From patchwork Fri Aug 30 00:34:03 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784058
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, audit@vger.kernel.org
Subject: [PATCH v2 05/13] LSM: Use lsmblob in security_ipc_getsecid
Date: Thu, 29 Aug 2024 17:34:03 -0700
Message-ID: <20240830003411.16818-6-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: audit@vger.kernel.org

There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in an lsmblob structure instead of the u32 secid. Change the name to security_ipc_getlsmblob() to reflect the change. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here.
Signed-off-by: Casey Schaufler Cc: audit@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: selinux@vger.kernel.org --- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 18 +++++++++++++++--- kernel/auditsc.c | 3 +-- security/security.c | 14 +++++++------- security/selinux/hooks.c | 9 ++++++--- security/smack/smack_lsm.c | 17 ++++++++++------- 6 files changed, 41 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 3e5f6baa7b9f..c3ffc3f98343 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) LSM_HOOK(int, 0, userns_create, const struct cred *cred) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, - u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp, + struct lsmblob *blob) LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) diff --git a/include/linux/security.h b/include/linux/security.h index a0b23b6e8734..ebe8edaae953 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob) return !!memcmp(blob, &empty, sizeof(*blob)); } +/** + * lsmblob_init - initialize a lsmblob structure + * @blob: Pointer to the data to initialize + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob) +{ + memset(blob, 0, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); 
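Review bot: the kernel-doc added for lsmblob_init() in the include/linux/security.h hunk says "Set all secid for all modules to the specified value", but the function takes no value; it clears the whole structure with memset(). Suggest " * Set the secid for all modules to zero." so the comment matches the code, and it is worth saying there that callers such as security_ipc_getlsmblob() rely on this zero state for every module that does not fill in its own field.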
@@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_create_user_ns(const struct cred *cred); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); @@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 84f6e9356b8f..94b7ef89da2e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - /* scaffolding */ - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); + security_ipc_getlsmblob(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index bb541a3be410..6e72e678b5b4 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) } /** - * security_ipc_getsecid() - Get the sysv ipc object's secid + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data * @ipcp: ipc permission structure - * @secid: secid pointer + * @blob: pointer to lsm information * - * Get the secid associated with the ipc object. In case of failure, @secid - * will be set to zero. + * Get the lsm information associated with the ipc object. */ -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) + +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + lsmblob_init(blob); + call_void_hook(ipc_getlsmblob, ipcp, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 102489e6d579..1b34b86426e8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { struct ipc_security_struct *isec = selinux_ipc(ipcp); - *secid = isec->sid; + blob->selinux.secid = isec->sid; + /* scaffolding */ + blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(userns_create, selinux_userns_create), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob), LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 
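Review bot: in the security/security.c hunk the replacement of security_ipc_getsecid() adds a bare "+" line, so an empty line now sits between the closing " */" of the kernel-doc block and the new "void security_ipc_getlsmblob(...)" definition. Kernel-doc blocks are expected to sit directly above the function they document, and the rest of this file keeps them adjacent; the blank line looks like an editing leftover and should be dropped. The same hunk's removal of "In case of failure, @secid will be set to zero" loses the only statement of what callers get back when no LSM answers; since lsmblob_init() still zeroes the blob before call_void_hook(), keep a sentence to that effect.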
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5d74d8590862..370ca7fb1843 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) } /** - * smack_ipc_getsecid - Extract smack security id + * smack_ipc_getlsmblob - Extract smack security data * @ipp: the object permissions - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, + struct lsmblob *blob) { - struct smack_known **blob = smack_ipc(ipp); - struct smack_known *iskp = *blob; + struct smack_known **iskpp = smack_ipc(ipp); + struct smack_known *iskp = *iskpp; - *secid = iskp->smk_secid; + blob->smack.skp = iskp; + /* scaffolding */ + blob->scaffold.secid = iskp->smk_secid; } /** 
@@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob), LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),

From patchwork Fri Aug 30 00:34:05 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13784044
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org
Subject: [PATCH v2 07/13] LSM: Use lsmblob in security_current_getsecid
Date: Thu, 29 Aug 2024 17:34:05 -0700
Message-ID: <20240830003411.16818-8-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
X-Mailing-List: audit@vger.kernel.org

Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in an lsmblob structure instead of a u32 secid. Audit interfaces will need to collect all possible security data for possible reporting.
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: selinux@vger.kernel.org --- include/linux/lsm_hook_defs.h | 6 +-- include/linux/security.h | 13 +++--- kernel/audit.c | 11 +++-- kernel/auditfilter.c | 3 +- kernel/auditsc.c | 22 ++++++---- net/netlabel/netlabel_unlabeled.c | 5 ++- net/netlabel/netlabel_user.h | 6 ++- security/apparmor/lsm.c | 20 ++++++--- security/integrity/ima/ima.h | 6 +-- security/integrity/ima/ima_api.c | 6 +-- security/integrity/ima/ima_appraise.c | 6 +-- security/integrity/ima/ima_main.c | 59 ++++++++++++++------------- security/integrity/ima/ima_policy.c | 14 +++---- security/security.c | 28 ++++++------- security/selinux/hooks.c | 17 +++++--- security/smack/smack_lsm.c | 25 +++++++----- 16 files changed, 139 insertions(+), 108 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c3ffc3f98343..06c60f1aefa7 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -232,9 +232,9 @@ LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old) LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, - struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, current_getlsmblob_subj, struct lsmblob *blob) +LSM_HOOK(void, LSM_RET_VOID, task_getlsmblob_obj, + struct task_struct *p, struct lsmblob *blob) LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) LSM_HOOK(int, 0, task_getioprio, struct task_struct *p) diff --git a/include/linux/security.h b/include/linux/security.h index ebe8edaae953..b28f2f7fe4ef 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -492,8 +492,8 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_current_getsecid_subj(u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_current_getlsmblob_subj(struct lsmblob *blob); +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1268,14 +1268,15 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_current_getsecid_subj(u32 *secid) +static inline void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 9dac776b60a7..97c0dea0e3a1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2179,16 +2179,16 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmblob blob; char *ctx = NULL; unsigned len; int error; - u32 sid; - security_current_getsecid_subj(&sid); - if (!sid) + security_current_getlsmblob_subj(&blob); + if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; 
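Review bot: audit_log_task_context() in the kernel/audit.c hunk now calls security_lsmblob_to_secctx(), which this patch does not introduce (the security/security.c entry in the diffstat covers only the getsecid replacements), so the hunk builds only if that helper landed earlier in the series. The commit message should state that dependency, since a bisect that stops on this patch in a tree without it will fail to compile. Replacing "if (!sid)" with "if (!lsmblob_is_set(&blob))" keeps the early return for the no-LSM case, which is the right check now that the blob may be partially filled.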
@@ -2405,8 +2405,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - /* scaffolding */ - security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); + security_current_getlsmblob_subj(&audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index c4c7cda3b846..06309227a0eb 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1371,8 +1371,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { /* scaffolding */ - security_current_getsecid_subj( - &blob.scaffold.secid); + security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rule); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 94b7ef89da2e..1f05445978f9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -470,7 +470,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob = { }; unsigned int sessionid; @@ -675,15 +674,14 @@ static int audit_filter_rules(struct task_struct *tsk, * fork()/copy_process() in which case * the new @tsk creds are still a dup * of @current's creds so we can still - * use security_current_getsecid_subj() + * use + * security_current_getlsmblob_subj() * here even though it always refs * @current's creds */ - security_current_getsecid_subj(&sid); + security_current_getlsmblob_subj(&blob); need_sid = 0; } - /* scaffolding */ - blob.scaffold.secid = sid; result = security_audit_rule_match(&blob, f->type, f->op, 
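Review bot: in the kernel/auditfilter.c hunk the unchanged context line "/* scaffolding */" directly above the new "security_current_getlsmblob_subj(&blob);" is now stale: the call no longer touches blob.scaffold.secid, so the comment should be removed in this patch rather than left for a later cleanup. The kernel/auditsc.c hunk in audit_filter_rules() gets this right by dropping both its scaffolding line and the "u32 sid" that fed it; the auditfilter.c hunk should follow the same pattern. In that auditsc.c hunk the rewrapped comment leaves "use" alone on a line before "security_current_getlsmblob_subj()"; "use security_current_getlsmblob_subj()" fits on one line and reads better.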
@@ -2730,12 +2728,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + context->target_sid = blob.scaffold.secid; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2751,6 +2752,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2762,7 +2764,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + ctx->target_sid = blob.scaffold.secid; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2783,7 +2787,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getlsmblob_obj(t, &blob); + /* scaffolding */ + axp->target_sid[axp->pid_count] = blob.scaffold.secid; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 9996883bf2b7..7f38dc9b6b57 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c 
@@ -1534,11 +1534,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getsecid_subj(&audit_info.secid); + security_current_getlsmblob_subj(&blob); + /* scaffolding */ + audit_info.secid = blob.scaffold.secid; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index d6c5b31eb4eb..40841d7af1d8 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_current_getsecid_subj(&audit_info->secid); + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + /* scaffolding */ + audit_info->secid = blob.scaffold.secid; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 050d103f5ca5..877c4e809ae8 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -982,17 +982,24 @@ static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm) return; } -static void apparmor_current_getsecid_subj(u32 *secid) +static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) { struct aa_label *label = __begin_current_label_crit_section(); - *secid = label->secid; + + blob->apparmor.label = label; + /* scaffolding */ + blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } -static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void apparmor_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct aa_label *label = aa_get_task_label(p); - *secid = label->secid; + + blob->apparmor.label = label; + /* scaffolding */ + blob->scaffold.secid = label->secid; aa_put_label(label); } @@ -1518,8 +1525,9 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, + apparmor_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, apparmor_task_getlsmblob_obj), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), LSM_HOOK_INIT(userns_create, apparmor_userns_create), diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c51e24d24d1e..64bd77aa28e9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -369,7 +369,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); @@ -400,8 +400,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 984e861f6e33..896cf716dd6d 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @idmap: idmap of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: secid(s) of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) 
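Review bot: the ima_get_action() kernel-doc in the security/integrity/ima/ima_api.c hunk now reads "@blob: secid(s) of the task being validated", but the structure carries more than secids after this series (AppArmor stores a label pointer in this very patch, Smack a smack_known pointer in the ipc patch). "@blob: LSM data of the task being validated" would describe the parameter accurately and match the wording used for security_ipc_getlsmblob().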
@@ -196,7 +196,7 @@ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(idmap, inode, cred, secid, func, mask, + return ima_match_policy(idmap, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data, allowed_algos); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 656c709b974f..b0db2f38efc6 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -73,13 +73,13 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_current_getsecid_subj(&secid); - return ima_match_policy(idmap, inode, current_cred(), secid, + security_current_getlsmblob_subj(&blob); + return ima_match_policy(idmap, inode, current_cred(), &blob, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index f04f43af651c..d408a700fe6f 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -206,8 +206,8 @@ static void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *real_inode, *inode = file_inode(file); struct ima_iint_cache *iint = NULL; 
@@ -232,7 +232,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_idmap(file), inode, cred, secid, + action = ima_get_action(file_mnt_idmap(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL, &allowed_algos); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK || @@ -443,23 +443,23 @@ static int process_measurement(struct file *file, const struct cred *cred, static int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags) { - u32 secid; + struct lsmblob blob; int ret; if (!file) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); if (reqprot & PROT_EXEC) { - ret = process_measurement(file, current_cred(), secid, NULL, + ret = process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK_REQPROT); if (ret) return ret; } if (prot & PROT_EXEC) - return process_measurement(file, current_cred(), secid, NULL, + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); return 0; @@ -488,9 +488,9 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ 
@@ -498,13 +498,13 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL, NULL); action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK_REQPROT, &pcr, &template, NULL, NULL); @@ -542,15 +542,18 @@ static int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob = { }; - security_current_getsecid_subj(&secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_current_getlsmblob_subj(&blob); + ret = process_measurement(bprm->file, current_cred(), + &blob, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, + /* scaffolding */ + blob.scaffold.secid = secid; + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } @@ -566,10 +569,10 @@ static int ima_bprm_check(struct linux_binprm *bprm) */ static int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } 
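Review bot: in the ima_bprm_check() hunk the second process_measurement() call (CREDS_CHECK) reuses the blob that security_current_getlsmblob_subj() filled with the current task's subjective data and only overwrites blob.scaffold.secid with the value from security_cred_getsecid(bprm->cred, &secid). The LSM-specific members (blob->selinux.secid, blob->smack.skp, as set in the selinux and smack hunks of this patch) still describe the running task rather than bprm->cred, so any matcher that reads those fields instead of scaffold.secid would check the wrong subject. Either clear the blob with lsmblob_init(&blob) before setting scaffold.secid, use a separate blob for the CREDS_CHECK call, or fetch the cred's data through a cred_getlsmblob hook. The `struct lsmblob blob = { };` initializer is also redundant here, since security_current_getlsmblob_subj() begins with lsmblob_init(blob) in the security.c hunk.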
@@ -768,7 +771,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the @@ -788,9 +791,9 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { @@ -818,7 +821,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -831,8 +834,8 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, buf, size, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, buf, size, MAY_READ, func); } @@ -967,7 +970,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; 
@@ -990,9 +993,9 @@ int process_buffer_measurement(struct mnt_idmap *idmap, * buffer measurements. */ if (func) { - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); action = ima_get_action(idmap, inode, current_cred(), - secid, 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 40119816b848..33bdbd031673 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -557,7 +557,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @idmap: idmap of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the secid(s) of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -567,7 +567,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct mnt_idmap *idmap, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, + struct lsmblob *blob, enum ima_hooks func, int mask, const char *func_data) { int i; @@ -658,8 +658,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - /* scaffolding */ - blob.scaffold.secid = secid; rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule); 
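Review bot: in the ima_match_rules() hunk at line 658 the call still passes `&blob` even though `blob` is now the `struct lsmblob *` parameter introduced in the hunk at line 567. Either that expression is now a `struct lsmblob **` and the file will not compile, or a local `struct lsmblob blob` still exists in the function (the removed `blob.scaffold.secid = secid;` line was assigning to one) and shadows the parameter, in which case the LSM_SUBJ_USER/ROLE/TYPE cases match against a blob the caller's data was never copied into and subject rules silently stop matching. The call should become `rc = ima_filter_rule_match(blob, lsm_rule->lsm[i].type, ...)` and the loop-local variable should be renamed (for example inode_blob) so the two cannot be confused.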
@@ -723,7 +721,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM secid(s) of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) @@ -740,8 +738,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { @@ -759,7 +757,7 @@ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, idmap, inode, cred, secid, + if (!ima_match_rules(entry, idmap, inode, cred, blob, func, mask, func_data)) continue; diff --git a/security/security.c b/security/security.c index 6e72e678b5b4..b6e28e20ac51 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3373,33 +3373,33 @@ int security_task_getsid(struct task_struct *p) } /** - * security_current_getsecid_subj() - Get the current task's subjective secid - * @secid: secid value + * security_current_getlsmblob_subj() - Current task's subjective LSM data + * @blob: lsm specific information * * Retrieve the subjective security identifier of the current task and return - * it in @secid. In case of failure, @secid will be set to zero. + * it in @blob. */ -void security_current_getsecid_subj(u32 *secid) +void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; - call_void_hook(current_getsecid_subj, secid); + lsmblob_init(blob); + call_void_hook(current_getlsmblob_subj, blob); } -EXPORT_SYMBOL(security_current_getsecid_subj); +EXPORT_SYMBOL(security_current_getlsmblob_subj); /** - * security_task_getsecid_obj() - Get a task's objective secid + * security_task_getlsmblob_obj() - Get a task's objective LSM data * @p: target task - * @secid: secid value + * @blob: lsm specific information * * Retrieve the objective security identifier of the task_struct in @p and - * return it in @secid. In case of failure, @secid will be set to zero. + * return it in @blob. */ -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + lsmblob_init(blob); + call_void_hook(task_getlsmblob_obj, p, blob); } -EXPORT_SYMBOL(security_task_getsecid_obj); +EXPORT_SYMBOL(security_task_getlsmblob_obj); /** * security_task_setnice() - Check if setting a task's nice value is allowed diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1b34b86426e8..af48b8f868b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
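Review bot: the kernel-doc for security_current_getlsmblob_subj() and security_task_getlsmblob_obj() drops the sentence describing the failure case, yet both functions still call lsmblob_init(blob) before the hook, so the contract is unchanged: on failure the blob is cleared. Keep that sentence ("In case of failure, @blob will be cleared"), as the security_cred_getlsmblob() kernel-doc in the next patch of this series does, so callers know they may read the blob unconditionally after the call.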
@@ -4161,14 +4161,19 @@ static int selinux_task_getsid(struct task_struct *p) PROCESS__GETSESSION, NULL); } -static void selinux_current_getsecid_subj(u32 *secid) +static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = current_sid(); + blob->selinux.secid = current_sid(); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } -static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void selinux_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = task_sid_obj(p); + blob->selinux.secid = task_sid_obj(p); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -7240,8 +7245,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, selinux_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, selinux_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 370ca7fb1843..fcacc59faf33 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -2239,30 +2239,35 @@ static int smack_task_getsid(struct task_struct *p) } /** - * smack_current_getsecid_subj - get the subjective secid of the current task - * @secid: where to put the result + * smack_current_getlsmblob_subj - get the subjective secid of the current task + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's subjective smack label. */ -static void smack_current_getsecid_subj(u32 *secid) +static void smack_current_getlsmblob_subj(struct lsmblob *blob) { struct smack_known *skp = smk_of_current(); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** - * smack_task_getsecid_obj - get the objective secid of the task + * smack_task_getlsmblob_obj - get the objective data of the task * @p: the task - * @secid: where to put the result + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's objective smack label. */ -static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void smack_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct smack_known *skp = smk_of_task_struct_obj(p); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** 
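Review bot: the kernel-doc for smack_current_getlsmblob_subj() and smack_task_getlsmblob_obj() still reads "Sets the secid to contain a u32 version of the task's ... smack label", but the functions now store the struct smack_known pointer in blob->smack.skp and only the scaffolding line writes the u32 secid. Rewrite the description to say the Smack part of the blob is set (the wording smack_cred_getlsmblob() uses in the following patch) so it does not go stale when the scaffolding is removed.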
@@ -5148,8 +5153,8 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, smack_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, smack_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), From patchwork Fri Aug 30 00:34:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13784045 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic308-16.consmr.mail.ne1.yahoo.com (sonic308-16.consmr.mail.ne1.yahoo.com [66.163.187.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B76D23B1 for ; Fri, 30 Aug 2024 00:39:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.187.39 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724978352; cv=none; b=W1+2ZnOr17rf+qFMbbkNM64M53i781MPwHLQnT2NJ8P2qojGZ/oYgHGJ/AST0zkL7SOwafNjZ2VC2zjCE4nWSMMNtrMEasmqMz35wriMvseojD/qCorLUsnhqqinYgtIHHvlzl7panwdWTlqsbAcaBQ9DFQW92bedSxbTtZLD2w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724978352; c=relaxed/simple; bh=yWQqcFo2VEeVFJdxVNiXAR71ak83CpaL8hJJ1XCkjVU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eMXgjRAF+FbEBN1lyPgOCBPb1Q+7cjuXHEspz/Xfv9nz8NE5XRncZY1lfE2vvggFJPI1mKcnu6PawHmDsTA6/RKeyAKaTEObRoyCaWYds8eYW7/rKQIw8jcbQIHDfb+A9WiKJo7NNeYl/BTuCUmCLxiF8fNRq6DYN/ROffBUw0s= 
AGHnzROcX_nGnsOQ.9xFzC40XoSWupF9pluIytxMCGQLB1sMo13F9_0.c.TZ9DCxKUAN.PB6quPj PjGHuqJmFWhmapaJETVH_01qXFl8shIhRjZTc98RhyZtQ0v2D6pPjKcYtFabYAK6hx_oFmYjooKn UTSddVMekls.3YUmcM7fjhH_oQDCwgGGO9o.wtgltk.roAmsWjWGbzGGY3NnE_hPVzPqFLoqMsYj M4tDbywDjSl2QZwac41Ea.gPrfsCXijE1W8eYB7d23QowfpE- X-Sonic-MF: X-Sonic-ID: 1e72a095-b931-4a33-b88b-0ef8d1725ace Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Fri, 30 Aug 2024 00:39:08 +0000 Received: by hermes--production-gq1-5d95dc458-jflr5 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 35a934a1749a25fd4473b6654327c16f; Fri, 30 Aug 2024 00:39:05 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org, Todd Kjos Subject: [PATCH v2 10/13] LSM: Create new security_cred_getlsmblob LSM hook Date: Thu, 29 Aug 2024 17:34:08 -0700 Message-ID: <20240830003411.16818-11-casey@schaufler-ca.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com> References: <20240830003411.16818-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new LSM hook security_cred_getlsmblob() which, like security_cred_getsecid(), fetches LSM specific attributes from the cred structure. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. 
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: selinux@vger.kernel.org Cc: Todd Kjos --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 7 +++++++ security/integrity/ima/ima_main.c | 7 ++----- security/security.c | 15 +++++++++++++++ security/selinux/hooks.c | 8 ++++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 6 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 4fd508841a6e..4bdd36626633 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -215,6 +215,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, const struct cred *old) LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c, + struct lsmblob *blob) LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) diff --git a/include/linux/security.h b/include/linux/security.h index 4fe6f64cc3b4..111c1fc18f25 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -473,6 +473,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); 
@@ -1192,6 +1193,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid) *secid = 0; } +static inline void security_cred_getlsmblob(const struct cred *c, + struct lsmblob *blob) +{ + *secid = 0; +} + static inline int security_kernel_act_as(struct cred *cred, u32 secid) { return 0; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d408a700fe6f..8171da96a4a4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, static int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; - struct lsmblob blob = { }; + struct lsmblob blob; security_current_getlsmblob_subj(&blob); ret = process_measurement(bprm->file, current_cred(), @@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - /* scaffolding */ - blob.scaffold.secid = secid; + security_cred_getlsmblob(bprm->cred, &blob); return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } diff --git a/security/security.c b/security/security.c index c2be9798c012..325030bc7112 100644 --- a/security/security.c +++ b/security/security.c @@ -3153,6 +3153,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); +/** + * security_cred_getlsmblob() - Get the LSM data from a set of credentials + * @c: credentials + * @blob: destination for the LSM data + * + * Retrieve the security data of the cred structure @c. In case of + * failure, @blob will be cleared. + */ +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + lsmblob_init(blob); + call_void_hook(cred_getlsmblob, c, blob); +} +EXPORT_SYMBOL(security_cred_getlsmblob); + /** * security_kernel_act_as() - Set the kernel credentials to act as secid * @new: credentials 
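Review bot: the !CONFIG_SECURITY stub for security_cred_getlsmblob() in the include/linux/security.h hunk at line 1192 does `*secid = 0;`, but no `secid` is in scope (the parameters are `c` and `blob`), so a kernel built without CONFIG_SECURITY will fail to compile. It was evidently copied from the security_cred_getsecid() stub immediately above; the body should be `lsmblob_init(blob);`, matching what the CONFIG_SECURITY implementation in the security.c hunk does.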
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f5d09beeef0f..076511c446bd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4029,6 +4029,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) *secid = cred_sid(c); } +static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + blob->selinux.secid = cred_sid(c); + /* scaffolding */ + blob->scaffold.secid = blob->selinux.secid; +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -7240,6 +7247,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 88e7ac15ca62..a2445e4f906d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2150,6 +2150,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid) rcu_read_unlock(); } +/** + * smack_cred_getlsmblob - get the Smack label for a creds structure + * @cred: the object creds + * @blob: where to put the data + * + * Sets the Smack part of the blob + */ +static void smack_cred_getlsmblob(const struct cred *cred, + struct lsmblob *blob) +{ + rcu_read_lock(); + blob->smack.skp = smk_of_task(smack_cred(cred)); + /* scaffolding */ + blob->scaffold.secid = blob->smack.skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. 
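Review bot: in smack_cred_getlsmblob() the rcu_read_lock() covers the lookup, but the struct smack_known pointer stored in blob->smack.skp is handed back to the caller and used after rcu_read_unlock() (ima_bprm_check() in this patch passes it on to process_measurement()), whereas the existing smack_cred_getsecid() only let a u32 escape the critical section. If this is safe because Smack label entries are never freed, a one-line comment saying so would spare the next reader the question; otherwise the pointer needs its own lifetime guarantee.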
@@ -5150,6 +5167,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
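Review bot: the commit message says the audit sub-system's data elements are changed from a secid to an lsmblob, but the diffstat touches only include/linux/lsm_hook_defs.h, include/linux/security.h, security/integrity/ima/ima_main.c, security/security.c, security/selinux/hooks.c and security/smack/smack_lsm.c; no audit file is in this patch. Either the audit conversion belongs to a later patch in the series and the sentence should say so, or the description should be trimmed to what this patch does: add the cred_getlsmblob hook, implement it for SELinux and Smack, and use it in ima_bprm_check() in place of the secid scaffolding.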