From: Kees Cook <keescook@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Andy Lutomirski <luto@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
David Howells <dhowells@redhat.com>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v5 05/15] selinux: Refactor to remove bprm_secureexec hook
Date: Tue, 1 Aug 2017 12:16:28 -0700 [thread overview]
Message-ID: <1501614998-62619-6-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1501614998-62619-1-git-send-email-keescook@chromium.org>
The SELinux bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).
Here, the test can just happen at the end of the bprm_set_creds hook,
and the bprm_secureexec hook can be dropped.
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
---
security/selinux/hooks.c | 24 +++++-------------------
1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1db40195d178..a1f5f5ddfba7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2442,30 +2442,17 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
/* Clear any possibly unsafe personality bits on exec: */
bprm->per_clear |= PER_CLEAR_ON_SETID;
- }
-
- return 0;
-}
-
-static int selinux_bprm_secureexec(struct linux_binprm *bprm)
-{
- const struct task_security_struct *tsec = current_security();
- u32 sid, osid;
- int atsecure = 0;
-
- sid = tsec->sid;
- osid = tsec->osid;
- if (osid != sid) {
/* Enable secure mode for SIDs transitions unless
the noatsecure permission is granted between
the two SIDs, i.e. ahp returns 0. */
- atsecure = avc_has_perm(osid, sid,
- SECCLASS_PROCESS,
- PROCESS__NOATSECURE, NULL);
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
+ SECCLASS_PROCESS, PROCESS__NOATSECURE,
+ NULL);
+ bprm->secureexec |= !!rc;
}
- return !!atsecure;
+ return 0;
}
static int match_file(const void *p, struct file *file, unsigned fd)
@@ -6266,7 +6253,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
- LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
--
2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v5 05/15] selinux: Refactor to remove bprm_secureexec hook
Date: Tue, 1 Aug 2017 12:16:28 -0700 [thread overview]
Message-ID: <1501614998-62619-6-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1501614998-62619-1-git-send-email-keescook@chromium.org>
The SELinux bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).
Here, the test can just happen at the end of the bprm_set_creds hook,
and the bprm_secureexec hook can be dropped.
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
---
security/selinux/hooks.c | 24 +++++-------------------
1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1db40195d178..a1f5f5ddfba7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2442,30 +2442,17 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
/* Clear any possibly unsafe personality bits on exec: */
bprm->per_clear |= PER_CLEAR_ON_SETID;
- }
-
- return 0;
-}
-
-static int selinux_bprm_secureexec(struct linux_binprm *bprm)
-{
- const struct task_security_struct *tsec = current_security();
- u32 sid, osid;
- int atsecure = 0;
-
- sid = tsec->sid;
- osid = tsec->osid;
- if (osid != sid) {
/* Enable secure mode for SIDs transitions unless
the noatsecure permission is granted between
the two SIDs, i.e. ahp returns 0. */
- atsecure = avc_has_perm(osid, sid,
- SECCLASS_PROCESS,
- PROCESS__NOATSECURE, NULL);
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
+ SECCLASS_PROCESS, PROCESS__NOATSECURE,
+ NULL);
+ bprm->secureexec |= !!rc;
}
- return !!atsecure;
+ return 0;
}
static int match_file(const void *p, struct file *file, unsigned fd)
@@ -6266,7 +6253,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
- LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
--
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-08-01 19:20 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-01 19:16 [PATCH v5 00/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 01/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 02/15] exec: Correct comments about "point of no return" Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 03/15] binfmt: Introduce secureexec flag Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 04/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` Kees Cook [this message]
2017-08-01 19:16 ` [PATCH v5 05/15] selinux: " Kees Cook
2017-08-01 19:16 ` [PATCH v5 06/15] smack: " Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 07/15] commoncap: " Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 08/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 09/15] LSM: drop bprm_secureexec hook Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 10/15] exec: Use secureexec for setting dumpability Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 13/15] exec: Consolidate dumpability logic Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 14/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-08-01 19:16 ` Kees Cook
2017-08-01 19:16 ` [PATCH v5 15/15] exec: Consolidate pdeath_signal clearing Kees Cook
2017-08-01 19:16 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1501614998-62619-6-git-send-email-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.