* [PATCH] selinux: Use task_alloc hook rather than task_create hook
@ 2017-03-28 13:12 ` Tetsuo Handa
  0 siblings, 0 replies; 14+ messages in thread
From: Tetsuo Handa @ 2017-03-28 13:12 UTC (permalink / raw)
  To: selinux, linux-security-module; +Cc: Tetsuo Handa

This patch is a preparation for getting rid of task_create hook because
task_create hook which can do what task_create hook can do was revived.

Creating a new thread is unlikely prohibited by security policy, for
fork()/execve()/exit() is fundamental of how processes are managed in
Unix. If a program is known to create a new thread, it is likely that
permission to create a new thread is given to that program. Therefore,
a situation where security_task_create() returns an error is likely that
the program was exploited and lost control. Even if SELinux failed to
check permission to create a thread at security_task_create(), SELinux
can later check it at security_task_alloc(). Since the new thread is not
yet visible from the rest of the system, nobody can do bad things using
the new thread. What we waste will be limited to some initialization
steps such as dup_task_struct(), copy_creds() and audit_alloc() in
copy_process(). We can tolerate these overhead for unlikely situation.

Therefore, this patch changes SELinux to use task_alloc hook rather than
task_create hook so that we can remove task_create hook.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/selinux/hooks.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d37a723..d850b7f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3710,7 +3710,8 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 
 /* task security operations */
 
-static int selinux_task_create(unsigned long clone_flags)
+static int selinux_task_alloc(struct task_struct *task,
+			      unsigned long clone_flags)
 {
 	u32 sid = current_sid();
 
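Review bot: The new `task` parameter in the `selinux_task_alloc()` signature is not referenced in the visible body, which still begins with `u32 sid = current_sid();`, and the diffstat (3 insertions, 2 deletions) leaves no room for a body change, so the check stays keyed to the calling task rather than the one being allocated. If that is intended, a one-line comment above the function saying that `task` is deliberately unused and the permission is checked against the current task would save the next reader from wondering whether a lookup on `task` was forgotten.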
@@ -6205,7 +6206,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 
 	LSM_HOOK_INIT(file_open, selinux_file_open),
 
-	LSM_HOOK_INIT(task_create, selinux_task_create),
+	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
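Review bot: Once `LSM_HOOK_INIT(task_create, selinux_task_create)` is replaced here, this file no longer registers a `task_create` handler, yet the patch does not touch the hook itself, so it stays defined with no SELinux implementation behind it until the removal lands. Suggest naming the follow-up removal in the changelog, or sending both changes as a two-patch series, so the unused hook is not left in the tree by accident.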
-- 
1.8.3.1

* Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook
  2017-03-28 13:12 ` Tetsuo Handa
@ 2017-03-28 13:29   ` Stephen Smalley
  -1 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2017-03-28 13:29 UTC (permalink / raw)
  To: Tetsuo Handa, selinux, linux-security-module

On Tue, 2017-03-28 at 22:12 +0900, Tetsuo Handa wrote:
> This patch is a preparation for getting rid of task_create hook
> because
> task_create hook

task_alloc hook?

>  which can do what task_create hook can do was revived.
> 
> Creating a new thread is unlikely prohibited by security policy, for
> fork()/execve()/exit() is fundamental of how processes are managed in
> Unix. If a program is known to create a new thread, it is likely that
> permission to create a new thread is given to that program.
> Therefore,
> a situation where security_task_create() returns an error is likely
> that
> the program was exploited and lost control. Even if SELinux failed to
> check permission to create a thread at security_task_create(),
> SELinux
> can later check it at security_task_alloc(). Since the new thread is
> not
> yet visible from the rest of the system, nobody can do bad things
> using
> the new thread. What we waste will be limited to some initialization
> steps such as dup_task_struct(), copy_creds() and audit_alloc() in
> copy_process(). We can tolerate these overhead for unlikely
> situation.
> 
> Therefore, this patch changes SELinux to use task_alloc hook rather
> than
> task_create hook so that we can remove task_create hook.

Aside from the nit on the patch description above,

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  security/selinux/hooks.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d37a723..d850b7f 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3710,7 +3710,8 @@ static int selinux_file_open(struct file *file,
> const struct cred *cred)
>  
>  /* task security operations */
>  
> -static int selinux_task_create(unsigned long clone_flags)
> +static int selinux_task_alloc(struct task_struct *task,
> +			      unsigned long clone_flags)
>  {
>  	u32 sid = current_sid();
>  
> @@ -6205,7 +6206,7 @@ static int selinux_key_getsecurity(struct key
> *key, char **_buffer)
>  
>  	LSM_HOOK_INIT(file_open, selinux_file_open),
>  
> -	LSM_HOOK_INIT(task_create, selinux_task_create),
> +	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
>  	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
>  	LSM_HOOK_INIT(cred_free, selinux_cred_free),
>  	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),

* Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook
  2017-03-28 13:29   ` Stephen Smalley
@ 2017-03-28 14:08     ` Tetsuo Handa
  -1 siblings, 0 replies; 14+ messages in thread
From: Tetsuo Handa @ 2017-03-28 14:08 UTC (permalink / raw)
  To: sds; +Cc: selinux, linux-security-module

Stephen Smalley wrote:
> On Tue, 2017-03-28 at 22:12 +0900, Tetsuo Handa wrote:
> > This patch is a preparation for getting rid of task_create hook
> > because
> > task_create hook
> 
> task_alloc hook?

Oops, copy&paste error. Yes, I meant task_alloc hook.

> 
> >  which can do what task_create hook can do was revived.
> > 
> > Creating a new thread is unlikely prohibited by security policy, for
> > fork()/execve()/exit() is fundamental of how processes are managed in
> > Unix. If a program is known to create a new thread, it is likely that
> > permission to create a new thread is given to that program.
> > Therefore,
> > a situation where security_task_create() returns an error is likely
> > that
> > the program was exploited and lost control. Even if SELinux failed to
> > check permission to create a thread at security_task_create(),
> > SELinux
> > can later check it at security_task_alloc(). Since the new thread is
> > not
> > yet visible from the rest of the system, nobody can do bad things
> > using
> > the new thread. What we waste will be limited to some initialization
> > steps such as dup_task_struct(), copy_creds() and audit_alloc() in
> > copy_process(). We can tolerate these overhead for unlikely
> > situation.
> > 
> > Therefore, this patch changes SELinux to use task_alloc hook rather
> > than
> > task_create hook so that we can remove task_create hook.
> 
> Aside from the nit on the patch description above,
> 
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Thank you.

From b43bd0fc0cc267b91f51ad118f6fabd13efb921e Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 28 Mar 2017 22:09:38 +0900
Subject: [PATCH v2] selinux: Use task_alloc hook rather than task_create hook

This patch is a preparation for getting rid of task_create hook because
task_alloc hook which can do what task_create hook can do was revived.

Creating a new thread is unlikely prohibited by security policy, for
fork()/execve()/exit() is fundamental of how processes are managed in
Unix. If a program is known to create a new thread, it is likely that
permission to create a new thread is given to that program. Therefore,
a situation where security_task_create() returns an error is likely that
the program was exploited and lost control. Even if SELinux failed to
check permission to create a thread at security_task_create(), SELinux
can later check it at security_task_alloc(). Since the new thread is not
yet visible from the rest of the system, nobody can do bad things using
the new thread. What we waste will be limited to some initialization
steps such as dup_task_struct(), copy_creds() and audit_alloc() in
copy_process(). We can tolerate these overhead for unlikely situation.

Therefore, this patch changes SELinux to use task_alloc hook rather than
task_create hook so that we can remove task_create hook.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d37a723..d850b7f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3710,7 +3710,8 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 
 /* task security operations */
 
-static int selinux_task_create(unsigned long clone_flags)
+static int selinux_task_alloc(struct task_struct *task,
+			      unsigned long clone_flags)
 {
 	u32 sid = current_sid();
 
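Review bot: Moving the check from `selinux_task_create()` to `selinux_task_alloc()` means a denial is now returned after the work the changelog lists (`dup_task_struct()`, `copy_creds()`, `audit_alloc()`), and nothing in this hunk shows how that state is released on failure. Please state in the changelog that the `copy_process()` error path taken when `security_task_alloc()` fails undoes those steps, since the argument that the only cost is wasted initialization depends on it.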
@@ -6205,7 +6206,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 
 	LSM_HOOK_INIT(file_open, selinux_file_open),
 
-	LSM_HOOK_INIT(task_create, selinux_task_create),
+	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
-- 
1.8.3.1

* Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook
  2017-03-28 14:08     ` Tetsuo Handa
@ 2017-03-29 22:08       ` Paul Moore
  -1 siblings, 0 replies; 14+ messages in thread
From: Paul Moore @ 2017-03-29 22:08 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Stephen Smalley, selinux, linux-security-module

On Tue, Mar 28, 2017 at 10:08 AM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> >From b43bd0fc0cc267b91f51ad118f6fabd13efb921e Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Tue, 28 Mar 2017 22:09:38 +0900
> Subject: [PATCH v2] selinux: Use task_alloc hook rather than task_create hook
>
> This patch is a preparation for getting rid of task_create hook because
> task_alloc hook which can do what task_create hook can do was revived.
>
> Creating a new thread is unlikely prohibited by security policy, for
> fork()/execve()/exit() is fundamental of how processes are managed in
> Unix. If a program is known to create a new thread, it is likely that
> permission to create a new thread is given to that program. Therefore,
> a situation where security_task_create() returns an error is likely that
> the program was exploited and lost control. Even if SELinux failed to
> check permission to create a thread at security_task_create(), SELinux
> can later check it at security_task_alloc(). Since the new thread is not
> yet visible from the rest of the system, nobody can do bad things using
> the new thread. What we waste will be limited to some initialization
> steps such as dup_task_struct(), copy_creds() and audit_alloc() in
> copy_process(). We can tolerate these overhead for unlikely situation.
>
> Therefore, this patch changes SELinux to use task_alloc hook rather than
> task_create hook so that we can remove task_create hook.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/hooks.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

When are you planning to remove the task_create() hook?

I have no objection to this patch, and I plan to merge it, but merging
it now would require rebasing the selinux/next and I try to keep from
rebasing during the development cycle unless absolutely necessary.  I
think this can wait until after the next merge window, what do you
think?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d37a723..d850b7f 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3710,7 +3710,8 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
>
>  /* task security operations */
>
> -static int selinux_task_create(unsigned long clone_flags)
> +static int selinux_task_alloc(struct task_struct *task,
> +                             unsigned long clone_flags)
>  {
>         u32 sid = current_sid();
>
> @@ -6205,7 +6206,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
>
>         LSM_HOOK_INIT(file_open, selinux_file_open),
>
> -       LSM_HOOK_INIT(task_create, selinux_task_create),
> +       LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
>         LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
>         LSM_HOOK_INIT(cred_free, selinux_cred_free),
>         LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
> --
> 1.8.3.1



-- 
paul moore
www.paul-moore.com


* Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook
  2017-03-29 22:08       ` Paul Moore
@ 2017-03-30 11:13         ` Tetsuo Handa
  -1 siblings, 0 replies; 14+ messages in thread
From: Tetsuo Handa @ 2017-03-30 11:13 UTC (permalink / raw)
  To: paul; +Cc: sds, selinux, linux-security-module

Paul Moore wrote:
> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> >  security/selinux/hooks.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> When are you planning to remove the task_create() hook?
> 
> I have no objection to this patch, and I plan to merge it, but merging
> it now would require rebasing the selinux/next and I try to keep from
> rebasing during the development cycle unless absolutely necessary.  I
> think this can wait until after the next merge window, what do you
> think?

Nothing to hurry. SELinux is the only user. We can wait as much as you want.

* Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook
  2017-03-30 11:13         ` Tetsuo Handa
@ 2017-03-31 19:20           ` Paul Moore
  -1 siblings, 0 replies; 14+ messages in thread
From: Paul Moore @ 2017-03-31 19:20 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Stephen Smalley, selinux, linux-security-module

On Thu, Mar 30, 2017 at 7:13 AM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> Paul Moore wrote:
>> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
>> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>> > ---
>> >  security/selinux/hooks.c | 5 +++--
>> >  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> When are you planning to remove the task_create() hook?
>>
>> I have no objection to this patch, and I plan to merge it, but merging
>> it now would require rebasing the selinux/next and I try to keep from
>> rebasing during the development cycle unless absolutely necessary.  I
>> think this can wait until after the next merge window, what do you
>> think?
>
> Nothing to hurry. SELinux is the only user. We can wait as much as you want.

Okay, I'll leave this in the queue and I'll merge it after the next
merge window.

Thanks.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook
  2017-03-31 19:20           ` Paul Moore
@ 2017-05-16 18:21             ` Paul Moore
  -1 siblings, 0 replies; 14+ messages in thread
From: Paul Moore @ 2017-05-16 18:21 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Stephen Smalley, selinux, linux-security-module

On Fri, Mar 31, 2017 at 3:20 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Mar 30, 2017 at 7:13 AM, Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> Paul Moore wrote:
>>> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
>>> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>>> > ---
>>> >  security/selinux/hooks.c | 5 +++--
>>> >  1 file changed, 3 insertions(+), 2 deletions(-)
>>>
>>> When are you planning to remove the task_create() hook?
>>>
>>> I have no objection to this patch, and I plan to merge it, but merging
>>> it now would require rebasing the selinux/next and I try to keep from
>>> rebasing during the development cycle unless absolutely necessary.  I
>>> think this can wait until after the next merge window, what do you
>>> think?
>>
>> Nothing to hurry. SELinux is the only user. We can wait as much as you want.
>
> Okay, I'll leave this in the queue and I'll merge it after the next
> merge window.
>
> Thanks.

Merged, thanks again.

-- 
paul moore
www.paul-moore.com
