From: "T.J. Mercier" <tjmercier@google.com>
To: tjmercier@google.com,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Christian Brauner" <brauner@kernel.org>,
"Carlos Llamas" <cmllamas@google.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Eric Paris" <eparis@parisplace.org>
Cc: hannes@cmpxchg.org, daniel.vetter@ffwll.ch,
android-mm@google.com, jstultz@google.com,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH 4/4] security: binder: Add transfer_charge SElinux hook
Date: Mon, 9 Jan 2023 21:38:07 +0000 [thread overview]
Message-ID: <20230109213809.418135-5-tjmercier@google.com> (raw)
In-Reply-To: <20230109213809.418135-1-tjmercier@google.com>
Any process can cause a memory charge transfer to occur to any other
process when transmitting a file descriptor through binder. This should
only be possible for central allocator processes, so a new SELinux
permission is added to restrict which processes are allowed to initiate
these charge transfers.
Signed-off-by: T.J. Mercier <tjmercier@google.com>
---
drivers/android/binder.c | 5 +++++
include/linux/lsm_hook_defs.h | 2 ++
include/linux/lsm_hooks.h | 6 ++++++
include/linux/security.h | 2 ++
security/security.c | 6 ++++++
security/selinux/hooks.c | 9 +++++++++
security/selinux/include/classmap.h | 2 +-
7 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 9830848c8d25..9063db04826d 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2279,6 +2279,11 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, __u32 flags,
if (IS_ENABLED(CONFIG_MEMCG) && (flags & BINDER_FD_FLAG_XFER_CHARGE)) {
struct dma_buf *dmabuf;
+ if (security_binder_transfer_charge(proc->cred, target_proc->cred)) {
+ ret = -EPERM;
+ goto err_security;
+ }
+
if (unlikely(!is_dma_buf_file(file))) {
binder_user_error(
"%d:%d got transaction with XFER_CHARGE for non-dmabuf fd, %d\n",
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index ed6cb2ac55fa..8db2a958557e 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -33,6 +33,8 @@ LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
const struct cred *to)
LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
const struct cred *to, struct file *file)
+LSM_HOOK(int, 0, binder_transfer_charge, const struct cred *from,
+ const struct cred *to)
LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child,
unsigned int mode)
LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0a5ba81f7367..39c40c7bf519 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1385,6 +1385,12 @@
* @file contains the struct file being transferred.
* @to contains the struct cred for the receiving process.
* Return 0 if permission is granted.
+ * @binder_transfer_charge:
+ * Check whether @from is allowed to transfer the memory charge for a
+ * buffer out of its cgroup to @to.
+ * @from contains the struct cred for the sending process.
+ * @to contains the struct cred for the receiving process.
+ * Return 0 if permission is granted.
*
* @ptrace_access_check:
* Check permission before allowing the current process to trace the
diff --git a/include/linux/security.h b/include/linux/security.h
index 5b67f208f7de..3b7472308430 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -270,6 +270,8 @@ int security_binder_transfer_binder(const struct cred *from,
const struct cred *to);
int security_binder_transfer_file(const struct cred *from,
const struct cred *to, struct file *file);
+int security_binder_transfer_charge(const struct cred *from,
+ const struct cred *to);
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
int security_ptrace_traceme(struct task_struct *parent);
int security_capget(struct task_struct *target,
diff --git a/security/security.c b/security/security.c
index d1571900a8c7..97e1e74d1ff2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -801,6 +801,12 @@ int security_binder_transfer_file(const struct cred *from,
return call_int_hook(binder_transfer_file, 0, from, to, file);
}
+int security_binder_transfer_charge(const struct cred *from,
+ const struct cred *to)
+{
+ return call_int_hook(binder_transfer_charge, 0, from, to);
+}
+
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
return call_int_hook(ptrace_access_check, 0, child, mode);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3c5be76a9199..823ef14924bd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2066,6 +2066,14 @@ static int selinux_binder_transfer_file(const struct cred *from,
&ad);
}
+static int selinux_binder_transfer_charge(const struct cred *from, const struct cred *to)
+{
+ return avc_has_perm(&selinux_state,
+ cred_sid(from), cred_sid(to),
+ SECCLASS_BINDER, BINDER__TRANSFER_CHARGE,
+ NULL);
+}
+
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
@@ -7052,6 +7060,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
+ LSM_HOOK_INIT(binder_transfer_charge, selinux_binder_transfer_charge),
LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index a3c380775d41..2eef180d10d7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -172,7 +172,7 @@ const struct security_class_mapping secclass_map[] = {
{ "tun_socket",
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
- NULL } },
+ "transfer_charge", NULL } },
{ "cap_userns",
{ COMMON_CAP_PERMS, NULL } },
{ "cap2_userns",
--
2.39.0.314.g84b9a713c41-goog
next prev parent reply other threads:[~2023-01-09 21:40 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-09 21:38 [PATCH 0/4] Track exported dma-buffers with memcg T.J. Mercier
2023-01-09 21:38 ` [PATCH 1/4] memcg: Track exported dma-buffers T.J. Mercier
2023-01-10 8:58 ` Michal Hocko
2023-01-10 19:08 ` T.J. Mercier
2023-01-09 21:38 ` [PATCH 2/4] dmabuf: Add cgroup charge transfer function T.J. Mercier
2023-01-09 21:38 ` [PATCH 3/4] binder: Add flags to relinquish ownership of fds T.J. Mercier
[not found] ` <20230110014720.281-1-hdanton@sina.com>
2023-01-10 21:20 ` T.J. Mercier
2023-01-20 21:25 ` Carlos Llamas
2023-01-20 21:52 ` T.J. Mercier
2023-01-09 21:38 ` T.J. Mercier [this message]
2023-01-09 22:28 ` [PATCH 4/4] security: binder: Add transfer_charge SElinux hook Casey Schaufler
2023-01-10 0:30 ` T.J. Mercier
2023-01-10 19:39 ` Casey Schaufler
2023-01-12 0:21 ` T.J. Mercier
2023-01-10 0:13 ` kernel test robot
2023-01-10 0:14 ` kernel test robot
2023-01-11 23:00 ` Paul Moore
2023-01-12 0:21 ` T.J. Mercier
2023-01-12 20:45 ` Paul Moore
2023-01-12 21:36 ` T.J. Mercier
2023-01-12 21:54 ` Paul Moore
2023-01-10 0:18 ` [PATCH 0/4] Track exported dma-buffers with memcg Shakeel Butt
2023-01-11 22:56 ` Daniel Vetter
2023-01-12 0:49 ` T.J. Mercier
2023-01-12 8:13 ` Shakeel Butt
2023-01-12 8:17 ` Christian König
2023-01-12 7:56 ` Shakeel Butt
2023-01-12 10:25 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230109213809.418135-5-tjmercier@google.com \
--to=tjmercier@google.com \
--cc=android-mm@google.com \
--cc=arve@android.com \
--cc=brauner@kernel.org \
--cc=cmllamas@google.com \
--cc=daniel.vetter@ffwll.ch \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=hannes@cmpxchg.org \
--cc=jmorris@namei.org \
--cc=joel@joelfernandes.org \
--cc=jstultz@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maco@android.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=surenb@google.com \
--cc=tkjos@android.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).