed mount options diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e0f6f2093708..3d046c9d0121 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2787,7 +2787,7 @@ static int selinux_fs_context_submount(struct fs_context *fc, if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) return 0; - opts = kzalloc(sizeof(*opts), GFP_KERNEL); + opts = lsm_mnt_opts_alloc(GFP_KERNEL); if (!opts) return -ENOMEM; @@ -2809,8 +2809,12 @@ static int selinux_fs_context_dup(struct fs_context *fc, if (!src) return 0; - fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); - return fc->security ? 0 : -ENOMEM; + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + + memcpy(fc->security, src, sizeof(*src)); + return 0; } static const struct fs_parameter_spec selinux_fs_parameters[] = { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 573d5bffb9e1..97ffb07797e9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -638,7 +638,7 @@ static int smack_fs_context_submount(struct fs_context *fc, struct smack_mnt_opts *ctx; struct inode_smack *isp; - ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + ctx = lsm_mnt_opts_alloc(GFP_KERNEL); if (!ctx) return -ENOMEM; fc->security = ctx; @@ -689,7 +689,7 @@ static int smack_fs_context_dup(struct fs_context *fc, if (!src) return 0; - fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); if (!fc->security) return -ENOMEM; From patchwork Fri Dec 15 22:16:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495170 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A24B218EB8 for ; Fri, 15 Dec 2023 22:45:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="YzD++rAj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680318; bh=q3GJ/ydywQ11Q5gXfImcpvZcBSkSEwJUqRpdOx0312E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=YzD++rAj8fArr7vAm3sUyJzrrVF5efT4glTlRY5IEtN53Zs4ke6gxeviycRQpUmGeAklERslAvjX58JjrC/kxDwAexz3n8+Pi0Fa610dFiH/8hBHcJdbMrHbzQbqhCtaJxL1AzXX5zVAP+fZB0fbhz+iJUPsAOSTy+jFbPMwWkFBwcjVpJcN94bf9wypi6a7z4ShuXGyAKrtr1uHVRy4CEaF8Ik8oxJqU3fqvSPTl3cu6EaJI4TKBPwM6+l0JXMLTjv7+iz6kQQVG/T7MrUPuz1tbBBrG4mPT6VN5/2t+0T3ALU7kW/bMiNn8xg0shkm6qz4ZvWvZymXEEa5cO64dg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680318; bh=i1KpasmTOcn/CQBphNgw9BBsygmY8VTXE4TE39k8yrT=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=GTMql7sQEvQ8xLUTvU0eT/0J7FfiNKQh92IhpDHzw+ksYjSffS1i/iagqrofRVjlpSAnqwCvssVG0+jyKNQT9f4g+1qyOmjrXc/w/tyPIMGre4tQX2wLdP4WHYg9kfAeNJ+w8oAwulmobr8YlsbGcldfJIEPBgOmtXYYpvRpNqksM5Q6GV+6xNBOt8GkBVYx8UjLxgjSgYHgUI9ZoqEk4Tc+q5Y2CJ6EqjlkjqXgY6ww5+dgERRNNhCNPLeTb43ylVIZsJ7OmlDKPHJbTprXUTNiVT9COmjJGT6+2Hzwp30qifYsBu7irR/xgivG5yeZsDg+X5Powzbs85pgLcZf6g== X-YMail-OSG: zQGojZEVM1lOimhzZ77u0GJgPwUZNXqifFQcTrR.mIl.ET36DXntMDVhXmW9GB2 I.dPndgvFEOCfLjT3tkxg1_j1bq7I0ACuGOVGleKeUrp_L7BHd0jrbC2ye4P47oKBjiiDw61KY_Z PGH4W35tEyGgT6ZG2R0qoPiU8.AKRJt1hR6C0X8JyIe_ry2WBXlKj9tJkPA8Db2sK6kva2Pr0hDw ttkfcIh.pbnoIl65bRCC.CcRGMFHxw0X_i3w6t0f5aeJx3NKGCV6m.ihDalxI6FbXq.KgYbgvIoT 4AhpdPOjc21Bqgib1EEoDkiriszXQ.4VHhV67kYS.eP9UsqRLVuHI3G7ZFierm321JvaOXh0PerV Qi.PL9xlKn4jwE3mvri4t_LOMDDC2gWD8WXHt4rvqckBVp5Mk4U6gygj_ATz.KqQIhJavc5518uX 3xsRQgF.YUcaTxQoT9Wq6WK37jLwpZlPpI6r04osJHlLHdpTjLuSfzSdYuTBz4WQO5kQsda9rSo2 9pH4LW091LVEcAiFI5S6rrfS1lnrr5gdriRp_oDSnDdjQcSyK2zXgEHw5mm4ODX1NrGRirG6q7ab WeIRPctUnQ3dKW0elC2ocmp5it._5Yb.Na2sLbfOS8GXRjanypXs_hw32qEpIjIxQhTwSzFk5XJ2 ffWQp8atdpnA0gd39br5MhNHoc26KVGLF7ahPDh4yzKZaYi1aWUioWF.rOF17XKwC3xU1jSfZ79b .rRMoIvQYuIaca8cd91wmrbqDB1EGquy27YxoPo6hF4S_gTw9.xAYNVMRZOQGkBZSAsLemA8lQ4c lt7CJnW4HMv4NoMKaevSOr4zZDPvuTRtO2JBiOw_cBOc7ytnLWTgr5aKoGO.VgMHG_iW8na3d9RS Cu4f1kgqJztOcVnXb.LKGZNzp_Dn_O0qH33ksvqSdgH7wp0H_qbyKDweOQxpw3VFMjuE8oVuY2OD qAMnXo8rIS.Rhhn73BG9RhV0ibPw0M5ozbiKOlYrvtIvcry7mjS7W2kik7OU5cKfq611x0nKDgu9 ZQifOEg9R1FQlJEratdrafbBLT1u606RO5v_MlJvIgLwWM77Zsexb25AJWdb0Mje53CWNfN9JbhH mvQ1cxsQHgA5lcIvNisMhbN.3rfPkcte.EavWgpdk3.7cVGkvGfgcR80.uwPTS7XKDHeiEqag35A zkMuGBCsnSg8k21FQz30ADcWemAm2MaygWtmsygwjB.zejndI2aK5WPPyHyqHIUYsWYz4ghkofXT sAjJPSgVpc2kyFpFiDK9uvH.cmahwMvzb2h3KT9ljtkUqQHM.ErPHf1TQp8CZf._9IuiBl9tkcF_ KXsgQRS7rntzsUqc6AJ6X0ljD5EjbGgzRXLtmE9cqKHOtTkLFl9tzGVFFUDegLmC9nxPDWiIkBVJ xQ5lnHLnF9nmzHTSNUQL.p2Q1QgWTeWYCUvSM8lEvP5Jw.CZD7p4I6KLWnQUT0jJztHwTn0dqOjv 0zf5NW0n11iChZ1KzbMRsrLYR5JLne46T0o4.g3FExlxvZbfCpIL.32QoqM3hyiXR5N3z_Zjc2Jh CFKwb8pJSqX.W4lHgHeSbAGWTiIYsnH65Wi2RVve3LAkzFqYI9Y__7KBH_rL64_magtdWxCFV4PK bRmXyJ8RAc9.8vHn_jbgAJFe6Zf7zXap.eEMelyInJgyXFQuljjx0s03ImOZwdS8_jbnoQm.VkQc CktLT6VmZEwU7f5bB_Lz7rpSoUZL46eoLrOEiz64AxDFHYZ23gFImw_bjT8b4zOJxjKfvLRqVVCs eniCBffuUMAd_khNXhFeXPKUym7WZ1CerTXcy3zPmSCLdlWefXyGWDYeulXqdWEnW4y87Xl64X52 1dqiH8buFM2T1iOxmBfl3A.ud7bOmmkMS.pHey8jihFokbHClIuRKtLa.Ak9SCUp78Q7CKw.BaRf XDmXJOtgaseYPd40ie202fZwosa_d3c716cQGxyG2auDSv8shS_je_Jz3HlOSLCRNtHm479XNHoa MG57mhqojYeLuEbV0TlurzhPxonTzsZl_4NX6.k2GXkoQGgz5FODdf8LHpPS4nSSxd6BByGucDF1 u5rK4UUF_RppfLlrJ8Mn51VPpX4GbieKmCxMFhOE8MimQu19UHR967IMo0iFVPlPkt8UsuyE8iNP 5s1Dc.sU64bxtHdz0weUTV76sA71sGqb951wQIN4Kq.xwQ648j3j2EKPh3n0fujPsDbhdMOAy7E0 sDaMj0sE_FMOh43wN456btf1wcA6FxG5OvGdyLx.60oBvmqRTyo8wSYPOnihSDkjoI3QqhM5Mf1k _BA_5ONGaDFDcSuRp5teCLjiBWRLeUA-- X-Sonic-MF: X-Sonic-ID: d9c7d73f-dd58-4f27-ba34-839cdfadde7f Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:45:18 +0000 Received: by hermes--production-gq1-6949d6d8f9-hnk4w (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID eb823cd57ae610622380a59672438916; Fri, 15 Dec 2023 22:45:13 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 36/42] LSM: Infrastructure management of the key security blob Date: Fri, 15 Dec 2023 14:16:30 -0800 Message-ID: <20231215221636.105680-37-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the key->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 41 +++++++++++++++++++++++++++++-- security/selinux/hooks.c | 23 +++++------------ security/selinux/include/objsec.h | 7 ++++++ security/smack/smack.h | 7 ++++++ security/smack/smack_lsm.c | 33 +++++++++++-------------- 6 files changed, 75 insertions(+), 37 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 24a0f62ec2ac..fdeffa0c8d13 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -78,6 +78,7 @@ struct lsm_blob_sizes { int lbs_sock; int lbs_superblock; int lbs_ipc; + int lbs_key; int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ diff --git a/security/security.c b/security/security.c index 7a9fbe706525..092752666fb6 100644 --- a/security/security.c +++ b/security/security.c @@ -226,6 +226,9 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); +#endif lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); @@ -449,6 +452,9 @@ static void __init ordered_lsm_init(void) init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + init_debug("key blob size = %d\n", blob_sizes.lbs_key); +#endif /* CONFIG_KEYS */ init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); @@ -768,6 +774,29 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip) return 0; } +#ifdef CONFIG_KEYS +/** + * lsm_key_alloc - allocate a composite key blob + * @key: the key that needs a blob + * + * Allocate the key blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_key_alloc(struct key *key) +{ + if (blob_sizes.lbs_key == 0) { + key->security = NULL; + return 0; + } + + key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL); + if (key->security == NULL) + return -ENOMEM; + return 0; +} +#endif /* CONFIG_KEYS */ + /** * lsm_msg_msg_alloc - allocate a composite msg_msg blob * @mp: the msg_msg that needs a blob @@ -5390,7 +5419,14 @@ EXPORT_SYMBOL(security_skb_classify_flow); int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - return call_int_hook(key_alloc, 0, key, cred, flags); + int rc = lsm_key_alloc(key); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(key_alloc, 0, key, cred, flags); + if (unlikely(rc)) + security_key_free(key); + return rc; } /** @@ -5401,7 +5437,8 @@ int security_key_alloc(struct key *key, const struct cred *cred, */ void security_key_free(struct key *key) { - call_void_hook(key_free, key); + kfree(key->security); + key->security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3d046c9d0121..a9af3c848a16 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6672,11 +6672,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; + struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); if (tsec->keycreate_sid) @@ -6684,18 +6680,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, else ksec->sid = tsec->sid; - k->security = ksec; return 0; } -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) @@ -6736,14 +6723,14 @@ static int selinux_key_permission(key_ref_t key_ref, sid = cred_sid(cred); key = key_ref_to_ptr(key_ref); - ksec = key->security; + ksec = selinux_key(key); return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); } static int selinux_key_getsecurity(struct key *key, char **_buffer) { - struct key_security_struct *ksec = key->security; + struct key_security_struct *ksec = selinux_key(key); char *context = NULL; unsigned len; int rc; @@ -6970,6 +6957,9 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct key_security_struct), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct msg_security_struct), .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), @@ -7310,7 +7300,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #endif #ifdef CONFIG_KEYS - LSM_HOOK_INIT(key_free, selinux_key_free), LSM_HOOK_INIT(key_permission, selinux_key_permission), LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index ca12d4d7cfc6..a76d39528262 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -194,6 +194,13 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +#ifdef CONFIG_KEYS +static inline struct key_security_struct *selinux_key(const struct key *key) +{ + return key->security + selinux_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + static inline struct sk_security_struct *selinux_sock(const struct sock *sock) { return sock->sk_security + selinux_blob_sizes.lbs_sock; diff --git a/security/smack/smack.h b/security/smack/smack.h index 0f5bc5c03b9e..85ec8141fe70 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -360,6 +360,13 @@ static inline struct socket_smack *smack_sock(const struct sock *sock) return sock->sk_security + smack_blob_sizes.lbs_sock; } +#ifdef CONFIG_KEYS +static inline struct smack_known **smack_key(const struct key *key) +{ + return key->security + smack_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 97ffb07797e9..b273e94028bb 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4486,23 +4486,13 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { + struct smack_known **blob = smack_key(key); struct smack_known *skp = smk_of_task(smack_cred(cred)); - key->security = skp; + *blob = skp; return 0; } -/** - * smack_key_free - Clear the key security blob - * @key: the object - * - * Clear the blob pointer - */ -static void smack_key_free(struct key *key) -{ - key->security = NULL; -} - /** * smack_key_permission - Smack access on a key * @key_ref: gets to the object @@ -4516,6 +4506,8 @@ static int smack_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) { + struct smack_known **blob; + struct smack_known *skp; struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(smack_cred(cred)); @@ -4553,7 +4545,9 @@ static int smack_key_permission(key_ref_t key_ref, * If the key hasn't been initialized give it access so that * it may do so. */ - if (keyp->security == NULL) + blob = smack_key(keyp); + skp = *blob; + if (skp == NULL) return 0; /* * This should not occur @@ -4569,8 +4563,8 @@ static int smack_key_permission(key_ref_t key_ref, ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key_desc = keyp->description; #endif - rc = smk_access(tkp, keyp->security, request, &ad); - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + rc = smk_access(tkp, skp, request, &ad); + rc = smk_bu_note("key access", tkp, skp, request, rc); return rc; } @@ -4585,11 +4579,12 @@ static int smack_key_permission(key_ref_t key_ref, */ static int smack_key_getsecurity(struct key *key, char **_buffer) { - struct smack_known *skp = key->security; + struct smack_known **blob = smack_key(key); + struct smack_known *skp = *blob; size_t length; char *copy; - if (key->security == NULL) { + if (skp == NULL) { *_buffer = NULL; return 0; } @@ -5060,6 +5055,9 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct smack_known *), .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct smack_known *), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct smack_known *), .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), @@ -5199,7 +5197,6 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { /* key management security hooks */ #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, smack_key_alloc), - LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS From patchwork Fri Dec 15 22:16:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495169 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB39D18EAE for ; Fri, 15 Dec 2023 22:45:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="VWDM4zzk" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680318; bh=IGboAo7eFziof5CfECIvA248+i4VKISGr6D9poWTQsA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=VWDM4zzksd2Gf64oGlAl9GHtZ2JQI6d90bHMM+8qij0+NP6oVfwH16B8ny6HMDXZzJ6uzCochV71t1KI7AoacBPJJXyFzsnU4CyBrsyt1Y6oLOHyc/zzMFiOdrlpPqv66iA1rifHOSzNXiddorxEPtduq2aLgjQ+6R9XYiN5L/B7CALOAkRuboTUaeL4KwkIrm+PjO6bQZNVf5oewsIPGiMX/KCJONmBckgQysbZ2ftoXpwbU+CesVn7f0RLj5N4bQJfYBEL0QnaX7dcYsAs6QDElZCxu6vsfRosjzRV3112LEB9WG+bIfxazbUKiGU4wRaBohAYxL46jjEsLnqoxA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680318; bh=i3Q4Jv+BeKcP5htciuGw83/sHswM3vBj2rN3B5mr+3H=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=e8cZ/c1DPSn3vpbPKcadJs4krgNz/pSkRdS45rRVJ5t8FM9mIzOmUQ6wnxlxdi0NcWs9OuxMcMmha73WsZ19gzTQ5gCxBw5vhxO+pcO3DuhBOO7YIttxrmj7hTwexTsgTXTo1JG6c4XLUSOq6Qh8PAQPvvibjzFIlB5IkOYjIChfs0dLBW1pHaralVUuxxUWg21+X53sGuRYbIFsOr9eUsejrnKg8bh4eDZh4zEybsmZ8XHVPjRlelwRGyfg3N3dTjrkIEFIE8jzSsO8ho40vsrZD1RxlTLem7te5PsB01sO52p1RSrguLi/zb4KiAamDUUG2MkcNsDprndpgaFPLg== X-YMail-OSG: qOGcv2YVM1kUlpfgd5gHgw_uNj77p8Lb4lXB7D1yMO_dFeRQop3gfAL4iUW_Hpz yc1YhKztk27TMdZIPlMk_b1U0VvRGnUs_I_E7z.dwq391cxxHAX5RLKFVJcALN5RiDQagySEeYcF b1Z3aWbiTM1.h7vhu0oT9.YN1k9soFgx8JFCG4o.DrMcI7OJUy6OZsMyViKAijFSMx.uc3kgCbjG svS2wD_.Zbcf.yiikY7y5HKDz0itMomDdVICMCgaR5SzkoKH1ziSv5hmv.4uUcnsxIYcjIK2P6Fj C6sSXl9JNoHsacyZs8HhfzG4XC.CfvMthSE82Mu0gP4nE6ECx9RDO_ykD9f8WCyTjn5K5xOMTFqp xIpufTfC7SOIPbeJEuq0HpgCsSVe.94ztLdzr5rZqg8WWjTv4C.AYhWOwbB14Dqe4HkRDakdNWXh HYSZ0XipgcUrWq20N89ThRTo3urp_3e7K599MQFMtYe6B456osPVjoSTITeOtc5i7Sx3dwOE6Bxg mlBdaQA37JLWi32_QdXXQqOyDP4FspCs4Phsv555n3T57i_j2Qc6Hv8FSzdQVLnAlgK_u4FlLY25 0bYaKUAsvx1i3Dg1LBH6zBNC.gJno0aIbBcc2xcTtLTqJgmBGrPIyBlmNd7kbbjOh.IAqZViZQNh BXz_87IeQsXJ83HXxB0p0xuu6MORsJeZVqY_TTSALxcT5QFRP92qirSiLI_z678mQ2UWi05pnP11 rWmCZow0LrAPYthNe0wO0Ghyw8BH3WLITuz.DWy8kfN_zRrhoZZDPd4zmSNbZZfiQStTf7MhHUE6 WDV2fcd7SE8W7OazYv7r2YlIY.8Qa3ecWwumODOgRgthuyO8RBsHaFA_Q3VQMSPg5Uff_X0KGax3 YALih6PW0XAB_PHIy0Aps8CDsMeyeQqHe0Vr6FfrRrX0wP9aKYwTwjTAulbwfYQ5fKOFxdadBl2s 9kGQiT7VFKQCGnh2NXeV.Sl8.fyVn8TQWdewPCKUypJJZy3dDuDsLAgG01O1Sg7xzAthlgl6bWF2 I2orI959sI1AFnjqsJni2gKp6Nt7Y0TTnJ71DLmIaBNZusrGWKQ.eKXw1ELbgGmhhNypx7NYGmah JUPQPj_E6fA9br6VaZ5L4fktcycVyCFiXL_XMo1V672nwnvp42oMTu3rAScznSRwLimAQwk22cgo DUyzLRhYvlW8SAwR.7_9lfL_bSTDWFN2trSm9Ln1sAjE5V49RwZlHfFXO_ML0.7MFMc82uP.aR8H YtMeoAVn.mKFRspoYiY8hX.BpptUKvssJ4H.jQxN0cU6p3zXHMvFhMzoDiO9dbyzh1AGebqiBWwM j6yImSZ9VMgiORtNycLXQOUaONpNQePSrUumAXFzZQrgoqVNWRjifAMdwwzNr4NG3EAhiSmF72TI TFnt9Pfo52rC7LwopB6Voesga3c9pNCYTFak71xFF7XzrYZwKkpnLLO1A9k1_GJibHgPoMt62gN3 G2YPlNRbQAlt..xwiNTsPNpru40tc7BiDLda08_cfvGLyiI1Guzp0Bp4va4vr5cT3gNoR2.pOz9x mnuGHXgja3pUArBOpoVOCQFmM0yH40i0ggIsizS7jUSpd36PCkirW4dnQeBLoBrPAZUL25hkFUjL kz69.jdUJ1A2ybonaOOX4cdQhOgPs.sZWFBeSnzR4DSkhkZy95hL4chcTLMFRrPX_Ra_Wu25.Unp YemGSRqw4.7kSAJn63qxXFfyLeEwQv0agcA9ZbId3ki6KP9lYWGvOrd4pTz2wTf7VvyuGFe9v6oy Myf76xB_LjiX7B8ny5tkhTKJQZTg1ukYPEmSgIZLCoPICCs.rKXUAsxRDzgFkV0CDQMx9DHfPE4K jYuI8JsazhJrwb7ZSt5VL3SkRbSsqEflumNrhrlMl8HqdK5BBK.BEExD18s6mXFKAeKiM66.ue7c lrTHvW5xxEfaZRpaDKkvJ4vAltFhwshrItvpJkezOkA4AAFhztF_SoVyEIRY5q_hRqCJSOT6tS7C 97b62co3fQx4cEqfbSuduIOAGwN0jDEJhpvhUrZ.AOIqaRuptGLgDJaBM0CJxXYV14v.BjRyrQmd ZEpGylD9._93csowidlPVRctilG3HAf9wIJermoRaBpUiIN_l3hUH8KOXu8U_Id7ojiF9C4ncm9S CmykhQ3LzcY1DDDUaE34TeX8jsNG8WdxxoPyON1UgrKncM.7ddewvuCvmgvXTxl0X0sllnuyDS9J wyK7ishvEhFyM5Tf1ijxyTVBZqn2FwtAihxxh9QYd5RrZE0wmu9iOJP9CkyKaGZHXqS2d.oblv.S TAhUz5yAf3yu32NHcRjTj45QUzDFJfQ-- X-Sonic-MF: X-Sonic-ID: 00781111-531e-48f1-8001-67903e0535c5 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:45:18 +0000 Received: by hermes--production-gq1-6949d6d8f9-hnk4w (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID eb823cd57ae610622380a59672438916; Fri, 15 Dec 2023 22:45:15 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 37/42] LSM: Infrastructure management of the mnt_opts security blob Date: Fri, 15 Dec 2023 14:16:31 -0800 Message-ID: <20231215221636.105680-38-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the mnt_opts->security blob out of the individual security modules and into the security infrastructure. Blobs are atill allocated within the modules as they are only required when mount options are present. The modules tell the infrastructure how much space is required, and the space is allocated if needed. Modules can no longer count on the presence of a blob implying that mount options specific to that module are present, so flags are added to the module specific blobs to indicate that this module has options. Signed-off-by: Casey Schaufler --- security/security.c | 14 ++++----- security/selinux/hooks.c | 58 +++++++++++++++++++++++------------- security/smack/smack_lsm.c | 61 ++++++++++++++++++++++++++------------ 3 files changed, 85 insertions(+), 48 deletions(-) diff --git a/security/security.c b/security/security.c index 092752666fb6..64cdf0e09832 100644 --- a/security/security.c +++ b/security/security.c @@ -1352,18 +1352,15 @@ int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) { struct security_hook_list *hp; - int trc; - int rc = -ENOPARAM; + int rc; hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, list) { - trc = hp->hook.fs_context_parse_param(fc, param); - if (trc == 0) - rc = 0; - else if (trc != -ENOPARAM) - return trc; + rc = hp->hook.fs_context_parse_param(fc, param); + if (rc != -ENOPARAM) + return rc; } - return rc; + return -ENOPARAM; } /** @@ -1437,6 +1434,7 @@ void security_free_mnt_opts(void **mnt_opts) if (!*mnt_opts) return; call_void_hook(sb_free_mnt_opts, *mnt_opts); + kfree(*mnt_opts); *mnt_opts = NULL; } EXPORT_SYMBOL(security_free_mnt_opts); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a9af3c848a16..46dee63eec12 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -365,15 +365,28 @@ static void inode_free_security(struct inode *inode) } struct selinux_mnt_opts { + bool initialized; u32 fscontext_sid; u32 context_sid; u32 rootcontext_sid; u32 defcontext_sid; }; +static inline struct selinux_mnt_opts *selinux_mnt_opts(void *mnt_opts) +{ + if (mnt_opts) + return mnt_opts + selinux_blob_sizes.lbs_mnt_opts; + return NULL; +} + static void selinux_free_mnt_opts(void *mnt_opts) { - kfree(mnt_opts); + struct selinux_mnt_opts *opts; + + if (mnt_opts) { + opts = selinux_mnt_opts(mnt_opts); + opts->initialized = false; + } } enum { @@ -628,7 +641,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, const struct cred *cred = current_cred(); struct superblock_security_struct *sbsec = selinux_superblock(sb); struct dentry *root = sb->s_root; - struct selinux_mnt_opts *opts = mnt_opts; + struct selinux_mnt_opts *opts = selinux_mnt_opts(mnt_opts); struct inode_security_struct *root_isec; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 defcontext_sid = 0; @@ -644,7 +657,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, mutex_lock(&sbsec->lock); if (!selinux_initialized()) { - if (!opts) { + if (!opts || !opts->initialized) { /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ @@ -682,7 +695,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, * also check if someone is trying to mount the same sb more * than once with different security options. */ - if (opts) { + if (opts && opts->initialized) { if (opts->fscontext_sid) { fscontext_sid = opts->fscontext_sid; if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, @@ -991,7 +1004,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, */ static int selinux_add_opt(int token, const char *s, void **mnt_opts) { - struct selinux_mnt_opts *opts = *mnt_opts; + struct selinux_mnt_opts *opts; u32 *dst_sid; int rc; @@ -1006,12 +1019,12 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts) return -EINVAL; } - if (!opts) { - opts = kzalloc(sizeof(*opts), GFP_KERNEL); - if (!opts) + if (!*mnt_opts) { + *mnt_opts = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!*mnt_opts) return -ENOMEM; - *mnt_opts = opts; } + opts = selinux_mnt_opts(*mnt_opts); switch (token) { case Opt_context: @@ -1038,6 +1051,7 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts) WARN_ON(1); return -EINVAL; } + opts->initialized = true; rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); if (rc) pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", @@ -2629,10 +2643,7 @@ static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) return 0; free_opt: - if (*mnt_opts) { - selinux_free_mnt_opts(*mnt_opts); - *mnt_opts = NULL; - } + selinux_free_mnt_opts(*mnt_opts); return rc; } @@ -2683,13 +2694,13 @@ static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) { - struct selinux_mnt_opts *opts = mnt_opts; + struct selinux_mnt_opts *opts = selinux_mnt_opts(mnt_opts); struct superblock_security_struct *sbsec = selinux_superblock(sb); if (!(sbsec->flags & SE_SBINITIALIZED)) return 0; - if (!opts) + if (!opts || !opts->initialized) return 0; if (opts->fscontext_sid) { @@ -2787,9 +2798,13 @@ static int selinux_fs_context_submount(struct fs_context *fc, if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) return 0; - opts = lsm_mnt_opts_alloc(GFP_KERNEL); - if (!opts) - return -ENOMEM; + if (!fc->security) { + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } + opts = selinux_mnt_opts(fc->security); + opts->initialized = true; if (sbsec->flags & FSCONTEXT_MNT) opts->fscontext_sid = sbsec->sid; @@ -2797,14 +2812,14 @@ static int selinux_fs_context_submount(struct fs_context *fc, opts->context_sid = sbsec->mntpoint_sid; if (sbsec->flags & DEFCONTEXT_MNT) opts->defcontext_sid = sbsec->def_sid; - fc->security = opts; return 0; } static int selinux_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { - const struct selinux_mnt_opts *src = src_fc->security; + const struct selinux_mnt_opts *src = selinux_mnt_opts(src_fc->security); + struct selinux_mnt_opts *dst; if (!src) return 0; @@ -2813,7 +2828,8 @@ static int selinux_fs_context_dup(struct fs_context *fc, if (!fc->security) return -ENOMEM; - memcpy(fc->security, src, sizeof(*src)); + dst = selinux_mnt_opts(fc->security); + memcpy(dst, src, sizeof(*src)); return 0; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b273e94028bb..61bd3f626e7d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -560,6 +560,7 @@ static int smack_sb_alloc_security(struct super_block *sb) } struct smack_mnt_opts { + bool initialized; const char *fsdefault; const char *fsfloor; const char *fshat; @@ -567,24 +568,37 @@ struct smack_mnt_opts { const char *fstransmute; }; +static inline struct smack_mnt_opts *smack_mnt_opts(void *mnt_opts) +{ + if (mnt_opts) + return mnt_opts + smack_blob_sizes.lbs_mnt_opts; + return NULL; +} + static void smack_free_mnt_opts(void *mnt_opts) { - kfree(mnt_opts); + struct smack_mnt_opts *opts; + + if (mnt_opts) { + opts = smack_mnt_opts(mnt_opts); + opts->initialized = false; + } } static int smack_add_opt(int token, const char *s, void **mnt_opts) { - struct smack_mnt_opts *opts = *mnt_opts; + struct smack_mnt_opts *opts; struct smack_known *skp; - if (!opts) { - opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); - if (!opts) + if (!s) + return -EINVAL; + + if (!*mnt_opts) { + *mnt_opts = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!*mnt_opts) return -ENOMEM; - *mnt_opts = opts; } - if (!s) - return -ENOMEM; + opts = smack_mnt_opts(*mnt_opts); skp = smk_import_entry(s, 0); if (IS_ERR(skp)) @@ -617,6 +631,7 @@ static int smack_add_opt(int token, const char *s, void **mnt_opts) opts->fstransmute = skp->smk_known; break; } + opts->initialized = true; return 0; out_opt_err: @@ -638,10 +653,12 @@ static int smack_fs_context_submount(struct fs_context *fc, struct smack_mnt_opts *ctx; struct inode_smack *isp; - ctx = lsm_mnt_opts_alloc(GFP_KERNEL); - if (!ctx) - return -ENOMEM; - fc->security = ctx; + if (!fc->security) { + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } + ctx = smack_mnt_opts(fc->security); sbsp = smack_superblock(reference); isp = smack_inode(reference->s_root->d_inode); @@ -671,6 +688,7 @@ static int smack_fs_context_submount(struct fs_context *fc, return -ENOMEM; } } + ctx->initialized = true; return 0; } @@ -684,16 +702,21 @@ static int smack_fs_context_submount(struct fs_context *fc, static int smack_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { - struct smack_mnt_opts *dst, *src = src_fc->security; + struct smack_mnt_opts *src; + struct smack_mnt_opts *dst; + src = smack_mnt_opts(src_fc->security); if (!src) return 0; - fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); - if (!fc->security) - return -ENOMEM; + if (!fc->security) { + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } - dst = fc->security; + dst = smack_mnt_opts(fc->security); + dst->initialized = src->initialized; dst->fsdefault = src->fsdefault; dst->fsfloor = src->fsfloor; dst->fshat = src->fshat; @@ -803,7 +826,7 @@ static int smack_set_mnt_opts(struct super_block *sb, struct superblock_smack *sp = smack_superblock(sb); struct inode_smack *isp; struct smack_known *skp; - struct smack_mnt_opts *opts = mnt_opts; + struct smack_mnt_opts *opts = smack_mnt_opts(mnt_opts); bool transmute = false; if (sp->smk_flags & SMK_SB_INITIALIZED) @@ -836,7 +859,7 @@ static int smack_set_mnt_opts(struct super_block *sb, sp->smk_flags |= SMK_SB_INITIALIZED; - if (opts) { + if (opts && opts->initialized) { if (opts->fsdefault) { skp = smk_import_entry(opts->fsdefault, 0); if (IS_ERR(skp)) From patchwork Fri Dec 15 22:16:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495171 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B20B18EAE for ; Fri, 15 Dec 2023 22:46:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="pUqVE5zK" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680411; bh=uKhqCEuW3HN1RNrz6vcbzbPS+KDRSe9EK23D2ZT30dY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=pUqVE5zK5Q24QDjcj72JPdGLPGuFtb5aEJ+94Am5jk8mhrm2bPlXIlZNjxaMrk5OI2K7x8HT75PpKJzxNOo/16fNbuok+kn+mLFuipZk62K9A1anX7yLmy92osqHIxNa+Sm8J0KamIs36bNO9OV9+j1n2aCAULN3O6M+1dH1yS9xQLvz1e7QjJI0OkwX6ZjYj+z74Nh2bmYOqWN5ecR7eLyCZi49xujFzU2UlGxoqVVcymzGMLRTGFe7yNDvO6Rx3Vf5zdOt9SMW6f+PlDkXatTREhU1HvqX7+uTe8Wx/iDJPmsT+klNEba8oCM+PJ6QY5HLyw9VDdSfQ8CYBcpBsg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680411; bh=hsPYL+9UYxSrSAV24yoGwudNIN6Iewr2VgfagLgtaUe=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=eLUWk0q0cz2fSXII1SeIEdwI7B04AmVusZ8ZQ7nP7AojHlDgl/Szzk5yW6pGfi+rIZDwKIK3iOF8yI3QHUz2ie25iZknmoCZ/yzrryf3VHIQDndZE1BXxasfbFPiX9B0xn7rq6Xmc0HIUjkCvFkKhJqBXronrwkAgoVfUv50m/Ig8IAGIJTZ93tccPRHKfdRPhiiA01+/rD3b/mtgrMJrqavcUXuwi8LjnfigWnCV6nXMSHZHWr9WtT/6lK4pOq4COdaLOU8iAbhTNVhT6mzvkM1psh05KcUO7hVRliwrhNFqu/1WlaeKfgaPVMpWnSsvY/BrmDAzuDu92L+rYFUNw== X-YMail-OSG: uJUDWOcVM1m4zhcGaRvcpMdNTHEv4FUcZqYzHtvKQ.7DvWqiv7gZWn0CVgYH1tg mne3Tw5dHf02xeHUooR7BCg1xl7kZTWBevfm.9keJ1Uk9L6jyQc2PNSWWXY30fNkQThGV09Tr_Ah ZqDlJvsICJKJnLyIPQtP_hSvAAqlFOQwzpzAPDEm8H5bVvZTxlwczjkyjk2dAylrxKCLe6SWvRcL grnFMWjLHxLcPyYTmC8U0ilYhkP06TvRI5sc562MeEQA3EpOlLgxp0yDcKVeCg6mIf6gsqVPZPDW _c2NO3rP6wrkPrSLcOQ5ioX1cjnaKfIL.k8NBrMvx.fZzsM0zlTIooY6m0eW53Z44EjPHhDYJeou bJXT26E5FHLWUTyPnExMRBsLM.3Hzlk3S_lzAAAuaGoY0fEWmu.xvjWO8JZBY2qt4osPVSLs05bw poLGdtwxkorvzsjFaud0T8NBXtt0gz9SWuEXiGgVmuepog77nPhWZ7XQ4tYCXth7QlQJw7rSbr0t 2Yu56NdciqHm75tTx.QjEgYRIv0pNHp0V7hatgXIkBhqtHySLGTGejQ.1e4mtsTjQn4Vr7..puff 2VBCZTDF5kZUJ8.HNDv.3yKZARfTlwvTnPiIuhkekbWCADF5pPQNx1qEzfTLeof3W1pxoW69eddO BVcH2__MZrqk9ct3zDVJeaIRHVvztibJMjWuzGTvMybS5XP3v4g.BYmV4OHsJ8ctSr.pmQd7.Y3Z BjBnDl2uTajnIopSCM04SiXtHgSjf8jTP7p1qGBjkMvIkmjVOTZLF7NKewB.7AWwG9OpP24S2o9D .FkUKFOEZukBUzZttmr4lOV2YgCCWeAg_jDbdY.fbkW.0IvWqYPkiF5oCeWogZZZgzPwf_RlFNyp h_BbhdqKn_dCJ5SZCsBb3mJ08tf70eTHjEKSRndewuTWFYFk6IAH25uAzWOuZqp2W3xISjeByot6 JDH4deURib0noaZT2o_avRQ23S0h8XjJiQHCxl.PIWKnLnfP1Ya6fhm_AEevU46lrPJc6DHCyUWf Nap7rsPga8OvxUVmJRU5rb1nHWSH4W1mBFSICx3DT1cHfsewb54l0MnBlBewEljS0MjtJKo2H9ob NtSf5f0s0EvqIbcH4PZH0v5bFyxrUzs4OtoNNxSuOrcDfSZe_Oe8GmYutgJgZk3vVBVNVlZO_iM1 uVbkzUar2hFnWk88aodLmIlHGKLuXiQcm3jGykrRfFkakvK96TugpIr_1OBFuzQLK.7OqSLm2Dw0 PjnIpfjSy8PD3dfxhxMJRBQHnZ0lonGs8ZVa7BrJa2wGRB6QnSaMwk6jPDwA_R_v1SG9yJkBsc3f b5KfmuU_apWMBbG9el8qvCv0MXJDkSXAt8Y9PNBAG_FgSuwz.Lsf3dQcjyZcUEI7K3wrPBR8_T4b .SEsMpyrc8X2yY3F5yx4Dn7TLPb9lnPd0EM.bY2SFIyrDXzFjsCt93iSK1tBznXj70k0tQUNsl3k V7L8o.T1H8P9lMGa2Foroqasd.UiOo14uU8Q1Fw6fR08x8w6vZi8XTbXwOsvPWnxVcG16dtxdCys DgAdoBQRi2gnIOGE0ubs2W3oc1Yp8kkVxAC8TPSbgND8TVLAP6v5zUUI1FpnRpteHK0zR9TcqoJf ctQrXts1hDvyVoOysvVXYtUkqUbE9rtuUWPAxKHOW.znElThQ4rvsDzxKa0ohTA8_F8I4Z7X2i55 Eel0qHv6pIHagFXEdcnBwY6umuN1.MpHj8VB4rijwR4rFJDNztkbHHg8_7IStDv4h7RC43Wbjbv6 BbfdkBr7Ttm_YJEH_jUZaPuKp.86l44dHV5jcF7AyH_EcSU9U6Xe.5rFLV1S_a45JyTgqIXbiHpp 8T8E7nDEeQH3ktiv6cD5UJziafVQAmkvlubWJNHQP9WTX2YHVbgYuk.4Ez408OBDkws4Vm1KnhZx kfAcPCXR94o.gy.F15FdyeWLoblDW.0iaw122tG1rhwV4qP0W6GKji_3tDjiEjJJT6iy5m7Uj9_9 T2YoVb6V06MLiIxIp6dXBws.Diu9DtGAJYhdW8nS2XvV8F5gfM5MaPIGdJreH.awLPb4YS9eSjGX D1K8xeNGYZf8RpROczlQ8JzKTk8cjhN_vMIl1lySz889xcvePZDJnk2pLfm.AKcTJxDh5UGIK54N 0WlYMQA8T_wsphADsGB7z2CG7aW2SJehhqdEcJ8Lch3O02e7rg6Xu9D1ab9xW0Ii3kGumxqNUzxU PyUD035lM8kzNB34wMm30mUzHiQpJTQ5vohPvHiSl1nxljF1enOQGyr.Zt3wJaKXb4Hy7pt1NMc1 vbtaJ0D5buiOV1536uWT_lF7epCdl X-Sonic-MF: X-Sonic-ID: d6019e9a-3993-4a0c-87d8-d51d380b768a Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:46:51 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID c8320ae1bddb7a2f7fa2be3a3860d99b; Fri, 15 Dec 2023 22:46:49 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 38/42] LSM: Correct handling of ENOSYS in inode_setxattr Date: Fri, 15 Dec 2023 14:16:32 -0800 Message-ID: <20231215221636.105680-39-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The usual "bail on fail" behavior of LSM hooks doesn't work for security_inode_setxattr(). Modules are allowed to return -ENOSYS if the attribute specified isn't one they manage. Fix the code to accommodate this unusal case. This requires changes to the hooks in SELinux and Smack. Signed-off-by: Casey Schaufler --- security/security.c | 29 +++++++++++++++-------------- security/selinux/hooks.c | 7 ++----- security/smack/smack_lsm.c | 10 +++++----- 3 files changed, 22 insertions(+), 24 deletions(-) diff --git a/security/security.c b/security/security.c index 64cdf0e09832..b1a849e8589c 100644 --- a/security/security.c +++ b/security/security.c @@ -2346,24 +2346,25 @@ int security_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { - int ret; + struct security_hook_list *hp; + int rc = -ENOSYS; if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - /* - * SELinux and Smack integrate the cap call, - * so assume that all LSMs supplying this call do so. - */ - ret = call_int_hook(inode_setxattr, 1, idmap, dentry, name, value, - size, flags); - if (ret == 1) - ret = cap_inode_setxattr(dentry, name, value, size, flags); - if (ret) - return ret; - ret = ima_inode_setxattr(dentry, name, value, size); - if (ret) - return ret; + hlist_for_each_entry(hp, &security_hook_heads.inode_setxattr, list) { + rc = hp->hook.inode_setxattr(idmap, dentry, name, value, size, + flags); + if (rc != -ENOSYS) + break; + } + if (rc == -ENOSYS) + rc = cap_inode_setxattr(dentry, name, value, size, flags); + if (rc) + return rc; + rc = ima_inode_setxattr(dentry, name, value, size); + if (rc) + return rc; return evm_inode_setxattr(idmap, dentry, name, value, size); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 46dee63eec12..4ac4b536c568 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3207,13 +3207,10 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap, int rc = 0; if (strcmp(name, XATTR_NAME_SELINUX)) { - rc = cap_inode_setxattr(dentry, name, value, size, flags); - if (rc) - return rc; - /* Not an attribute we recognize, so just check the ordinary setattr permission. */ - return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); + rc = dentry_has_perm(current_cred(), dentry, FILE__SETATTR); + return rc ? rc : -ENOSYS; } if (!selinux_initialized()) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 61bd3f626e7d..02b9aa200ad4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1340,7 +1340,7 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap, strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) rc = -EINVAL; } else - rc = cap_inode_setxattr(dentry, name, value, size, flags); + rc = -ENOSYS; if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) rc = -EPERM; @@ -1354,11 +1354,11 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap, rc = -EINVAL; } - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); - smk_ad_setfield_u_fs_path_dentry(&ad, dentry); - if (rc == 0) { - rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), + MAY_WRITE, &ad); rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); } From patchwork Fri Dec 15 22:16:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495172 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F18B518EDA for ; Fri, 15 Dec 2023 22:46:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="o6nK9tPX" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680413; bh=2ItutyWCOqum5ggW8vKDaicqqW2B05naexATsg5BxIQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=o6nK9tPXZEDlhK1RQFmUfDBpU1FFmGVc5SqOuEt5ivSppKyjWRmLoj+Wnz4v/7Gqy2WrR7h9g+/6gxIV58lneIfy6sXDcZsKvq9K8tTj+Zw8J7s5U8ggUevdghiRy3LHh+rZmb73dtqCvHrAzbykQr9RyCvBu9b+ekf+gFe+tHVEiPfPYhQNCS5JXqiwNwZuM0GCaMBbEqIu6i6YB5QClOqylEtF1F2qi+nxPJ9q2SBZHv5kbfxgHOKA4KaLuIXp5Kbj8KH7RFx/ed15nPgF0eSZYy8Pss4tGAlgnZYBYHmdu4Lu51IoXGsAiHZ9RIPq9hCzVqLSK2ik4W4yXWsTEw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680413; bh=q2MmQW1mPAbzMStPB9LmS+O7dSyQ31yTK+IfVeQq9Al=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=p/H/VYwqo3eF7m2bPDBhxmWOvDqbAyh36ugNyjiOi9bTixHqoO3Geu7UuMuLUxSdcQ5T48x1vJnr7CO0UaSr9hAuk0yhsuncyzx+SlU1sk9FnHlFp2MlVsRdTToeFajhtx8bip2PV2Y0bQNgUOV9MN/hOQObmDhfAD2+mWw2wvna+XBHME5uQDMJtzFeAMd7KgKuvsNBFjlbUwkjDGO/8RT9KIuGDJJD+82XfqtGOtpL6ugJSus1whTJ9o1Otuz6ScmH4rs1FUwLqeY3olc66NmqeiPYh/te+vVP0Sy6/nxFdhhLDxGTZU2iko3LZXh3U4rksa92Ean8h1TkB3xaWg== X-YMail-OSG: LMx2RTsVM1l4HPMjS8coAPC.2n_3OKvu2Oy.C6C8n49wLINMG8Rs9hhUwe35Q3P GcnagTgAmNb48nb653IxjbkMGSmyeP97_YCHx0aa81zD6PyLI02dwmod2CictfTpisES6lcK6PWu FatSmZu2xgYha9KoyxscnecRtHJsxu68RvPNoC37BjENkn6WgsgIw.4MQ6y.fBQ6A1IRFbWzCeN8 qnrepxtQfzN5UYybJpt8pymFEYwvj3KCreOxZ350jDDPNt1efQ1oDdopo8lHizhM.NP9Bmk14MxX vG9wpA0yK93aB8cr0kHutsik2qrloISYiA0isMKnqnvSgM8CmXdTbkOUA5XONcha3u78DMNK3LHc G9fG5CocNAKjBF0EXoFJZrTn_sFotAzsCSg8wyGt6eN6aEDs9IKpt3aE0S.4XOStcN3gBWF9XdVB IuHghgW0w0LPCScSdUu3vAPK4fV9Njuf97Kz38o5uvPEoBeRMevR2BfGLWzABu1IBt4TBKCq7Ex7 yQE7vfNuac2M8sHZ8DS7gvd9mgttBCev7am5_zFy.WtD5_7x6vdB4ywX_CDiD2vPlSDlquPlCUMe T7NW1uyXxcBkM7nDE3rMMNkEZ.JtJhKN2EX3Xk2mwN2d2ACxmu1srat5vQmCQcV5.xFaxUGqEvlU PXcDTnUdDPsQ1j8uUK5RlgskIlua0F4UFihcsXylq2cCGxLQKGE1iMKACccTSv.GR_ZfpqifiLbM YnVeIgWcqGm8j0wy4ZXaD72fJ2JVnQrKgEScmJ1DEwAJX.G9i0PbuKZ9QhW9pGH_f0KE1mou7.ny lQthPfJyhgDMr3y9.5dF8qoOoSw1TWsCgIy3JWiNtc6pndhi1xrUadhAI867IvvRzN7b2a9h6ZxQ oU8WSfENeqXVWjd2sLJulP99NOIM.G4f1Zu.B8PVVMSwSeJMlj8a08Zv43TSn6jpM3FIVjw1.Y1V ZcEwmTWokF43.jUhh8_SvVMcQVIUe2dhP9pxfDCVjKD_VAC3_a_7pC2VblBfce2T_72r1EgR71vu x4KZFAg7kVyF.91grJILjj7f0ZWNkaS6R1h3LDemz.17rvCSp7RPRm.B28XKLJwQFYwRJyY3x_K5 QsRp9T0Eh31YPDUL5j4VF2rHJia_Dgk.m4uIY5jG1XXK7P_6oR5BrZL2m0opF8WFqDd7ujWQL9b1 .rgezKfgXz0y4zBwgLCEq6hsfORNmx4i0iPDlMe7obYx6gqgjTlLzwF290ow6T2TxHfa7JLPQrb6 JkdUHhsbzmfhtFvoufk_GuhFZiUxzGnWug7r8mdP9nxyb4SXwuN6uERlHOUT2jgnR9N6Q8HO5j8b gqqzFWZ4MZADII5Fh55rYaI414eTxD2IldTcN3KSoDz0LVr0n0POzF9ZLZ03kmi_SsrVUTKE.6IJ MsofwFNXzZod5mmUxf5tOox4zFERBk4YI.DhkzM6_IYULLpQkZTVXq0nvgInW8POa_LVsIc.Jfmo jHUeQEPOeLO.JIF834jsS3xlW_kZQexRcR622saTRxDhqvSUGiTvf7hRFZ0Mg6IFsWMZuGIUtrps ulyqUyCO499RHeNb0T8K50zwDTMfkGnjSpd_Ci3IBCzbwH4sT.os1NmnnuNh7wZL67fTTsaHuH3z YP8YqSw5IVpLbo.nb3MJafRbbp3Xc.SnG3aH8e9MbAM0HKXsdQQy1Eslocb678ypKQROogqi2luU 9BoQJ6sCck.BQbJSXAAX.N95F4r.9pE9ua5KjM1TjqD3tTX8dlc4OAsmsjulRal.Im0lOCo42G9W 6naZ_hF2TxWbSZuj4gA33NO9ckebZyKqiWinLRs1q53NFBzdMsZeXoXXJahuREaqZy60UwwETDdq Rx9vuvEQMO.frT3ApOvwCNQhebEM4V9wYtA607Ew_exJQHePc6xhobkhN8eMG3F6dw2SlSw3maPS YSGL02LpqF0iF1HPM1SHVcR7NXtfzIqBycgTEnVGZtPvSlADOtxa_NvH.Sr7ERTLRBeVxp3YYVIb CYkem_y7_5JlM46YIkWTU0yuQl7njV4ghx4cTvJXW_7LHIzKSiWkC3.oRcDppv96IYn82p.O.9Wa 7LvlXb6t2oGZaGMxmgYYfY4uBo3FEstsVK.giu9ar7Gq7GbwD12I16mQXEsfnwymjZp0nHD9sSQB CqRRuxCepmoNqMH839vpAr_jg2mMG3GKuVOe22x29zg2dlKoN9j7yv5kEBG6F4RDTAhsWbbvKbuR Huc4o7knfICdWxVdIHzulFHnh3IDtDgYofwhN79mdfv7Srkm99iNt7fwntO5WVmakQDL3DOUae2. _EzZh77zcb4FKPBudYxwJugCA2ayByg-- X-Sonic-MF: X-Sonic-ID: 0df4a50c-3bf3-44d5-aef7-5af268ef7bef Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:46:53 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID c8320ae1bddb7a2f7fa2be3a3860d99b; Fri, 15 Dec 2023 22:46:51 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 39/42] LSM: Remove lsmblob scaffolding Date: Fri, 15 Dec 2023 14:16:33 -0800 Message-ID: <20231215221636.105680-40-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Remove the scaffold member from the lsmblob. Remove the remaining places it is being set. Signed-off-by: Casey Schaufler --- include/linux/security.h | 6 ------ security/apparmor/audit.c | 6 +----- security/apparmor/lsm.c | 4 ---- security/apparmor/secid.c | 6 +----- security/selinux/hooks.c | 14 -------------- security/selinux/ss/services.c | 4 ---- security/smack/smack_lsm.c | 33 ++++----------------------------- 7 files changed, 6 insertions(+), 67 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 529671a89ce0..f7727bf767e5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -143,11 +143,6 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; -/* stacking scaffolding */ -struct lsmblob_scaffold { - u32 secid; -}; - /* * A "security context" is the text representation of * the information used by LSMs. @@ -168,7 +163,6 @@ struct lsmblob { struct lsmblob_smack smack; struct lsmblob_apparmor apparmor; struct lsmblob_bpf bpf; - struct lsmblob_scaffold scaffold; }; extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 72c414d00ba6..d51ab2f1284f 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -279,11 +279,7 @@ int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) return 0; - /* stacking scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d47816e91bd3..c31d5c008b14 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -984,8 +984,6 @@ static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) struct aa_label *label = __begin_current_label_crit_section(); blob->apparmor.label = label; - /* stacking scaffolding */ - blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } @@ -995,8 +993,6 @@ static void apparmor_task_getlsmblob_obj(struct task_struct *p, struct aa_label *label = aa_get_task_label(p); blob->apparmor.label = label; - /* stacking scaffolding */ - blob->scaffold.secid = label->secid; aa_put_label(label); } diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 1df08372bf1b..e5cfaedf1a9f 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -102,11 +102,7 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) AA_BUG(!seclen); - /* stacking scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -EINVAL; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4ac4b536c568..113ee3df9b5a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3520,8 +3520,6 @@ static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) struct inode_security_struct *isec = inode_security_novalidate(inode); blob->selinux.secid = isec->sid; - /* stacking scaffolding */ - blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) @@ -4014,8 +4012,6 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) { blob->selinux.secid = cred_sid(c); - /* stacking scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } /* @@ -4156,16 +4152,12 @@ static int selinux_task_getsid(struct task_struct *p) static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { blob->selinux.secid = current_sid(); - /* stacking scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static void selinux_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { blob->selinux.secid = task_sid_obj(p); - /* stacking scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -6305,8 +6297,6 @@ static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, { struct ipc_security_struct *isec = selinux_ipc(ipcp); blob->selinux.secid = isec->sid; - /* stacking scaffolding */ - blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -6609,10 +6599,6 @@ static int selinux_lsmblob_to_secctx(struct lsmblob *blob, u32 seclen; u32 ret; - /* stacking scaffolding */ - if (!secid) - secid = blob->scaffold.secid; - if (cp) { cp->id = LSM_ID_SELINUX; ret = security_sid_to_context(secid, &cp->context, &cp->len); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index eef6655f7730..48211352345e 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3656,10 +3656,6 @@ int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, goto out; } - /* stacking scaffolding */ - if (!blob->selinux.secid && blob->scaffold.secid) - blob->selinux.secid = blob->scaffold.secid; - ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 02b9aa200ad4..a486ac42caac 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1644,11 +1644,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, */ static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - struct smack_known *skp = smk_of_inode(inode); - - blob->smack.skp = skp; - /* stacking scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_inode(inode); } /* @@ -2156,8 +2152,6 @@ static void smack_cred_getlsmblob(const struct cred *cred, { rcu_read_lock(); blob->smack.skp = smk_of_task(smack_cred(cred)); - /* stacking scaffolding */ - blob->scaffold.secid = blob->smack.skp->smk_secid; rcu_read_unlock(); } @@ -2259,11 +2253,7 @@ static int smack_task_getsid(struct task_struct *p) */ static void smack_current_getlsmblob_subj(struct lsmblob *blob) { - struct smack_known *skp = smk_of_current(); - - blob->smack.skp = skp; - /* stacking scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_current(); } /** @@ -2276,11 +2266,7 @@ static void smack_current_getlsmblob_subj(struct lsmblob *blob) static void smack_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - struct smack_known *skp = smk_of_task_struct_obj(p); - - blob->smack.skp = skp; - /* stacking scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_task_struct_obj(p); } /** @@ -3451,11 +3437,8 @@ static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, struct lsmblob *blob) { struct smack_known **iskpp = smack_ipc(ipp); - struct smack_known *iskp = *iskpp; - blob->smack.skp = iskp; - /* stacking scaffolding */ - blob->scaffold.secid = iskp->smk_secid; + blob->smack.skp = *iskpp; } /** @@ -4796,10 +4779,6 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - /* stacking scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - /* * No need to do string comparisons. If a match occurs, * both pointers will point to the same smack_known @@ -4862,10 +4841,6 @@ static int smack_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) struct smack_known *skp = blob->smack.skp; int len; - /* stacking scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - len = strlen(skp->smk_known); if (cp) { From patchwork Fri Dec 15 22:16:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495174 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 52C6E18EDC for ; Fri, 15 Dec 2023 22:48:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="o42C0lgv" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680511; bh=K7csj15FYLLSxxZ7kmvWUnCpbvfgQe4Te4FnBFnK+kc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=o42C0lgvhJJccYUQJIt3HAj2Mp25A9V4iriVooDx9znzphhTVPMPe2Ci/FLEbxk9I6qQwU6Uy2BvujwGC1iqoucayfhJt9mQ2MLoYEAxDQLAJfNa7G/5BbvwyHyQZLpmzGcoQ8r+pA+BvYl3XcFM38+bDod4sDxBpvC3HaFpdyjcyh7wPmsmjN8xRKledvsKL7yhgsuny8Gw5P6wNtkkqrAHpG7CVU34JK0Ga4ayyI2+0EwHlriJbP3jNO183lGG+9us+cPKQmr/3bJ4dnGzWP7nR722+XfTCQKs93/MwLzuG/HWLrNgxxBO/RzgYXURLY7tYEG756RHchSlhldX4w== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680511; bh=DtL8HKeo5K0jeMbDCKFA+5LU5qxUJKbqKjaC0bD6jGG=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=RSBKnnBYBZLwiWPvCKmzj2dPWHIAe/Wq9FTAy4TVyBjTs/Xdg2u1tjKGMOIaNx6HmNoNnCBS5Kth9ojYusDUUXPu0Anq+7B4kwxR/7HwqHn2uCEqTZe+CQUHNGVk45oqgmOGCr2Vuotj1fr+QoD0YD4unXmORvD8bcJog4u6oV9mfjSBS8lGEqTvYWDK4YOphh4djbzAznYLZHlNwhxKlBehOR2yksw2o+7OmFw+r4F1Ectd9XqpHz3r5pKhlAsH56LwMCDOV8uo6sf+StLVUk4W0KezzrHK8owzICc0cQvhzsj2wyKXKcgS8ScuN+oiIuTkpZU7UTRh4bnf+RMJEw== X-YMail-OSG: oBmP0J0VM1mym6yc5Gp3a9_15t6J9XSDppTDpHUsmj6MnaiAdbXU9C26zxhS6vx u6oUtGKCsByZN.b51ldHCc7Rwx0HCOM.Ebhw9MDi6NlcqEkgTtbOmAlyWCNTdi1NSf5vJrlX1QlX k6Y6iDs0O7G6Mb0juy5tZwEj2YsfEa0UqaQ_yvyHEUKvCrRY4Xu_xpaQVWo5VdfsGfTqgdV0HVg4 OMjXUxGiwKYQwe3V38ZoWrPVSwtFkTstALsmNohS35EJW3gdicHUwg83jHoLgYCPHDCLamzJROjq J_p.WpuB10_XomKafKlat0mc.JVyd2cWoKDhR0J8tfH7_mK9IwPcWGYo6N.6ygqYC19oNy3tfmWK RzINYpgeZ2S6aBskXwOdcx5ADtibgoD.pG8LjAhTmPC_.A85P2nK3NM.e8dSdeyJUMA5.c.tye7D dKA3VaFfysThkL3Hl9TImEt01WDQbgeGQtl3dE8rfLmHd74Q58U6Zqh6AZW9E8j5lLHERvJQQ96z wnvU_tR1lAWeywKshGfj014HyzObVDRNrr6LanZWhXNcMFUKgnc1cciqLV1VJY4BMwUbEFRYssnx fqiSPnfbBvMTaizuxDBTr8eKwcng0bSBdLrEDaDPAcQZE9eIlAfQ.JgfnPoBeUUPiCd1cEs4aivP xWnsw._XkmXKa3o26D5zKv_jcV3FgpAwKZykbtuOwsUlGY3Ogkr2L6VtP_afA554ebfTqIhXy..1 v2xSi2LTNynbB6WdCeEz0cWJmbiSrhGWsUnqggDw3yQxcxyjOIXaat2garwGbhlQ_LPVKxoDApQU s_nSU4pZI.ROxnvDcsvzMnCgbmGWV9FZjbEpGEsvspsl9MJv80luwmBCeV3kO6F1ewxubRumcEXC 2T4Yq3VuJmcv4YxFPhYZiM6ZwFytDh4HzPa0j8wzFq5eSKg.njYnyauTWUyEOP8ypW2Z3pZ7Cx.K M1VfV0xrMlYj.Q7_cif5DASZ1lPOYsEkwgJLg_s.5KBmmWilCzBYqLhwWWvBCoSlQm9h626b9gff mP4N2a_x82pzl1HPm7PF7CmgzVgz8JLPicgOqmgQ9PtPAPpTz6Zl15hFk.jzIdVVLgrk2CbjAH3G YPY5QJc86kZ5dpKl9a.w2vOzrX5uPJciF5Ovthq7q43QHsOEuEqF5dWxFmGW4n2CGPE6FkHq9MCY nV9V32IybxfuOOeoLFIaCApKUtvHsSz4eMPR3IBGxBxhc2Y_HPYS7Sw798XqZKWNnqvXlw0nxJCr 88MB_nkgMIvdLIIH5F7C20QC0ia.F42wBYr24v.RnaOdTJaJKcJ0fq05q3.tfsSdjPmm.G3ptE7D dixjZ4PEDpKo9QVMvJ3.9Mi4C0UAme3VSA2D4r1VOs4Tm8oeqTVk4KVBgRtZhLHqL3JXXtrvNFCL QM7W_Ti.ycoR6B9X70g2085zGMSzS_dclDdEn6caAjAmiZocO7qPR8BgAKrytFHgiErlxLoYw7iT QJuga7KaYbfmr2w8xzo_zgCWM.slTPeEfER8sOdVzbU4ckqKbNKfcpZ_8G9lBGAkJpntc47XecsH O9lJAFEh9c.vCwAIqSA0Usrbk0FiNazWXjxpwzmU9IOwCyFzC_1aMDADcDY0O7VQDmAgaLAhCs7O ahWkHKi.VvUZVokBfLxKZ5Ud_nRlfCPkTjnnpi9jtV.vE0XwPM0iK_R35k8jAZd0eA0Spyciw..m XmwIZizaBaQB9qza2rDMe8lqAMtXe9BCqby4qIVY7mBg9nodZb_WKnECVMqa8I0EbNp2mJlybsn0 SQGM.yrk9Rk_hOgiTtw2vXOiH0zuPJ4yDJsSbsyxtDxhS_Zmw5PPb1Khc8nek7mlgMXp6gyR39Ku 5ojg1Y6LJPoPMEfAw_toJMMKy8LVfqa0w1Il3dK4jP5G4JcTWzgUFjNyAV4BqhId12nPhftXkgMR 0B3lzYpo_EhIQvvyhC_6rvGkJlQDaJqix4vWW7N5oKezo.1cDRBycUcVWPg9egJL2vW1VKgg83vv ClMY4DW1iK9LZLq0rHMcYuUvqZDAnV8NScr3bPhM9q0DdmGfwBLTB_GdL5XdDrIxZCz6bKIufIqe cve5uNG6.WUaabWPzyjb6MzVEeZIe7lOUdkDzAW_xXM.9c3432fmE3DK8Z0c93ycYSDocJvqzJ0m epPWLSfMetOyfBF.E8DzO_eZfOqIFvNt93.2AAXvUYThPzANtcUEszB8cEJQ3gq44T4wtA3eW.Su zGDUvlopJXqDTvjA00gg9NX02s27mZb1s1iqizdPaLiKi0N3LW0cy5St.7FdRSiBOINaEG1hGco1 GbdU9jaqUw4EFCAdT03UTE8tv5EaD X-Sonic-MF: X-Sonic-ID: 39fbb8ec-7d31-4bc7-827d-e816f8f08030 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:48:31 +0000 Received: by hermes--production-gq1-6949d6d8f9-qkzts (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 98319ae8e5188ac722d06529a3337566; Fri, 15 Dec 2023 22:48:25 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 40/42] LSM: Allow reservation of netlabel Date: Fri, 15 Dec 2023 14:16:34 -0800 Message-ID: <20231215221636.105680-41-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Allow LSMs to request exclusive access to the netlabel facility. Provide mechanism for LSMs to determine if they have access to netlabel. Update the current users of netlabel, SELinux and Smack, to use and respect the exclusive use of netlabel. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 6 +++++ security/selinux/hooks.c | 7 +++--- security/selinux/include/netlabel.h | 5 +++++ security/selinux/netlabel.c | 4 ++-- security/smack/smack.h | 5 +++++ security/smack/smack_lsm.c | 35 +++++++++++++++++++++-------- security/smack/smackfs.c | 20 ++++++++++++++++- 8 files changed, 68 insertions(+), 15 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index fdeffa0c8d13..da60bf163447 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -84,6 +84,7 @@ struct lsm_blob_sizes { int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ int lbs_mnt_opts; bool lbs_secmark; /* expressed desire for secmark use */ + bool lbs_netlabel; /* expressed desire for netlabel use */ }; /** diff --git a/security/security.c b/security/security.c index b1a849e8589c..f1bff6b5b076 100644 --- a/security/security.c +++ b/security/security.c @@ -242,6 +242,12 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) else needed->lbs_secmark = false; } + if (needed->lbs_netlabel) { + if (!blob_sizes.lbs_netlabel) + blob_sizes.lbs_netlabel = true; + else + needed->lbs_netlabel = false; + } } /* Prepare LSM for initialization. */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 113ee3df9b5a..6da2e95ad5b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -182,7 +182,7 @@ static int selinux_secmark_enabled(void) static int selinux_peerlbl_enabled(void) { return (selinux_policycap_alwaysnetwork() || - netlbl_enabled() || selinux_xfrm_enabled()); + selinux_netlbl_enabled() || selinux_xfrm_enabled()); } static int selinux_netcache_avc_callback(u32 event) @@ -5673,7 +5673,7 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) return NF_DROP; - if (netlbl_enabled()) + if (selinux_netlbl_enabled()) /* we do this in the FORWARD path and not the POST_ROUTING * path because we want to make sure we apply the necessary * labeling before IPsec is applied so we can leverage AH @@ -5690,7 +5690,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, struct sock *sk; u32 sid; - if (!netlbl_enabled()) + if (!selinux_netlbl_enabled()) return NF_ACCEPT; /* we do this in the LOCAL_OUT path and not the POST_ROUTING path @@ -6965,6 +6965,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, .lbs_mnt_opts = sizeof(struct selinux_mnt_opts), .lbs_secmark = true, + .lbs_netlabel = true, }; #ifdef CONFIG_PERF_EVENTS diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 4d0456d3d459..189803009d04 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h @@ -147,4 +147,9 @@ static inline int selinux_netlbl_socket_connect_locked(struct sock *sk, } #endif /* CONFIG_NETLABEL */ +static inline bool selinux_netlbl_enabled(void) +{ + return selinux_blob_sizes.lbs_netlabel && netlbl_enabled(); +} + #endif diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index e8832726bd86..1242296b5fe1 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -198,7 +198,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, int rc; struct netlbl_lsm_secattr secattr; - if (!netlbl_enabled()) { + if (!selinux_netlbl_enabled()) { *type = NETLBL_NLTYPE_NONE; *sid = SECSID_NULL; return 0; @@ -440,7 +440,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, u32 perm; struct netlbl_lsm_secattr secattr; - if (!netlbl_enabled()) + if (!selinux_netlbl_enabled()) return 0; netlbl_secattr_init(&secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index 85ec8141fe70..2191f8304e4f 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -367,6 +367,11 @@ static inline struct smack_known **smack_key(const struct key *key) } #endif /* CONFIG_KEYS */ +static inline bool smack_netlabel(void) +{ + return smack_blob_sizes.lbs_netlabel; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a486ac42caac..9f5a37a5b47e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2584,6 +2584,9 @@ static int smack_netlbl_add(struct sock *sk) struct smack_known *skp = ssp->smk_out; int rc; + if (!smack_netlabel()) + return 0; + local_bh_disable(); bh_lock_sock_nested(sk); @@ -2614,6 +2617,9 @@ static void smack_netlbl_delete(struct sock *sk) { struct socket_smack *ssp = smack_sock(sk); + if (!smack_netlabel()) + return; + /* * Take the label off the socket if one is set. */ @@ -2664,7 +2670,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) /* * Clear the socket netlabel if it's set. */ - if (!rc) + if (!rc && smack_netlabel()) smack_netlbl_delete(sk); } rcu_read_unlock(); @@ -3970,6 +3976,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, int acat; int kcat; + if (!smack_netlabel()) + return smack_net_ambient; /* * Netlabel found it in the cache. */ @@ -4126,6 +4134,9 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, struct socket_smack *ssp = NULL; struct smack_known *skp = NULL; + if (!smack_netlabel()) + return NULL; + netlbl_secattr_init(&secattr); if (sk) @@ -4196,7 +4207,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, MAY_WRITE, rc); - if (rc != 0) + if (rc != 0 && smack_netlabel()) netlbl_skbuff_err(skb, family, rc, 0); break; #if IS_ENABLED(CONFIG_IPV6) @@ -4407,7 +4418,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, if (skp == NULL) { skp = smack_from_netlbl(sk, family, skb); if (skp == NULL) - skp = &smack_known_huh; + skp = smack_net_ambient; } #ifdef CONFIG_AUDIT @@ -4428,8 +4439,11 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, /* * Save the peer's label in the request_sock so we can later setup * smk_packet in the child socket so that SO_PEERCRED can report it. + * + * Only do this if Smack is using netlabel. */ - req->peer_secid = skp->smk_secid; + if (smack_netlabel()) + req->peer_secid = skp->smk_secid; /* * We need to decide if we want to label the incoming connection here @@ -4442,10 +4456,12 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, hskp = smack_ipv4host_label(&addr); rcu_read_unlock(); - if (hskp == NULL) - rc = netlbl_req_setattr(req, &skp->smk_netlabel); - else - netlbl_req_delattr(req); + if (smack_netlabel()) { + if (hskp == NULL) + rc = netlbl_req_setattr(req, &skp->smk_netlabel); + else + netlbl_req_delattr(req); + } return rc; } @@ -4463,7 +4479,7 @@ static void smack_inet_csk_clone(struct sock *sk, struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; - if (req->peer_secid != 0) { + if (smack_netlabel() && req->peer_secid != 0) { skp = smack_from_secid(req->peer_secid); ssp->smk_packet = skp; } else @@ -5062,6 +5078,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, .lbs_mnt_opts = sizeof(struct smack_mnt_opts), .lbs_secmark = true, + .lbs_netlabel = true, }; static const struct lsm_id smack_lsmid = { diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 878fe44b662d..f8c0ea18b2fe 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -77,7 +77,7 @@ static DEFINE_MUTEX(smk_net6addr_lock); * If it isn't somehow marked, use this. * It can be reset via smackfs/ambient */ -struct smack_known *smack_net_ambient; +struct smack_known *smack_net_ambient = &smack_known_floor; /* * This is the level in a CIPSO header that indicates a @@ -685,6 +685,9 @@ static void smk_cipso_doi(void) struct cipso_v4_doi *doip; struct netlbl_audit nai; + if (!smack_netlabel()) + return; + smk_netlabel_audit_set(&nai); rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai); @@ -725,6 +728,9 @@ static void smk_unlbl_ambient(char *oldambient) int rc; struct netlbl_audit nai; + if (!smack_netlabel()) + return; + smk_netlabel_audit_set(&nai); if (oldambient != NULL) { @@ -848,6 +854,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos != 0) return -EINVAL; if (format == SMK_FIXED24_FMT && @@ -1178,6 +1186,8 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos != 0) return -EINVAL; if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) @@ -1437,6 +1447,8 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos != 0) return -EINVAL; if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) @@ -1608,6 +1620,8 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (count >= sizeof(temp) || count == 0) return -EINVAL; @@ -1675,6 +1689,8 @@ static ssize_t smk_write_direct(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (count >= sizeof(temp) || count == 0) return -EINVAL; @@ -1753,6 +1769,8 @@ static ssize_t smk_write_mapped(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (count >= sizeof(temp) || count == 0) return -EINVAL; From patchwork Fri Dec 15 22:16:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495173 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1732218EBF for ; Fri, 15 Dec 2023 22:48:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="SoLgQbXf" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680508; bh=gRUGzkRraMOtA1ZY2czwdZ1ExZidr2K7SF6xcBYCs0k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=SoLgQbXfqsl6Z2ppYzwDp3aZFtcDuN8Ap/5Sb1//P8N77OSclDsUQWqP10Vm3PR9SeDuv/9rIGT1QvxBKQ8gQClfO5tSNr2OTxp3BhQpFO24a91x5aEhahdaL0D3QN72a2pUbiFm9YJ2zTwBtWoMWARzqiP/bhOb2cIxMAaAas/OXH5+nL1Pfj8T2ooPdVgEJEOmggjYwYfaxnlKx+hDvntT6KeJ127hL8OEmyP4hYXMhyrwK8TYne4/KfgAKpw5YDrrY/tkb478YK30kDHL0Z4a/0SBWNNaH5K1/A29R25uoyFHiII5zUicW5ngsYjQZkNRMyQlWMCj+UifYZq61Q== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680508; bh=TG4+ZQ3eMtuA1/dVf2s7hxpLGJv/hfIBvoPy8vStqlO=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=AiS5ytJpZkKbJIzmyPftaTWIyTtA4NkNcmuoezVuMs7QFC7tzT1P5zKTsILuIWezeFakwo5ZVmMIiRCeO/NucsN4rixXXf1xBqdA82+fooKzdGq8cNXQBJoc/cqpTiRSl5qsXOX+JLIVO6OoLKj2eZk3GL+m8buGQmMJNmlrE+wpIzQ7dhZCed5u+ovvketq1RwnsyU+1lOh8G7Iw/EJkrhU28Mf5ntl8gDelpLxiGtj7Oz9jmHwYZ/lhM+pDj0aDozWIr8cCGVxR51b81CK2rUTUUR4PqGetu7LmUK++otCEZPJtfBXvTllxja2hzV+Gz/fmc26nTfPrm1tIxBbMQ== X-YMail-OSG: Q6tcmVMVM1kHYAZa6zAk9MP6WPMoYIpea1s1q_SdnSkihAwjvLxe1ml3z7.Ote8 LN7Rm2bGsrYjOTR3XTUfmQ5KlXhw3ndhKMIDEU6jq4PrZpbMJp3EKnddjf4EqyV4tfUhTvAEyuhb iSTKUlodXEKQB_.lead3bPAMpJgMJjL7zQh4EzFO3G.i2ZhYuXWShK5a6OmqQVHNz2JpO7b_vxoH ZA9q6o_yAtdQgkzcNx5SzUeCKBbLtT0jDmrSzZLl_JSau_E4L783gQ3eOveBYnVOrY.PVwWDQcbc BvIXhLNggN_MzIEjP2XtrIRqD.5Ob0HNigbTiGRFcHdBO_DiugA936NPg_rTNl1uZotyT_42uCzo 91Ttz2KMb7sctJdbAB32cn3KLbXO7D4nkC4ziD33rq_0C3exgDCwFZbZEdkBRfcimujKuSTlje0H uUj7XgJrb1EoaTs887Kx3MxE_c1h3p1svS_.sSYWd98ii7p.eyJRDJIE37ggJVPWEoVl_uRccEi8 LrNtz9lBSIj.st0PbvVK.gGtFSdz2PWYVshUXuwnx.PL7wfJgKWz1h.L55XZrJs5bmUTXd8TS94L xeAefLZMUEYUwq1rDIDa5z9YrhKEWn8PtRp.fwATzl7WpvK2d6u.1JdysV25mJrJkFXAH2cjnna6 UN42QDLRnK2cbyuTFNcZds532kAEhRzxqp7y8KPQrzVP6hglhOCHOf0V2ab99.gmsODf_aFnjxJ2 1JBL_MGWPjTNASsTSrrVVKVxrXd4X4GOCEmToB49PaXxTw5ePAGHD0cxUt2aTRDOK4BF4soL5wjA mXTo3oZu061MI.4Yhjcm8F3aSZfPnjV_tqIpYwuAcYN_WAxAABW3Yj_d.YO4ZZkxvhK6Pp_v3612 2lLxo_1Gr_112LmqkIt5nGjfq1XavKwafA.xoF2UMP0vDo_4R8agZ59nOqQxbV4VBDFuhtAAHx2u __VzA_uhuzjlSZDraWYteRUABQ0yZPta9ZZGC_QhEGxVPaxGzbbGem.hZTVcq7lZ2DXQtHVznIw8 12DWT40cV6KLw3D2dEqQ3Yi4xSYq4aAYxziPDAHBe_5ffDWIv5_dROJDqMGHpqWGJlkFVw_Ssfs3 ZQuM23k70wGHezjq21MV_X8ROko33cwtlimxB7cIrvMC.Zm8K3OuiTa0LrPXL.fLOHvpcHltde2c oKl_c1O8X6P_s6TPCXpFrxaDl.MrIlqyFiELedHrFV6LbrrhOwmO16SOacuM1bgM_ShPBcK1bbbh n8WwWGjYlCwYfhSC8BjBXRz404iJOFpN8hp1bY1Nem70ooG89Xvr6xz7GrS.uHY48FUR6OzX5lP5 EEKgJl80JRw_95Wc1zCfDp6luPLSRteX0hy.zYyeODyzHV6geJaYa1scbRHo3eo6B8FOBK9QPzUq _4zDV2F1oVMRvGdKWYLEYqmp2iq.L8xgh9T1_oJW.0V0fOq1DAeDIFY7Cfz3_FzW7vRwXnQDoYiq ZXLbj4_uN3ibmDZmcDngQ1hJmqSJ2fzC4EXUiuBPP1mTWcukKKN4ELqQBeNxV4ekcrbFBjA.7lIi Uy480nNKhBPWE0dMCVFoxielzfIkEPpw0LKL4LhCSPTfL4a3Kc71POymfJ3LqcMYe5G3vSK0OlDG UcRA8pKx16WM0ixwU6Oj9jkZEau0KYWcu8mQJsIZyId63f32s4bVtAoHRrjCM5DHLFkYGfszvUkU tEhdCxnTpBa8.oH5dzd2QBKNpyRlU.ZlrlKwWoFXXPhsSVuxBOfQFre51JhQOC49qXtOH6R0D1d4 bxqkdxf1WRlyICf.XQ2.Ls66GHHlScfavr0x7MeD9HfrZf45.QfGN2mUJO0V1coXxRHavJJfG6_. f6mJFXVFdHofGu1Tjx.3EnMyCtW1poLDpEeyJ3HcVHI93IUJl64JhyTrgj5JYWmb0w8pElJPliYr lQFeZU0l_c7InV7pOPGTEl29c5JMc0H.DaG6bmAs7bF9jYLKItirwcAMt_mIf8aPSAKlpZmuMyS4 7KMcScAmpPRYYrUz8NdYxPH5QlxdhsSblvuO3_y1j97XoKoa6HHpv9YNimu_KX2KejUrYiBS84RT YwoBpac93iUPAHJuIJYHxPLxWmktzvDvTlYso7F1bOoh5NyoNl1c.ROsMmLdyju29rQMdsKftTl5 yOIqXD..m4YtSHLvS7F6iUpL0WRSn2WF.1niPrGj2Rhtfe3haV5J3TRBeFON8BYB90m._Ruw7WCm UvkWglIrhmhPexWxIb22BpNrrKqVhlUyV7KtFg77tcJWtHU2Nfae5zj8NK5Gk6XJ5kka1B6lLwVy GQuI0MFegwi0D_bEa30wY.RcVMIY- X-Sonic-MF: X-Sonic-ID: 4611144a-9a8d-43bf-b7cf-99a84dc30b45 Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:48:28 +0000 Received: by hermes--production-gq1-6949d6d8f9-qkzts (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 98319ae8e5188ac722d06529a3337566; Fri, 15 Dec 2023 22:48:26 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM Date: Fri, 15 Dec 2023 14:16:35 -0800 Message-ID: <20231215221636.105680-42-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The LSM hook security_cred_getsecid() provides a single secid that is only used by the binder driver. Provide the first value available, and abandon any other hooks. Signed-off-by: Casey Schaufler --- security/security.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/security/security.c b/security/security.c index f1bff6b5b076..504dfc6d05fa 100644 --- a/security/security.c +++ b/security/security.c @@ -3157,13 +3157,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old) * @c: credentials * @secid: secid value * - * Retrieve the security identifier of the cred structure @c. In case of - * failure, @secid will be set to zero. + * Retrieve the first available security identifier of the + * cred structure @c. In case of failure, @secid will be set to zero. + * Currently only used by binder. */ void security_cred_getsecid(const struct cred *c, u32 *secid) { + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) { + hp->hook.cred_getsecid(c, secid); + return; + } + *secid = 0; - call_void_hook(cred_getsecid, c, secid); } EXPORT_SYMBOL(security_cred_getsecid); From patchwork Fri Dec 15 22:16:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495175 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1DFE318EAC for ; Fri, 15 Dec 2023 22:50:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="WtED4umQ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680603; bh=rBrX20RKGA/fq/6ZpKrjQGgBq3YXTniSXMxOJWRHlHg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=WtED4umQ89i9DP+27JOtPJGe9d3NXsKNgLFfejji1w7wZu4mfkW9h+tvy/py22+meL6gIkQ0SHRhPBq/3S6aEl0QxSDLQQq2gPmClnCWI0qnUNpsndo0u4sVtD6OLu099nzTjBdGlWM9Q7G8H7AI68trm0kasNN0K3KUb48GK+FLyqJdJA1Bj/P4Djh9De4c9pU+PowMERuYXR+dOwGXKctAHsHWKLyTsDT7ajLgdZU5cASK2jcEO9k3TcTSsDvvcTIssjqK476xPhld5X37GiUQ0033yjWkLtyPToLt7TezKC1fk239wmUeHhQL7mBT080HRUokKw/O/VkNEoYgIw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680603; bh=cCXPVLJVjTpxa8aQ8l1NNDtJgIgas1pHPmm6wKmj16L=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=BxocgvuEZnoLKRLBuHCyqVkixWK5K4RA1y4IawGw0dRulFGlndVqEJhTCfMIlpcWIxhn6IPbqb8iCXoSTHD3rGm61+klPEuPSkLtFS1DwNUSKIBvVF7FUEXWbsXprESZgf+QKqlaRwIU9ZvgyfISn6VvACd+fWPGzi8UuJgsGKeGf/xEZf2HhF32Nesk/WAHvm1KBzwgVK1kX/IrjCLa9Hae8UMCrvOM3B2hnIU+cHPPFpjr9yuAyxXJD2/JeSUfERUFwqgkksPZr9xhwFkAxfEyh7y3zPO2Ijfnn4Tz9+Aqr2S9C6V5CbI4BJCULz3qCxELbMViE8GNESNvClWvXg== X-YMail-OSG: kmcwAAYVM1nyQRivV3hBA0khhAbEdFHCub.rsza7.P7rdz2eFCPoeeJ4sx8HNB_ ku3LC9CjjwgqvSFLFScjonwVruLtk4qOcs8YpZx2z2Wf25ffB93qtqjls0lE_._dtovZPgHEJ2cN A5xJI9FxePac8BaphtEcNRoRyqs9y1Vzuc220jbqtYo4z4q.15Q78p6qfNUPUkepwEKjnHg3VlrA rasZDFgO7yHhVwCcwQl7x2MtDFLIBxzCZcPhWksxwzRH5I3qUXMsFkVzpNYloUg9o2TbiUxN17Ab y1F2N.TjpalA6cOK9qVIfV.ETVR..fBnQQLmKadcUOS0OUp7dKaTGtSfYTzL66Bqu2loQHySAfqN lBmBQeaYFB0rK.lX1rjXa0WL2osGdsEH4pioNWY043ZKBwL7DQj1sl8r0K8GalAde1_LYvN.uo6M LBhZVVCKCs3wrn1vuSqXr9B40Rf1r6XOoa_v_ICZbrqcyxIpc0DWLDkABws3Ru2fTLX1gtwGOZ4e Jd8reFczWzTIHxVuDOXoew3i83YzUAqzVGL0tEA9ZhDPM5w4yTeELdzfta0AeBuC6eIcgY2R0LKA NH8FLlc9MIashQmPwCPzmKqDl1ekuV7hmT7bnlovkIlDE0Nf_5rPw3oaFQcRDZp36MR6rpH.Hbzn _MQveONfTIytn8k3k6qadPJUrg3.cbJD1b_kPS.fpgk29kxV4gGUgVLhDSg.Zyswb3tnICgzMkdB eyd2OZX5US6LgWnnROjZhzCE6EkM.kpW7S2CjD6K6zkbgaYOGQM78ynzlhGIVAj0FhIcgosEgsIA D_0oGrzvsdHLxec15pFxbSXqHzKPe04VdJ9Bdb_uFMnWmwDF9hHZ4Dgp0OIDLogB3Ud0jys1ziSH IuJErvGSg7u1bY_Z_lz7sKRsqlKtab.gJcZiCyI1SRF.rJx1gtTBeKGmTv.862ZBNk2d7bago_4r z9pc4lpkFwvLmJK7oGHUbZ0.SeuVhXyk5HjoNiCp6GOnCModc91R1cI4VJmU1WmpjgJMw8o_.yws 1BZUwGn1xmMeJt3Ft3Bj3JuAKM2ucrQmtcuXA98STc0_XeQBX6Mnoq04NwClxDVCu_jYV8AXjlvI BG5U4zkuYRR0dTPxQtdvXCgkf49leWgsurk_r36WcdM2M_AalvKg9IvApnKgA2O09KL.AYtjIMLb fQR.wTbkPY2LJyP2qgNhyrMw3A75VI7aOIC.EcbnlvAZdoY_Z9WIaLby0K604uQr22Dpd5nk_0Gb eJ7TQEG0VMKpa1NqXIQlbse_mDMeWwrRsh5GNAWDHK8RwTAJnMLOJTIUVqQx2E_Z1udTScFGiogP 24xYuWNv8mS4BcIT33BScQJ2AbgQwoeQX05vGXr2L5sF1DW5fKnGZrdsp0A.rP9PVrOvxqshzwWs Im.mxm2C.uZT1aCiQd_PTHvSfQuIOiIED9nDwP_MMvh6bBXVGPSHbh1ZYAFIYhWFgH.nV.HbGV33 jnyRbB6nzaMi1iBcBaw6MuTkybOrkSHQ.Dddcc08aEs2FXg_k4B5uwhKvjLU43KcaY0ZLAG0l8gj UAKIca5LJxfJRBMQEULYQYZtY5uHVoT7KBYcwIQVEKBp2oay_CYHnJCryQPa5qOMCdo2YKywwue0 sMGfeNMgT8oKKRSEDKge2_t4KvTgk5LsL73.XAlULL7QmakMaFqnHiaIzb3GjGo61MS7tWkXyeOs uJp.jGROc2JS3wLW6cKiEsCz4.ALOEeVqhhgTq144iNAAb1BaOtP4hc3KcdfE.f8pZ0XO6tAaJrb 7n0pDb0y9LlAHZYePNodyQUMAOK4aeQiOs51lPzJGbB3e14qHMrmoR4683bipgDPU85B2cilzfgp KSjMn9r9cLJC.MI10dVS9VDz.Vpq28FHTq_7ofAOpZo4Jq5f4ekIr50Jz8O52UTGgu_yMAAfqrs9 brj3w1rdO1VOXU8f5FU91M.y4caQlQCHnCoQmPLQObA8HZHlAElv9aiVwHdSrm53adPgdrZa.ypk xZJwXdiuE6gtHqUpB.RWRtmwg9GL3jF35EJlZwdseOAHFGNBlLITtjErih.nT4iWV9k3vBGO27gh eR0FTskk9VEMs__zRR1Wq7g62CcQ5xOSeaPFh1LntoscJf_THYk8QZt4hfJTO9dsaQCukTSoULJ_ WjLgn9507MdbhZKMmGBd_lLqgwAar9irq6VVCMR2mfN8z6hT7ej6c.YYKIyFz_dx.yxWe3SpINVV Tx9YdrLMwBcWPWVscNT5HCvWEZceWPRzc2YRc1LPl3xYhDFaPPgIAU4kfbVZk7yy3FYAYr18MXpk dIN7rgjLJJheLtXegbHmrh5YWISbh X-Sonic-MF: X-Sonic-ID: 2be22b4b-e59a-4cd7-b2d9-37a846ad2914 Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:50:03 +0000 Received: by hermes--production-gq1-6949d6d8f9-pmzmd (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID bab51986ed5b5f266b6ddd6db4744dbe; Fri, 15 Dec 2023 22:50:00 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 42/42] Smack: Remove LSM_FLAG_EXCLUSIVE Date: Fri, 15 Dec 2023 14:16:36 -0800 Message-ID: <20231215221636.105680-43-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Smack no longer has any behaviors that require LSM_FLAG_EXCLUSIVE. Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9f5a37a5b47e..7bf2a3fabf33 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -5325,7 +5325,7 @@ static __init int smack_init(void) */ DEFINE_LSM(smack) = { .name = "smack", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .blobs = &smack_blob_sizes, .init = smack_init, };