From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-yw1-f68.google.com ([209.85.161.68]:46900 "EHLO mail-yw1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726258AbeIMFhW (ORCPT ); Thu, 13 Sep 2018 01:37:22 -0400 Received: by mail-yw1-f68.google.com with SMTP id j131-v6so473507ywc.13 for ; Wed, 12 Sep 2018 17:30:23 -0700 (PDT) Received: from mail-yb1-f180.google.com (mail-yb1-f180.google.com. [209.85.219.180]) by smtp.gmail.com with ESMTPSA id v185-v6sm804011ywc.94.2018.09.12.17.30.20 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Sep 2018 17:30:21 -0700 (PDT) Received: by mail-yb1-f180.google.com with SMTP id o17-v6so2581693yba.2 for ; Wed, 12 Sep 2018 17:30:20 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <03851eb1-46cd-9d31-9ad5-0b80a24f5288@schaufler-ca.com> References: <03851eb1-46cd-9d31-9ad5-0b80a24f5288@schaufler-ca.com> From: Kees Cook Date: Wed, 12 Sep 2018 17:30:19 -0700 Message-ID: Subject: Re: [PATCH 09/10] LSM: Infrastructure management of the inode security To: Casey Schaufler Cc: LSM , James Morris , LKLM , SE Linux , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan , "Schaufler, Casey" Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Tue, Sep 11, 2018 at 9:42 AM, Casey Schaufler wrote: > Move management of the inode->i_security blob out > of the individual security modules and into the security > infrastructure. Instead of allocating the blobs from within > the modules the modules tell the infrastructure how much > space is required, and the space is allocated there. > > Signed-off-by: Casey Schaufler > --- > include/linux/lsm_hooks.h | 3 ++ > security/security.c | 83 ++++++++++++++++++++++++++++++- > security/selinux/hooks.c | 32 +----------- > security/selinux/include/objsec.h | 5 +- > security/smack/smack_lsm.c | 70 ++++---------------------- > 5 files changed, 98 insertions(+), 95 deletions(-) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 167ffbd4d0c0..416b20c3795b 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -2030,6 +2030,7 @@ struct security_hook_list { > struct lsm_blob_sizes { > int lbs_cred; > int lbs_file; > + int lbs_inode; > }; > > /* > @@ -2092,9 +2093,11 @@ static inline void loadpin_add_hooks(void) { }; > #endif > > extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp); > +extern int lsm_inode_alloc(struct inode *inode); > > #ifdef CONFIG_SECURITY > void lsm_early_cred(struct cred *cred); > +void lsm_early_inode(struct inode *inode); > #endif > > #endif /* ! __LINUX_LSM_HOOKS_H */ > diff --git a/security/security.c b/security/security.c > index 5430cae73cf6..2501cdcbebff 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -41,6 +41,7 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init; > static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); > > static struct kmem_cache *lsm_file_cache; > +static struct kmem_cache *lsm_inode_cache; > > char *lsm_names; > static struct lsm_blob_sizes blob_sizes; > @@ -101,6 +102,10 @@ int __init security_init(void) > lsm_file_cache = kmem_cache_create("lsm_file_cache", > blob_sizes.lbs_file, 0, > SLAB_PANIC, NULL); > + if (blob_sizes.lbs_inode) > + lsm_inode_cache = kmem_cache_create("lsm_inode_cache", > + blob_sizes.lbs_inode, 0, > + SLAB_PANIC, NULL); > /* > * The second call to a module specific init function > * adds hooks to the hook lists and does any other early > @@ -111,6 +116,7 @@ int __init security_init(void) > #ifdef CONFIG_SECURITY_LSM_DEBUG > pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred); > pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file); > + pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode); > #endif > > return 0; > @@ -288,6 +294,13 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed) > { > lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred); > lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file); > + /* > + * The inode blob gets an rcu_head in addition to > + * what the modules might need. > + */ > + if (needed->lbs_inode && blob_sizes.lbs_inode == 0) > + blob_sizes.lbs_inode = sizeof(struct rcu_head); > + lsm_set_size(&needed->lbs_inode, &blob_sizes.lbs_inode); > } > > /** > @@ -311,6 +324,46 @@ int lsm_file_alloc(struct file *file) > return 0; > } > > +/** > + * lsm_inode_alloc - allocate a composite inode blob > + * @inode: the inode that needs a blob > + * > + * Allocate the inode blob for all the modules > + * > + * Returns 0, or -ENOMEM if memory can't be allocated. > + */ > +int lsm_inode_alloc(struct inode *inode) > +{ > + if (!lsm_inode_cache) { WARN_ON? > + inode->i_security = NULL; The other patch didn't set to NULL. Probably should do that in the other one too. > + return 0; > + } > + > + inode->i_security = kmem_cache_zalloc(lsm_inode_cache, GFP_NOFS); > + if (inode->i_security == NULL) > + return -ENOMEM; > + return 0; > +} > + > +/** > + * lsm_early_inode - during initialization allocate a composite inode blob > + * @inode: the inode that needs a blob > + * > + * Allocate the inode blob for all the modules if it's not already there > + */ > +void lsm_early_inode(struct inode *inode) > +{ > + int rc; > + > + if (inode == NULL) > + panic("%s: NULL inode.\n", __func__); > + if (inode->i_security != NULL) > + return; > + rc = lsm_inode_alloc(inode); > + if (rc) > + panic("%s: Early inode alloc failed.\n", __func__); > +} Same thoughts on the use of panic() as the other patch... > + > /* > * Hook list operation macros. > * > @@ -557,14 +610,40 @@ EXPORT_SYMBOL(security_sb_parse_opts_str); > > int security_inode_alloc(struct inode *inode) > { > - inode->i_security = NULL; > - return call_int_hook(inode_alloc_security, 0, inode); > + int rc = lsm_inode_alloc(inode); > + > + if (unlikely(rc)) > + return rc; > + rc = call_int_hook(inode_alloc_security, 0, inode); > + if (unlikely(rc)) > + security_inode_free(inode); > + return rc; > +} > + > +static void inode_free_by_rcu(struct rcu_head *head) > +{ > + /* > + * The rcu head is at the start of the inode blob > + */ > + kmem_cache_free(lsm_inode_cache, head); > } > > void security_inode_free(struct inode *inode) > { > integrity_inode_free(inode); > call_void_hook(inode_free_security, inode); > + /* > + * The inode may still be referenced in a path walk and > + * a call to security_inode_permission() can be made > + * after inode_free_security() is called. Ideally, the VFS > + * wouldn't do this, but fixing that is a much harder > + * job. For now, simply free the i_security via RCU, and > + * leave the current inode->i_security pointer intact. > + * The inode will be freed after the RCU grace period too. > + */ > + if (inode->i_security) > + call_rcu((struct rcu_head *)inode->i_security, > + inode_free_by_rcu); > } > > int security_dentry_init_security(struct dentry *dentry, int mode, > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 2720fe3ebf5f..0b593030d9f2 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -148,8 +148,6 @@ static int __init checkreqprot_setup(char *str) > } > __setup("checkreqprot=", checkreqprot_setup); > > -static struct kmem_cache *sel_inode_cache; > - > /** > * selinux_secmark_enabled - Check to see if SECMARK is currently enabled > * > @@ -245,13 +243,9 @@ static inline u32 task_sid(const struct task_struct *task) > > static int inode_alloc_security(struct inode *inode) > { > - struct inode_security_struct *isec; > + struct inode_security_struct *isec = selinux_inode(inode); > u32 sid = current_sid(); > > - isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); > - if (!isec) > - return -ENOMEM; > - > spin_lock_init(&isec->lock); > INIT_LIST_HEAD(&isec->list); > isec->inode = inode; > @@ -259,7 +253,6 @@ static int inode_alloc_security(struct inode *inode) > isec->sclass = SECCLASS_FILE; > isec->task_sid = sid; > isec->initialized = LABEL_INVALID; > - inode->i_security = isec; > > return 0; > } > @@ -337,14 +330,6 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr > return selinux_inode(inode); > } > > -static void inode_free_rcu(struct rcu_head *head) > -{ > - struct inode_security_struct *isec; > - > - isec = container_of(head, struct inode_security_struct, rcu); > - kmem_cache_free(sel_inode_cache, isec); > -} > - > static void inode_free_security(struct inode *inode) > { > struct inode_security_struct *isec = selinux_inode(inode); > @@ -365,17 +350,6 @@ static void inode_free_security(struct inode *inode) > list_del_init(&isec->list); > spin_unlock(&sbsec->isec_lock); > } > - > - /* > - * The inode may still be referenced in a path walk and > - * a call to selinux_inode_permission() can be made > - * after inode_free_security() is called. Ideally, the VFS > - * wouldn't do this, but fixing that is a much harder > - * job. For now, simply free the i_security via RCU, and > - * leave the current inode->i_security pointer intact. > - * The inode will be freed after the RCU grace period too. > - */ > - call_rcu(&isec->rcu, inode_free_rcu); > } > > static int file_alloc_security(struct file *file) > @@ -6840,6 +6814,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) > struct lsm_blob_sizes selinux_blob_sizes = { > .lbs_cred = sizeof(struct task_security_struct), > .lbs_file = sizeof(struct file_security_struct), > + .lbs_inode = sizeof(struct inode_security_struct), > }; > > static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > @@ -7109,9 +7084,6 @@ static __init int selinux_init(void) > > default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); > > - sel_inode_cache = kmem_cache_create("selinux_inode_security", > - sizeof(struct inode_security_struct), > - 0, SLAB_PANIC, NULL); > avc_init(); > > avtab_cache_init(); > diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h > index 3304a1ee58a4..7a3d18fa9b13 100644 > --- a/security/selinux/include/objsec.h > +++ b/security/selinux/include/objsec.h > @@ -59,10 +59,7 @@ enum label_initialized { > > struct inode_security_struct { > struct inode *inode; /* back pointer to inode object */ > - union { > - struct list_head list; /* list of inode_security_struct */ > - struct rcu_head rcu; /* for freeing the inode_security_struct */ > - }; > + struct list_head list; /* list of inode_security_struct */ > u32 task_sid; /* SID of creating task */ > u32 sid; /* SID of this object */ > u16 sclass; /* security class of this object */ > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 364699ad55b9..6617abb51732 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -288,24 +288,18 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, > } > > /** > - * new_inode_smack - allocate an inode security blob > + * init_inode_smack - initialize an inode security blob > + * @isp: the blob to initialize > * @skp: a pointer to the Smack label entry to use in the blob > * > - * Returns the new blob or NULL if there's no memory available > */ > -static struct inode_smack *new_inode_smack(struct smack_known *skp) > +static void init_inode_smack(struct inode *inode, struct smack_known *skp) > { > - struct inode_smack *isp; > - > - isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); > - if (isp == NULL) > - return NULL; > + struct inode_smack *isp = smack_inode(inode); > > isp->smk_inode = skp; > isp->smk_flags = 0; > mutex_init(&isp->smk_lock); > - > - return isp; > } > > /** > @@ -824,17 +818,13 @@ static int smack_set_mnt_opts(struct super_block *sb, > /* > * Initialize the root inode. > */ > - isp = smack_inode(inode); > - if (isp == NULL) { > - isp = new_inode_smack(sp->smk_root); > - if (isp == NULL) > - return -ENOMEM; > - inode->i_security = isp; > - } else > - isp->smk_inode = sp->smk_root; > + lsm_early_inode(inode); > + init_inode_smack(inode, sp->smk_root); > > - if (transmute) > + if (transmute) { > + isp = smack_inode(inode); > isp->smk_flags |= SMK_INODE_TRANSMUTE; > + } > > return 0; > } > @@ -963,48 +953,10 @@ static int smack_inode_alloc_security(struct inode *inode) > { > struct smack_known *skp = smk_of_current(); > > - inode->i_security = new_inode_smack(skp); > - if (inode->i_security == NULL) > - return -ENOMEM; > + init_inode_smack(inode, skp); > return 0; > } > > -/** > - * smack_inode_free_rcu - Free inode_smack blob from cache > - * @head: the rcu_head for getting inode_smack pointer > - * > - * Call back function called from call_rcu() to free > - * the i_security blob pointer in inode > - */ > -static void smack_inode_free_rcu(struct rcu_head *head) > -{ > - struct inode_smack *issp; > - > - issp = container_of(head, struct inode_smack, smk_rcu); > - kmem_cache_free(smack_inode_cache, issp); > -} > - > -/** > - * smack_inode_free_security - free an inode blob using call_rcu() > - * @inode: the inode with a blob > - * > - * Clears the blob pointer in inode using RCU > - */ > -static void smack_inode_free_security(struct inode *inode) > -{ > - struct inode_smack *issp = smack_inode(inode); > - > - /* > - * The inode may still be referenced in a path walk and > - * a call to smack_inode_permission() can be made > - * after smack_inode_free_security() is called. > - * To avoid race condition free the i_security via RCU > - * and leave the current inode->i_security pointer intact. > - * The inode will be freed after the RCU grace period too. > - */ > - call_rcu(&issp->smk_rcu, smack_inode_free_rcu); > -} > - > /** > * smack_inode_init_security - copy out the smack from an inode > * @inode: the newly created inode > @@ -4619,6 +4571,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, > struct lsm_blob_sizes smack_blob_sizes = { > .lbs_cred = sizeof(struct task_smack), > .lbs_file = sizeof(struct smack_known *), > + .lbs_inode = sizeof(struct inode_smack), > }; > > static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { > @@ -4637,7 +4590,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), > > LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), > - LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), > LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), > LSM_HOOK_INIT(inode_link, smack_inode_link), > LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), > -- > 2.17.1 > > I continue to really like this series: I think pulling the memory management up into the core LSM makes things much cleaner. -Kees -- Kees Cook Pixel Security