From: Paul Moore <paul@paul-moore.com>
To: David Howells <dhowells@redhat.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	keyrings@vger.kernel.org, selinux@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] keys: Make the KEY_NEED_* perms an enum rather than a mask
Date: Wed, 13 May 2020 01:04:29 +0000
Message-ID: <CAHC9VhQhYz8xZ6MGv0S9q2D-gReb0Pqqb=2+oX=NVuxb_F5WfA@mail.gmail.com>
In-Reply-To: <158932282880.2885325.2688622278854566047.stgit@warthog.procyon.org.uk>

On Tue, May 12, 2020 at 6:33 PM David Howells <dhowells@redhat.com> wrote:
> Since the meaning of combining the KEY_NEED_* constants is undefined, make
> it so that you can't do that by turning them into an enum.
>
> The enum is also given some extra values to represent special
> circumstances, such as:
>
>  (1) The '0' value is reserved and causes a warning to trap the parameter
>      being unset.
>
>  (2) The key is to be unlinked and we require no permissions on it, only
>      the keyring, (this replaces the KEY_LOOKUP_FOR_UNLINK flag).
>
>  (3) An override due to CAP_SYS_ADMIN.
>
>  (4) An override due to an instantiation token being present.
>
>  (5) The permissions check is being deferred to later key_permission()
>      calls.
>
> The extra values give the opportunity for LSMs to audit these situations.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> cc: Paul Moore <paul@paul-moore.com>
> cc: Stephen Smalley <stephen.smalley.work@gmail.com>
> cc: Casey Schaufler <casey@schaufler-ca.com>
> cc: keyrings@vger.kernel.org
> cc: selinux@vger.kernel.org
> ---
>
>  include/linux/key.h          |   30 ++++++++++++++++-----------
>  include/linux/security.h     |    6 +++--
>  security/keys/internal.h     |    8 ++++---
>  security/keys/keyctl.c       |   16 ++++++++-------
>  security/keys/permission.c   |   31 ++++++++++++++++++++++------
>  security/keys/process_keys.c |   46 ++++++++++++++++++++----------------------
>  security/security.c          |    6 +++--
>  security/selinux/hooks.c     |   25 ++++++++++++++++-------
>  security/smack/smack_lsm.c   |   31 +++++++++++++++++++++-------
>  9 files changed, 124 insertions(+), 75 deletions(-)

Thanks for clarifying this, it helps a lot.

My comments below are nitpicky, but take them into account; the style
of the SELinux code changes makes my eyes hurt.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0b4e32161b77..3ff6b6dfc5ca 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6541,20 +6541,31 @@ static void selinux_key_free(struct key *k)
>
>  static int selinux_key_permission(key_ref_t key_ref,
>                                   const struct cred *cred,
> -                                 unsigned perm)
> +                                 enum key_need_perm need_perm)
>  {
>         struct key *key;
>         struct key_security_struct *ksec;
> -       u32 sid;
> +       u32 perm, sid;
>
> -       /* if no specific permissions are requested, we skip the
> -          permission check. No serious, additional covert channels
> -          appear to be created. */
> -       if (perm = 0)
> +       switch (need_perm) {
> +       case KEY_NEED_UNLINK:
> +       case KEY_SYSADMIN_OVERRIDE:
> +       case KEY_AUTHTOKEN_OVERRIDE:
> +       case KEY_DEFER_PERM_CHECK:
>                 return 0;
> +       default:
> +               WARN_ON(1);
> +               return -EPERM;

Please move the default case to the bottom of the switch statement.

> -       sid = cred_sid(cred);
> +       case KEY_NEED_VIEW:     perm = KEY__VIEW;       break;
> +       case KEY_NEED_READ:     perm = KEY__READ;       break;
> +       case KEY_NEED_WRITE:    perm = KEY__WRITE;      break;
> +       case KEY_NEED_SEARCH:   perm = KEY__SEARCH;     break;
> +       case KEY_NEED_LINK:     perm = KEY__LINK;       break;
> +       case KEY_NEED_SETATTR:  perm = KEY__SETATTR;    break;

Please don't put the case statements all on one line, use the more
traditional multi-line format.  For example:

  case KEY_NEED_SETATTR:
          perm = KEY__SETATTR;
          break;

> +       }
>
> +       sid = cred_sid(cred);
>         key = key_ref_to_ptr(key_ref);
>         ksec = key->security;
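Review bot: the four `return 0` cases at the top of `switch (need_perm)` (KEY_NEED_UNLINK, KEY_SYSADMIN_OVERRIDE, KEY_AUTHTOKEN_OVERRIDE, KEY_DEFER_PERM_CHECK) drop the removed comment about skipping the check when no permission is requested without putting any explanation in its place, and since the changelog presents these values as a chance for LSMs to audit such situations, a reader will wonder whether SELinux granting them without recording anything is deliberate. Add a short comment above the switch stating why these are allowed unchecked here, and that the `default:` with `WARN_ON(1)` is what traps the reserved 0 value, so the bare `return 0` is not mistaken for an oversight.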

-- 
paul moore
www.paul-moore.com
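The enum-plus-switch design described in the quoted changelog, as an added userspace model (not code from the patch, the kernel or the SELinux tree): the enum reuses the KEY_NEED_* names from the patch, but its numeric layout and the KEY__* bit values are assumptions constructed here.

```c
#include <errno.h>
#include <stdint.h>

/* Enum modelled on the KEY_NEED_* names in the patch (values assumed). */
enum key_need_perm {
	KEY_NEED_UNSPECIFIED = 0, /* reserved: an unset parameter lands here */
	KEY_NEED_VIEW,
	KEY_NEED_READ,
	KEY_NEED_WRITE,
	KEY_NEED_SEARCH,
	KEY_NEED_LINK,
	KEY_NEED_SETATTR,
	KEY_NEED_UNLINK,        /* no permission needed on the key itself */
	KEY_SYSADMIN_OVERRIDE,  /* override due to CAP_SYS_ADMIN */
	KEY_AUTHTOKEN_OVERRIDE, /* override due to an instantiation token */
	KEY_DEFER_PERM_CHECK,   /* left to later key_permission() calls */
};

/* Constructed stand-ins for the SELinux KEY__* access-vector bits. */
enum { KEY__VIEW = 0x01, KEY__READ = 0x02, KEY__WRITE = 0x04,
       KEY__SEARCH = 0x08, KEY__LINK = 0x10, KEY__SETATTR = 0x20 };

/* Translate a request into the one SELinux bit to check: returns that bit,
 * 0 when the request is granted without any check, and -EPERM for the
 * reserved 0 value or anything outside the enum. */
int key_need_to_av(enum key_need_perm need_perm)
{
	static const int av[] = {
		[KEY_NEED_VIEW] = KEY__VIEW,     [KEY_NEED_READ] = KEY__READ,
		[KEY_NEED_WRITE] = KEY__WRITE,   [KEY_NEED_SEARCH] = KEY__SEARCH,
		[KEY_NEED_LINK] = KEY__LINK,     [KEY_NEED_SETATTR] = KEY__SETATTR,
	};

	switch (need_perm) {
	case KEY_NEED_UNLINK:
	case KEY_SYSADMIN_OVERRIDE:
	case KEY_AUTHTOKEN_OVERRIDE:
	case KEY_DEFER_PERM_CHECK:
		return 0;
	case KEY_NEED_VIEW:
	case KEY_NEED_READ:
	case KEY_NEED_WRITE:
	case KEY_NEED_SEARCH:
	case KEY_NEED_LINK:
	case KEY_NEED_SETATTR:
		return av[need_perm];
	default: /* kept last, as the review asks; also traps the reserved 0 */
		return -EPERM;
	}
}
```

Because a C enum is still an integer, `KEY_NEED_READ | KEY_NEED_WRITE` compiles and in this layout equals KEY_NEED_WRITE, so the `default` case only catches the unset 0 and out-of-range values; the real guard against combining is that callers no longer have a mask-style API to combine.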
